CBL:RE: Re[2]: [Declude.JunkMail] Content Rules plus/vs. Sniffer?

2004-06-18 Thread Markus Gufler

Maybe Pete can provide some tips what would be good combinations.

Like IP4R + SNIFFER = good because SNIFFER makes no DNS lookups
But not FILTERX + SNIFFER because SNIFFER checks for this already.

Markus



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Weight Ranges

2004-06-18 Thread R. Scott Perry

> How much extra processing to an e-mail does adding a bunch of weight
> range statements like:
> WEIGHT1019  weightrange x x 10 19
> WEIGHT2029  weightrange x x 20 29
> WEIGHT3034  weightrange x x 30 34
> WEIGHT3539  weightrange x x 35 39
> I really just want these just to report on from the logs rather than
> take action on them during e-mail processing. My guess is that it should
> not take too much CPU.

You are correct; the weightrange tests use only a negligible amount of CPU
time.

> Also if I do not want these tests to show up in the %TESTSFAILED%
> variable then would I add
> HIDETESTS WEIGHT1019 WEIGHT2029..
> And would I need to put in the $default$.junkmail file
> WEIGHT1019 LOG

Correct.  Note that you could simply not include the WEIGHT1019 line in the
$default$.JunkMail file, which would have the same effect.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Weight Ranges

2004-06-18 Thread Goran Jovanovic
>> Also if I do not want these tests to show up in the %TESTSFAILED%
>> variable then would I add
>>
>> HIDETESTS WEIGHT1019 WEIGHT2029..
>>
>> And would I need to put in the $default$.junkmail file
>>
>> WEIGHT1019 LOG
>
> Correct.  Note that you could simply not include the WEIGHT1019 line in
> the $default$.JunkMail file, which would have the same effect.
 

Personally I like to have it written down in the .junkmail file so that
there is no confusion about the test and if it is being employed etc.
The KISS principle.

Thanx
GOran



Re: [Declude.JunkMail] TESTSFAILED END Question

2004-06-18 Thread Scott Fisher
Correct format. It should show up at high level logs.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 06/17/04 05:12PM 
I saw this post below and wanted to implement the TESTSFAILED to exit out 
of one of my body filters based on if another test was already triggered. 

Is the below line correct (assuming REVERSEDNSFILTER is one of my filters 
that occurs before the filter I put the below line in)? 

TESTSFAILED END CONTAINS REVERSEDNSFILTER 

[2] When that line is matched does it show in the logs? 

Darrell 

 -
Check out http://www.invariantsystems.com for utilities for Declude and 
Imail. 

 

Scott Fisher writes: 

 I haven't found any easy way to tell. The information is in the logs at high level. 
 
 But I can chime in that SKIPIFWEIGHT bypasses about 80% of my e-mail that is 
 obviously spam. TESTSFAILED ENDS for friendly domains/revdns drop off about 8% of 
 e-mail that is most likely not spam, leaving about 12% of the e-mail that I run body 
 filters on. 
 
  
 
 Scott Fisher
 Director of IT
 Farm Progress Companies 
 
 [EMAIL PROTECTED] 06/17/04 12:03PM 
 Matt- 
 
 My body filters only catch about 4% of messages, but I don't know how often
 they are run.  Is there a convenient way to tell? 
 
 -d 
 
 - Original Message - 
 From: Matt [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, June 17, 2004 12:40 PM
 Subject: Re: [Declude.JunkMail] Declude and attachments 
 
 
 Scott, 

 I've got a lot more BODY filters than Dave has, though I don't feel that
 they are excessive.  I probably have about 1,500 BODY searches, but with
 SKIPIFWEIGHT they only run about 25% of the time. 

 If Dave is using Declude Virus, I would also look there for the issue.
 Anything besides F-Prot and ClamAV in daemon mode will chug a server on
 a large attachment and it will use up far more processing than Declude
 JunkMail, but it will keep the Declude instance alive for longer.  On
 about 65,000 messages a day currently, we generally see from 2 to 10
 Declude processes running at one time with both F-Prot and AVG enabled
 (much less with just F-Prot).  Disabling AVG results in our average
 processor utilization dropping by 1/3 to 1/2 on heavy load hours. 

 Matt 

 

 R. Scott Perry wrote: 

 
  One instance of Declude, then two, then three, all in the 25%+ range.
  As soon as it dropped to two Decludes, Queue Manager came right in at
  30-40%, then the cycles dropped as QueueManager dropped down.
 
 
  It does sound like it is the large files that are causing the problem.
 
  One option would be to temporarily disable the BODY filter with the
  200 lines in it, to see if that prevents the problem with the high CPU
  usage in Declude JunkMail.  That could indeed be causing the problem.
 
  The other would be to use the debug mode (LOGLEVEL DEBUG in the
  \IMail\Declude\global.cfg file) and waiting for one of these files to
  be sent.  We can look at the debug log file entries to get a better
  idea of where the high CPU usage is occurring.
 
 -Scott
  

 -- 
 =
 MailPure custom filters for Declude JunkMail Pro.
 http://www.mailpure.com/software/ 
 = 



[Declude.JunkMail] Error allowed message through

2004-06-18 Thread Rick Davidson
What happened here? This message failed miserably and was still delivered to
the user. I hold at 30; this weighed in at 81. It says last action IGNORE, but
I don't have any ignore lines in my junkmail file.


06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 Msg failed WEIGHT30 (Weight of 81 reaches or exceeds the limit of 30.). Action=ROUTETO.
06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 L1 Message OK
06/18/2004 09:39:31 Qf08d0038022e15b0 Subject: snipped
06/18/2004 09:39:31 Qf08d0038022e15b0 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 221.124.183.82 ID: mz199JIWbN93D0AF
06/18/2004 09:39:31 Qf08d0038022e15b0 Tests failed [weight=81]: SORBS-HTTP=WARN SORBS-SOCKS=WARN SORBS-MISC=WARN SORBS-SPAM=IGNORE SPAMCOP=WARN SXBL=WARN HELOBOGUS=WARN REVDNS=WARN IPNOTINMX=WARN GRABBER=ROUTETO WEIGHT30=ROUTETO
06/18/2004 09:39:31 Qf08d0038022e15b0 Last action = IGNORE.
06/18/2004 09:39:31 Qf08d0038022e15b0 WARNING: Could not unlock D:\IMail\spool\_f08d0038022e15b0.~MD; it has been deleted.


version 1.79i6

Ideas?


Rick Davidson
National Systems Manager
North American Title Group
-
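
A log check for the symptom in the excerpt above, added here as an example (it is not part of the original post and is not Declude's own code): it groups log entries by queue ID and reports messages where a failed test asked for ROUTETO, HOLD or DELETE but the logged last action was something else. The sample log is constructed from the post's lines plus one invented message; treating those three actions as the diverting ones, and one log entry per line, are assumptions.

```python
import re
from collections import defaultdict

# Assumption: these are the actions that keep a message out of the inbox.
DIVERTING = {"ROUTETO", "HOLD", "DELETE"}

# Constructed sample. The first message mirrors the excerpt in the post
# (subject and addresses left out); the second is an invented clean message.
SAMPLE_LOG = r"""
06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 Msg failed WEIGHT30 (Weight of 81 reaches or exceeds the limit of 30.). Action=ROUTETO.
06/18/2004 09:39:31 Qf08d0038022e15b0 ERROR: Could not open recip file D:\IMail\spool\_f08d0038022e15b0.~MD [2]
06/18/2004 09:39:31 Qf08d0038022e15b0 L1 Message OK
06/18/2004 09:39:31 Qf08d0038022e15b0 Tests failed [weight=81]: SORBS-HTTP=WARN SORBS-SPAM=IGNORE SPAMCOP=WARN REVDNS=WARN GRABBER=ROUTETO WEIGHT30=ROUTETO
06/18/2004 09:39:31 Qf08d0038022e15b0 Last action = IGNORE.
06/18/2004 09:39:31 Qf08d0038022e15b0 WARNING: Could not unlock D:\IMail\spool\_f08d0038022e15b0.~MD; it has been deleted.
06/18/2004 09:40:02 Qaaaa0000bbbb1111 Tests failed [weight=4]: REVDNS=WARN
06/18/2004 09:40:02 Qaaaa0000bbbb1111 Last action = WARN.
"""

ENTRY = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (Q[0-9a-f]+) (.*)$")
TESTS = re.compile(r"^Tests failed \[weight=(-?\d+)\]:\s*(.*)$")
LAST = re.compile(r"^Last action = (\w+)")


def parse(log_text):
    """Group log entries by queue ID (the Q... token after the timestamp)."""
    msgs = defaultdict(lambda: {"weight": None, "tests": {},
                                "last_action": None, "errors": []})
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank line or a wrapped fragment
        qid, text = m.groups()
        rec = msgs[qid]
        tests = TESTS.match(text)
        last = LAST.match(text)
        if tests:
            rec["weight"] = int(tests.group(1))
            for pair in tests.group(2).split():
                name, _, action = pair.partition("=")
                rec["tests"][name] = action
        elif last:
            rec["last_action"] = last.group(1)
        elif text.startswith(("ERROR:", "WARNING:")):
            rec["errors"].append(text)
    return dict(msgs)


def audit(log_text):
    """Return messages whose last action did not honour a diverting action."""
    findings = []
    for qid, rec in parse(log_text).items():
        wanted = sorted({a for a in rec["tests"].values() if a in DIVERTING})
        if wanted and rec["last_action"] not in DIVERTING:
            findings.append({"qid": qid, "weight": rec["weight"],
                             "wanted": wanted,
                             "last_action": rec["last_action"],
                             "errors": rec["errors"]})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Each finding carries the ERROR and WARNING entries logged for the same queue ID, which is where the "Could not open recip file" lines from the excerpt end up.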



Re: [Declude.JunkMail] IP4R DNS lookup

2004-06-18 Thread Scott Fisher
I posted my May Ip4R results at this link if you want to compare percents.
http://www.mail-archive.com/[EMAIL PROTECTED]/msg19089.html 

I don't fail on any specific tests, although some are at 90% of my tag weight.

Like Andy I also group tests too.
I have a DUL-Combo that consists of 4 DUL tests.
I have a proxy-combo that has numerous proxy and relay tests.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 06/17/04 03:57PM 
I was wondering how reliable the ip4r lookups are.  There seems to be a
lot of SPAM that is only failing one of the ip4r tests (SORBS, SBL, AHBL,
etc) and no more of the tests, hence delivering the SPAM.  Is it safe to
increase the weight of all these tests to my deletion weight in order to
stop them from being delivered or are there some false positives that
may be caught?

 
Isaias Hernandez
TC Online Internet Support
979-775-6239
[EMAIL PROTECTED] 




[Declude.JunkMail] Grouping Syntax

2004-06-18 Thread Andy Schmidt
Hi Scott:

Just thinking out loud. I currently use filters to group multiple test
results. It works fine - but it's not very intuitive to your new customers.
I also don't like maintaining external files where it doesn't offer any
other benefits.

How about the following GROUP...GROUPEND syntax in Global.cfg:

OPENRELAY   GROUP   OR  *   5   0

SORBS-SMTP   ip4r   dnsbl.sorbs.net 127.0.0.5   0   0
AHBLRELAYS   ip4r   dnsbl.ahbl.org  127.0.0.2   0   0
NJABLRELAYS  ip4r   qwdnsbl.njabl.org   127.0.0.2   0   0
DSBLSINGLE   ip4r   list.dsbl.org   *   0   0
ORDB ip4r   relays.ordb.org *   0   0
KUNDENSERVER ip4r   relays.bl.kundenserver.de 127.0.0.2 0   0

*   GROUPEND

By definition, each test could only be part of one group.
Nested grouping would not be supported.
One could define either OR or AND condition for the group.


This may be a simple way to address some of the frequent requests to
combine tests with AND and OR without having to introduce a complete
scripting language.


Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 17, 2004 05:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] IP4R DNS lookup


Hi,

I have used filters to summarize categories of ip4r and other tests.

All the open relay tests will fail ONE filter.  So whether one or 4
black-lists say it's an open relay - it will only get ONE weight.

All the DUL/DUHL will fail ONE filter. So, whether a dial-up or dynamic port
is listed in one or many black-lists - it will only get ONE weight.

This technique allowed me to check against MORE blacklists AND define a
higher weight for each class of blacklist.  I don't have to fear that just
because a dial-up port is widely known it will suddenly fail JUST on that.

Best Regards
Andy
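
The grouping idea above, worked through as an added example (not part of the original post, and not an existing Declude feature): a parser for the proposed GROUP...GROUPEND block that enforces the two stated rules (one group per test, no nesting) and scores a message so that a group contributes its weight once. The column meaning, the function names and the SPAMCOP weight are assumptions; the config is constructed from the post's lines.

```python
# Constructed config in the syntax proposed in the post. Column meaning
# (name, type, two parameters, weight if failed, weight if passed) is an
# assumption read off the post's lines; SPAMCOP's weight of 7 is invented.
PROPOSED_CFG = """\
OPENRELAY    GROUP  OR  *  5  0
SORBS-SMTP   ip4r   dnsbl.sorbs.net  127.0.0.5  0  0
AHBLRELAYS   ip4r   dnsbl.ahbl.org   127.0.0.2  0  0
DSBLSINGLE   ip4r   list.dsbl.org    *          0  0
ORDB         ip4r   relays.ordb.org  *          0  0
*            GROUPEND
SPAMCOP      ip4r   bl.spamcop.net   127.0.0.2  7  0
"""


def parse_config(text):
    """Return (groups, tests); reject nesting and duplicate membership."""
    groups, tests, current = {}, {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        cols = line.split()
        if not cols or cols[0].startswith("#"):
            continue
        if len(cols) >= 2 and cols[1].upper() == "GROUPEND":
            if current is None:
                raise ValueError(f"line {lineno}: GROUPEND without GROUP")
            current = None
        elif len(cols) == 6 and cols[1].upper() == "GROUP":
            if current is not None:
                raise ValueError(f"line {lineno}: nested GROUP")
            name, op = cols[0], cols[2].upper()
            if op not in ("OR", "AND"):
                raise ValueError(f"line {lineno}: condition must be OR or AND")
            if name in groups or name in tests:
                raise ValueError(f"line {lineno}: {name} already defined")
            groups[name] = {"op": op, "weight": int(cols[4]), "members": []}
            current = name
        elif len(cols) == 6:
            name = cols[0]
            if name in tests or name in groups:
                # A second definition would put the test in two groups.
                raise ValueError(f"line {lineno}: {name} already defined")
            tests[name] = int(cols[4])
            if current is not None:
                groups[current]["members"].append(name)
        else:
            raise ValueError(f"line {lineno}: malformed line")
    if current is not None:
        raise ValueError("GROUP without GROUPEND")
    return groups, tests


def score(groups, tests, failed):
    """Weight for a message, given the set of test names it failed."""
    total = sum(tests[name] for name in failed if name in tests)
    fired = []
    for name, group in groups.items():
        hits = [member in failed for member in group["members"]]
        if group["op"] == "OR":
            matched = any(hits)
        else:
            matched = bool(hits) and all(hits)
        if matched:
            total += group["weight"]  # counted once per group
            fired.append(name)
    return total, sorted(fired)


def stacked_score(groups, failed):
    """What the same hits would weigh if every member carried the weight."""
    return sum(g["weight"] for g in groups.values()
               for member in g["members"] if member in failed)


if __name__ == "__main__":
    groups, tests = parse_config(PROPOSED_CFG)
    hits = {"SORBS-SMTP", "AHBLRELAYS", "ORDB"}
    print(score(groups, tests, hits), stacked_score(groups, hits))
```

With three open-relay lists hitting, the grouped score stays at 5 where individually weighted tests would add up to 15.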



[Declude.JunkMail] Transfering the Relay IP address list.

2004-06-18 Thread Joshua Hughes

We have relay setup for a list of class c ip addresses. We
are in the process of moving imail to a different machine. This is fairly large
list. Where is this list stored (file/registry) and is it transferable to the
other machine without retyping the entire list?

Thank you,
Joshua
Sunline Team
(941)206-7870
(888)512-6100

http://www.sunline.net/


Re: [Declude.JunkMail] Grouping Syntax

2004-06-18 Thread Darin Cox
I would love it, but really it's a major change.  I requested a feature like
this about a month ago.

Darin.


- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 10:50 AM
Subject: [Declude.JunkMail] Grouping Syntax


Hi Scott:

Just thinking out loud. I currently use filters to group multiple test
results. It works fine - but it's not very intuitive to your new customers.
I also don't like maintaining external files where it doesn't offer any
other benefits.

How about the following GROUP...GROUPEND syntax in Global.cfg:

OPENRELAY GROUP OR * 5 0

SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 0 0
AHBLRELAYS ip4r dnsbl.ahbl.org 127.0.0.2 0 0
NJABLRELAYS ip4r qwdnsbl.njabl.org 127.0.0.2 0 0
DSBLSINGLE ip4r list.dsbl.org * 0 0
ORDB ip4r relays.ordb.org * 0 0
KUNDENSERVER ip4r relays.bl.kundenserver.de 127.0.0.2 0 0

* GROUPEND

By definition, each test could only be part of one group.
Nested grouping would not be supported.
One could define either OR or AND condition for the group.


This may be a simple way to address some of the frequent requests to
combine tests with AND and OR without having to introduce a complete
scripting language.


Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: Andy Schmidt [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 05:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] IP4R DNS lookup


Hi,

I have used filters to summarize categories of ip4r and other tests.

All the open relay tests will fail ONE filter.  So whether one or 4
black-lists say it's an open relay - it will only get ONE weight.

All the DUL/DUHL will fail ONE filter. So, whether a dial-up or dynamic port
is listed in one or many black-lists - it will only get ONE weight.

This technique allowed me to check against MORE blacklists AND define a
higher weight for each class of blacklist.  I don't have to fear that just
because a dial-up port is widely known it will suddenly fail JUST on that.

Best Regards
Andy



Re: [Declude.JunkMail] Transfering the Relay IP address list.

2004-06-18 Thread R. Scott Perry

> We have relay setup for a list of class c ip addresses. We are in the
> process of moving imail to a different machine. This is fairly large list.
> Where is this list stored (file/registry) and is it transferable to the
> other machine without retyping the entire list?

It's in the \IMail\smtpd32.loc file.  You should just be able to copy that
file over to the new machine, without any problems.

   -Scott


[Declude.JunkMail] Routing Questions

2004-06-18 Thread Jay Calvert
Received: from SMTP32-FWD by myserver.mydomain.com
Received: from 82-44-97-74.cable.ubr05.croy.blueyonder.co.uk [82.44.97.74]
by myserver.mydomain.com
 (SMTPD32-8.12) id A2FC109014A; Thu, 17 Jun 2004 03:31:24 -0700
X-Message-Info: M910kloPMXge5x274W205+aumRB668UNfe
Received: from mail98522.juzoq.overture.com ([151.226.174.214]) by
hg94-we19.overture.com with Microsoft SMTPSVC(5.0.2195.6824);
  Thu, 17 Jun 2004 01:35:20 +0200
Received: from DT3 (iwa243.204.198.160.noc80.ndq.icq.com [244.232.20.84])
 by mail31.gt.icq.com (530.27.92dkj5/8.71.59) with SMTP id
qbn6FLD934Xwzm5432;
 Thu, 17 Jun 2004 04:36:20 +0500
Message-ID: [EMAIL PROTECTED]
From: Jennifer Dennis [EMAIL PROTECTED]
To: Dbaron [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
Subject: all direct octal dissuade keno
Date: Wed, 16 Jun 2004 16:33:20 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=--518179476306625
X-RBL-Warning: SORBS-DUHL: Dynamic IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=82.44.97.74; [2-15-7800]
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command . [2-23-b800]
X-Declude-Sender: [EMAIL PROTECTED] [82.44.97.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: SORBS-DUHL, CMDSPACE [8]
X-Note: This E-mail was sent from
82-44-97-74.cable.ubr05.croy.blueyonder.co.uk ([82.44.97.74]).
X-RBL-Warning: SORBS-DUHL: Dynamic IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=82.44.97.74; [2-15-7800]
X-Declude-Sender: [EMAIL PROTECTED] [82.44.97.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: SORBS-DUHL [-1]
X-Note: This E-mail was sent from
82-44-97-74.cable.ubr05.croy.blueyonder.co.uk ([82.44.97.74]).
Status: U
X-UIDL: 375168223


What happens in this case where the email is routed through several servers
to get to my user?  Does Declude check all the paths or just the last one
that it received it from?  It appears that Declude would know about the other
routes because they are mentioned in the headers.




[Declude.JunkMail] Virus Scanners Missing Viruses.

2004-06-18 Thread Kornitz, David
I have the following config for Virus Scanning:
 
#McAfee Command Line
SCANFILE1  Z:\IMail\NAI\SCAN.EXE /ALL /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt
VIRUSCODE1  13
REPORT1  Found
#CAI v7
SCANFILE2  e:\Progra~1\CA\sHARED~1\ScanEn~1\inocmd32.exe -ARC -VER -LIS:report.txt -ENG VET
VIRUSCODE2 100
VIRUSCODE2 101
REPORT2  infected by virus:
#CAI v7
SCANFILE3   e:\Progra~1\CA\sHARED~1\ScanEn~1\inocmd32.exe -ARC -VER -LIS:report.txt
VIRUSCODE3 100
VIRUSCODE3 101
REPORT3  infected by virus:

For some reason, even though the definitions are current and each of them reports that 
they are able to detect the virus, they are all missing ZAFI.B virus.  They are 
successfully catching the Netsky variants.
 
Anyone have any ideas?


Re: [Declude.JunkMail] Virus Scanners Missing Viruses.

2004-06-18 Thread R. Scott Perry

> For some reason, even though the definitions are current and each of them
> reports that they are able to detect the virus, they are all missing
> ZAFI.B virus.  They are successfully catching the Netsky variants.

What does the Declude Virus log file say?  What version of Declude Virus
are you running?

   -Scott


Re: [Declude.JunkMail] What's wrong with this header?

2004-06-18 Thread R. Scott Perry

> Normally, we expect that all the clients we host on our own mail server
> would get very low spam weights.  However, I just received a message from a
> client with a weight of 7.  I'm trying to understand why the high weight.
> Here is the message header:
> Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP
>   (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700
> X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7]

This E-mail failed 2 tests: CMDSPACE and REVDNS.  It failed the REVDNS test
because it was sent from an IP with no reverse DNS entry.  That can usually
be fixed quite easily.

The CMDSPACE test, though, is an odd test -- it is very rare for a
legitimate E-mail from another mailserver to fail the test (less than 1 in
1,000), but it is very common for E-mail from mail clients to fail that
test.  As a result, it may be worth whitelisting your own users (if you use
IMail v8, you can do this with a line WHITELIST AUTH in the
\IMail\Declude\global.cfg file if your users authenticate, and you are
running the latest beta of Declude JunkMail).

   -Scott


Re: [Declude.JunkMail] Routing Questions

2004-06-18 Thread R. Scott Perry

> Received: from 82-44-97-74.cable.ubr05.croy.blueyonder.co.uk [82.44.97.74]
> by myserver.mydomain.com
>  (SMTPD32-8.12) id A2FC109014A; Thu, 17 Jun 2004 03:31:24 -0700
> X-Message-Info: M910kloPMXge5x274W205+aumRB668UNfe
> Received: from mail98522.juzoq.overture.com ([151.226.174.214]) by
> hg94-we19.overture.com with Microsoft SMTPSVC(5.0.2195.6824);
>   Thu, 17 Jun 2004 01:35:20 +0200
> ...
> What happens in this case where the email is routed through several servers
> to get to my user?  Does Declude check all the paths or just the last one
> that it received it from?  It appears that Declude would know about the other
> routes because they are mentioned in the headers.

That depends on how you have Declude JunkMail set up.  By default, Declude
JunkMail will only scan the IP that connected to you (which is what most
people historically have done with anti-spam software).  However, Declude
JunkMail is very flexible; you can have it bypass gateways/backups of
yours, and you have it scan multiple hops if you want to.  Normally this is
only necessary if either you have gateways/backups, or if you have people
forwarding E-mail from another address that does not scan the E-mail for spam.

   -Scott
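
The hop question above, made concrete in an added example (not from the original thread, and not how Declude is implemented): it walks the Received headers from the question, marks the hops recorded by your own server as trusted and everything below them as claims made by the sending side, and flags hop addresses that are not globally routable. The `own_hosts` parameter and the function names are hypothetical; the sample headers are the post's, refolded.

```python
import ipaddress
import re

# Headers from the post, with continuation lines refolded (constructed).
SAMPLE_HEADERS = """\
Received: from SMTP32-FWD by myserver.mydomain.com
Received: from 82-44-97-74.cable.ubr05.croy.blueyonder.co.uk [82.44.97.74]
 by myserver.mydomain.com
 (SMTPD32-8.12) id A2FC109014A; Thu, 17 Jun 2004 03:31:24 -0700
X-Message-Info: M910kloPMXge5x274W205+aumRB668UNfe
Received: from mail98522.juzoq.overture.com ([151.226.174.214]) by
 hg94-we19.overture.com with Microsoft SMTPSVC(5.0.2195.6824);
 Thu, 17 Jun 2004 01:35:20 +0200
Received: from DT3 (iwa243.204.198.160.noc80.ndq.icq.com [244.232.20.84])
 by mail31.gt.icq.com (530.27.92dkj5/8.71.59) with SMTP id
 qbn6FLD934Xwzm5432;
 Thu, 17 Jun 2004 04:36:20 +0500
Subject: all direct octal dissuade keno
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def unfold(raw):
    """Join folded continuation lines; stop at the end of the header block."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.strip())
    return headers


def received_hops(raw, own_hosts):
    """List hops newest first; 'trusted' ends at the first foreign 'by' host."""
    own = {h.lower() for h in own_hosts}
    hops, chain_intact = [], True
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        by = BY_RE.search(header)
        ip = IP_RE.search(header)
        by_host = by.group(1).lower() if by else None
        chain_intact = chain_intact and by_host in own
        try:
            addr = ipaddress.ip_address(ip.group(1)) if ip else None
        except ValueError:
            addr = None  # bracketed text that is not a valid address
        hops.append({
            "ip": str(addr) if addr else None,
            "by": by_host,
            "trusted": chain_intact,
            "routable": addr.is_global if addr else None,
        })
    return hops


def connecting_ip(hops):
    """The address your own server saw: the deepest trusted hop with an IP."""
    trusted = [h["ip"] for h in hops if h["trusted"] and h["ip"]]
    return trusted[-1] if trusted else None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS, ["myserver.mydomain.com"]):
        print(hop)
```

In the post's headers the oldest hop claims 244.232.20.84, which falls in reserved address space, so a blacklist lookup against it says nothing about the real sender.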


[Declude.JunkMail] What's wrong with this header?

2004-06-18 Thread Imail Admin
Normally, we expect that all the clients we host on our own mail server
would get very low spam weights.  However, I just received a message from a
client with a weight of 7.  I'm trying to understand why the high weight.
Here is the message header:

Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP
  (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700
Message-ID: [EMAIL PROTECTED]
From: Steve [EMAIL PROTECTED]
To: Dr Ben Bednarz [EMAIL PROTECTED]
Subject: SPAM [7]Fw: SPAM [13]ngate antelope.ppt
Date: Thu, 17 Jun 2004 14:34:47 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary==_NextPart_000_00BE_01C45478.3D874360
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.75.194.49 with
no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [65.75.194.49]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7]
X-Note: This E-mail was sent from [No Reverse DNS] ([65.75.194.49]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 387407616

Any thoughts?

Ben Bednarz
BC Web



Re: [Declude.JunkMail] What's wrong with this header?

2004-06-18 Thread Imail Admin
We're still running Imail 7.15 -- I have yet to see any value in upgrading
to 8.x -- so is there an easy way to do the whitelisting of local accounts
for IMail 7.x?

Also, what would you think about lowering the weight for CMDSPACE from 8 to
4?

Ben

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 9:48 AM
Subject: Re: [Declude.JunkMail] What's wrong with this header?



>> Normally, we expect that all the clients we host on our own mail server
>> would get very low spam weights.  However, I just received a message from a
>> client with a weight of 7.  I'm trying to understand why the high weight.
>> Here is the message header:
>>
>> Received: from slaptop [65.75.194.49] by paulsoncommodities.com with ESMTP
>>   (SMTPD32-7.15) id AF04C681014A; Thu, 17 Jun 2004 14:37:08 -0700
>> X-Spam-Tests-Failed: CMDSPACE, REVDNS, WEIGHT5, WEIGHT5r [7]
>
> This E-mail failed 2 tests: CMDSPACE and REVDNS.  It failed the REVDNS test
> because it was sent from an IP with no reverse DNS entry.  That can usually
> be fixed quite easily.
>
> The CMDSPACE test, though, is an odd test -- it is very rare for a
> legitimate E-mail from another mailserver to fail the test (less than 1 in
> 1,000), but it is very common for E-mail from mail clients to fail that
> test.  As a result, it may be worth whitelisting your own users (if you use
> IMail v8, you can do this with a line WHITELIST AUTH in the
> \IMail\Declude\global.cfg file if your users authenticate, and you are
> running the latest beta of Declude JunkMail).
>
> -Scott


[Declude.JunkMail] ROUTETO and SUBJECT Line Marking

2004-06-18 Thread Goran Jovanovic
Scott,

I think you are going to tell me that I cannot do this but I am going to
ask anyway.

I have a client who wants me to send all SPAM to a specific e-mail
address (gateway scenario) so no problem WEIGHT10 ROUTETO
[EMAIL PROTECTED] but it appears that I cannot do an ATTACH nor can I mark
the subject line. I really need a way to put something in the subject
line. I do the following with the spamattach.eml file

***[SPAM]***[21]***Wild Saturday SuperBonus: Get 2 FREE Cameras  Save 77%

A static marker and the weight. Do I have any options for this? Can I
use a unique spamattach.eml file per domain? Anything?

Thanx


 
 Goran Jovanovic
 The LAN Shoppe
