Re: [Declude.JunkMail] Processing order Junkmail or Virus

2004-12-09 Thread Darin Cox
Correct.

Darin.


- Original Message - 
From: "Mark Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 09, 2004 9:20 PM
Subject: RE: [Declude.JunkMail] Processing order Junkmail or Virus



> Note - messages _returned to the queue with this switch ON will not be
> scanned for a virus

Meaning messages that are returned from a JM hold action and not the declude
overflow right?

IOW Declude Virus will only scan the messages that aren't deleted by
Junkmail BUT if JM has a hold action, Declude virus won't scan them after
they're placed back into the queue?



On 9 Dec 2004 at 16:23, Mark E. Smith wrote:

> I know this has been asked before but which processes first Junkmail
> or Virus? If Virus is first, is there a way to change this?
AVAFTERJM ON

Note - messages _returned to the queue with this switch ON will not be
scanned for a virus

-Nick

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



RE: [Declude.JunkMail] Processing order Junkmail or Virus

2004-12-09 Thread Mark Smith
 
> Note - messages _returned to the queue with this switch ON will not be
> scanned for a virus

Meaning messages that are returned from a JM hold action and not the declude
overflow right?

IOW Declude Virus will only scan the messages that aren't deleted by
Junkmail BUT if JM has a hold action, Declude virus won't scan them after
they're placed back into the queue?



On 9 Dec 2004 at 16:23, Mark E. Smith wrote:

> I know this has been asked before but which processes first Junkmail 
> or Virus? If Virus is first, is there a way to change this?
AVAFTERJM   ON

Note - messages _returned to the queue with this switch ON will not be
scanned for a virus

-Nick



RE: [Declude.JunkMail] Moving logfiles out of spool

2004-12-09 Thread John Tolmachoff (Lists)
Which log files are you referring to? If Imail syslog files, best
recommendation is to use Kiwi Syslogger instead of Imail syslog. Then you
can put them where ever you like.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Thursday, December 09, 2004 1:41 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Moving logfiles out of spool
> 
> Anyone can send me his script (cmdline, unixtools, perl, ...) that will
> move logfiles out of the spool folder to another partition on a daily or
> hourly basis?
> 
> Thanks in advance
> Markus
> 
> 
> 


Re: [Declude.JunkMail] Moving logfiles out of spool

2004-12-09 Thread Darin Cox
This is the VBS script I use.  It's probably a chopped up version from
someone else...

==
' Moves yesterday's log files from the IMail spool folder to an archive folder.
Const OverwriteExisting = True
Const SpoolPath = "F:\IMail\spool\"
Const LogPath = "F:\IMail\spool\logarchive\"

dim currdate, curryear, oldfile, newfile

Set objFSO = CreateObject("Scripting.FileSystemObject")

' Build yesterday's date as a zero-padded MMDD string (now()-1 = one day ago).
currdate= ""

if month(now()-1)<10 then
  currdate=currdate & "0" & month(now()-1)
else
  currdate=currdate & month(now()-1)
end if
if day(now()-1)<10 then
  currdate=currdate & "0" & day(now()-1)
else
  currdate=currdate & day(now()-1)
end if

' Two-digit year, used only by the W1/W2 log file names.
curryear = right(year(now()-1), 2)

' Arguments: file name prefix, extension, optional year part of the name.
MoveLog "dec", "log", ""
MoveLog "list", "txt", ""
MoveLog "log", "txt", ""
MoveLog "spam", "log", ""
MoveLog "sys", "txt", ""
MoveLog "vir", "log", ""
MoveLog "W1", "log", curryear
MoveLog "W2", "log", curryear


' Move <prefix><year><MMDD>.<ext> from the spool to the archive if it exists.
Sub MoveLog(strType, strExt, strYear)
  oldfile = SpoolPath & strType & strYear & currdate & "." & strExt

  if objFSO.FileExists(oldfile) then
    objFSO.MoveFile oldfile, LogPath
  end if
End Sub

==

Darin.


- Original Message - 
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 09, 2004 4:40 PM
Subject: [Declude.JunkMail] Moving logfiles out of spool


Anyone can send me his script (cmdline, unixtools, perl, ...) that will move
logfiles out of the spool folder to another partition on a daily or hourly
basis?

Thanks in advance
Markus





Re: [Declude.JunkMail] Processing order Junkmail or Virus

2004-12-09 Thread Darin Cox



Virus first.

To run Junkmail filtering first use AFTERJM option.

From the manual (http://www.declude.com/Articles.asp?ID=116):

"With versions before v1.68, Declude Hijack would be run before Declude
Virus and Declude JunkMail. If using the AVAFTERJM option in Declude Virus,
Declude Virus will run after Declude JunkMail. "

Darin.


- Original Message -
From: Mark E. Smith
To: [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 4:23 PM
Subject: [Declude.JunkMail] Processing order Junkmail or Virus

I know this has been asked before but which processes first Junkmail or
Virus?
If Virus is first, is there a way to change this?

Considering we delete about 50% of inbound messages as spam that would
take the load off of the virus scanner.


[Declude.JunkMail] Moving logfiles out of spool

2004-12-09 Thread Markus Gufler
Anyone can send me his script (cmdline, unixtools, perl, ...) that will move
logfiles out of the spool folder to another partition on a daily or hourly
basis? 

Thanks in advance
Markus





Re: [Declude.JunkMail] Processing order Junkmail or Virus

2004-12-09 Thread Nick
On 9 Dec 2004 at 16:23, Mark E. Smith wrote:

> I know this has been asked before but which processes first Junkmail
> or Virus? If Virus is first, is there a way to change this?
AVAFTERJM   ON

Note - messages _returned to the queue with this switch ON will not 
be scanned for a virus

-Nick



[Declude.JunkMail] Processing order Junkmail or Virus

2004-12-09 Thread Mark E. Smith



I know this has been asked before but which processes first Junkmail or
Virus?
If Virus is first, is there a way to change this?

Considering we delete about 50% of inbound messages as spam that would
take the load off of the virus scanner.


RE: [Declude.JunkMail] OT - RevDNS lookups by range

2004-12-09 Thread Stanley Lyzak



Scott,

I use a security tool called Superscan (from Foundstone).

It does reverse lookups, and if you just choose the ping option only (not
to scan)- it will provide the information you need (even if pinging is
blocked).

The newest version (4) doesn't support this feature. Look online for the
older version 3.

You can copy to the clipboard and use as needed.

It is multi-threaded and fast. It can also do larger than Class C networks
(no limitation that I am aware of).

It is also free and small  :)

Runs on M$.


Stan Lyzak
BSEE, CISSP, MCSE², CCNA, Security+, A+
Network Security Engineer
ASysTech, Inc.


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Wednesday, December 08, 2004 12:18 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] OT - RevDNS lookups by range

  Scott,

  I've been using a tool called Angry IP Scanner.  It sometimes dies on bad
  data being returned, but otherwise it is a good tool for querying large
  blocks of IP's for reverse DNS entries.  I would strongly suggest that you
  turn off the port detection since it really doesn't give reliable results
  (based on how the servers are configured).

  Matt

  Scott Fisher wrote:

I like to research a range of Reverse DNS entries before potentially
blocking an IP range.

I'm looking for a tool (an online one would be fantastic) where I could
type in a range say 209.200.18.0 (today's culprit) and it would provide a
list of Reverse DNS entries for 209.200.18.0 through 209.200.18.255.
This would be a time saver in creating my own IP blacklists.

Any suggestions?

 
 -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
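
Added example, not part of any message in this thread: a small Python script that does what the question above asks for, listing the reverse DNS (PTR) name of every address in a range and counting how many addresses fall under each domain, so the range can be reviewed before it goes on a local blacklist. The function names are hypothetical, the default range 192.0.2.0/28 is a documentation placeholder, and the two-label domain grouping is a simplifying assumption.

```python
# Added example: reverse DNS survey of an address range before blacklisting it.
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def system_ptr_lookup(ip):
    """Return the PTR name for ip from the system resolver, or None if none is returned."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror / socket.gaierror (no PTR, lookup failure)
        return None


def reverse_range(cidr, lookup=system_ptr_lookup, workers=32):
    """Map every address in cidr (e.g. '209.200.18.0/24') to its PTR name or None.

    lookup is injectable so the function can be exercised without network access.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    addresses = [str(ip) for ip in network]  # .0 through .255 for a /24
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(lookup, addresses))
    return dict(zip(addresses, names))


def summarize_domains(results):
    """Count addresses per domain, most common first.

    Assumption: the last two DNS labels identify the domain; this is too coarse
    for names under suffixes such as co.uk.
    """
    counts = {}
    for name in results.values():
        if name is None:
            key = "(no PTR)"
        else:
            key = ".".join(name.rstrip(".").lower().split(".")[-2:])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/28"  # placeholder range
    results = reverse_range(cidr)
    for ip, name in results.items():
        print(f"{ip}\t{name or '-'}")
    for domain, count in summarize_domains(results):
        print(f"# {count:4d}  {domain}")
```

A range where the PTR names belong to several unrelated domains is a sign that blocking the whole block would also hit senders other than the one being investigated.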


Re: [Declude.JunkMail] WAY OT: Syslog entries from Cisco ACL question

2004-12-09 Thread Kim Premuda
-- Original Message --
From: "Rick Davidson" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 8 Dec 2004 15:17:27 -0500

>Does anyone know what traffic uses a destination and source port of 0? 

FYI:

>From the Internet Protocols Handbook published by the Coriolis Group, 
>Scottsdale, AZ:


The TCP and UDP port number spaces are divided into three sections:

   Well-known ports (0 through 1023)
   Registered ports (1024 through 49151)
   Dynamic or private ports (49152 through 65535)

The first section is controlled by the IANA, and port 0 for both TCP and UDP is 
reserved.



--
Kim W. Premuda
FastWave Internet Services
San Diego, CA



Re: [Declude.JunkMail] Error in addition?

2004-12-09 Thread Nick
On 9 Dec 2004 at 9:08, Nick wrote:

I think I have it. Sometimes it's just good to talk about it...

I changed my config line experimenting and did not put it back to 
what does work:

SPAMASSASSIN_v3.01 external weight  "d:\windows\system32\cmd.exe /c if 
%WEIGHT% LSS 36 e:\imail\declude\spamd\spamc32.exe -e -f"   0   0

I changed "nonzero" to "weight".

Sorry to bother

-Nick

> Declude Scott - 
> 
> I have an instance here where a test [SPAMASSASSIN_v3.01] scored a 33
> however the value was not passed to the final overall weight of the
> email. 
> 
> There were no negative scoring applied. 
> 
> Any idea why this test did not contribute to the total?
> 
> My spamassassin config line is:
> SPAMASSASSIN_v3.01 external   nonzero "d:\windows\system32\cmd.exe /c if
> %WEIGHT% LSS 36 e:\imail\declude\spamd\spamc32.exe -e -f" 0   0
> 
> Here are excerpts from the log: 
> 
> 
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed CIP-OnlyIp (Message failed CIP-OnlyIp: 11.). Action=IGNORE.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed SIZE-BT-1KB-5KB (Message failed SIZE-BT-1KB-5KB: 12.). Action=IGNORE.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed SPAMASSASSIN_v3.01 (Message failed SPAMASSASSIN_v3.01: 33.). Action=WARN.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed HELOISP (Message failed HELOISP: 1.). Action=IGNORE.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed HELOISPX (Message failed HELOISPX: 1.). Action=IGNORE.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804e].). Action=IGNORE.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed CMDSPACE (Space found in RCPT TO: command.). Action=IGNORE.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 206.135.194.167 with no reverse DNS entry.). Action=IGNORE.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed DRUGLIST (Message failed DRUGLIST test (line 45, weight 4)). Action=WARN.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed BODY! (Message failed BODY! test (line 122, weight 3)). Action=WARN.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed PHRASE (Message failed PHRASE test (line 69, weight 1)). Action=WARN.
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Tests failed [weight=25]: CIP-OnlyIp=IGNORE SIZE-BT-1KB-5KB=IGNORE SPAMASSASSIN_v3.01=WARN HELOISP=IGNORE HELOISPX=IGNORE BADHEADERS=IGNORE CMDSPACE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=IGNORE DRUGLIST=WARN BODY!=WARN PHRASE=WARN WEIGHT10=IGNORE WEIGHT15=IGNORE WEIGHT20=IGNORE WEIGHT24=IGNORE MESSAGE_OK=IGNORE SPAM-HIGH=SUBJECT
> 12/09/2004 04:26:45 Q1a490f0f01be3f00 Last action = IGNORE.
> ##
> 
> Thanks!
> 
> -Nick Hayer


Re: [Declude.JunkMail] Error in addition?

2004-12-09 Thread Nick
Declude Scott - 

I have an instance here where a test [SPAMASSASSIN_v3.01] scored a 33 
however the value was not passed to the final overall weight of the 
email. 

There was no negative scoring applied. 

Any idea why this test did not contribute to the total?

My spamassassin config line is:
SPAMASSASSIN_v3.01 external nonzero "d:\windows\system32\cmd.exe /c 
if %WEIGHT% LSS 36 e:\imail\declude\spamd\spamc32.exe -e -f"   0   0

Here are excerpts from the log: 


12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed CIP-OnlyIp (Message failed CIP-OnlyIp: 11.). Action=IGNORE.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed SIZE-BT-1KB-5KB (Message failed SIZE-BT-1KB-5KB: 12.). Action=IGNORE.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed SPAMASSASSIN_v3.01 (Message failed SPAMASSASSIN_v3.01: 33.). Action=WARN.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed HELOISP (Message failed HELOISP: 1.). Action=IGNORE.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed HELOISPX (Message failed HELOISPX: 1.). Action=IGNORE.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804e].). Action=IGNORE.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed CMDSPACE (Space found in RCPT TO: command.). Action=IGNORE.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 206.135.194.167 with no reverse DNS entry.). Action=IGNORE.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed DRUGLIST (Message failed DRUGLIST test (line 45, weight 4)). Action=WARN.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed BODY! (Message failed BODY! test (line 122, weight 3)). Action=WARN.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Msg failed PHRASE (Message failed PHRASE test (line 69, weight 1)). Action=WARN.
12/09/2004 04:26:45 Q1a490f0f01be3f00 Tests failed [weight=25]: CIP-OnlyIp=IGNORE SIZE-BT-1KB-5KB=IGNORE SPAMASSASSIN_v3.01=WARN HELOISP=IGNORE HELOISPX=IGNORE BADHEADERS=IGNORE CMDSPACE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=IGNORE DRUGLIST=WARN BODY!=WARN PHRASE=WARN WEIGHT10=IGNORE WEIGHT15=IGNORE WEIGHT20=IGNORE WEIGHT24=IGNORE MESSAGE_OK=IGNORE SPAM-HIGH=SUBJECT
12/09/2004 04:26:45 Q1a490f0f01be3f00 Last action = IGNORE.
##

Thanks!

-Nick Hayer


Re: [Declude.JunkMail] MailFrom issues

2004-12-09 Thread R. Scott Perry

> Hi. Yesterday (Wednesday) afternoon, I had some false positives from users
> that I usually receive mail from, after failing mainly the MailFrom test
> Reason:
> Domain "name of the domain here" has no MX or A records
> Domains are working fine and they have MXs. Even one of the domains is in my
> Imail Server (where declude runs).
> How does Declude perform the MailFrom test? What DNS does it use? Is it a
> problem with the DNS's configured in the IMAIL box?

Did you check the IMail SMTP log files to see if it had troubles delivering 
E-mail during that time period?

Declude uses the DNS server listed in the IMail SMTP settings (if multiple 
servers are listed there, it uses the first one).  It should only fail the 
test if there is a successful response from the DNS server (meaning no 
timeout, no error from the DNS server, etc.), and it reports that neither 
the MX nor A records exist.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

