Re: [Declude.JunkMail] I'm going to be away next week
On 5/13/04 2:16 PM, R. Scott Perry wrote:

> So if you know the answers to questions on the list that I might have otherwise answered, feel free to answer them.

Does that mean we can approve feature requests that we know you'd like? ;)

Enjoy your time away from us,

Greg

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] I'm going to be away next week
> Does that mean we can approve feature requests that we know you'd like? ;)
>
> Enjoy your time away from us,
>
> Greg

As long as he does not say otherwise it must be so :-)

Damn, so many new features we can get here hehehehehe
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Scott,

I know it's been a while since you posted the answer to my original question, but I would _love_ to have a test which functions exactly the same as spamdomains but instead of searching the reverse DNS in a CONTAINS type manner it searched it in an ENDSWITH type manner. That would allow me to create a file like the below (that would be used with the ENDSWITH-type spamdomains test)...

-
a.edu
b.edu
c.edu
d.edu
.
.
.
w.edu
x.edu
y.edu
z.edu
-

which I would use to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD. With edu especially, a large majority of the time it does match, so points for not matching would be great. And that's just one example of how that would be very useful to me. Just another request to give consideration for the future.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 7:11 PM
Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

> > If I have a SPAMDOMAINS type test in my GLOBAL.CFG...
> >
> > SD-TLD spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt x 5 0
> >
> > ...and I have some entries in the corresponding flat text file like below...
> >
> > .mil
> >
> > will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner or an ENDSWITH type manner?
>
> It will work like CONTAINS, so:
>
> > For example would the host name .milton-bradley.com in the below...
> >
> > -
> > X-Note: Sent with HELO [mail] from Reverse DNS [mail.milton-bradley.com]
> > -
> >
> > get flagged as passing or failing the SPAMDOMAINS test?
>
> That one would get caught, if the reverse DNS entry did not contain .mil in it. So if the E-mail was from [EMAIL PROTECTED], and the reverse DNS entry was mail.milton-bradley.com, the E-mail would not fail the test (but if the reverse DNS was mail.someone_else.com, it would fail the test).
>
> -Scott
>
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
> Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
> ---

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group
http://www.nexustechgroup.com/mailscan
---
RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Dan..

Can you not use a filter file for this?

Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, May 14, 2004 9:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

> Scott,
>
> I know it's been a while since you posted the answer to my original question, but I would _love_ to have a test which functions exactly the same as spamdomains but instead of searching the reverse DNS in a CONTAINS type manner it searched it in an ENDSWITH type manner. That would allow me to create a file like the below (that would be used with the ENDSWITH-type spamdomains test)...
>
> -
> a.edu
> b.edu
> c.edu
> d.edu
> .
> .
> .
> w.edu
> x.edu
> y.edu
> z.edu
> -
>
> which I would use to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD. With edu especially, a large majority of the time it does match, so points for not matching would be great. And that's just one example of how that would be very useful to me. Just another request to give consideration for the future.
>
> Thanks,
> Dan Geiser
> [EMAIL PROTECTED]
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Kami,

How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 9:22 AM
Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

> Dan..
>
> Can you not use a filter file for this?
>
> Kami
RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Dan..

Maybe I am not understanding the question. But I basically have a couple of combination tests that are like the following:

REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH .hotmail.com

So with this logic you can add weight if someone is using Hotmail as return address but is not using hotmail to send mail. We have this for a lot of ISPs.

Is this what you are trying to do?

Regards,
-Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, May 14, 2004 9:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

> Kami,
>
> How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great.
>
> Thanks,
> Dan Geiser
> [EMAIL PROTECTED]
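Scott's CONTAINS answer from the original exchange (a `.mil` entry also hitting `mail.milton-bradley.com`), Dan's requested ENDSWITH-style comparison of the sender domain against the reverse DNS, and Kami's three-line combination filter, worked through in Python. This is an added example, not Declude code and not code posted by anyone in the thread; every entry and host name in it is constructed, and the reading of a weight of END as "stop processing this filter file when the line matches" is an assumption.

```python
# Added example (not Declude code, not from anyone on the list): CONTAINS vs
# ENDSWITH matching of reverse DNS names, a sender/reverse-DNS mismatch score
# in the spirit of Dan's request, and Kami's three-line combination filter.
# All sample entries and host names below are constructed.

# Constructed SPAMDOMAINS-style entries (the single ".mil" entry from the thread).
SPAMDOMAINS_ENTRIES = [".mil"]

# Constructed stand-in for Dan's flat file of .edu domains.
EDU_DOMAINS = ["a.edu", "b.edu", "c.edu"]


def contains_match(revdns, entries):
    """CONTAINS semantics: an entry matches if it appears anywhere in the name."""
    host = revdns.lower()
    return [e for e in entries if e.lower() in host]


def endswith_match(revdns, entries):
    """ENDSWITH semantics: an entry matches only as the tail of the name."""
    host = revdns.lower()
    return [e for e in entries if host.endswith(e.lower())]


def sender_domain(mailfrom):
    """Domain part of a MAIL FROM address, lowercased ('' if there is no '@')."""
    return mailfrom.lower().rpartition("@")[2]


def in_domain(host, domain):
    """True when host is the domain itself or a host under it (label boundary respected)."""
    return host == domain or host.endswith("." + domain)


def mismatch_points(mailfrom, revdns, domains, weight=2):
    """Dan's proposed test: if the sender's domain is one of `domains` but the
    reverse DNS name does not end in that same domain, add `weight` points.
    Senders outside the list are not scored at all."""
    dom = sender_domain(mailfrom)
    if dom not in {d.lower() for d in domains}:
        return 0
    return 0 if in_domain(revdns.lower(), dom) else weight


def kami_style_filter(mailfrom, revdns, helo, isp="hotmail.com"):
    """Kami's combination filter for one ISP. Assumption: a weight of END means
    'stop processing this filter file when the line matches', so a genuine ISP
    reverse DNS short-circuits to zero points; otherwise a claimed ISP return
    address scores 3 and a claimed ISP HELO scores 5."""
    if revdns.lower().endswith("." + isp):        # REVDNS END ENDSWITH .hotmail.com
        return 0
    points = 0
    if mailfrom.lower().endswith("@" + isp):      # MAILFROM 3 ENDSWITH @hotmail.com
        points += 3
    if helo.lower().endswith("." + isp):          # HELO 5 ENDSWITH .hotmail.com
        points += 5
    return points


if __name__ == "__main__":
    host = "mail.milton-bradley.com"
    print("CONTAINS :", contains_match(host, SPAMDOMAINS_ENTRIES))   # ['.mil']
    print("ENDSWITH :", endswith_match(host, SPAMDOMAINS_ENTRIES))   # []
    print("edu mismatch:", mismatch_points("someone@a.edu", "pool-1-2-3-4.example.net", EDU_DOMAINS))
    print("kami:", kami_style_filter("x@hotmail.com", "pool-1-2-3-4.example.net", "mail.hotmail.com"))
```

The `in_domain` check insists on a label boundary, so `notreallya.edu` does not count as being under `a.edu`; a plain suffix test would.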
Re: [Declude.JunkMail] ISBLANK is blank
I just figured out why SPAMCOP(DYNA) didn't hit...it's because the sender forged a local address as the Mail From, and it appears that this is what you are using as a trip to turn off DUL tests. Please allow those of us on IMail 8.x with WHITELIST AUTH to turn this feature off. There was an old discussion about this, but clearly this is causing problems since it is being exploited. In fact this severely weakens my system for hosted accounts, and unfortunately I wasn't aware of how big the issue was until now.

Thanks,

Matt

Matt wrote:

> Scott,
>
> I have a filter for the following that isn't getting hit:
>
> BODY 4 ISBLANK
> SUBJECT 2 ISBLANK
>
> For some reason IMail consistently delivers messages from broken spamware, and those filters seem like the best way to add points to the message. Here's an example:
>
> Received: from p508B2C3C.dip.t-dialin.net [80.139.44.60] by mx3.mailpure.com (SMTPD32-8.05) id AAA6127301CC; Tue, 11 May 2004 09:52:38 -0400
> Received: from h[8
> Subject: [16]
> X-MailPure:
> X-MailPure: SPAMCOP(ALL): Failed, listed in bl.spamcop.net (weight 2).
> X-MailPure: FIVETEN-SPAM: Failed, listed in blackholes.five-ten-sg.com (weight 1).
> X-MailPure: BRINKPATTERN: Failed, BRINK pattern found (weight 1).
> X-MailPure: BADHEADERS: Failed, headers not RFC compliant [8c21] (weight 4).
> X-MailPure: CMDSPACE: Failed, improperly formatted SMTP commands (weight 3).
> X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
> X-MailPure: FOREIGN: Message failed FOREIGN test (line 1432, weight 3) (weight capped at 3).
> X-MailPure: RECIPIENTS: hidden
> X-MailPure:
> X-MailPure: Spam Score: 16
> X-MailPure: Scan Time: 09:52:44 on 05/11/2004
> X-MailPure: Spool File: Ddaa6127301cc364a.SMD
> X-MailPure: Server Name: p508B2C3C.dip.t-dialin.net
> X-MailPure: SMTP Sender: hidden
> X-MailPure: Received From: p508B2C3C.dip.t-dialin.net [80.139.44.60]
> X-MailPure: Country Chain: GERMANY-destination
> X-MailPure:
> X-MailPure: Spam and virus blocking services provided by MailPure.com
> X-MailPure:
>
> They always look like this, and while these account for about 2.5% of my hold file, many more are scoring higher and unfortunately some of these are also passing. Also note that I have no idea why SPAMCOP(ALL) failed and SPAMCOP(DYNA) didn't fail considering that there is only one IP shown, but that's another issue.
>
> Thanks,
>
> Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
[Declude.JunkMail] ISBLANK is blank
Scott,

I have a filter for the following that isn't getting hit:

BODY 4 ISBLANK
SUBJECT 2 ISBLANK

For some reason IMail consistently delivers messages from broken spamware, and those filters seem like the best way to add points to the message. Here's an example:

Received: from p508B2C3C.dip.t-dialin.net [80.139.44.60] by mx3.mailpure.com (SMTPD32-8.05) id AAA6127301CC; Tue, 11 May 2004 09:52:38 -0400
Received: from h[8
Subject: [16]
X-MailPure:
X-MailPure: SPAMCOP(ALL): Failed, listed in bl.spamcop.net (weight 2).
X-MailPure: FIVETEN-SPAM: Failed, listed in blackholes.five-ten-sg.com (weight 1).
X-MailPure: BRINKPATTERN: Failed, BRINK pattern found (weight 1).
X-MailPure: BADHEADERS: Failed, headers not RFC compliant [8c21] (weight 4).
X-MailPure: CMDSPACE: Failed, improperly formatted SMTP commands (weight 3).
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure: FOREIGN: Message failed FOREIGN test (line 1432, weight 3) (weight capped at 3).
X-MailPure: RECIPIENTS: hidden
X-MailPure:
X-MailPure: Spam Score: 16
X-MailPure: Scan Time: 09:52:44 on 05/11/2004
X-MailPure: Spool File: Ddaa6127301cc364a.SMD
X-MailPure: Server Name: p508B2C3C.dip.t-dialin.net
X-MailPure: SMTP Sender: hidden
X-MailPure: Received From: p508B2C3C.dip.t-dialin.net [80.139.44.60]
X-MailPure: Country Chain: GERMANY-destination
X-MailPure:
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:

They always look like this, and while these account for about 2.5% of my hold file, many more are scoring higher and unfortunately some of these are also passing. Also note that I have no idea why SPAMCOP(ALL) failed and SPAMCOP(DYNA) didn't fail considering that there is only one IP shown, but that's another issue.

Thanks,

Matt
[Declude.JunkMail] badheader variable?
I see a fair amount of spam e-mails that fail badheaders of c8000246 or c8000247, which means no From address. As a result all of the headers and body are put in the body.

I'm wondering if the badheaders return code could be made into a variable? I'd be thinking along the lines of:

BADHEADERS 10 IS c8000246
BADHEADERS 10 IS c8000247

Scott Fisher
Director of IT
Farm Progress Companies
[Declude.JunkMail] ALLRECIPs filter trouble
I'm running 179i7. I'm not getting any matches on ALLRECIPS filters with the IS. Anyone have any tips?

ALLRECIPS 20 IS [EMAIL PROTECTED]

I am getting matches with the CONTAINS filter.

ALLRECIPS 20 CONTAINS [EMAIL PROTECTED]

Scott Fisher
Director of IT
Farm Progress Companies
Re: [Declude.JunkMail] ALLRECIPs filter trouble
> I'm not getting any matches on ALLRECIPS filters with the IS. Anyone have any tips?
>
> ALLRECIPS 20 IS [EMAIL PROTECTED]

If you change it to:

ALLRECIPS 20 IS [EMAIL PROTECTED]

then it should work.

-Scott
Re: [Declude.JunkMail] badheader variable?
> I see a fair amount of spam e-mails that fail badheaders of c8000246 or c8000247, which means no From address. As a result all of the headers and body are put in the body.
>
> I'm wondering if the badheaders return code could be made into a variable? I'd be thinking along the lines of:
>
> BADHEADERS 10 IS c8000246
> BADHEADERS 10 IS c8000247

Interesting idea -- this has been added to the suggestion database.

-Scott
Re: [Declude.JunkMail] ISBLANK is blank
> I have a filter for the following that isn't getting hit:
>
> BODY 4 ISBLANK
> SUBJECT 2 ISBLANK

That's because of the way that Declude JunkMail now handles encoded subjects/bodies -- we will try to change that behavior.

> Also note that I have no idea why SPAMCOP(ALL) failed and SPAMCOP(DYNA) didn't fail considering that there is only one IP shown, but that's another issue.

I'll take a look into this, and see if we can add an option to determine if Declude Junkmail skips those tests for seemingly local users.

-Scott
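One way an encoded Subject can slip past a blank check, as an added illustration in Python. This is not Declude's code and not a description of its internals; it shows the general failure mode behind Scott's answer: an RFC 2047 encoded-word is non-empty on the wire yet decodes to nothing, so a test that compares the raw header sees text while the recipient sees an empty subject. The sample header values are constructed.

```python
# Added example (not Declude code): why an ISBLANK-style test has to look at
# the decoded Subject rather than the raw header bytes. The sample headers
# below are constructed; this illustrates the failure mode, not Declude's
# internals.
from email.header import decode_header


def decode_subject(raw):
    """Decode RFC 2047 encoded-words in a header value to plain text."""
    pieces = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            pieces.append(chunk.decode(charset or "us-ascii", errors="replace"))
        else:
            pieces.append(chunk)   # unencoded header text comes back as str
    return "".join(pieces)


def raw_is_blank(raw):
    """Naive check: compares the header exactly as received."""
    return raw.strip() == ""


def decoded_is_blank(raw):
    """Check after decoding; whitespace-only results count as blank too."""
    return decode_subject(raw).strip() == ""


# Constructed sample Subject values, keyed by what they represent.
SAMPLES = {
    "missing": "",
    "spaces only": "   ",
    "encoded empty": "=?us-ascii?Q??=",
    "encoded space": "=?us-ascii?Q?_?=",      # '_' in Q-encoding is a space
    "encoded real": "=?utf-8?B?SGVsbG8=?=",    # decodes to "Hello"
    "plain real": "Meeting at 3pm",
}


def classify(samples=SAMPLES):
    """Return {name: (raw_is_blank, decoded_is_blank)} for each sample."""
    return {name: (raw_is_blank(s), decoded_is_blank(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (raw, decoded) in classify().items():
        print(f"{name:14s} raw_blank={raw!s:5s} decoded_blank={decoded}")
```

The two "encoded" cases are the interesting ones: the raw comparison reports them as non-blank, the decoded comparison as blank. A body check has the same shape, with the transfer encoding (quoted-printable or base64) decoded before the emptiness test.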
Re: [Declude.JunkMail] ISBLANK is blank
Thanks Scott.

In the meantime regarding the DUL/DUHL/DYNA thing, I figured that I can actually use the DNSBL hack you showed yesterday, using %REMOTEIP%, and change the names in order to avoid this behavior, but that's only a workaround and I'm sure that a simple switch would be preferred for most. Thankfully only 10% of my traffic is hosted, and that's also why I didn't notice that this extended beyond the real DUL tests until now.

You could save me a bit of time though by answering this one question. With custom filters, will they also be skipped if there is a DUL/DUHL/DYNA in the name and the Mail From is local, i.e. DYNAMIC or DUL-COMBO? If so, I'll just change those names as well though I would prefer not to.

Thanks,

Matt

R. Scott Perry wrote:

> > I have a filter for the following that isn't getting hit:
> >
> > BODY 4 ISBLANK
> > SUBJECT 2 ISBLANK
>
> That's because of the way that Declude JunkMail now handles encoded subjects/bodies -- we will try to change that behavior.
>
> > Also note that I have no idea why SPAMCOP(ALL) failed and SPAMCOP(DYNA) didn't fail considering that there is only one IP shown, but that's another issue.
>
> I'll take a look into this, and see if we can add an option to determine if Declude Junkmail skips those tests for seemingly local users.
>
> -Scott
Re: [Declude.JunkMail] ISBLANK is blank
> You could save me a bit of time though by answering this one question. With custom filters, will they also be skipped if there is a DUL/DUHL/DYNA in the name and the Mail From is local, i.e. DYNAMIC or DUL-COMBO? If so, I'll just change those names as well though I would prefer not to.

No -- the filters will not be skipped based on the test name.

-Scott
Re: [Declude.JunkMail] OT SPF PTR Problem
> I have therefore added a ptr:directpceu.com record to the domain, and tested it here:
>
> http://www.dnsstuff.com/tools/spf.ch?server=bedstone.org&ip=62.128.191.26
>
> This page and the SPF test page both say the email should fail. Even though 62.128.191.26 has a reverse ending in directpceu.com

The catch here is a technicality of SPF, where it won't allow the ptr: to pass if the PTR record matches, but has no A record pointing back to the same IP. So in this case, relay03-1.direcpceu.com does contain direcpceu.com, but since relay03-1.direcpceu.com does not have an A record, it doesn't pass the test.

-Scott
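The ptr: validation Scott describes, as an added Python example run against a constructed in-memory DNS table. This is not Declude or dnsstuff code; the host names use example.com and documentation address ranges and are not the real records of the domain discussed in the thread. The rule it implements is the one from the SPF specification: a PTR name counts only after a forward lookup of that name returns the connecting IP.

```python
# Added example (not Declude or dnsstuff code): how SPF's ptr: mechanism
# decides a match. A reverse (PTR) name only counts once it is validated by
# a forward (A) lookup that returns the connecting IP; a PTR name with no A
# record fails exactly as described in the reply above. The DNS data is a
# constructed in-memory table, not real records.

# Constructed DNS: reverse map and forward map.
PTR_RECORDS = {
    "192.0.2.26": ["relay03-1.example.com"],
    "192.0.2.27": ["relay03-2.example.com"],
    "192.0.2.28": ["mail.example.com", "mail.other.example"],
}
A_RECORDS = {
    # relay03-1.example.com deliberately has no A record
    "relay03-2.example.com": ["192.0.2.27"],
    "mail.example.com": ["203.0.113.5"],    # A record exists but points elsewhere
    "mail.other.example": ["192.0.2.28"],
}


def lookup_ptr(ip):
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    return A_RECORDS.get(name, [])


def ptr_candidates(ip, domain):
    """Evaluate each PTR name of `ip` as (name, validated, within_domain).
    validated means one of the name's A records is the connecting IP
    (RFC 4408 section 5.5); within_domain means the name is `domain` or
    a host under it."""
    domain = domain.lower().rstrip(".")
    report = []
    for name in lookup_ptr(ip):
        name = name.lower().rstrip(".")
        validated = ip in lookup_a(name)
        within = name == domain or name.endswith("." + domain)
        report.append((name, validated, within))
    return report


def ptr_mechanism_matches(ip, domain):
    """ptr:<domain> matches only if some validated PTR name lies in <domain>."""
    return any(validated and within
               for _, validated, within in ptr_candidates(ip, domain))


if __name__ == "__main__":
    for ip in sorted(PTR_RECORDS):
        print(ip, ptr_candidates(ip, "example.com"),
              "->", ptr_mechanism_matches(ip, "example.com"))
```

`192.0.2.26` reproduces the situation in the thread: its PTR name is in the right domain but has no A record, so it is never validated and the mechanism does not match. `192.0.2.28` shows the other half of the rule: a name whose A record points somewhere else is equally ignored, even though it sits inside the domain.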
RE: [Declude.JunkMail] OT SPF PTR Problem
Thanks Scott,

I did just work this out and was about to post back to the list when I read your reply. Many thanks for your response!

Lyndon.

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: 14 May 2004 17:06
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT SPF PTR Problem

> > I have therefore added a ptr:directpceu.com record to the domain, and tested it here:
> >
> > http://www.dnsstuff.com/tools/spf.ch?server=bedstone.org&ip=62.128.191.26
> >
> > This page and the SPF test page both say the email should fail. Even though 62.128.191.26 has a reverse ending in directpceu.com
>
> The catch here is a technicality of SPF, where it won't allow the ptr: to pass if the PTR record matches, but has no A record pointing back to the same IP. So in this case, relay03-1.direcpceu.com does contain direcpceu.com, but since relay03-1.direcpceu.com does not have an A record, it doesn't pass the test.
>
> -Scott

Email checked by UKsubnet anti-virus service
To prevent email abuse block spam contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net Fax: +44(0)8712360300
Powered by UKsubnet Internet Service Provider Business to Business Internet (ISP)
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Scott,

I seem to have broken things worse :)

Is there any reason why the following wouldn't work?

XBL(LAST) dnsbl %REMOTEIP%.sbl-xbl.spamhaus.org 127.0.0.4 6 0

I tested the DUL lists using this format and it seemed to be working. Here are the headers from a single hop test that tripped on the ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

Received: from nickdisk.every1.net [218.72.105.91] by mx1.mailpure.com (SMTPD32-8.05) id A3B01190256; Fri, 14 May 2004 12:28:32 -0400
Message-ID: [EMAIL PROTECTED]
Date: Fri, 14 May 2004 20:43:49 +0500
From: "jada grant" [EMAIL PROTECTED]
User-Agent: IncrediMail 2001 (1800838)
X-Accept-Language: en-us
MIME-Version: 1.0
To: hidden
Subject: [23] enhance your anatomy
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MailPure:
X-MailPure: XBL(ALL): Failed, listed in sbl-xbl.spamhaus.org (weight 2).
X-MailPure: FIVETEN-SPAM: Failed, listed in blackholes.five-ten-sg.com (weight 1).
X-MailPure: NOREVDNS: Failed, no reverse DNS entry (weight 1).
X-MailPure: CMDSPACE: Failed, improperly formatted SMTP commands (weight 3).
X-MailPure: SNIFFER-PORN: Failed, listed in the Porn/Adult category (weight 8).
X-MailPure: BADCOUNTRYNOREVDNS: Message failed BADCOUNTRYNOREVDNS test (line 7, weight 5) (weight capped at 5).
X-MailPure: FOREIGN: Message failed FOREIGN test (line 446, weight 3) (weight capped at 3).
X-MailPure: RECIPIENTS: hidden
X-MailPure:
X-MailPure: Spam Score: 23
X-MailPure: Scan Time: 12:28:45 on 05/14/2004
X-MailPure: Spool File: Df3b0011902563c94.SMD
X-MailPure: Server Name: nickdisk.every1.net
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: [No Reverse DNS] [218.72.105.91]
X-MailPure: Country Chain: CHINA-destination
X-MailPure:
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:

R. Scott Perry wrote:

> > You could save me a bit of time though by answering this one question. With custom filters, will they also be skipped if there is a DUL/DUHL/DYNA in the name and the Mail From is local, i.e. DYNAMIC or DUL-COMBO? If so, I'll just change those names as well though I would prefer not to.
>
> No -- the filters will not be skipped based on the test name.
>
> -Scott
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
I seem to have broken things worse :) Is there any reason why the following wouldn't work?

XBL(LAST) dnsbl %REMOTEIP%.sbl-xbl.spamhaus.org 127.0.0.4 6 0

I tested the DUL lists using this format and it seemed to be working. Here's the headers from a single hop test that tripped on the ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail will create 192.0.2.25.sbl-xbl.spamhaus.org. But, you really want 25.2.0.192.sbl-xbl.spamhaus.org. Fortunately, you can use:

XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0

which should do what you want.

-Scott
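The exchange above turns on one detail: an ip4r-style list is keyed on the IP with its octets reversed, so a %REMOTEIP% expansion queries a name that does not exist in the zone while %IP4R% (or an ip4r test) queries the one that does. The following is an added illustration of that mechanism and is not Declude code; the in-memory FAKE_DNS table is constructed test data standing in for the real zone, and treating the 127.0.0.4 column as an exact-match return code is an assumption made for the example.

```python
"""Why `%REMOTEIP%` misses an ip4r list and `%IP4R%` hits it.

Added illustration; this is not Declude code.  FAKE_DNS is constructed
test data standing in for the real zone, so nothing here touches the network.
"""
import ipaddress

ZONE = "sbl-xbl.spamhaus.org"

# Constructed: 192.0.2.25 (an RFC 5737 documentation address) is "listed",
# stored the way an ip4r zone stores it: octets reversed under the zone,
# with the A record carrying the listing code.
FAKE_DNS = {
    "25.2.0.192." + ZONE: "127.0.0.4",
}


def remoteip_name(ip: str, zone: str) -> str:
    """Expansion of `%REMOTEIP%.zone`: octets in wire order.

    Fine for a zone keyed on the literal IP, wrong for an ip4r list.
    """
    ipaddress.IPv4Address(ip)  # reject anything that is not a dotted quad
    return ip + "." + zone


def ip4r_name(ip: str, zone: str) -> str:
    """Expansion of `%IP4R%.zone` (what an `ip4r` test does): octets reversed."""
    ipaddress.IPv4Address(ip)
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(name: str, dns=FAKE_DNS):
    """Stand-in for an A-record query: the listing code, or None for NXDOMAIN."""
    return dns.get(name)


def listed(ip: str, zone: str, want_code: str, dns=FAKE_DNS) -> bool:
    """True when the reversed query returns exactly the code the test line names.

    Exact-match on the code is an assumption of this example, not a statement
    about how Declude interprets that column.
    """
    return lookup(ip4r_name(ip, zone), dns) == want_code
```

The IPv4 parse in both builders is there because the same dnsbl/%VARIABLE% form is also used with %HELO% and %REVDNS% in this thread; feeding a hostname into an ip4r zone silently produces a name that can never match, and failing loudly is preferable.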
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
DOH! And unfortunately I just finished backing out of the changes :) Thanks for the clarification/correction.

Matt

R. Scott Perry wrote:

I seem to have broken things worse :) Is there any reason why the following wouldn't work?

XBL(LAST) dnsbl %REMOTEIP%.sbl-xbl.spamhaus.org 127.0.0.4 6 0

I tested the DUL lists using this format and it seemed to be working. Here's the headers from a single hop test that tripped on the ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail will create 192.0.2.25.sbl-xbl.spamhaus.org. But, you really want 25.2.0.192.sbl-xbl.spamhaus.org. Fortunately, you can use:

XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0

which should do what you want.

-Scott
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Friday, May 14, 2004, 11:36:22 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

I seem to have broken things worse :) Is there any reason why the following wouldn't work?

XBL(LAST) dnsbl %REMOTEIP%.sbl-xbl.spamhaus.org 127.0.0.4 6 0

I tested the DUL lists using this format and it seemed to be working. Here's the headers from a single hop test that tripped on the ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

RSP The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail
RSP will create 192.0.2.25.sbl-xbl.spamhaus.org. But, you really want
RSP 25.2.0.192.sbl-xbl.spamhaus.org. Fortunately, you can use:
RSP XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
RSP which should do what you want.
RSP -Scott

Since sbl-xbl.spamhaus.org is an ip4r list, doesn't the below do the same thing as using %IP4R% as shown above? If not, what is the difference?

SBL-ALL ip4r sbl-xbl.spamhaus.org

Thanks, Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net (972) 788-2364 Fax: (972) 788-5049
Re: [Declude.JunkMail] DNSSTUFF
Matt- Look for high web traffic. We had a big DDOS attack last week that ate up our connectivity with web requests for "SEARCH" and a query string that was about 1000 characters long. Every request was identical, the same characters over and over and then a switch to another character, also repeated many times. The characters were all unusual, like the single-place +/- unicode character. We dealt with it by blocking all of Asia and South America for a week. -Dave

- Original Message - From: Matt To: [EMAIL PROTECTED] Sent: Thursday, May 13, 2004 12:27 AM Subject: Re: [Declude.JunkMail] DNSSTUFF

Cancel that, no clue what brought down my server, it doesn't seem related to E-mail. I am however having trouble reaching two other sites though, but that's probably a coincidence. The DNSStuff Canadian mirror isn't responding, but the backup site still is: http://backup.dnsstuff.com/ Matt

Matt wrote: I seem to be finding a lot of things that are down currently, and my own server was knocked off-line earlier tonight by what appears to have been a huge surge of viruses (more research necessary). Maybe just a coincidence of course. Matt

Goran Jovanovic wrote: Hmmm me too. I had problems earlier this week and then it came back. Goran Jovanovic The LAN Shoppe

-Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Rick Hogue Sent: Wednesday, May 12, 2004 11:01 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] DNSSTUFF

What happened to this valuable site? I get a server not found? Rick Hogue www.intent.net Web Hosting 1-800-866-2983 www.prosperity.com Featured web site
Re: [Declude.JunkMail] I'm going to be away next week
Enjoy your time off, Scott. You've earned it! -Dave

- Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, May 13, 2004 2:16 PM Subject: [Declude.JunkMail] I'm going to be away next week

Just so people on this list are aware, I'm going to be away next week. So if you know the answers to questions on the list that I might have otherwise answered, feel free to answer them. And, remember that the horizons@ and sperry@ addresses go to me, so you will want to instead use the [EMAIL PROTECTED] address for support queries. -Scott
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Don, Since I started this thread, I'll try to answer what's at issue here. Declude has functionality to only scan the last hop on any dnsbl, ip4r and rhsbl test when it has either DUL, DYNA or DUHL in the name of the test. This is done in order to protect you from scoring hits on dial-up or residential IP's when they weren't the connecting server and when you are using Declude to score on multiple hops (I believe this is version restricted). In order to keep these DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name. This was very useful until IMail 8 came along and they started providing an indication of whether or not AUTH was used in the Q*.SMD file. When IMail 8 did that, Scott introduced a function called WHITELIST AUTH that will whitelist any E-mail that is AUTH'd. Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH. The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit. So for users that have IMail 8, where all of their users are whitelisted either by IP or by AUTH, it would be nice to turn this functionality off. Something that seemed to confuse you was the fact that I am using several tests twice like so: XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0 XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0 The reason why I do this is because I score on multiple hops, and instead of having XBL score exactly the same on every hop, I created a work around so that it would score higher on the last hop, and lower if it only hit one of the prior hops. 
The prior hop functionality helps with catching spam that is relayed from one open relay to another open relay, or worse yet, from an open relay to a legitimate mail server. At the same time there are lots of IP's in some of these lists that have long since been fixed/closed and are sending only legitimate E-mail through legitimate servers, and only adding a few points helps protect from false positives. The former kludge that I used was to use (DYNA) in the name of the test that I only wanted to score on the last hop, but this morning, I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address. By changing the test to how it appears as XBL(LAST) in the above example, I'm creating a way to score only the last hop without it being defeated when a local address is forged and DUL/DYNA/DUHL appears in the name. The short answer is that in the example above for XBL(LAST), using the dnsbl/%IP4R% hack, you can construct a test that only hits the last hop (if you are scoring on multiple hops like I am). It's convoluted, but it works, and I do recommend doing it, but only if you understand how it works and why it is useful.

Matt

Don Brown wrote:

Friday, May 14, 2004, 11:36:22 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

I seem to have broken things worse :) Is there any reason why the following wouldn't work?

XBL(LAST) dnsbl %REMOTEIP%.sbl-xbl.spamhaus.org 127.0.0.4 6 0

I tested the DUL lists using this format and it seemed to be working. Here's the headers from a single hop test that tripped on the ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

RSP The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail
RSP will create "192.0.2.25.sbl-xbl.spamhaus.org". But, you really want
RSP "25.2.0.192.sbl-xbl.spamhaus.org". Fortunately, you can use:
RSP XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
RSP which should do what you want.
RSP -Scott

Since sbl-xbl.spamhaus.org is an ip4r list, doesn't the below do the same thing as using %IP4R% as shown above? If not, what is the difference?

SBL-ALL ip4r sbl-xbl.spamhaus.org

Thanks, Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net (972) 788-2364 Fax: (972) 788-5049
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
- Original Message - From: Matt [EMAIL PROTECTED]

XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0

Scott/Matt, would a configuration like above require multiple DNS queries since the hostnames defined in the tests are no longer identical? Or is the variable (in this case %IP4R%) ignored in the hostname, so that as far as Declude is concerned, the hostnames are still identical?

Bill
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0

Scott/Matt, would a configuration like above require multiple DNS queries since the hostnames defined in the tests are no longer identical? Or is the variable (in this case %IP4R%) ignored in the hostname, so that as far as Declude is concerned, the hostnames are still identical?

Having both of those would indeed cause multiple DNS queries. Even though they end up using the same zone, the ip4r lookups are handled separately from the dnsbl lookups.

-Scott
Re: [Declude.JunkMail] ALLRECIPs filter trouble
No matches with the [EMAIL PROTECTED] format either.

Scott Fisher Director of IT Farm Progress Companies

[EMAIL PROTECTED] 05/14/04 09:43AM

I'm not getting any matches on ALLRECIPS filters with the IS. Anyone have any tips?

ALLRECIPS 20 IS [EMAIL PROTECTED]

If you change it to:

ALLRECIPS 20 IS [EMAIL PROTECTED]

then it should work.

-Scott
[Declude.JunkMail] Citibank- Phishing
Hi; I just received the following phishing attempt from CitiBank.

Received: from marduk.hostmatix.com [66.194.152.44] by foroosh.com with ESMTP (SMTPD32-8.11) id AA2B91800C6; Fri, 14 May 2004 15:12:43 -0400
Received: from nobody by marduk.hostmatix.com with local (Exim 4.34) id 1BOi6u-0003M2-LW for [EMAIL PROTECTED]; Fri, 14 May 2004 15:12:44 -0400
To: [EMAIL PROTECTED]
Subject: Citibank Secure Verification Process
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Fri, 14 May 2004 15:12:44 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - marduk.hostmatix.com
X-AntiAbuse: Original Domain - durability.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - marduk.hostmatix.com
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (line 107, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 162, weight 7)
X-Declude-Sender: [EMAIL PROTECTED] [66.194.152.44]
X-Declude-Spoolname: D1a2b091800c66245.SMD
X-Note: ==
X-Note: Spam Score: 4 [BLOCKED ON 20+ DELETED ON 60+]
X-Note: Scan Time: 15:12:54 on 05/14/2004
X-Note: Spool File: D1a2b091800c66245.SMD
X-Note: Server Name: marduk.hostmatix.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: marduk.hostmatix.com [66.194.152.44]
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned filtered by Declude [1.79i7] for SPAM virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 383169419

Body (HTML, shown here as rendered text with the real link targets):

[image: https://www.citibank.com/us/cards/images/homepage/citi_norm.gif]

Dear Citibank user,

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts.

You are requested to visit our site by following the link given below

Link text: http://www.web-da-us.citibank.com/citiISAPI.dll?verification/%?7088080019
Actual href: http://www.citicorp-verification.com/cgibin/citifi/scripts/home/Verify.htm

Please fill in the required information.

This is required for us to continue to offer you a safe and risk free environment to run your business, and maintain the Citibank experience.

Thank you
Accounts Management

As outlined in our User Agreement, Citibank will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement (href: http://www.citibank.com/domain/disclaim/?BVE=http://web.da-us.citibank.comBVP=/cgi-bin/citifi/scripts/M=SUS_u=visitor) if you have any questions.

Copyright 2003 Citibank Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
Citibank and the Citibank logo are trademarks of Citibank Inc

Announcements (href: http://www.citibank.com/citigroup/) | (href: https://www.accountonline.com/Register?siteId=CB) FONT face="Times New
[Declude.JunkMail] Line in Header
Just noticed this line in a header of a spam message. I have not seen this one before:

X-T2: hskbbjayswtesetdapwybwwa ptsabdbeppytedbb esseasyysa

Any one see this one, and is the X-T2: something we can filter on?

John Tolmachoff Engineer/Consultant/Owner eServices For You
[Declude.JunkMail] Phishing..
Follow up to last email: Hi; The following is the site: http://www.citicorp-verification.com/cgibin/citifi/scripts/home/Verify.htm Filter on: citicorp-verification the site is live and kicking.. href="">https://www.accountonline.com/Register?siteId=CB"FONT this is also another filter I think: accountonline.com The site the email came from appears to be a hosting company. Regards, Kami
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Hi, Kami, I don't even know how to mentally parse the below code that you've listed. Would this go inside a filter file? What does each line signify? For example, REVDNS END ENDSWITH .hotmail.com. I've not seen that syntax before. Is END a valid value in that column? What does it do? When was the END value introduced? I am currently running v1.75 and I know there's been a lot of stuff introduced since our Service Agreement expired. Thanks for your feedback. Dan

- Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 14, 2004 9:40 AM Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

Dan.. May be I am not understanding the question. But I basically have a couple of combination tests that are like the following:

REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH .hotmail.com

So with this logic you can add weight if someone is using Hotmail as return address but is not using hotmail to send mail. We have this for a lot of ISP's. Is this what you are trying to do?

Regards, -Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, May 14, 2004 9:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

Kami, How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD.? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great.

Thanks, Dan Geiser [EMAIL PROTECTED]
--- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
Re: [Declude.JunkMail] ALLRECIPs filter trouble
No matches with the [EMAIL PROTECTED] format either.

Actually, it needs to be [EMAIL PROTECTED], [EMAIL PROTECTED] (where the first [EMAIL PROTECTED] is the name entered by the user, and the second one is the one that IMail uses).

-Scott
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
The END in the weight column is valid starting somewhere in the 1.77s. It causes the filter to immediately end with the current score.

Scott Fisher Director of IT Farm Progress Companies

[EMAIL PROTECTED] 05/14/04 03:01PM

Hi, Kami, I don't even know how to mentally parse the below code that you've listed. Would this go inside a filter file? What does each line signify? For example, REVDNS END ENDSWITH .hotmail.com. I've not seen that syntax before. Is END a valid value in that column? What does it do? When was the END value introduced? I am currently running v1.75 and I know there's been a lot of stuff introduced since our Service Agreement expired. Thanks for your feedback. Dan

- Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 14, 2004 9:40 AM Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

Dan.. May be I am not understanding the question. But I basically have a couple of combination tests that are like the following:

REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH .hotmail.com

So with this logic you can add weight if someone is using Hotmail as return address but is not using hotmail to send mail. We have this for a lot of ISP's. Is this what you are trying to do?

Regards, -Kami

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, May 14, 2004 9:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

Kami, How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD.? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great.
Thanks, Dan Geiser [EMAIL PROTECTED]
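Kami's three-line filter and Scott Fisher's explanation of END together describe a small scoring machine: rules are read top to bottom, a matching rule with a numeric weight adds it, and a matching rule whose weight column is END stops the filter with whatever has been accumulated so far. The evaluator below is an added example that is not Declude's filter engine; it implements only those stated semantics plus the ENDSWITH comparison both posts use. Treating the field names as dictionary keys, comparing case-insensitively, and the three sample messages are assumptions/constructed data for the example.

```python
"""Evaluator for the REVDNS / MAILFROM / HELO combination filter quoted above.

Added example; it is not Declude's filter engine.  It implements the one rule the
thread states (a weight of END stops the filter and returns the score so far) and
the ENDSWITH test both posts use.  Field names as dictionary keys, case-insensitive
matching and the sample messages are assumptions/constructed for the example.
"""
FILTER_TEXT = """
REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH .hotmail.com
"""

# Comparison operators the evaluator understands; both sides are lower-cased first.
OPS = {
    "ENDSWITH": lambda subject, value: subject.endswith(value),
    "CONTAINS": lambda subject, value: value in subject,
    "IS": lambda subject, value: subject == value,
}


def parse_filter(text):
    """One rule per line: FIELD WEIGHT OP VALUE.  WEIGHT is an integer or END."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, weight, op, value = line.split(None, 3)
        if op.upper() not in OPS:
            raise ValueError(f"unknown operator in filter line: {line}")
        if weight.upper() != "END":
            int(weight)  # fail early on a malformed weight column
        rules.append((field.upper(), weight.upper(), op.upper(), value))
    return rules


def run_filter(rules, msg):
    """Apply rules top to bottom; returns (score, matched rule lines).

    Order matters: Kami's filter puts the END line first, so mail whose reverse
    DNS really ends in .hotmail.com leaves with 0 before any weight is added.
    """
    score, matched = 0, []
    for field, weight, op, value in rules:
        subject = msg.get(field, "").lower()
        if not OPS[op](subject, value.lower()):
            continue
        if weight == "END":
            return score, matched
        score += int(weight)
        matched.append(f"{field} {weight} {op} {value}")
    return score, matched


RULES = parse_filter(FILTER_TEXT)

# Constructed sample messages: genuine Hotmail, a forged Hotmail return address
# sent from somewhere else, and the same forgery with no reverse DNS at all.
GENUINE = {"REVDNS": "bay0-omc1-s3.bay0.hotmail.com",
           "MAILFROM": "someone@hotmail.com",
           "HELO": "bay0-omc1-s3.bay0.hotmail.com"}
FORGED = {"REVDNS": "cust-192-0-2-25.example.net",
          "MAILFROM": "someone@hotmail.com",
          "HELO": "mx1.hotmail.com"}
NO_RDNS = {"REVDNS": "",
           "MAILFROM": "someone@hotmail.com",
           "HELO": "192.0.2.25"}
```

Swapping the first two lines of FILTER_TEXT is the classic mistake with END: the MAILFROM weight would then be added before the REVDNS check terminates the filter, and genuine Hotmail mail would pick up 3 points instead of 0.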
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Bill, The value is in scoring the last hop hits higher than prior hop hits. In this case, a hit on XBL for the last appropriate hop (not IPBYPASSED) would result in 8 points (6 + 2), while a hit on a prior hop would result in just 2 points. Note that the number of false positives is much higher with prior hops on tests that populate from spamtraps or are designed to detect open relays. Tests like SBL and other static spam source tests have very little danger in scoring the same for every hop, though SBL will sometimes list spam zombies that are unresolved for periods of time (I wish they didn't do that).

Matt

Bill Landry wrote:

- Original Message - From: "Matt" [EMAIL PROTECTED]

XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0

Scott/Matt, would a configuration like above require multiple DNS queries since the hostnames defined in the tests are no longer identical? Or is the variable (in this case "%IP4R%") ignored in the hostname, so that as far as Declude is concerned, the hostnames are still identical?

Bill

-- MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/
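Matt's arithmetic (8 points when the connecting server is listed, 2 when only an earlier relay is) follows from pairing a last-hop-only test with an all-hops test against the same zone. The model below is an added example of that scheme and is not Declude code. The Received chains, the in-memory zone and the bypass list are constructed. Two behaviours are assumptions made for the model rather than documented Declude behaviour: a test adds its weight once however many hops hit, and an IPBYPASSed hop is removed before "last" is decided, so that the trusted relay's upstream becomes the scored last hop (Matt's "last appropriate hop").

```python
"""Scoring one DNSBL twice: full weight on the connecting hop, a token weight on any hop.

Added example modelling the XBL(LAST)/XBL(ALL) pairing from the thread; not Declude
code.  Hop chains, the in-memory zone and the bypass list are constructed.  Assumed,
not documented: a test fires at most once per message, and bypassed hops are dropped
before the "last" hop is chosen.
"""
from dataclasses import dataclass

ZONE = "sbl-xbl.spamhaus.org"

# Constructed ip4r zone: two listed addresses from the RFC 5737 documentation ranges.
FAKE_DNS = {
    "25.2.0.192." + ZONE: "127.0.0.4",    # 192.0.2.25
    "9.113.0.203." + ZONE: "127.0.0.4",   # 203.0.113.9
}

# Constructed: a trusted secondary MX whose hop must never be scored.
IPBYPASS = {"198.51.100.7"}


@dataclass(frozen=True)
class DnsblTest:
    name: str
    scope: str      # "last": connecting IP only; "all": every non-bypassed hop
    zone: str
    code: str       # A record that counts as listed
    weight: int


TESTS = [
    DnsblTest("XBL(LAST)", "last", ZONE, "127.0.0.4", 6),
    DnsblTest("XBL(ALL)", "all", ZONE, "127.0.0.4", 2),
]


def ip4r(ip: str, zone: str) -> str:
    """Reversed-octet query name, as %IP4R% or an ip4r test would build it."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, test: DnsblTest, dns=FAKE_DNS) -> bool:
    return dns.get(ip4r(ip, test.zone)) == test.code


def score(hops, tests=TESTS, bypass=IPBYPASS, dns=FAKE_DNS):
    """hops: IPs from the Received chain, connecting server first, origin last.

    Returns (total weight, names of the tests that fired).
    """
    scored = [h for h in hops if h not in bypass]
    total, fired = 0, []
    for t in tests:
        candidates = scored[:1] if t.scope == "last" else scored
        if any(is_listed(h, t, dns) for h in candidates):
            total += t.weight
            fired.append(t.name)
    return total, fired
```

As Scott notes in the thread, the two tests still cost two DNS queries per hop even though they resolve inside the same zone; the model makes that visible because is_listed is called separately for each DnsblTest.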
Re: [Declude.JunkMail] dynamic.rhs.mailpolice.com config
Looking at yesterday's numbers: About 2200 mails after I added the new MailPolice tests.

I had 363 matches on the MailPolice-REVDNS. 362 spam, 1 not spam. The bad news is that all 362 were already over my hold weight.

I had 281 matches on the MailPolice-HELO. 281 spam. All 281 MailPolice-HELO's also matched on the MailPolice-REVDNS.

Out of the 281 matches on the MailPolice-HELO, 24 were also matched on MailPolice-Bulk.
Out of the 281 matches on the MailPolice-HELO, 1 was also matched on MailPolice-Porn.
Out of the 363 matches on the MailPolice-REVDNS, 27 were also matched on MailPolice-Bulk.
Out of the 363 matches on the MailPolice-REVDNS, 2 were also matched on MailPolice-Porn.

Scott Fisher Director of IT Farm Progress Companies

[EMAIL PROTECTED] 05/13/04 05:34PM

Here's a working config for MailPolice's dynamic test (PPP/DSL/cable) that tests both the reverse DNS entry and the HELO entry (zombie spamware often uses the reverse DNS entry for the HELO).

MAILPOLICE-DYNA-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.200
MAILPOLICE-DYNA-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.200

I have verified that this works. My only concern is what MailPolice considers appropriate for the DSL and Cable entries. Nevertheless, if their list sucks, it shouldn't be that hard to create our own. It also appears that it may be a good idea to start pumping a zone full of what might have been filtered with custom filters before for both simplicity, and for efficiency. There are also other RHSBL tests out there appropriate for the other technique shown earlier, and there are some interesting ones at MailPolice that could come in handy such as their Web-mail test which in combination with another filter like CMDSPACE, XBL, etc., could come in handy.

Matt
Re: [Declude.JunkMail] ALLRECIPs filter trouble
It's working now. That'll drop a bunch of stuff out of hold status.

Scott Fisher
Director of IT
Farm Progress Companies

[EMAIL PROTECTED] 05/14/04 03:07PM
> No matches with the [EMAIL PROTECTED] format either.

Actually, it needs to be [EMAIL PROTECTED], [EMAIL PROTECTED] (where the first [EMAIL PROTECTED] is the name entered by the user, and the second one is the one that IMail uses).

-Scott
[Declude.JunkMail] Whitelistfile
Scott,

Can I point to two whitelistfiles in the per user config file for junkmail (i.e. two WHITELISTFILE entries on separate lines)? For example, one to main corporate then a personal one.

Thanks,
Keith
RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Matt,

I think there is a misunderstanding (possibly on MY side).

> DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name

I was aware that DUL/DYNA/DUHL only checks the LAST hop (the server connecting to you) - but doesn't check the prior hops. The idea is, of course, that ANY valid dial-up user will eventually appear in the first hop - the one to his provider's mail server. But a dial-up user should never be contacting YOUR mail server directly - so the LAST hop should not come from a dial-up user.

What you are saying sounds almost like the reverse?

> I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address.

You mean forging an IP address? Or forging a FROM address? I don't believe Declude "trusts" the from address - of course it will be forged for spam!?

> Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH. The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit.

I use AUTH as well without problems. If you don't want the DUL/DYNA/DUHL, then why are you using those strings?

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, May 14, 2004 02:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

Don,

Since I started this thread, I'll try to answer what's at issue here.

Declude has functionality to only scan the last hop on any dnsbl, ip4r and rhsbl test when it has either DUL, DYNA or DUHL in the name of the test. This is done in order to protect you from scoring hits on dial-up or residential IP's when they weren't the connecting server and when you are using Declude to score on multiple hops (I believe this is version restricted).

In order to keep these DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name. This was very useful until IMail 8 came along and they started providing an indication of whether or not AUTH was used in the Q*.SMD file. When IMail 8 did that, Scott introduced a function called WHITELIST AUTH that will whitelist any E-mail that is AUTH'd.

Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH. The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit.

So for users that have IMail 8, where all of their users are whitelisted either by IP or by AUTH, it would be nice to turn this functionality off.

Something that seemed to confuse you was the fact that I am using several tests twice like so:

XBL(LAST) dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 6 0
XBL(ALL) ip4r sbl-xbl.spamhaus.org 127.0.0.4 2 0

The reason why I do this is because I score on multiple hops, and instead of having XBL score exactly the same on every hop, I created a work around so that it would score higher on the last hop, and lower if it only hit one of the prior hops. The prior hop functionality helps with catching spam that is relayed from one open relay to another open relay, or worse yet, from an open relay to a legitimate mail server. At the same time there are lots of IP's in some of these lists that have long since been fixed/closed and are sending only legitimate E-mail through legitimate servers, and only adding a few points helps protect from false positives.

The former kludge that I used was to use (DYNA) in the name of the test that I only wanted to score on the last hop, but this morning, I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address. By changing the test to how it appears as XBL(LAST) in the above example, I'm creating a way to score only the last hop without it being defeated when a local address is forged and DUL/DYNA/DUHL appears in the name.

The short answer is that in the example above for XBL(LAST), using the dnsbl/%IP4R% hack, you can construct a test that only hits the last hop (if you
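The XBL(LAST)/XBL(ALL) arrangement from Matt's quoted message and the MailPolice %REVDNS% RHSBL line from the earlier message, simulated as an added example (not Declude's code): the DNS answers, Received chains, local domain and the MailPolice weight are constructed, and the DUL/DYNA/DUHL skip for a local Mail From is modelled as Matt describes it, so the effect of renaming a test away from those strings can be seen directly.

```python
"""Simulated Declude-style DNSBL scoring for the tests discussed in the thread.
Added example, not Declude's code: DNS answers, IPs, local domain and the
MailPolice weight are constructed; the DUL/DYNA/DUHL skip is modelled as Matt
describes it."""

# Constructed stand-in for the DNS answers a live install would receive.
FAKE_DNS = {
    "44.100.51.198.sbl-xbl.spamhaus.org": "127.0.0.4",  # relay two hops back
    "20.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",     # zombie connecting directly
    "cust-20.example-dsl.net.dynamic.rhs.mailpolice.com": "127.0.0.200",
}
LOCAL_DOMAINS = {"example.com"}  # constructed: domains hosted on this IMail box
HOPHIGH = 3                      # prior hops examined beyond the connecting IP

# Same column order as the GLOBAL.CFG lines in the thread:
# name, type, zone or template, expected answer, weight (MailPolice weight constructed).
TESTS = [
    ("XBL(LAST)", "dnsbl", "%IP4R%.sbl-xbl.spamhaus.org", "127.0.0.4", 6),
    ("XBL(ALL)", "ip4r", "sbl-xbl.spamhaus.org", "127.0.0.4", 2),
    ("MAILPOLICE-DYNA-REVDNS", "dnsbl",
     "%REVDNS%.dynamic.rhs.mailpolice.com", "127.0.0.200", 5),
]

def reverse_octets(ip):
    """192.0.2.20 -> 20.2.0.192, the usual ip4r query form."""
    return ".".join(reversed(ip.split(".")))

def expand(template, hop):
    """Fill %IP4R%, %REVDNS% and %HELO% from one Received hop."""
    return (template.replace("%IP4R%", reverse_octets(hop["ip"]))
            .replace("%REVDNS%", hop["revdns"])
            .replace("%HELO%", hop["helo"]))

def is_dul_named(name):
    return any(tag in name.upper() for tag in ("DUL", "DYNA", "DUHL"))

def score(hops, mail_from, tests=TESTS, skip_dul_for_local_from=True):
    """hops[0] is the connecting server, hops[1:] earlier Received lines.
    Returns (total weight, names of the tests that hit)."""
    local_sender = mail_from.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
    total, hits = 0, []
    for name, kind, zone, expected, weight in tests:
        if skip_dul_for_local_from and local_sender and is_dul_named(name):
            continue  # DUL-named test silently disabled for a "local" Mail From
        if kind == "dnsbl":
            queries = [expand(zone, hops[0])]  # template: connecting hop only
        else:
            queries = [reverse_octets(h["ip"]) + "." + zone
                       for h in hops[:HOPHIGH + 1]]  # ip4r: every hop checked
        if any(FAKE_DNS.get(q) == expected for q in queries):
            total += weight
            hits.append(name)
    return total, hits

# Constructed Received chains; documentation-range IPs only.
RELAYED = [
    {"ip": "192.0.2.10", "revdns": "mx.example.net", "helo": "mx.example.net"},
    {"ip": "198.51.100.44", "revdns": "relay.example.org", "helo": "relay"},
]
ZOMBIE = [
    {"ip": "192.0.2.20", "revdns": "cust-20.example-dsl.net",
     "helo": "cust-20.example-dsl.net"},
]

if __name__ == "__main__":
    print(score(RELAYED, "someone@example.org"))  # (2, ['XBL(ALL)'])
    print(score(ZOMBIE, "someone@example.org"))   # (13, all three tests)
    print(score(ZOMBIE, "forged@example.com"))    # (8, ...) MailPolice test skipped
```

The third call shows the weakness under discussion: the forged local Mail From costs only the DYNA-named test, while XBL(LAST), which carries no such string, still scores the connecting IP.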
Re: [Declude.JunkMail] dynamic.rhs.mailpolice.com config
Scott,

I don't think the results that you found are that bad actually. Just because something is over your hold weight doesn't mean adding more points isn't valuable. I split my held messages into a range of 10-24 and another that is 25+. I've managed to get about 97% to 98% of the spam to score at 25+ where false positives are very, very rare, and therefore I don't bother monitoring this range. The double hits with MailPolice-Porn and Bulk are a good way to really cremate E-mail with points.

I unfortunately found out today that dynamic.rhs.mailpolice.com isn't as clean as I would like for it to be. I came across the following false positive this morning, though of course there may have been more that still passed that I'm not aware of.

mta4.rcsntx.swbell.net [151.164.30.28]

I have temporarily removed the REVDNS test, and dropped the weight of the HELO test to just 2 points. I think what I am probably going to do here is create my own reverse DNS test. I'll do this by making nominations from my spam capture Hold account and look for things that didn't fail a DUL list. I may make an external test to handle reverse DNS entries as the HELO, considering that DNS is limited to just one wildcard representing a full sub-domain and not any partial matches. I score DUL hits very high and can't tolerate problems like the above (I score DUL hits in a single filter as a combo test with one score no matter how many lists a hit appears in). The above false positive tripped both the REVDNS and the HELO tests, and it came in at 21 points which is pretty high for a false positive personal E-mail on my system.

Matt

Scott Fisher wrote:

> Looking at yesterday's numbers: About 2200 mails after I added the new MailPolice tests.
>
> I had 363 matches on the MailPolice-REVDNS. 362 spam, 1 not spam. The bad news is that all 362 were already over my hold weight.
> I had 281 matches on the MailPolice-HELO. 281 spam.
> All 281 MailPolice-HELO's also matched on the MailPolice-REVDNS.
> Out of the 281 matches on the MailPolice-HELO, 24 were also matched on MailPolice-Bulk.
> Out of the 281 matches on the MailPolice-HELO, 1 was also matched on MailPolice-Porn.
> Out of the 363 matches on the MailPolice-REVDNS, 27 were also matched on MailPolice-Bulk.
> Out of the 363 matches on the MailPolice-REVDNS, 2 were also matched on MailPolice-Porn.
>
> Scott Fisher
> Director of IT
> Farm Progress Companies
>
> [EMAIL PROTECTED] 05/13/04 05:34PM
> Here's a working config for MailPolice's dynamic test (PPP/DSL/cable) that tests both the reverse DNS entry and the HELO entry (zombie spamware often uses the reverse DNS entry for the HELO).
>
> MAILPOLICE-DYNA-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.200
> MAILPOLICE-DYNA-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.200
>
> I have verified that this works. My only concern is what MailPolice considers appropriate for the DSL and Cable entries. Nevertheless, if their list sucks, it shouldn't be that hard to create our own.
>
> It also appears that it may be a good idea to start pumping a zone full of what might have been filtered with custom filters before, for both simplicity and for efficiency. There are also other RHSBL tests out there appropriate for the other technique shown earlier, and there are some interesting ones at MailPolice that could come in handy, such as their Web-mail test which in combination with another filter like CMDSPACE, XBL, etc., could come in handy.
>
> Matt
>
> --
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Andy Schmidt wrote:

> Matt,
>
> I think there is a misunderstanding (possibly on MY side).
>
>> DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name
>
> I was aware that DUL/DYNA/DUHL only checks the LAST hop (the server connecting to you) - but doesn't check the prior hops. The idea is, of course, that ANY valid dial-up user will eventually appear in the first hop - the one to his provider's mail server. But a dial-up user should never be contacting YOUR mail server directly - so the LAST hop should not come from a dial-up user.
>
> What you are saying sounds almost like the reverse?

The caveat is that if the connecting IP is from your own customer trying to send E-mail, it may very well be a DUL IP.

>> I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address.
>
> You mean forging an IP address? Or forging a FROM address? I don't believe Declude "trusts" the from address - of course it will be forged for spam!?

At this moment, Declude will not apply scores from any dnsbl, ip4r or rhsbl tests if they have either DUL, DYNA or DUHL in the name AND the Mail From matches a local user. So to a certain extent, Declude does "trust" the from address. The reason for this was to defeat DUL tests for local users that might be sending from IP's listed in DUL lists. This was good thinking before WHITELIST AUTH became available because otherwise we couldn't use DUL lists effectively if we hosted accounts and had users that came in from DUL IP's, but for those that can whitelist all legitimate senders, either by IP, AUTH, or otherwise guarantee that no one will be sending from a DUL tagged IP, turning this feature off is of great benefit. The work-around discussed today is also an effective means of doing this.

>> Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH. The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit.
>
> I use AUTH as well without problems. If you don't want the DUL/DYNA/DUHL, then why are you using those strings?

I was using those strings on non-DUL tests as a kludge. I've tried to explain this several times recently and in the past. I score on multiple hops, but I want to score hits on the connecting IP higher than on a relaying IP. I am doing this because some spam is relayed from one machine to another and even through an ISP's mailserver, but at the same time, there is a higher false positive rate with relaying IP's because some lists keep IP's in their database for many months or even years after they are nominated, and without an attempt to clean up the listing. ORDB for instance is very bad about this, and their removal process is useless in this regard since most broadband IP's don't have mail servers to receive the removal requests on. Take a look at the reply to Bill from two messages ago for further explanation of why this is done, and note that I was only naming tests like XBL(DYNA) to make that one test only score on the last hop, and the one marked XBL(ALL) would score on any hop that matched, including the first. I have HOPHIGH set to 3 which means (I believe) that I am checking as many as 4 hops (or 3 hops plus the connecting IP).

Matt

> Best Regards
> Andy Schmidt
> HM Systems Software, Inc.
> 600 East Crescent Avenue, Suite 203
> Upper Saddle River, NJ 07458-1846
> Phone: +1 201 934-3414 x20 (Business)
> Fax: +1 201 934-9206
> http://www.HM-Software.com/
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
> Sent: Friday, May 14, 2004 02:41 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
>
> Don,
>
> Since I started this thread, I'll try to answer what's at issue here.
>
> Declude has functionality to only scan the last hop on any dnsbl, ip4r and rhsbl test when it has either DUL, DYNA or DUHL in the name of the test. This is done in order to protect you from scoring hits on dial-up or residential IP's when they weren't the connecting server and when you are using Declude to score on multiple hops (I believe this is version restricted).
>
> In order to keep these DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name. This was very useful until IMail 8 came along and they started providing an indication of whether or not AUTH was used in the Q*.SMD file. When IMail 8 did that,
Re: [Declude.JunkMail] Whitelistfile
> Can I point to two whitelistfiles in the per user config file for junkmail (i.e. two WHITELISTFILE entries on separate lines)? For example, one to main corporate then a personal one.
>
> Thanks,

Yes, that will work fine.

-Scott
Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank
See below

Friday, May 14, 2004, 5:22:35 PM, Matt [EMAIL PROTECTED] wrote:

M Andy Schmidt wrote:
M Matt,
M
M I think there is a misunderstanding (possibly on MY side).
M
M DUL/DYNA/DUHL tests from hitting your own local users when they are sending E-mail (only one hop and typically dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test when they have one of those strings in the name
M
M I was aware that DUL/DYNA/DUHL only checks the LAST hop (the server connecting to you) - but doesn't check the prior hops. The idea is, of course, that ANY valid dial-up user will eventually appear in the first hop - the one to his provider's mail server. But a dial-up user should never be contacting YOUR mail server directly - so the LAST hop should not come from a dial-up user.
M
M What you are saying sounds almost like the reverse?
M
M The caveat is that if the connecting IP is from your own customer trying to send E-mail, it may very well be a DUL IP.

However, if you are using Imail 8 with Authentication and Whitelist Auth in Declude, it doesn't matter. The mail is whitelisted anyway and is not subject to the DUL tests or any other tests, for that matter.

M I found that on locally hosted E-mail, this test would be defeated if the spammer forged a local address.
M
M You mean forging an IP address? Or forging a FROM address? I don't believe Declude trusts the from address - of course it will be forged for spam!?
M
M At this moment, Declude will not apply scores from any dnsbl, ip4r or rhsbl tests if they have either DUL, DYNA or DUHL in the name AND the Mail From matches a local user.

I don't think that is accurate, except to the extent that if the user Authenticated (which has nothing to do with a forged 'from' address) that no checks will happen, since the e-mail is whitelisted at that point. OTOH, if it is not from an Authenticated user, and thus not a whitelisted e-mail, it is subject to all tests.

M So to a certain extent, Declude does trust the from address. The reason for this was to defeat DUL tests for local users that might be sending from IP's listed in DUL lists.

Apples and oranges. Stick to IP or the 'From' address. The test doesn't flip-flop. It's an ip4r or it's an rhsbl test - they are mutually exclusive to a certain extent - however, both are moot with Imail 8 and Whitelist Auth, since the e-mail will be whitelisted and not subject to either test, if the sender authenticated for smtp.

M This was good thinking before WHITELIST AUTH became available because otherwise we couldn't use DUL lists effectively if we hosted accounts and had users that came in from DUL IP's, but for those that can whitelist all legitimate senders, either by IP, AUTH, or otherwise guarantee that no one will be sending from a DUL tagged IP, turning this feature off is of great benefit. The work-around discussed today is also an effective means of doing this.

I don't think that's correct. You could whitelist your block of IP addresses, before Auth. However, you're talking about applying the DUL list to more than the last hop, which is totally different, and in doing so, you will inevitably come upon the sending IP, which is potentially listed on the DUL and therefore potentially tag a legitimate e-mail. However, if the e-mail is sent from one of your users, using your SMTP, then they will have authenticated, be whitelisted and not subject to the test. I just don't see what you really accomplish other than to do more DNS transactions.

M Every user on my system uses AUTH and I'm on IMail 8 so I can take advantage of WHITELIST AUTH. The issue now is that when a spammer forges a locally hosted address in the Mail From, Declude is still disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the name, and this now represents a weakness instead of a benefit.
M
M I use AUTH as well without problems. If you don't want the DUL/DYNA/DUHL, then why are you using those strings?

Good point. Although I really don't comprehend the value in the tests, the easy way around it would be to change the name of the tests to eliminate the DUL/DYNA/DUHL part of the string. Still, I don't comprehend why you'd want to do that. Maybe my gray matter is back of book -- it's late for an old guy . . . .

M I was using those strings on non-DUL tests as a kludge. I've tried to explain this several times recently and in the past. I score on multiple hops, but I want to score hits on the connecting IP higher than on a relaying IP. I am doing this because some spam is relayed from one machine to another and even through an ISP's mailserver, but at the same time, there is a higher false positive rate with relaying IP's because some lists keep IP's in their database for many months or even years after they are nominated, and without an attempt to clean up the listing. ORDB for instance is very bad about this, and their removal process
RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Scott (in case you're not gone yet):

> At this moment, Declude will not apply scores from any dnsbl, ip4r or rhsbl tests if they have either DUL, DYNA or DUHL in the name AND the Mail From matches a local user.

Does Declude REALLY trust the mail from and will bypass DUL/DYNA/DUHL test just by someone forging the mail from? Never heard about that "bug"/behavior before?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206