RE: [Declude.JunkMail] bannotify.eml
> Is there a line I can add to not send this email message that fail EZIP?

Why would you not want to notify your users that a legit e-mail that contained an encrypted zip file was caught and held? I know I have a client in the health care industry that always sends documents as encrypted zip files for HIPAA. Most of the time, when I see the postmaster copy of the message, I review and requeue for them.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

RE: [Declude.JunkMail] CORRUPTEDVIRUS v1.0.0
> Due to the very low hit rate, the possibility of somewhat random false positives without additional exceptions which in turn would limit the hit rate even further, I believe that this filter isn't worth the processing and I'm going to retire it. For the good catches that it made, I feel that these are best targeted with more specific filters such as ANTI-AV.

As always, we appreciate your efforts and work.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

Re: [Declude.JunkMail] bannotify.eml
> Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can add a line SKIPIFEXT EZIP to the bannotify.eml file.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

RE: [Declude.JunkMail] Tagging a mail if its weighted as spam
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: 21 July 2004 13:00
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Tagging a mail if its weighted as spam

> > I know it's possible to do this in subject line but I wonder if it's possible to add a line or two in the start of the mail, with a link to a FAQ of why it's marked as spam.
>
> Yes -- you can use the HEADER action to do that. For example:
>
> WEIGHT10 HEADER [This E-mail is likely to be spam; see http://www.example.com/spam for details]

so this

WEIGHT10 SUBJECT [Spam]
WEIGHT10 HEADER [This E-mail is likely to be spam; see http://www.example.com/spam for details]

will put a subject line and a header?

RE: [Declude.JunkMail] How can I rescan a message ?
> > I have a message that was held as spam a couple days ago and I want to switch to logging mode to determine what in the words filter it matched, and what the badheaders code was (didn't have warn for badheaders on this domain). How can I run this message through Declude again? Without having the message resent.
>
> When a message is received Declude checks to see if there are any messages in the overflow directory. If there is a message in the overflow directory and you have not met the max processes setting Declude will spawn additional instances to process the messages in the overflow queue. Here is a better explanation on why and how. http://www.declude.com/Articles.asp?ID=130

The original poster wanted to know how to get a message rescanned by Declude (Virus and JunkMail). I just took an Eicar virus message and performed the following experiments:

1) Move the Q*.SMD and D*.SMD file to the spool directory. Result: Message delivered to my Inbox.
2) Move the Q*.SMD to overflow and the D*.SMD file to the spool directory. Result: Message delivered to my Inbox (faster).

I expected case 2 to be scanned by Declude Virus and quarantined again. I'm assuming that it wasn't scanned by Declude JunkMail either (this is a harder experiment for me to perform. I need to hold some spam for testing).

So I think the original question is still unanswered... How do you get a message rescanned by Declude Virus and/or Declude JunkMail?

Regards,
Brad Morgan
IT Manager
Horizon Interactive Inc.

RE: [Declude.JunkMail] How can I rescan a message ?
> The original poster wanted to know how to get a message rescanned by Declude (Virus and JunkMail). I just took an Eicar virus message and performed the following experiments:
>
> 1) Move the Q*.SMD and D*.SMD file to the spool directory. Result: Message delivered to my Inbox.
> 2) Move the Q*.SMD to overflow and the D*.SMD file to the spool directory. Result: Message delivered to my Inbox (faster).
>
> I expected case 2 to be scanned by Declude Virus and quarantined again. I'm assuming that it wasn't scanned by Declude JunkMail either (this is a harder experiment for me to perform. I need to hold some spam for testing).
>
> So I think the original question is still unanswered... How do you get a message rescanned by Declude Virus and/or Declude JunkMail?
>
> Regards,
> Brad Morgan
> IT Manager
> Horizon Interactive Inc.

To answer my own question... I held some spam so I could perform experiment 2 with a spam message instead of a virus message and it was rescanned by Declude JunkMail after the Q*.SMD file was placed in the spool\overflow directory. I examined both the dec0722.log and the vir0722.log and it does appear that the message was also rescanned by Declude Virus.

Now to figure out why the Eicar Virus wasn't found the first time I ran this experiment.

Regards,
Brad

[Declude.JunkMail] Message header review
Can someone help me with the header of this message. I think this came from earthlink.net mail server. According to earthlink abuse they can't do anything about this type of spam since it did not originate from their network. We get porn spam from this segment all the time.

Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by deepspace.i360.net with ESMTP (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102]) by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34) id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
Message-ID: [EMAIL PROTECTED]
Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" [EMAIL PROTECTED]
From: "=?windows-1251?B?Y2FtZWxsaWE=?=" [EMAIL PROTECTED]
Subject: SPAM: =?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
Date: Thu, 22 Jul 2004 00:56:07 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-ELNK-Trace: 006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 68.235.252.102
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.149]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net ([207.217.120.149]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 384479918

RE: [Declude.JunkMail] How can I rescan a message ?
> > I just took an Eicar virus message and performed the following experiments:
> >
> > 1) Move the Q*.SMD and D*.SMD file to the spool directory. Result: Message delivered to my Inbox.
> > 2) Move the Q*.SMD to overflow and the D*.SMD file to the spool directory. Result: Message delivered to my Inbox (faster).
> >
> > I expected case 2 to be scanned by Declude Virus and quarantined again. I'm assuming that it wasn't scanned by Declude JunkMail either (this is a harder experiment for me to perform. I need to hold some spam for testing).
> >
> > So I think the original question is still unanswered... How do you get a message rescanned by Declude Virus and/or Declude JunkMail?
> >
> > Regards,
> > Brad Morgan
> > IT Manager
> > Horizon Interactive Inc.
>
> To answer my own question... I held some spam so I could perform experiment 2 with a spam message instead of a virus message and it was rescanned by Declude JunkMail after the Q*.SMD file was placed in the spool\overflow directory. I examined both the dec0722.log and the vir0722.log and it does appear that the message was also rescanned by Declude Virus.
>
> Now to figure out why the Eicar Virus wasn't found the first time I ran this experiment.
>
> Regards,
> Brad

So I ran the experiment again but this time I removed the headers in the D*.SMD file inserted by Declude the first time around. It worked! Declude Virus found the virus again! So ignore everything I've said in this thread <G>, it works as advertised.

Regards,
Brad

Re: [Declude.JunkMail] bannotify.eml
Scott,

This is still the 1.79i8 interim that is listed on your site and it's not the one that handles the SKIPIFEXT exception.

Matt

R. Scott Perry wrote:

> > Is there a line I can add to not send this email message that fail EZIP?
>
> With the latest interim (http://www.declude.com/version/interim), you can add a line SKIPIFEXT EZIP to the bannotify.eml file.
>
> -Scott

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================

RE: [Declude.JunkMail] bannotify.eml
If we want to block all zips, but we want to only send an 'attachment blocked' message if the zip is an EZIP, can this be accomplished with SKIPIFEXT EZIP?

Problem seems to be that if you have BANEXT ZIP and BANEXT EZIP, Declude still only sees them as zip and not EZIP, and flags them as such and therefore never skips the EZIP because it does not see it as an EZIP, just as a ZIP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, July 22, 2004 3:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] bannotify.eml

> Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can add a line SKIPIFEXT EZIP to the bannotify.eml file.

-Scott

[Declude.JunkMail] Copy To
I would like to monitor both incoming and outgoing mail from 1 particular e-mail address on my domain. What would be the easiest/simplest way of doing it without the person's knowledge.

Jeff Kratka
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

RE: [Declude.JunkMail] Copy To
Imail copyall account and Imail rules for that account deleting all but to and from that address.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Jeff Kratka
Sent: Thursday, July 22, 2004 11:30 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Copy To

I would like to monitor both incoming and outgoing mail from 1 particular e-mail address on my domain. What would be the easiest/simplest way of doing it without the person's knowledge.

Jeff Kratka
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

RE: [Declude.JunkMail] bannotify.eml
Correction: Should read

If we want to block all zips, but we want to NOT send an 'attachment blocked' message if the zip is an EZIP, can this be accomplished with SKIPIFEXT EZIP?

Sorry for the confusion.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Marchette
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] bannotify.eml

If we want to block all zips, but we want to only send an 'attachment blocked' message if the zip is an EZIP, can this be accomplished with SKIPIFEXT EZIP?

Problem seems to be that if you have BANEXT ZIP and BANEXT EZIP, Declude still only sees them as zip and not EZIP, and flags them as such and therefore never skips the EZIP because it does not see it as an EZIP, just as a ZIP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, July 22, 2004 3:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] bannotify.eml

> Is there a line I can add to not send this email message that fail EZIP?

With the latest interim (http://www.declude.com/version/interim), you can add a line SKIPIFEXT EZIP to the bannotify.eml file.

-Scott

Re: [Declude.JunkMail] Copy To
On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:

JK> I would like to monitor both incoming and outgoing mail from 1 particular
JK> e-mail address on my domain. What would be the easiest/simplest way of doing
JK> it without the person's knowledge.

Use the 'copy mail to' feature in IMail and then filter the contents. The feature will send all mail to that account, so be sure you have appropriate filtering in place before you go this route.

This should be the simplest way.

_M

Re: [Declude.JunkMail] Message header review
Earthlink has for some reason been forwarding spam through this server for some time. I'm not sure what the setup is, but it's a legitimate Earthlink server and the E-mail originates from a spam zombie.

I have thought about IPBYPASS'ing this server in order to capture the real source, but I have yet to confirm if this server is just used for forwarding or what the case may be. It could be that this is an open relay, a forwarding server, or a full fledged mail server. I am guessing the first.

Matt

i360 Support wrote:

> Can someone help me with the header of this message. I think this came from earthlink.net mail server. According to earthlink abuse they can't do anything about this type of spam since it did not originate from their network. We get porn spam from this segment all the time.

[Declude.JunkMail] Declude reporting wrong IP... why?
I've had a couple of reports that my messages were failing SPF. I sent a message to myself via a loop and am totally confused at the message header. The message was actually sent from my computer on private IP 192.168.1.177 to my IMail server at 216.229.87.4. For some reason Declude reports that I sent the message from 216.229.64.74. That IP is one of our IP's, but not at this location and the message never touched that subnet. Any ideas?

Top part of message header shows correct information:

Received: from source ([216.229.87.4]) by exprod6mx94.postini.com ([12.158.35.251]) with SMTP; Thu, 22 Jul 2004 16:09:56 CDT
Received: from office [192.168.1.177] by mail.csimo.com (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

Declude JunkMail reports wrong IP address in bottom section. This causes SPF fail:

X-Declude-Sender: [EMAIL PROTECTED] [216.229.64.74]
X-Note: This message was sent from 216-229-64-74-empty.fidnet.com ([216.229.64.74]).

-Joe

RE: [Declude.JunkMail] Message header review
> Earthlink has for some reason been forwarding spam through this server for some time. I'm not sure what the setup is, but it's a legitimate Earthlink server and the E-mail originates from a spam zombie.
>
> I have thought about IPBYPASS'ing this server in order to capture the real source, but I have yet to confirm if this server is just used for forwarding or what the case may be. It could be that this is an open relay, a forwarding server, or a full fledged mail server. I am guessing the first.
>
> Matt

Can't you use abuse.net's open relay test to determine if it's as simple as an open relay? I tried and it appears to not be an open relay, but I'm not an expert at these things so I may not understand what I'm doing.

Regards,
Brad

RE: [Declude.JunkMail] Tagging a mail if its weighted as spam
> so this
>
> WEIGHT10 SUBJECT [Spam]
> WEIGHT10 HEADER [This E-mail is likely to be spam; see http://www.example.com/spam for details]
>
> will put a subject line and a header?

No. You can't have multiple actions per test -- to do what you want, you would need to create a new test, such as WEIGHT10A, that is identical to the WEIGHT10 test (except for the name). Then you could have:

WEIGHT10 SUBJECT [Spam]
WEIGHT10A HEADER [This E-mail is likely to be spam; see http://www.example.com/spam for details]

and both actions will work together for E-mail that fails the WEIGHT10 test.

-Scott

Re: [Declude.JunkMail] bannotify.eml
> This is still the 1.79i8 interim that is listed on your site and it's not the one that handles the SKIPIFEXT exception.

Thanks for pointing this out -- I'll get that updated.

-Scott

RE: [Declude.JunkMail] bannotify.eml
> Correction: Should read
>
> If we want to block all zips, but we want to NOT send an 'attachment blocked' message if the zip is an EZIP, can this be accomplished with SKIPIFEXT EZIP?

Correct.

-Scott

Re: [Declude.JunkMail] Message header review
> Can someone help me with the header of this message. I think this came from earthlink.net mail server. According to earthlink abuse they can't do anything about this type of spam since it did not originate from their network. We get porn spam from this segment all the time.

You can always trust the IP address that IMail adds to the E-mail (which is normally the top one). In this case:

Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by deepspace.i360.net with ESMTP (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500

the IP is 207.217.120.149. Although it *looks* like it came from earthlink.net, you can't be sure from that header. But looking at the reverse DNS entry of that IP:

X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net ([207.217.120.149]).

shows that it did indeed come from an IP that claims to be an Earthlink IP. It is technically possible that a spammer could forge the reverse DNS entry, so you need to check that asmtp-a063f33.pas.sa.earthlink.net has an A record of 207.217.120.149, or you can check the IPWHOIS information for 207.217.120.149.

-Scott

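Added example, not part of the original thread: the checks described above (take the IP from the Received line your own server added, then confirm that its reverse DNS name has an A record pointing back to that IP), sketched in Python. The lookup functions are injectable and the DNS tables are constructed so the code runs offline; only the PTR name for 207.217.120.149 comes from the thread, and `check_top_hop` and the 192.0.2.10 entry are hypothetical.

```python
import re
import socket

# Received headers as quoted in the thread, most recent hop first.
SAMPLE_HEADERS = (
    "Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149]"
    " by deepspace.i360.net with ESMTP\r\n"
    "  (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500\r\n"
    "Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])\r\n"
    "\tby asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)\r\n"
    "\tid 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700\r\n"
    "X-Originating-IP: 68.235.252.102\r\n"
)

# Matches both "from name [ip]" (IMail) and "from name ([ip])" (Exim).
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]", re.I)


def received_hops(raw_headers):
    """Return [(claimed_name, ip), ...] for each Received header, top first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded lines
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            match = RECEIVED_RE.search(line)
            if match:
                hops.append((match.group("name"), match.group("ip")))
    return hops


def system_ptr(ip):
    """Live reverse lookup; returns [] when there is no PTR record."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []


def system_a(name):
    """Live forward lookup; returns [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def forward_confirmed(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """PTR names for ip whose A records point back to ip ([] = unconfirmed)."""
    return [name.rstrip(".").lower()
            for name in ptr_lookup(ip) if ip in a_lookup(name)]


def check_top_hop(raw_headers, domain, ptr_lookup=system_ptr, a_lookup=system_a):
    """Judge only the hop recorded by our own server (the top Received line)."""
    hops = received_hops(raw_headers)
    if not hops:
        return None
    claimed, ip = hops[0]
    confirmed = forward_confirmed(ip, ptr_lookup, a_lookup)
    suffix = "." + domain.lower().lstrip(".")
    return {"ip": ip, "claimed_name": claimed, "confirmed_names": confirmed,
            "belongs_to_domain": any(n.endswith(suffix) for n in confirmed)}


# Constructed DNS data (assumption): the A record below and the whole
# 192.0.2.10 entry are made up to show a matching and a forged PTR.
CONSTRUCTED_PTR = {
    "207.217.120.149": ["asmtp-a063f33.pas.sa.earthlink.net"],
    "192.0.2.10": ["forged-host.earthlink.net"],
}
CONSTRUCTED_A = {
    "asmtp-a063f33.pas.sa.earthlink.net": ["207.217.120.149"],
    "forged-host.earthlink.net": ["198.51.100.7"],  # does not point back
}


def constructed_ptr(ip):
    return CONSTRUCTED_PTR.get(ip, [])


def constructed_a(name):
    return CONSTRUCTED_A.get(name, [])


if __name__ == "__main__":
    print(check_top_hop(SAMPLE_HEADERS, "earthlink.net",
                        constructed_ptr, constructed_a))
    print(forward_confirmed("192.0.2.10", constructed_ptr, constructed_a))
```

Calling `check_top_hop` without the two lookup arguments uses the system resolver instead of the constructed tables.
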
Re: [Declude.JunkMail] Message header review
I have forwarded several spam emails to [EMAIL PROTECTED] but the only response I get back is that the email did not originate from their network. It's really annoying that they don't give a shit. I would have blocked them if it had not been for one of my clients needing email from that server (they have a client that hosts with earthlink).

Thanks to all for the responses.

Heimir

----- Original Message -----
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 4:07 PM
Subject: Re: [Declude.JunkMail] Message header review

Earthlink has for some reason been forwarding spam through this server for some time. I'm not sure what the setup is, but it's a legitimate Earthlink server and the E-mail originates from a spam zombie.

I have thought about IPBYPASS'ing this server in order to capture the real source, but I have yet to confirm if this server is just used for forwarding or what the case may be. It could be that this is an open relay, a forwarding server, or a full fledged mail server. I am guessing the first.

Matt

i360 Support wrote:

> Can someone help me with the header of this message. I think this came from earthlink.net mail server. According to earthlink abuse they can't do anything about this type of spam since it did not originate from their network. We get porn spam from this segment all the time.

Re: [Declude.JunkMail] Message header review
I just tried to do a telnet session with this server and it requires SMTP AUTH. My feeling here is that there are enough Earthlink customers out there that someone could quite easily generate lists of hundreds of valid usernames and passwords from an AUTH attack on a server such as this, and that this is what they have done. Your mail headers and the ones that I have seen show clearly that spam zombies are sending E-mail directly through this server, and since this server requires AUTH to do so, I am guessing that this is what they are doing. I first noticed this about a month ago, although at this moment I can't guarantee it was the exact same machine at Earthlink that was leaking the spam. Here's the bad news about this server...it is a legitimate relay. Yesterday's log shows a message that is definitely legitimate that comes from this server (in addition to about 4 pieces of spam from the Cyrillic Spammer who encodes subjects in Windows 1251 charactersets and sends in both English and Russian if this is the guy that I am thinking it is). Unfortunately I don't have a copy of that message so I can't tell if it was relayed from another Earthlink server, or if it was relayed directly from a client through that server and then to us. Unless it is relayed from another server, you can't IPBYPASS it. Note that there are other Earthlink servers that are also relaying authenticated spam such as 207.217.120.220, 207.217.120.131, 207.217.120.227, etc. All of the spam is from this Cyrillic Spammer guy and it seems to be an issue with their entire mail server network. If anyone thinks that there is an easy way to stop this from our end...think again. If someone hacks your the AUTH in enough accounts, you can set up networks of spam zombies to send in low enough volume that you can bypass their automatic detection of such abuse (if it exists at present). In otherwords, it's totally up to Earthlink to stem this abuse. 
In the meantime since it seems to be completely isolated to this one guy, here's a filter that can be used in JunkMail Pro v1.79i8 or higher:

# HACKEDEARTHLINK v1.0.0
REVDNS END NOTENDSWITH .earthlink.net
MAILFROM END CONTAINS earthlink
SUBJECT 10 CONTAINS =?windows-1251?b?

This filter will work because he randomizes his Mail From address so it will frequently be from another domain. I would consider it to be quite safe to score high. The only time you should get a false positive is when an Earthlink customer relays E-mail that is Windows 1251 encoded through their servers and has configured their mail client to use a different domain name. In other words, this is about as safe of a filter as they come.

Let's hope that other spammers are slower in picking up on the AUTH hacking bandwagon and that ISPs put in place proper E-mail intrusion detection systems.

Matt

Brad Morgan wrote:

Earthlink has for some reason been forwarding spam through this server for some time. I'm not sure what the setup is, but it's a legitimate Earthlink server and the E-mail originates from a spam zombie. I have thought about IPBYPASS'ing this server in order to capture the real source, but I have yet to confirm if this server is just used for forwarding or what the case may be. It could be that this is an open relay, a forwarding server, or a full fledged mail server. I am guessing the first.

Matt

Can't you use abuse.net's open relay test to determine if it's as simple as an open relay? I tried and it appears to not be an open relay, but I'm not an expert at these things so I may not understand what I'm doing.

Regards,
Brad

-- = MailPure custom filters for Declude JunkMail Pro. 
http://www.mailpure.com/software/ =
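The decision logic of the HACKEDEARTHLINK filter in the message above, as an added Python sketch that is not part of the original post and not Declude's own code. It assumes a simplified reading of the filter lines (an END rule stops evaluation when it matches, a numeric rule adds its weight) and case-insensitive matching, which the filter's lowercase `b?` needs in order to hit the `B?` in the posted headers; the sample messages are constructed.

```python
# Added illustration: simplified evaluator for the three filter lines.
FILTER = """\
# HACKEDEARTHLINK v1.0.0
REVDNS END NOTENDSWITH .earthlink.net
MAILFROM END CONTAINS earthlink
SUBJECT 10 CONTAINS =?windows-1251?b?
"""

OPS = {
    "CONTAINS": lambda hay, needle: needle in hay,
    "NOTENDSWITH": lambda hay, needle: not hay.endswith(needle),
}

def parse_filter(text):
    """Turn 'FIELD ACTION OP VALUE' lines into rule tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, action, op, value = line.split(None, 3)
        if op not in OPS:
            raise ValueError("unsupported comparison: " + op)
        rules.append((field, action, op, value.lower()))
    return rules

def score(message, rules):
    """Return the weight the filter adds to one message."""
    total = 0
    for field, action, op, value in rules:
        if OPS[op](message.get(field, "").lower(), value):
            if action == "END":      # exclusion rule matched: stop here
                return total
            total += int(action)     # scoring rule matched: add its weight
    return total

RULES = parse_filter(FILTER)

# Constructed samples. "aGVsbG8=" is base64 for "hello".
W1251 = "=?windows-1251?B?aGVsbG8=?="
RELAY = "asmtp-a063f33.pas.sa.earthlink.net"
SPAM = {"REVDNS": RELAY, "MAILFROM": "someone@example.com", "SUBJECT": W1251}
CUSTOMER = {"REVDNS": RELAY, "MAILFROM": "user@earthlink.net", "SUBJECT": W1251}
OTHER_ISP = {"REVDNS": "mail.example.net", "MAILFROM": "a@example.com", "SUBJECT": W1251}
PLAIN = {"REVDNS": RELAY, "MAILFROM": "someone@example.com", "SUBJECT": "Meeting notes"}
```

The `SPAM` sample has the same shape as the false-positive case the message names: an Earthlink customer relaying windows-1251 mail under a different domain scores identically.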
Re: [Declude.JunkMail] Declude reporting wrong IP... why?
Scott...

HOP is 0, no HOPHIGH. IPBYPASS 192.168.1.50 which is my backup spooler. Complete Received: headers below:

Received: from smtp.fidnet.com [216.229.64.74] by mail.csimo.com (SMTPD32-8.12) id AD2B20D0070; Thu, 22 Jul 2004 16:10:03 -0500
Received: (qmail 13061 invoked by uid 20954); 22 Jul 2004 21:09:57 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 13057 invoked from network); 22 Jul 2004 21:09:57 -
Received: from exprod6mx94.postini.com (HELO psmtp.com) (12.158.36.78) by smtp.fidnet.com with SMTP; 22 Jul 2004 21:09:57 -
Received: from source ([216.229.87.4]) by exprod6mx94.postini.com ([12.158.35.251]) with SMTP; Thu, 22 Jul 2004 16:09:56 CDT
Received: from office [192.168.1.177] by mail.csimo.com (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

I'm not running the current version of Declude (don't have a service agreement).

Thanks for your help!

-Joe

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 5:09 PM
Subject: Re: [Declude.JunkMail] Declude reporting wrong IP... why?

I've had a couple of reports that my messages were failing SPF. I sent a message to myself via a loop and am totally confused at the message header. The message was actually sent from my computer on private IP 192.168.1.177 to my IMail server at 216.229.87.4. For some reason Declude reports that I sent the message from 216.229.64.74. That IP is one of our IPs, but not at this location and the message never touched that subnet.

What are your HOP, HOPHIGH, and IPBYPASS settings?

Top part of message header shows correct information:

Received: from source ([216.229.87.4]) by exprod6mx94.postini.com ([12.158.35.251]) with SMTP; Thu, 22 Jul 2004 16:09:56 CDT
Received: from office [192.168.1.177] by mail.csimo.com (SMTPD32-8.12) id AD281C400BE; Thu, 22 Jul 2004 16:10:00 -0500

Are there any further Received: headers?

X-Declude-Sender: mailto:[EMAIL PROTECTED][EMAIL PROTECTED] [216.229.64.74]
X-Note: This message was sent from 216-229-64-74-empty.fidnet.com ([216.229.64.74]).

Does the IP 216.229.64.74 appear anywhere in the headers? What version of Declude JunkMail are you running?

-Scott
Re: [Declude.JunkMail] Copy To
Is there no way to set a junkmail filter to test for recipients? Something like

headers 0 contains [EMAIL PROTECTED]

TIA

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Jeff Kratka [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 6:59 PM
Subject: Re: [Declude.JunkMail] Copy To

On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:

JK I would like to monitor both incoming and outgoing mail from 1 particular
JK e-mail address on my domain. What would be the easiest/simplest way of doing
JK it without the person's knowledge.

Use the 'copy mail to' feature in IMail and then filter the contents. The feature will send all mail to that account, so be sure you have appropriate filtering in place before you go this route. This should be the simplest way.

_M
Re: [Declude.JunkMail] Copy To
Serge,

The headers will only contain To and CC addresses, and with spam the RCPT To is often different. If you want to test the To and CC addresses then you should use a HEADERS search. If you want to test the RCPT To addresses which are used during the SMTP connection, you would use either ALLRECIPS (which tests the actual RCPT To addresses) or REALRECIPS (which tests the addresses even if indirect, i.e. aliased).

Matt

serge wrote:

Is there no way to set a junkmail filter to test for recipients? Something like

headers 0 contains [EMAIL PROTECTED]

TIA

- Original Message -
From: "Pete McNeil" [EMAIL PROTECTED]
To: "Jeff Kratka" [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 6:59 PM
Subject: Re: [Declude.JunkMail] Copy To

On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:

JK I would like to monitor both incoming and outgoing mail from 1 particular
JK e-mail address on my domain. What would be the easiest/simplest way of doing
JK it without the person's knowledge.

Use the 'copy mail to' feature in IMail and then filter the contents. The feature will send all mail to that account, so be sure you have appropriate filtering in place before you go this route. This should be the simplest way.

_M

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] Copy To
Thanks Matt, let me see if I finally understand this.

To and CC are in the headers but not BCC. The recipient can be either in To, CC, or BCC, and therefore may not be in the header.

When you say address used in SMTP connection, you mean the recipient address, which is what we find in the Q.smd (called envelope??)

Am I correct so far?

Finally, can we use ALLRECIPS and REALRECIPS in filters?

Then, to answer the original question, we can have a filter test "Monitor" with

REALRECIPS 0 Contains [EMAIL PROTECTED]

and an action

MONITOR copyto monitoracc

- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 5:13 AM
Subject: Re: [Declude.JunkMail] Copy To

Serge,

The headers will only contain To and CC addresses, and with spam the RCPT To is often different. If you want to test the To and CC addresses then you should use a HEADERS search. If you want to test the RCPT To addresses which are used during the SMTP connection, you would use either ALLRECIPS (which tests the actual RCPT To addresses) or REALRECIPS (which tests the addresses even if indirect, i.e. aliased).

Matt

serge wrote:

Is there no way to set a junkmail filter to test for recipients? Something like

headers 0 contains [EMAIL PROTECTED]

TIA

- Original Message -
From: "Pete McNeil" [EMAIL PROTECTED]
To: "Jeff Kratka" [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 6:59 PM
Subject: Re: [Declude.JunkMail] Copy To

On Thursday, July 22, 2004, 2:29:39 PM, Jeff wrote:

JK I would like to monitor both incoming and outgoing mail from 1 particular
JK e-mail address on my domain. What would be the easiest/simplest way of doing
JK it without the person's knowledge.

Use the 'copy mail to' feature in IMail and then filter the contents. The feature will send all mail to that account, so be sure you have appropriate filtering in place before you go this route. This should be the simplest way.

_M
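The header/envelope distinction discussed in the two messages above, as an added Python example that is not part of the original thread. The message, the RCPT TO list and all addresses are constructed, and the two match functions are simplified stand-ins for a headers search and an envelope-recipient test, not Declude's implementation.

```python
# Added illustration: why a headers-only rule can miss a real recipient.
from email import message_from_string
from email.utils import getaddresses

# Constructed message as it sits on disk: Bcc never appears in the headers.
RAW = """\
From: Sender <sender@example.org>
To: Alice <alice@example.com>
Cc: bob@example.com
Subject: quarterly numbers

body text
"""

# Constructed envelope: the addresses given in RCPT TO during the SMTP session.
ENVELOPE = ["alice@example.com", "bob@example.com", "carol@example.com"]

def header_text(raw):
    """Everything before the first blank line, lowercased."""
    return raw.split("\n\n", 1)[0].lower()

def header_recipients(raw):
    """Addresses named in To and Cc."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}

def header_match(raw, needle):
    """Substring test over the header block only."""
    return needle.lower() in header_text(raw)

def envelope_match(rcpt_to, needle):
    """Substring test over the RCPT TO addresses."""
    return any(needle.lower() in addr.lower() for addr in rcpt_to)

def envelope_only(raw, rcpt_to):
    """Recipients in the envelope that To/Cc do not name (Bcc, aliases, spam runs)."""
    return sorted({a.lower() for a in rcpt_to} - header_recipients(raw))
```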