Re: [Declude.JunkMail] I'm going to be away next week

2004-05-14 Thread System Administrator
on 5/13/04 2:16 PM, R. Scott Perry wrote:

 So if you know the answers to questions on the list that I might have
 otherwise answered, feel free to answer them.

Does that mean we can approve feature requests that we know you'd like? ;)

Enjoy your time away from us,
Greg 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] I'm going to be away next week

2004-05-14 Thread ISPhuset Nordic AS
 
 Does that mean we can approve feature requests that we know 
 you'd like? ;)
 
 Enjoy your time away from us,
 Greg 

As long as he does not say otherwise it must be so :-)

Damn, so many new features we can get here hehehehehe



Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Dan Geiser
Scott,
I know it's been a while since you posted the answer to my original question
but I would _love_ to have a test which functions exactly the same as
spamdomains but instead of searching the reverse DNS in a CONTAINS type
manner it searched it in an ENDSWITH type manner.

That would allow me to create a file like the below (that would be used with
the ENDSWITH-type spamdomains test)...

-
a.edu
b.edu
c.edu
d.edu
.
.
.
w.edu
x.edu
y.edu
z.edu
-

which I would use to add a small amount of points for the end of every
SENDER that doesn't match the end of every REVDNS in the edu TLD.  With
edu especially a large majority of the time it does match so points for
not matching would be great.

And that's just one example of how that would be very useful to me.
Just another request to give consideration for the future.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 7:11 PM
Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?



 If I have a SPAMDOMAINS type test in my GLOBAL.CFG...
 
 SD-TLD   spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt  x 5 0
 
 ...and I have some entries in the corresponding flat text file like below...
 
 .mil
 
 will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner or
 an ENDSWITH type manner?

 It will work like CONTAINS, so:

 For example would the host name .milton-bradley.com in the below...
 
 -
 X-Note: Sent with HELO [mail] from Reverse DNS [mail.milton-bradley.com]
 -
 
 get flagged as passing or failing the SPAMDOMAINS test?

 That one would get caught, if the reverse DNS entry did not contain .mil
 in it.  So if the E-mail was from [EMAIL PROTECTED], and the
 reverse DNS entry was mail.milton-bradley.com, the E-mail would not fail
 the test (but if the reverse DNS was mail.someone_else.com, it would fail
 the test).

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers
 since 2000.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.

 Sign up for virus-free and spam-free e-mail with Nexus Technology Group
 http://www.nexustechgroup.com/mailscan





RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Kami Razvan
Dan..

Can you not use a filter file for this?

Kami 



Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Dan Geiser
Kami,
How do you see me using a filter file to add a small amount of points for
the end of every SENDER that doesn't match the end of every REVDNS in the
edu TLD?

I don't know how to use a filter file to compare a string in one field to a
string in another.

If it can be done that would be great.

Thanks,
Dan Geiser
[EMAIL PROTECTED]


RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Kami Razvan
Dan..
Maybe I am not understanding the question.  But I basically have a couple
of combination tests that are like the following:

REVDNS    END  ENDSWITH  .hotmail.com
MAILFROM  3    ENDSWITH  @hotmail.com
HELO      5    ENDSWITH  .hotmail.com

So with this logic you can add weight if someone is using Hotmail as return
address but is not using hotmail to send mail.

We have this for a lot of ISPs.

Is this what you are trying to do?

Regards,
-Kami
 

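Scott's CONTAINS answer for SPAMDOMAINS and Kami's END/ENDSWITH combination test, modelled together in Python as an added example (my own code, not Declude's). It assumes the filter grammar FIELD WEIGHT OPERATOR VALUE, that a matching END line stops evaluation of the file (which is how Kami's logic reads), and constructed sample messages; ends_with_label is an added label-boundary check, not a Declude operator.

```python
"""Declude-style filter lines (FIELD WEIGHT OPERATOR VALUE) modelled in Python.

Constructed example: a small evaluator, not Declude's implementation. It covers
two things from the thread: the CONTAINS behaviour Scott describes for
SPAMDOMAINS, and Kami's END/ENDSWITH combination test.
"""
from dataclasses import dataclass


@dataclass
class Message:
    revdns: str    # reverse DNS name of the connecting IP ("" when there is none)
    mailfrom: str  # SMTP MAIL FROM address
    helo: str      # name the client offered in HELO/EHLO


def match(op: str, subject: str, value: str) -> bool:
    """Case-insensitive string operators as the filter files use them."""
    s, v = subject.lower(), value.lower()
    if op == "CONTAINS":
        return v in s
    if op == "ENDSWITH":
        return s.endswith(v)
    if op == "IS":
        return s == v
    if op == "ISBLANK":
        return s.strip() == ""
    raise ValueError(f"unknown operator {op!r}")


def ends_with_label(name: str, suffix: str) -> bool:
    """Added label-boundary check (not a Declude operator): a list entry such as
    a.edu should match mail.a.edu but not bnca.edu, which plain ENDSWITH accepts."""
    n, s = name.lower(), suffix.lower().lstrip(".")
    return n == s or n.endswith("." + s)


def spamdomains_fails(entry: str, sender: str, revdns: str, op: str) -> bool:
    """SPAMDOMAINS as Scott explains it: a sender whose address is in a listed
    domain fails the test when the reverse DNS does not match that entry.
    Declude matches the entry as CONTAINS; ENDSWITH is the variant Dan asked for."""
    if not match("ENDSWITH", sender, entry):
        return False  # the entry does not apply to this sender
    return not match(op, revdns, entry)


def parse_filter(text: str) -> list:
    """Parse 'FIELD WEIGHT OPERATOR VALUE' lines; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, weight, op, value = line.split(None, 3)
        rules.append((field.upper(), weight.upper(), op.upper(), value))
    return rules


def run_filter(rules, msg: Message) -> int:
    """Sum the weights of matching lines. Assumption: a matching line whose
    weight is END stops evaluation of the file, which is how Kami's logic reads."""
    total = 0
    for field, weight, op, value in rules:
        if not match(op, getattr(msg, field.lower()), value):
            continue
        if weight == "END":
            break
        total += int(weight)
    return total


# Kami's combination test, spacing restored: stop if the connecting host really
# is Hotmail; otherwise score a Hotmail return address and a Hotmail HELO.
KAMI_FILTER = """
REVDNS    END  ENDSWITH  .hotmail.com
MAILFROM  3    ENDSWITH  @hotmail.com
HELO      5    ENDSWITH  .hotmail.com
"""

if __name__ == "__main__":
    # The .mil entry from the thread: CONTAINS is satisfied by milton-bradley.com,
    # so a forged .mil sender relayed through that host is not flagged.
    for op in ("CONTAINS", "ENDSWITH"):
        print(op, spamdomains_fails(".mil", "user@example.mil",
                                    "mail.milton-bradley.com", op))
    rules = parse_filter(KAMI_FILTER)
    # Constructed messages: genuine Hotmail, then a forged Hotmail sender relayed
    # from a dial-up host (reverse DNS taken from Matt's headers in this thread).
    print(run_filter(rules, Message("bay0-omc1-s1.bay0.hotmail.com",
                                    "user@hotmail.com", "bay0-omc1-s1.bay0.hotmail.com")))
    print(run_filter(rules, Message("p508B2C3C.dip.t-dialin.net",
                                    "user@hotmail.com", "mail.hotmail.com")))
```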


Re: [Declude.JunkMail] ISBLANK is blank

2004-05-14 Thread Matt




I just figured out why SPAMCOP(DYNA) didn't hit...it's because the
sender forged a local address as the Mail From and it appears that this
is what you are using as a trip to turn off DUL tests. Please allow
those of us on IMail 8.x with WHITELIST AUTH to turn this feature off.
There was an old discussion about this, but clearly this is causing
problems since it is being exploited. In fact this severely weakens my
system for hosted accounts, and unfortunately I wasn't aware of how big
the issue was until now.

Thanks,

Matt





-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




[Declude.JunkMail] ISBLANK is blank

2004-05-14 Thread Matt




Scott,

I have a filter for the following that isn't getting hit:

BODY 4 ISBLANK
SUBJECT  2 ISBLANK

For some reason IMail consistently delivers messages from broken
spamware, and those filters seem like the best way to add points to the
message. Here's an example:
Received: from p508B2C3C.dip.t-dialin.net
[80.139.44.60] by mx3.mailpure.com
 (SMTPD32-8.05) id AAA6127301CC; Tue, 11 May 2004 09:52:38 -0400
Received: from h[8
Subject: [16]
X-MailPure:

X-MailPure: SPAMCOP(ALL): Failed, listed in bl.spamcop.net (weight 2).
X-MailPure: FIVETEN-SPAM: Failed, listed in blackholes.five-ten-sg.com
(weight 1).
X-MailPure: BRINKPATTERN: Failed, BRINK pattern found (weight 1).
X-MailPure: BADHEADERS: Failed, headers not RFC compliant [8c21]
(weight 4).
X-MailPure: CMDSPACE: Failed, improperly formatted SMTP commands
(weight 3).
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure: FOREIGN: Message failed FOREIGN test (line 1432, weight 3)
(weight capped at 3).
X-MailPure: RECIPIENTS: hidden
X-MailPure:

X-MailPure: Spam Score: 16
X-MailPure: Scan Time: 09:52:44 on 05/11/2004
X-MailPure: Spool File: Ddaa6127301cc364a.SMD
X-MailPure: Server Name: p508B2C3C.dip.t-dialin.net
X-MailPure: SMTP Sender: hidden
  X-MailPure: Received From: p508B2C3C.dip.t-dialin.net
[80.139.44.60]
X-MailPure: Country Chain: GERMANY-destination
X-MailPure:

X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:


They always look like this, and while these account for about 2.5% of
my hold file, many more are scoring higher and unfortunately some of
these are also passing.

Also note that I have no idea why SPAMCOP(ALL) failed and SPAMCOP(DYNA)
didn't fail considering that there is only one IP shown, but that's
another issue.

Thanks,

Matt




[Declude.JunkMail] badheader variable?

2004-05-14 Thread Scott Fisher
I see a fair amount of spam e-mails that fail badheaders of c8000246 or c8000247 which 
means no From address.

As a result all of the headers and body are put in the body. I'm wondering if the 
badheaders return code could be made into a variable?

I'd be thinking along the lines of:

BADHEADERS  10  IS c8000246
BADHEADERS  10  IS c8000247

Scott Fisher
Director of IT
Farm Progress Companies



[Declude.JunkMail] ALLRECIPs filter trouble

2004-05-14 Thread Scott Fisher
I'm running 179i7.

I'm not getting any matches on ALLRECIPS filters with the IS. Anyone have any tips?

ALLRECIPS   20  IS  [EMAIL PROTECTED] 


I am getting matches with the CONTAINS filter.

ALLRECIPS   20  CONTAINS  [EMAIL PROTECTED]

Scott Fisher
Director of IT
Farm Progress Companies



Re: [Declude.JunkMail] ALLRECIPs filter trouble

2004-05-14 Thread R. Scott Perry

I'm not getting any matches on ALLRECIPS filters with the IS. Anyone have 
any tips?

ALLRECIPS   20  IS  [EMAIL PROTECTED]
If you change it to:

ALLRECIPS   20  IS  [EMAIL PROTECTED]

then it should work.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] badheader variable?

2004-05-14 Thread R. Scott Perry

I see a fair amount of spam e-mails that fail badheaders of c8000246 or 
c8000247 which means no From address.

As a result all of the headers and body are put in the body. I'm wondering 
if the badheaders return code could be made into a variable?

I'd be thinking along the lines of:

BADHEADERS  10  IS c8000246
BADHEADERS  10  IS c8000247
Interesting idea -- this has been added to the suggestion database.

   -Scott


Re: [Declude.JunkMail] ISBLANK is blank

2004-05-14 Thread R. Scott Perry

I have a filter for the following that isn't getting hit:

BODY     4  ISBLANK
SUBJECT  2  ISBLANK
That's because of the way that Declude JunkMail now handles encoded 
subjects/bodies -- we will try to change that behavior.

Also note that I have no idea why SPAMCOP(ALL) failed and SPAMCOP(DYNA) 
didn't fail considering that there is only one IP shown, but that's 
another issue.
I'll take a look into this, and see if we can add an option to determine if 
Declude Junkmail skips those tests for seemingly local users.

   -Scott


Re: [Declude.JunkMail] ISBLANK is blank

2004-05-14 Thread Matt
Thanks Scott.  In the meantime regarding the DUL/DUHL/DYNA thing, I
figured that I can actually use the DNSBL hack you showed yesterday,
using %REMOTEIP%, and change the names in order to avoid this behavior,
but that's only a workaround and I'm sure that a simple switch would be
preferred for most.  Thankfully only 10% of my traffic is hosted, and
that's also why I didn't notice that this extended beyond the real DUL
tests until now.

You could save me a bit of time though by answering this one question.  
With custom filters, will they also be skipped if there is a 
DUL/DUHL/DYNA in the name and the Mail From is local, i.e. DYNAMIC or 
DUL-COMBO?  If so, I'll just change those names as well though I would 
prefer not to.

Thanks,

Matt





Re: [Declude.JunkMail] ISBLANK is blank

2004-05-14 Thread R. Scott Perry

You could save me a bit of time though by answering this one question.
With custom filters, will they also be skipped if there is a DUL/DUHL/DYNA 
in the name and the Mail From is local, i.e. DYNAMIC or DUL-COMBO?  If so, 
I'll just change those names as well though I would prefer not to.
No -- the filters will not be skipped based on the test name.

   -Scott


Re: [Declude.JunkMail] OT SPF PTR Problem

2004-05-14 Thread R. Scott Perry

I have therefore added a ptr:directpceu.com record to the domain, and
tested it here:
http://www.dnsstuff.com/tools/spf.ch?server=bedstone.org&ip=62.128.191.26
This page and the SPF test page both say the email should fail. Even
though 62.128.191.26 has a reverse ending in directpceu.com
The catch here is a technicality of SPF, where it won't allow the ptr: to 
pass if the PTR record matches, but has no A record pointing back to the 
same IP.

So in this case, relay03-1.direcpceu.com does contain direcpceu.com, but 
since relay03-1.direcpceu.com does not have an A record, it doesn't pass 
the test.

   -Scott
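The SPF technicality Scott describes, worked through in Python as an added example (my own code, not Declude's or the dnsstuff tool's): a ptr: mechanism that only counts PTR names whose own A records point back to the connecting IP. It assumes an in-memory DNS table in place of a resolver; the relay03-1.direcpceu.com entry mirrors the thread (domain spelled as in Scott's reply), and the example.net entries are constructed.

```python
"""SPF 'ptr:' mechanism with validated reverse DNS, as an added illustration.

Constructed example: DNS answers come from an in-memory table, not a resolver.
The case Scott describes is modelled with the IP and host name from the thread;
the example.net entries are made up to show the passing and stale-PTR cases.
"""
from ipaddress import ip_address

# Constructed zone data. relay03-1.direcpceu.com deliberately has no A record,
# which is the situation Scott explains.
DNS = {
    ("26.191.128.62.in-addr.arpa", "PTR"): ["relay03-1.direcpceu.com"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mx.example.net", "www.example.net"],
    ("mx.example.net", "A"): ["192.0.2.10"],
    ("www.example.net", "A"): ["203.0.113.5"],  # PTR points here, A does not point back
}


def lookup(name: str, rrtype: str) -> list:
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get((name.lower().rstrip("."), rrtype), [])


def in_domain(name: str, domain: str) -> bool:
    """True when name is the domain or a subdomain of it (label boundary respected)."""
    n, d = name.lower().rstrip("."), domain.lower().rstrip(".")
    return n == d or n.endswith("." + d)


def naive_ptr_match(ip: str, target_domain: str) -> bool:
    """The reading that makes the record look like it should pass: any PTR name
    for the IP that ends in the target domain, with no forward check."""
    return any(in_domain(n, target_domain)
               for n in lookup(ip_address(ip).reverse_pointer, "PTR"))


def validated_ptr_names(ip: str) -> list:
    """Only PTR names whose own A records include the IP count as validated
    (the rule SPF specifies for ptr:, RFC 4408 section 5.5)."""
    rev = ip_address(ip).reverse_pointer
    return [n for n in lookup(rev, "PTR") if ip in lookup(n, "A")]


def ptr_mechanism_matches(ip: str, target_domain: str) -> bool:
    """SPF ptr:<target-domain>: does a validated name fall under the target?"""
    return any(in_domain(n, target_domain) for n in validated_ptr_names(ip))


def explain(ip: str, target_domain: str) -> str:
    """Human-readable reason for the outcome, in the terms used in the thread."""
    names = lookup(ip_address(ip).reverse_pointer, "PTR")
    if not names:
        return "no PTR record"
    if not validated_ptr_names(ip):
        return "PTR name exists but no A record points back to the IP"
    if ptr_mechanism_matches(ip, target_domain):
        return "pass"
    return "validated names are outside " + target_domain


if __name__ == "__main__":
    for ip, domain in (("62.128.191.26", "direcpceu.com"), ("192.0.2.10", "example.net")):
        print(ip, domain, "naive:", naive_ptr_match(ip, domain),
              "validated:", ptr_mechanism_matches(ip, domain), "->", explain(ip, domain))
```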


RE: [Declude.JunkMail] OT SPF PTR Problem

2004-05-14 Thread Lyndon Eaton
Thanks Scott,

I did just work this out and was about to post back to the list when I
read your reply.

Many thanks for your response!
Lyndon.




Email checked by UKsubnet anti-virus service
To prevent email abuse & block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)







Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Matt




Scott,

I seem to have broken things worse :) Is there any reason why the
following wouldn't work?

XBL(LAST)  dnsbl  %REMOTEIP%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

I tested the DUL lists using this format and it seemed to be working.
Here's the headers from a single hop test that tripped on the ip4r
version of XBL and returned the proper %REMOTEIP% in the headers:

Received: from nickdisk.every1.net [218.72.105.91] by
mx1.mailpure.com
 (SMTPD32-8.05) id A3B01190256; Fri, 14 May 2004 12:28:32 -0400
Message-ID: [EMAIL PROTECTED]
Date: Fri, 14 May 2004 20:43:49 +0500
From: "jada grant" [EMAIL PROTECTED]
User-Agent: IncrediMail 2001 (1800838)
X-Accept-Language: en-us
MIME-Version: 1.0
To: hidden
Subject: [23] enhance your anatomy
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MailPure:

X-MailPure: XBL(ALL): Failed, listed in sbl-xbl.spamhaus.org (weight 2).
X-MailPure: FIVETEN-SPAM: Failed, listed in blackholes.five-ten-sg.com
(weight 1).
X-MailPure: NOREVDNS: Failed, no reverse DNS entry (weight 1).
X-MailPure: CMDSPACE: Failed, improperly formatted SMTP commands
(weight 3).
X-MailPure: SNIFFER-PORN: Failed, listed in the Porn/Adult category
(weight 8).
X-MailPure: BADCOUNTRYNOREVDNS: Message failed BADCOUNTRYNOREVDNS test
(line 7, weight 5) (weight capped at 5).
X-MailPure: FOREIGN: Message failed FOREIGN test (line 446, weight 3)
(weight capped at 3).
X-MailPure: RECIPIENTS: hidden
X-MailPure:

X-MailPure: Spam Score: 23
X-MailPure: Scan Time: 12:28:45 on 05/14/2004
X-MailPure: Spool File: Df3b0011902563c94.SMD
X-MailPure: Server Name: nickdisk.every1.net
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: [No Reverse DNS] [218.72.105.91]
X-MailPure: Country Chain: CHINA-destination
X-MailPure:

X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:






R. Scott Perry wrote:

   You could save me a bit of time though by answering this one question.

   With custom filters, will they also be skipped if there is a
   DUL/DUHL/DYNA in the name and the Mail From is local, i.e. DYNAMIC or
   DUL-COMBO? If so, I'll just change those names as well though I would
   prefer not to.

 No -- the filters will not be skipped based on the test name.

 -Scott

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread R. Scott Perry

 I seem to have broken things worse :)  Is there any reason why the 
 following wouldn't work?

 XBL(LAST)  dnsbl  %REMOTEIP%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

 I tested the DUL lists using this format and it seemed to be 
 working.  Here's the headers from a single hop test that tripped on the 
 ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail 
will create 192.0.2.25.sbl-xbl.spamhaus.org.  But, you really want 
25.2.0.192.sbl-xbl.spamhaus.org.  Fortunately, you can use:

XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

which should do what you want.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Matt
DOH!

And unfortunately I just finished backing out of the changes :)  Thanks 
for the clarification/correction.

Matt



R. Scott Perry wrote:


  I seem to have broken things worse :)  Is there any reason why the 
  following wouldn't work?

  XBL(LAST)  dnsbl  %REMOTEIP%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

  I tested the DUL lists using this format and it seemed to be 
  working.  Here's the headers from a single hop test that tripped on 
  the ip4r version of XBL and returned the proper %REMOTEIP% in the 
  headers:

 The problem here is that the remote IP is 192.0.2.25, so Declude 
 JunkMail will create 192.0.2.25.sbl-xbl.spamhaus.org.  But, you 
 really want 25.2.0.192.sbl-xbl.spamhaus.org.  Fortunately, you can use:

 XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

 which should do what you want.

   -Scott



Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Don Brown



Friday, May 14, 2004, 11:36:22 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

 I seem to have broken things worse :)  Is there any reason why the 
 following wouldn't work?

 XBL(LAST)  dnsbl  %REMOTEIP%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

 I tested the DUL lists using this format and it seemed to be 
 working.  Here's the headers from a single hop test that tripped on the
 ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

RSP The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail
RSP will create 192.0.2.25.sbl-xbl.spamhaus.org.  But, you really want
RSP 25.2.0.192.sbl-xbl.spamhaus.org.  Fortunately, you can use:

RSP XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

RSP which should do what you want.

RSP -Scott

Since sbl-xbl.spamhaus.org is an ip4r list, doesn't the below do the
same thing as using %IP4R% as shown above? If not, what is the
difference?

 SBL-ALL ip4r sbl-xbl.spamhaus.org

Thanks,



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364    Fax: (972) 788-5049




Re: [Declude.JunkMail] DNSSTUFF

2004-05-14 Thread Dave Doherty



Matt-

Look for high web traffic. We had a big DDOS attack last week that ate up 
our connectivity with web requests for "SEARCH" and a query string that was 
about 1000 characters long. Every request was identical, the same characters 
over and over and then a switch to another character, also repeated many 
times. The characters were all unusual, like the single-place +/- unicode 
character. We dealt with it by blocking all of Asia and South America for a week.

-Dave

  - Original Message - 
  From: Matt 
  To: [EMAIL PROTECTED] 
  Sent: Thursday, May 13, 2004 12:27 AM
  Subject: Re: [Declude.JunkMail] DNSSTUFF

  Cancel that, no clue what brought down my server, it doesn't seem related 
  to E-mail. I am however having trouble reaching two other sites though, 
  but that's probably a coincidence. The DNSStuff Canadian mirror isn't 
  responding, but the backup site still is: http://backup.dnsstuff.com/

  Matt

  Matt wrote:

    I seem to be finding a lot of things that are down currently, and my 
    own server was knocked off-line earlier tonight by what appears to have 
    been a huge surge of viruses (more research necessary). Maybe just a 
    coincidence of course.

    Matt

    Goran Jovanovic wrote:

      Hmmm me too. I had problems earlier this week and then it came back.

      Goran Jovanovic
      The LAN Shoppe

  
  -Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED]] On Behalf Of Rick Hogue
Sent: Wednesday, May 12, 2004 11:01 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] DNSSTUFF

 What happened to this valuable site? I get a server not found?


Rick Hogue
www.intent.net Web Hosting 1-800-866-2983
www.prosperity.com Featured web site






Re: [Declude.JunkMail] I'm going to be away next week

2004-05-14 Thread Dave Doherty
Enjoy your time off, Scott. You've earned it!

-Dave


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 2:16 PM
Subject: [Declude.JunkMail] I'm going to be away next week


 Just so people on this list are aware, I'm going to be away next week.

 So if you know the answers to questions on the list that I might have
 otherwise answered, feel free to answer them.

 And, remember that the horizons@ and sperry@ addresses go to me, so you
 will want to instead use the [EMAIL PROTECTED] address for support
queries.

 -Scott






Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Matt




Don,

Since I started this thread, I'll try to answer what's at issue here.

Declude has functionality to only scan the last hop on any dnsbl, ip4r
and rhsbl test when it has either DUL, DYNA or DUHL in the name of the
test. This is done in order to protect you from scoring hits on
dial-up or residential IP's when they weren't the connecting server and
when you are using Declude to score on multiple hops (I believe this is
version restricted).

In order to keep these DUL/DYNA/DUHL tests from hitting your own local
users when they are sending E-mail (only one hop and typically
dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test
when they have one of those strings in the name. This was very useful
until IMail 8 came along and they started providing an indication of
whether or not AUTH was used in the Q*.SMD file. When IMail 8 did
that, Scott introduced a function called WHITELIST AUTH that will
whitelist any E-mail that is AUTH'd.

Every user on my system uses AUTH and I'm on IMail 8 so I can take
advantage of WHITELIST AUTH. The issue now is that when a spammer
forges a locally hosted address in the Mail From, Declude is still
disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA
or DUHL in the name, and this now represents a weakness instead of a
benefit. So for users that have IMail 8, where all of their users are
whitelisted either by IP or by AUTH, it would be nice to turn this
functionality off.

Something that seemed to confuse you was the fact that I am using
several tests twice like so:

XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0
XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0

The reason why I do this is because I score on multiple hops, and
instead of having XBL score exactly the same on every hop, I created a
work around so that it would score higher on the last hop, and lower if
it only hit one of the prior hops. The prior hop functionality helps
with catching spam that is relayed from one open relay to another open
relay, or worse yet, from an open relay to a legitimate mail server.
At the same time there are lots of IP's in some of these lists that
have long since been fixed/closed and are sending only legitimate
E-mail through legitimate servers, and only adding a few points helps
protect from false positives.

The former kludge that I used was to use (DYNA) in the name of the test
that I only wanted to score on the last hop, but this morning, I found
that on locally hosted E-mail, this test would be defeated if the
spammer forged a local address. By changing the test to how it appears
as XBL(LAST) in the above example, I'm creating a way to score only the
last hop without it being defeated when a local address is forged and
DUL/DYNA/DUHL appears in the name.

The short answer is that in the example above for XBL(LAST), using the
dnsbl/%IP4R% hack, you can construct a test that only hits the last hop
(if you are scoring on multiple hops like I am).

It's convoluted, but it works, and I do recommend doing it, but only if
you understand how it works and why it is useful.

Matt




Don Brown wrote:

 Friday, May 14, 2004, 11:36:22 AM, R. Scott Perry [EMAIL PROTECTED] wrote:

   I seem to have broken things worse :)  Is there any reason why the 
   following wouldn't work?

   XBL(LAST)  dnsbl  %REMOTEIP%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

   I tested the DUL lists using this format and it seemed to be 
   working.  Here's the headers from a single hop test that tripped on the
   ip4r version of XBL and returned the proper %REMOTEIP% in the headers:

 RSP The problem here is that the remote IP is 192.0.2.25, so Declude JunkMail
 RSP will create "192.0.2.25.sbl-xbl.spamhaus.org".  But, you really want
 RSP "25.2.0.192.sbl-xbl.spamhaus.org".  Fortunately, you can use:

 RSP XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0

 RSP which should do what you want.

 RSP -Scott

 Since sbl-xbl.spamhaus.org is an ip4r list, doesn't the below do the
 same thing as using %IP4R% as shown above? If not, what is the
 difference?

  SBL-ALL ip4r sbl-xbl.spamhaus.org

 Thanks,

 Don Brown - Dallas, Texas USA Internet Concepts, Inc.
 [EMAIL PROTECTED]   http://www.inetconcepts.net
 (972) 788-2364    Fax: (972) 788-5049








Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Bill Landry
- Original Message - 
From: Matt [EMAIL PROTECTED]

 XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0
 XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0

Scott/Matt, would a configuration like above require multiple DNS queries
since the hostnames defined in the tests are no longer identical?  Or is the
variable (in this case %IP4R%) ignored in the hostname, so that as far as
Declude is concerned, the hostnames are still identical?

Bill



Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread R. Scott Perry

 XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0
 XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0

 Scott/Matt, would a configuration like above require multiple DNS queries
 since the hostnames defined in the tests are no longer identical?  Or is the
 variable (in this case %IP4R%) ignored in the hostname, so that as far as
 Declude is concerned, the hostnames are still identical?

Having both of those would indeed cause multiple DNS queries.  Even though 
they end up using the same zone, the ip4r lookups are handled separately 
from the dnsbl lookups.

   -Scott


Re: [Declude.JunkMail] ALLRECIPs filter trouble

2004-05-14 Thread Scott Fisher
No matches with the [EMAIL PROTECTED] format either.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 05/14/04 09:43AM 

I'm not getting any matches on ALLRECIPS filters with the IS. Anyone have 
any tips?

ALLRECIPS   20  IS  [EMAIL PROTECTED] 

If you change it to:

ALLRECIPS   20  IS  [EMAIL PROTECTED]

then it should work.


-Scott



[Declude.JunkMail] Citibank- Phishing

2004-05-14 Thread Kami Razvan



Hi;
I just received the following phishing attempt from CitiBank.

Received: from marduk.hostmatix.com [66.194.152.44] by foroosh.com with ESMTP (SMTPD32-8.11) id AA2B91800C6; Fri, 14 May 2004 15:12:43 -0400
Received: from nobody by marduk.hostmatix.com with local (Exim 4.34) id 1BOi6u-0003M2-LW for [EMAIL PROTECTED]; Fri, 14 May 2004 15:12:44 -0400
To: [EMAIL PROTECTED]
Subject: Citibank Secure Verification Process
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Fri, 14 May 2004 15:12:44 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - marduk.hostmatix.com
X-AntiAbuse: Original Domain - durability.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - marduk.hostmatix.com
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (line 107, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 162, weight 7)
X-Declude-Sender: [EMAIL PROTECTED] [66.194.152.44]
X-Declude-Spoolname: D1a2b091800c66245.SMD
X-Note: ==
X-Note: Spam Score: 4 [BLOCKED ON 20+ & DELETED ON 60+]
X-Note: Scan Time: 15:12:54 on 05/14/2004
X-Note: Spool File: D1a2b091800c66245.SMD
X-Note: Server Name: marduk.hostmatix.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: marduk.hostmatix.com [66.194.152.44]
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES-destination
X-Note: ==
X-Note: This E-mail was scanned & filtered by Declude [1.79i7] for SPAM & virus.
X-Note: Spam and virus blocking services provided by ClickandPledge.com
X-Note: ==
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 383169419

[Declude.JunkMail] Line in Header

2004-05-14 Thread John Tolmachoff \(Lists\)
Just noticed this line in a header of a spam message. I have not seen this
one before:

X-T2: hskbbjayswtesetdapwybwwa ptsabdbeppytedbb esseasyysa

Anyone see this one, and is the X-T2: something we can filter on?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




[Declude.JunkMail] Phishing..

2004-05-14 Thread Kami Razvan



Follow up to last email:

Hi;

The following is the site:

http://www.citicorp-verification.com/cgibin/citifi/scripts/home/Verify.htm

Filter on: citicorp-verification

the site is live and kicking.. 

href="https://www.accountonline.com/Register?siteId=CB"

this is also another filter I think: accountonline.com

The site the email came from appears to be a hosting company.

Regards,
Kami




Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Dan Geiser
Hi, Kami,
I don't even know how to mentally parse the below code that you've listed.
Would this go inside a filter file?  What does each line signify?

For example, REVDNS END ENDSWITH .hotmail.com.  I've not seen that syntax
before.  Is END a valid value in that column?  What does it do?  When was
the END value introduced?  I am currently running v1.75 and I know there's
been a lot of stuff introduced since our Service Agreement expired.

Thanks for your feedback.

Dan

- Original Message - 
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 9:40 AM
Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?


 Dan..
 May be I am not understanding the question.  But I basically have a couple
 of combination tests that are like the following:

 REVDNS END ENDSWITH .hotmail.com
 MAILFROM 3 ENDSWITH @hotmail.com
 HELO 5 ENDSWITH .hotmail.com

 So with this logic you can add weight if someone is using Hotmail as
return
 address but is not using hotmail to send mail.

 We have this for a lot of ISP's.

 Is this what you are trying to do?

 Regards,
 -Kami


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
 Sent: Friday, May 14, 2004 9:31 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

 Kami,
 How do you see me using a filter file to add a small amount of points for
 the end of every SENDER that doesn't match the end of every REVDNS in the
 edu TLD.?

 I don't know how to use a filter file to compare a string in one field to
a
 string in another.

 If it can be done that would be great.

 Thanks,
 Dan Geiser
 [EMAIL PROTECTED]




---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



Re: [Declude.JunkMail] ALLRECIPs filter trouble

2004-05-14 Thread R. Scott Perry

 No matches with the [EMAIL PROTECTED] format either.

Actually, it needs to be [EMAIL PROTECTED], [EMAIL PROTECTED] (where the 
first [EMAIL PROTECTED] is the name entered by the user, and the second one 
is the one that IMail uses).

   -Scott


Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Scott Fisher
The END in the weight column is valid starting somewhere in the 1.77s.

It causes the filter to immediately end with the current score.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 05/14/04 03:01PM 
Hi, Kami,
I don't even know how to mentally parse the below code that you've listed.
Would this go inside a filter file?  What does each line signify?

For example, REVDNS END ENDSWITH .hotmail.com.  I've not seen that syntax
before.  Is END a valid value in that column?  What does it do?  When was
the END value introduced?  I am currently running v1.75 and I know there's
been a lot of stuff introduced since our Service Agreement expired.

Thanks for your feedback.

Dan

- Original Message - 
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 9:40 AM
Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?


 Dan..
 May be I am not understanding the question.  But I basically have a couple
 of combination tests that are like the following:

 REVDNS END ENDSWITH .hotmail.com
 MAILFROM 3 ENDSWITH @hotmail.com
 HELO 5 ENDSWITH .hotmail.com

 So with this logic you can add weight if someone is using Hotmail as
return
 address but is not using hotmail to send mail.

 We have this for a lot of ISP's.

 Is this what you are trying to do?

 Regards,
 -Kami


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
 Sent: Friday, May 14, 2004 9:31 AM
 To: [EMAIL PROTECTED] 
 Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

 Kami,
 How do you see me using a filter file to add a small amount of points for
 the end of every SENDER that doesn't match the end of every REVDNS in the
 edu TLD.?

 I don't know how to use a filter file to compare a string in one field to
a
 string in another.

 If it can be done that would be great.

 Thanks,
 Dan Geiser
 [EMAIL PROTECTED] 




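Kami's three-line combination filter above, together with the END weight Scott Fisher describes, as an added example evaluator that is not Declude's own code; the line format FIELD WEIGHT OPERATOR VALUE, case-insensitive matching, '#' comments and the field names REVDNS, MAILFROM and HELO are assumptions taken from the thread.

```python
"""Evaluator for a Declude-style filter file, using Kami's Hotmail lines.

Added example, not Declude's own code.  Semantics taken from the thread:
  * a line reads  FIELD WEIGHT OPERATOR VALUE  and a match adds WEIGHT
    to the filter's running score;
  * a WEIGHT of END on a matching line ends the filter at once with the
    score accumulated so far (Scott Fisher's description).
Assumptions beyond the thread: matching is case-insensitive, '#' starts a
comment, and the fields are looked up in a plain dict of header values.
"""

# The three lines Kami posted.  Order matters: the END line must come
# first so that mail really relayed by Hotmail exits with 0 before the
# MAILFROM and HELO lines can add anything.
KAMI_FILTER = """\
REVDNS END ENDSWITH .hotmail.com
MAILFROM 3 ENDSWITH @hotmail.com
HELO 5 ENDSWITH .hotmail.com
"""

OPERATORS = {
    "ENDSWITH": lambda subject, value: subject.lower().endswith(value.lower()),
    "CONTAINS": lambda subject, value: value.lower() in subject.lower(),
    "IS": lambda subject, value: subject.lower() == value.lower(),
}


def parse_filter(text):
    """Turn filter-file text into (field, weight, operator, value) tuples.

    weight is an int, or the string "END" for the early-exit marker.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError("malformed filter line: %r" % raw)
        field, weight, operator, value = parts
        operator = operator.upper()
        if operator not in OPERATORS:
            raise ValueError("unknown operator in: %r" % raw)
        weight = "END" if weight.upper() == "END" else int(weight)
        rules.append((field.upper(), weight, operator, value))
    return rules


def run_filter(rules, message):
    """Score one message; message maps REVDNS, MAILFROM, HELO to strings.

    A host with no reverse DNS should be given REVDNS "" so that nothing
    ends with .hotmail.com and the sender/HELO lines still get to score.
    """
    score = 0
    for field, weight, operator, value in rules:
        if not OPERATORS[operator](message.get(field, ""), value):
            continue
        if weight == "END":
            return score          # stop here with what has accumulated
        score += weight
    return score


if __name__ == "__main__":
    rules = parse_filter(KAMI_FILTER)
    # Constructed header values; the hostnames are not real hosts.
    genuine = {"REVDNS": "omc-constructed.hotmail.com",
               "MAILFROM": "someone@hotmail.com",
               "HELO": "omc-constructed.hotmail.com"}
    forged = {"REVDNS": "dsl-pool-constructed.example.net",
              "MAILFROM": "someone@hotmail.com",
              "HELO": "mx.hotmail.com"}
    print(run_filter(rules, genuine))  # 0: REVDNS is Hotmail's, END fires
    print(run_filter(rules, forged))   # 8: Hotmail sender and HELO, but not Hotmail's relay
```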


Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Matt




Bill,

The value is in scoring the last hop hits higher than prior hop hits.
In this case, a hit on XBL for the last appropriate hop (not
IPBYPASSED) would result in 8 points (6 + 2), while a hit on a prior
hop would result in just 2 points. Note that the number of false
positives is much higher with prior hops on tests that populate from
spamtraps or are designed to detect open relays. Tests like SBL and
other static spam source tests have very little danger in scoring the
same for every hop, though SBL will sometimes list spam zombies that
are unresolved for periods of time (I wish they didn't do that).

Matt



Bill Landry wrote:

 - Original Message - 
 From: "Matt" [EMAIL PROTECTED]

   XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0
   XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0

 Scott/Matt, would a configuration like above require multiple DNS queries
 since the hostnames defined in the tests are no longer identical?  Or is the
 variable (in this case "%IP4R%") ignored in the hostname, so that as far as
 Declude is concerned, the hostnames are still identical?

 Bill



-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] dynamic.rhs.mailpolice.com config

2004-05-14 Thread Scott Fisher
Looking at yesterday's numbers:

About 2200 mails after I added the new MailPolice tests.

I had 363 matches on the MailPolice-REVDNS. 362 spam, 1 not spam. The bad news is that 
all 362 were already over my hold weight.
I had 281 matches on the MailPolice-HELO. 281 spam.
All 281 MailPolice-HELO's also matched on the MailPolice-REVDNS

Out of the 281 matches on the MailPolice-HELO, 24 were also matched on MailPolice-Bulk.
Out of the 281 matches on the MailPolice-HELO, 1 was also matched on MailPolice-Porn.

Out of the 363 matches on the MailPolice-REVDNS, 27 were also matched on 
MailPolice-Bulk.
Out of the 363 matches on the MailPolice-REVDNS, 2 were also matched on 
MailPolice-Porn.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 05/13/04 05:34PM 
Here's a working config for MailPolice's dynamic test (PPP/DSL/cable) 
that tests both the reverse DNS entry and the HELO entry (zombie 
spamware often uses the reverse DNS entry for the HELO).

MAILPOLICE-DYNA-REVDNS  dnsbl  %REVDNS%.dynamic.rhs.mailpolice.com  127.0.0.2  0  0
MAILPOLICE-DYNA-HELO    dnsbl  %HELO%.dynamic.rhs.mailpolice.com    127.0.0.2  0  0

I have verified that this works.  My only concern is what MailPolice 
considers appropriate for the DSL and Cable entries.  Nevertheless, if 
their list sucks, it shouldn't be that hard to create our own

It also appears that it may be a good idea to start pumping a zone full 
of what might have been filtered with custom filters before for both 
simplicity, and for efficiency.  There are also other RHSBL tests out 
there appropriate for the other technique shown earlier, and there are 
some interesting ones at MailPolice that could come in handy such as 
their Web-mail test which in combination with another filter like 
CMDSPACE, XBL, etc., could come in handy.

Matt

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/ 
=


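The XBL(LAST)/XBL(ALL) hop-weighting trick Matt describes earlier in the thread and the MailPolice %REVDNS%/%HELO% tests quoted above, simulated as an added example (not Declude's code and not anything posted on the list). The test-line layout follows the posts; the ip4r/dnsbl semantics, the HOPHIGH handling, the per-message resolver cache, the MailPolice weights and return code, and all zone data are assumptions constructed for the example, so it runs offline.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-in for live zones (query name -> returned A record).
# Nothing here is a real listing and no DNS traffic is generated.
FAKE_DNS = {
    "9.113.0.203.sbl-xbl.spamhaus.org": "127.0.0.4",   # 203.0.113.9 "listed"
    "7.100.51.198.sbl-xbl.spamhaus.org": "127.0.0.4",  # 198.51.100.7 "listed"
    "adsl-pool.example.net.dynamic.rhs.mailpolice.com": "127.0.0.2",
}

# Test lines in the list's layout: NAME TYPE ZONE RESULT WEIGHT FAILWEIGHT.
# XBL(LAST)/XBL(ALL) are from the thread; the MailPolice weights (5) and
# return code (127.0.0.2) are assumed for this example.
TESTS = """
XBL(LAST)              dnsbl %IP4R%.sbl-xbl.spamhaus.org         127.0.0.4 6 0
XBL(ALL)               ip4r  sbl-xbl.spamhaus.org                127.0.0.4 2 0
MAILPOLICE-DYNA-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 5 0
MAILPOLICE-DYNA-HELO   dnsbl %HELO%.dynamic.rhs.mailpolice.com   127.0.0.2 5 0
"""

Test = namedtuple("Test", "name kind zone result weight failweight")

def parse_tests(text):
    tests = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6:
            tests.append(Test(f[0], f[1].lower(), f[2], f[3], int(f[4]), int(f[5])))
    return tests

def ip4r(ip):
    """Reverse the octets for an IP4R lookup: 203.0.113.9 -> 9.113.0.203."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def queries_for(test, hops, hophigh, helo, revdns):
    """Query names one test generates. hops is oldest first, connecting IP last.

    Assumed semantics: ip4r is checked for the connecting IP plus up to HOPHIGH
    earlier hops; dnsbl is one literal name with %IP4R%/%REVDNS%/%HELO% filled
    from the connecting hop only, which is what makes XBL(LAST) last-hop only.
    """
    if test.kind == "ip4r":
        return [f"{ip4r(h)}.{test.zone}" for h in hops[-(hophigh + 1):]]
    return [test.zone.replace("%IP4R%", ip4r(hops[-1]))
                     .replace("%REVDNS%", revdns)
                     .replace("%HELO%", helo)]

def score(tests, hops, hophigh, helo, revdns, dns=FAKE_DNS):
    """Return (total weight, names of tests that hit, distinct query names).

    A per-message cache keyed on the query name stands in for a resolver
    cache, so identical names from different tests cost a single lookup.
    """
    total, hits, cache = 0, [], {}
    for t in tests:
        matched = False
        for q in queries_for(t, hops, hophigh, helo, revdns):
            if q not in cache:
                cache[q] = dns.get(q)
            matched = matched or cache[q] == t.result
        total += t.weight if matched else t.failweight
        if matched:
            hits.append(t.name)
    return total, hits, len(cache)

def scenarios(hophigh=3):
    """Four constructed messages; HOPHIGH 3 means connecting IP plus 3 hops."""
    tests, clean = parse_tests(TESTS), "mail.example.org"
    dyn = "adsl-pool.example.net"
    return {
        # Listed IP is the connecting server: 6 (LAST) + 2 (ALL) = 8.
        "listed_last_hop": score(tests, ["192.0.2.10", "203.0.113.9"], hophigh, clean, clean),
        # Listed IP only relayed through a clean server: just the 2 from XBL(ALL).
        "listed_prior_hop": score(tests, ["198.51.100.7", "192.0.2.20"], hophigh, clean, clean),
        # Listed IP is more than HOPHIGH hops back: never queried, scores 0.
        "listed_beyond_hophigh": score(tests, ["198.51.100.7", "192.0.2.1", "192.0.2.2",
                                               "192.0.2.3", "192.0.2.20"], hophigh, clean, clean),
        # Dynamic-looking rDNS reused as HELO: both MailPolice tests hit on one query.
        "dynamic_revdns_as_helo": score(tests, ["203.0.113.77"], hophigh, dyn, dyn),
    }
```

The distinct-query count in the first scenario shows why Bill's question matters: after substitution, XBL(LAST) and the connecting-hop XBL(ALL) query are the same name, so a cache keyed on the query name answers both with one lookup.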


Re: [Declude.JunkMail] ALLRECIPs filter trouble

2004-05-14 Thread Scott Fisher
It's working now.
That'll drop a bunch of stuff out of hold status.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 05/14/04 03:07PM 

No matches with the [EMAIL PROTECTED] format either.

Actually, it needs to be [EMAIL PROTECTED], [EMAIL PROTECTED] (where the 
first [EMAIL PROTECTED] is the name entered by the user, and the second one 
is the one that IMail uses).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] Whitelistfile

2004-05-14 Thread Keith Johnson
Scott,
Can I point to two whitelistfiles in the per-user config file
for junkmail (i.e. two WHITELISTFILE entries on separate lines)?  For
example, one to main corporate, then a personal one.  Thanks,

Keith


RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Andy Schmidt
Matt,

I think there is a misunderstanding (possibly on MY side).

> DUL/DYNA/DUHL tests from hitting your own local users when they are
> sending E-mail (only one hop and typically dynamic/residential), Declude
> disables any dnsbl, ip4r or rhsbl test when they have one of those
> strings in the name

I was aware that DUL/DYNA/DUHL only checks the LAST hop (the server
connecting to you) - but doesn't check the prior hops. The idea is, that
of course, ANY valid dial-up user will eventually appear in the first hop
- the one to his provider's mail server. But a dial-up user should never
be contacting YOUR mail server directly - so the LAST hop should not come
from a dial-up user.

What you are saying sounds almost like the reverse?

> I found that on locally hosted E-mail, this test would be defeated if
> the spammer forged a local address.

You mean forging an IP address? Or forging a FROM address? I don't
believe Declude "trusts" the from address - of course it will be forged
for spam!?

> Every user on my system uses AUTH and I'm on IMail 8 so I can take
> advantage of WHITELIST AUTH. The issue now is that when a spammer forges
> a locally hosted address in the Mail From, Declude is still disabling all
> dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in the
> name, and this now represents a weakness instead of a benefit.

I use AUTH as well without problems. If you don't want the DUL/DYNA/DUHL,
then why are you using those strings?

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, May 14, 2004 02:41 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

  Don,

  Since I started this thread, I'll try to answer what's at issue here.

  Declude has functionality to only scan the last hop on any dnsbl, ip4r
  and rhsbl test when it has either DUL, DYNA or DUHL in the name of the
  test. This is done in order to protect you from scoring hits on dial-up
  or residential IP's when they weren't the connecting server and when you
  are using Declude to score on multiple hops (I believe this is version
  restricted).

  In order to keep these DUL/DYNA/DUHL tests from hitting your own local
  users when they are sending E-mail (only one hop and typically
  dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test
  when they have one of those strings in the name. This was very useful
  until IMail 8 came along and they started providing an indication of
  whether or not AUTH was used in the Q*.SMD file. When IMail 8 did that,
  Scott introduced a function called WHITELIST AUTH that will whitelist
  any E-mail that is AUTH'd.

  Every user on my system uses AUTH and I'm on IMail 8 so I can take
  advantage of WHITELIST AUTH. The issue now is that when a spammer forges
  a locally hosted address in the Mail From, Declude is still disabling
  all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA or DUHL in
  the name, and this now represents a weakness instead of a benefit. So
  for users that have IMail 8, where all of their users are whitelisted
  either by IP or by AUTH, it would be nice to turn this functionality
  off.

  Something that seemed to confuse you was the fact that I am using
  several tests twice like so:

  XBL(LAST)  dnsbl  %IP4R%.sbl-xbl.spamhaus.org  127.0.0.4  6  0
  XBL(ALL)   ip4r   sbl-xbl.spamhaus.org         127.0.0.4  2  0

  The reason why I do this is because I score on multiple hops, and
  instead of having XBL score exactly the same on every hop, I created a
  work around so that it would score higher on the last hop, and lower if
  it only hit one of the prior hops. The prior hop functionality helps
  with catching spam that is relayed from one open relay to another open
  relay, or worse yet, from an open relay to a legitimate mail server. At
  the same time there are lots of IP's in some of these lists that have
  long since been fixed/closed and are sending only legitimate E-mail
  through legitimate servers, and only adding a few points helps protect
  from false positives.

  The former kludge that I used was to use (DYNA) in the name of the test
  that I only wanted to score on the last hop, but this morning, I found
  that on locally hosted E-mail, this test would be defeated if the
  spammer forged a local address. By changing the test to how it appears
  as XBL(LAST) in the above example, I'm creating a way to score only the
  last hop without it being defeated when a local address is forged and
  DUL/DYNA/DUHL appears in the name.

  The short answer is that in the example above for XBL(LAST), using the
  dnsbl/%IP4R% hack, you can construct a test that only hits the last hop
  (if you

Re: [Declude.JunkMail] dynamic.rhs.mailpolice.com config

2004-05-14 Thread Matt




Scott,

I don't think the results that you found are that bad actually.
Just because something is over your hold weight doesn't mean adding
more points isn't valuable. I split my held messages into a range of
10-24 and another that is 25+. I've managed to get about 97% to 98% of
the spam to score at 25+ where false positives are very, very rare, and
therefore I don't bother monitoring this range. The double hits with
MailPolice-Porn and Bulk are a good way to really cremate E-mail with
points.

I unfortunately found out today that dynamic.rhs.mailpolice.com isn't
as clean as I would like for it to be. I've come across the following
false positive this morning, though of course there may have been more
that still passed that I'm not aware of.

 mta4.rcsntx.swbell.net [151.164.30.28]

I have temporarily removed the REVDNS test, and dropped the weight of
the HELO test to just 2 points. I think what I am probably going to do
here is create my own reverse DNS test. I'll do this by making
nominations from my spam capture Hold account and look for things that
didn't fail a DUL list. I may make an external test to handle reverse
DNS entries as the HELO considering that DNS is limited to just one
wildcard representing a full sub-domain and not any partial matches. I
score DUL hits very high and can't tolerate problems like the above (I
score DUL hits in a single filter as a combo test with one score no
matter how many lists a hit appears in). The above false positive
tripped both the REVDNS and the HELO tests, and it came in at 21 points
which is pretty high for a false positive personal E-mail on my system.

Matt




Scott Fisher wrote:

  Looking at yesterday's numbers:

About 2200 mails after I added the new MailPolice tests.

I had 363 matches on the MailPolice-REVDNS. 362 spam, 1 not spam. The bad news is that all 362 were already over my hold weight.
I had 281 matches on the MailPolice-HELO. 281 spam.
All 281 MailPolice-HELO's also matched on the MailPolice-REVDNS

Out of the 281 matches on the MailPolice-HELO, 24 were also matched on MailPolice-Bulk.
Out of the 281 matches on the MailPolice-HELO, 1 was also matched on MailPolice-Porn.

Out of the 363 matches on the MailPolice-REVDNS, 27 were also matched on MailPolice-Bulk.
Out of the 363 matches on the MailPolice-REVDNS, 2 were also matched on MailPolice-Porn.

Scott Fisher
Director of IT
Farm Progress Companies

  [EMAIL PROTECTED] 05/13/04 05:34PM 
  Here's a working config for MailPolice's dynamic test (PPP/DSL/cable) 
that tests both the reverse DNS entry and the HELO entry (zombie 
spamware often uses the reverse DNS entry for the HELO).

MAILPOLICE-DYNA-REVDNS  dnsbl  %REVDNS%.dynamic.rhs.mailpolice.com  127.0.0.2  0  0
MAILPOLICE-DYNA-HELO    dnsbl  %HELO%.dynamic.rhs.mailpolice.com    127.0.0.2  0  0

I have verified that this works.  My only concern is what MailPolice 
considers appropriate for the DSL and Cable entries.  Nevertheless, if 
their list sucks, it shouldn't be that hard to create our own

It also appears that it may be a good idea to start pumping a zone full 
of what might have been filtered with custom filters before for both 
simplicity, and for efficiency.  There are also other RHSBL tests out 
there appropriate for the other technique shown earlier, and there are 
some interesting ones at MailPolice that could come in handy such as 
their Web-mail test which in combination with another filter like 
CMDSPACE, XBL, etc., could come in handy.

Matt

  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Matt




Andy Schmidt wrote:

  Matt,

  I think there is a misunderstanding (possibly on MY side).

  > DUL/DYNA/DUHL tests from hitting your own local users when they are
  > sending E-mail (only one hop and typically dynamic/residential),
  > Declude disables any dnsbl, ip4r or rhsbl test when they have one of
  > those strings in the name

  I was aware that DUL/DYNA/DUHL only checks the LAST hop (the server
  connecting to you) - but doesn't check the prior hops. The idea is,
  that of course, ANY valid dial-up user will eventually appear in the
  first hop - the one to his provider's mail server. But a dial-up user
  should never be contacting YOUR mail server directly - so the LAST hop
  should not come from a dial-up user.

  What you are saying sounds almost like the reverse?


The caveat is that if the connecting IP is from your own customer
trying to send E-mail, it may very well be a DUL IP.



  > I found that on locally hosted E-mail, this test would be defeated if
  > the spammer forged a local address.

  You mean forging an IP address? Or forging a FROM address? I don't
  believe Declude "trusts" the from address - of course it will be forged
  for spam!?


At this moment, Declude will not apply scores from any dnsbl, ip4r or
rhsbl tests if they have either DUL, DYNA or DUHL in the name AND the
Mail From matches a local user. So to a certain extent, Declude does
"trust" the from address. The reason for this was to defeat DUL tests
for local users that might be sending from IP's listed in DUL lists.
This was good thinking before WHITELIST AUTH became available because
otherwise we couldn't use DUL lists effectively if we hosted accounts
and had users that came in from DUL IP's, but for those that can
whitelist all legitimate senders, either by IP, AUTH, or otherwise
guarantee that no one will be sending from a DUL tagged IP, turning
this feature off is of great benefit. The work-around discussed today
is also an effective means of doing this.



  > Every user on my system uses AUTH and I'm on IMail 8 so I can take
  > advantage of WHITELIST AUTH. The issue now is that when a spammer
  > forges a locally hosted address in the Mail From, Declude is still
  > disabling all dnsbl, ip4r and rhsbl tests that contain either DUL, DYNA
  > or DUHL in the name, and this now represents a weakness instead of a
  > benefit.

  I use AUTH as well without problems. If you don't want the
  DUL/DYNA/DUHL, then why are you using those strings?


I was using those strings on non-DUL tests as a kludge. I've tried to
explain this several times recently and in the past. I score on
multiple hops, but I want to score hits on the connecting IP higher than
on a relaying IP. I am doing this because some spam is relayed from
one machine to another and even through an ISP's mailserver, but at the
same time, there is a higher false positive rate with relaying IP's
because some lists keep IP's in their database for many months or even
years after they are nominated, and without an attempt to clean up the
listing. ORDB for instance is very bad about this, and their removal
process is useless in this regard since most broadband IP's don't have
mail servers to receive the removal requests on.

Take a look at the reply to Bill from two messages ago for further
explanation of why this is done, and note that I was only naming tests
like XBL(DYNA) to make that one test only score on the last hop, and
the one marked XBL(ALL) would score on any hop that matched, including
the first. I have HOPHIGH set to 3 which means (I believe) that I am
checking as many as 4 hops (or 3 hops plus the connecting IP).

Matt





  Best Regards
  Andy Schmidt
  HM Systems Software, Inc.
  600 East Crescent Avenue, Suite 203
  Upper Saddle River, NJ 07458-1846
  Phone: +1 201 934-3414 x20 (Business)
  Fax: +1 201 934-9206
  http://www.HM-Software.com/

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, May 14, 2004 02:41 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank


Don,

Since I started this thread, I'll try to answer what's at issue here.

Declude has functionality to only scan the last hop on any dnsbl, ip4r
and rhsbl test when it has either DUL, DYNA or DUHL in the name of the
test. This is done in order to protect you from scoring hits on
dial-up or residential IP's when they weren't the connecting server and
when you are using Declude to score on multiple hops (I believe this is
version restricted).

In order to keep these DUL/DYNA/DUHL tests from hitting your own local
users when they are sending E-mail (only one hop and typically
dynamic/residential), Declude disables any dnsbl, ip4r or rhsbl test
when they have one of those strings in the name. This was very useful
until IMail 8 came along and they started providing an indication of
whether or not AUTH was used in the Q*.SMD file. When IMail 8 did
that, 

Re: [Declude.JunkMail] Whitelistfile

2004-05-14 Thread R. Scott Perry

Can I point to two whitelistfiles in the per-user config file
for junkmail (i.e. two WHITELISTFILE entries on separate lines)?  For
example, one to main corporate, then a personal one.  Thanks,
Yes, that will work fine.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Don Brown
See below

Friday, May 14, 2004, 5:22:35 PM, Matt [EMAIL PROTECTED] wrote:
M Andy Schmidt wrote:
M   Matt,
M
M   I think there is a misunderstanding (possibly on MY side).
M
M    DUL/DYNA/DUHL tests from hitting your own local users when
M they are sending E-mail (only one hop and
M typically dynamic/residential), Declude disables any dnsbl, ip4r or
M rhsbl test when they have one of those strings in the name 
M
M   I was aware that DUL/DYNA/DUHL only checks the LAST hop (the
M server connecting to you) - but doesn't check the prior hops.  The
M idea is, that of course, ANY valid dial-up user will eventually
M appear in the first hop - the one to his provider's mail server. 
M But a dial-up user should never be contacting YOUR mail
M server directly - so the LAST hop should not come from a dial-up
M user.
M
M   What you are saying sounds almost like the reverse? 

M The caveat is that if the connecting IP is from your own
M customer trying to send E-mail, it may very well be a DUL IP.
However, if you are using Imail 8 with Authentication and Whitelist
Auth in Declude, it doesn't matter.  The mail is whitelisted, anyway
and is not subject to the DUL tests or any other tests, for that
matter.

 I found that on locally hosted E-mail, this test would be
 defeated if the spammer forged a local address. 

M You mean forging an IP address?  Or forging a FROM address?  I
M don't believe Declude trusts the from address - of course it will
M be forged for spam!? 

M At this moment, Declude will not apply scores from any dnsbl,
M ip4r or rhsbl tests if they have either DUL, DYNA or DUHL in the
M name AND the Mail From matches a local user.
I don't think that is accurate, except to the extent that if the user
Authenticated (which has nothing to do with a forged 'from' address)
that no checks will happen, since the e-mail is whitelisted at that
point.

OTOH, if it is not from an Authenticated user, and thus not a
whitelisted e-mail, it is subject to all tests.

M   So to a certain
M extent, Declude does trust the from address.  The reason for this
M was to defeat DUL tests for local users that might be sending from
M IP's listed in DUL lists.
Apples and oranges.  Stick to IP or the 'From' address.  The test
doesn't flip-flop.  It's an ip4r or its an rhsbl test - they are
mutually exclusive to a certain extent - however, both are moot with
Imail 8 and Whitelist Auth, since the e-mail will be whitelisted and
not subject to either test, if the sender authenticated for smtp.

M  This was good thinking before WHITELIST
M AUTH became available because otherwise we couldn't use DUL lists
M effectively if we hosted accounts and had users that came in from
M DUL IP's, but for those that can whitelist all legitimate senders,
M either by IP, AUTH, or otherwise guarantee that no one will be
M sending from a DUL tagged IP, turning this feature off is of great
M benefit.  The work-around discussed today is also an effective means
M of doing this.
I don't think that's correct. You could whitelist your block of IP
addresses, before Auth. However, you're talking about applying the DUL
list to more than the last hop, which is totally different, and in
doing so, you will inevitably come upon the sending IP, which is
potentially listed on the DUL and therefore potentially tag a
legitimate e-mail. However, if the e-mail is sent from one of your
users, using your SMTP, then they will have authenticated, be
whitelisted and not subject to the test.  I just don't see what you
really accomplish other than to do more DNS transactions.


 Every user on my system uses AUTH and I'm on IMail 8 so I can
 take advantage of WHITELIST AUTH.  The issue now is that when a
 spammer forges a locally hosted address in the Mail From, Declude
 is still disabling all dnsbl, ip4r and rhsbl tests that contain
 either DUL, DYNA or DUHL in the name, and this now represents a
 weakness instead of a benefit. 

M I use AUTH as well without problems. If you don't want the
M DUL/DYNA/DUHL, then why are you using those strings?
Good point.  Although I really don't comprehend the value in the
tests, the easy way around it would be to change the name of the tests
to eliminate the DUL/DYNA/DUHL part of the string.  Still, I don't
comprehend why you'd want to do that.  Maybe, my gray matter is back
of book -- it's late for an old guy . . . .

M I was using those strings on non-DUL tests as a kludge.  I've
M tried to explain this several times recently and in the past.  I
M score on multiple hops, but I want to score hits on the connecting
M IP higher than on a relaying IP.  I am doing this because some spam is
M relayed from one machine to another and even through an ISP's
M mailserver, but at the same time, there is a higher false positive
M rate with relaying IP's because some lists keep IP's in their
M database for many months or even years after they are nominated, and
M without an attempt to clean up the listing.  ORDB for instance is
M very bad about this, and their removal process 

RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank

2004-05-14 Thread Andy Schmidt
Scott (in case you're not gone yet):

> At this moment, Declude will not apply scores from any dnsbl, ip4r or
> rhsbl tests if they have either DUL, DYNA or DUHL in the name AND the
> Mail From matches a local user.

Does Declude REALLY trust the mail from and will bypass DUL/DYNA/DUHL test
just by someone forging the mail from?

Never heard about that "bug"/behavior before?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206