[Declude.JunkMail] Filter question
The following header lines are the basis of my question. The from domain (mine) does not match the from [IP] address (not mine.)

Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600
From: Returned mail [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

This may have been discussed before and I just didn't use the right search words, but ... has anyone worked on a filter/external program/whatever that could check for match/mismatch of the from address and the from IP in the Received: line.

Example: One could specify the domains and IP's that must match each other. If they don't, boost the score by whatever makes one happy.

My logic: whether it is an uncaught virus (like MyDoom.BE) or junk mail, it doesn't matter. If your users see email supposedly from you, they are going to be more likely to open it and suffer the results.

Is this worth working on? Has someone done something on this?

Thanks,
John

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SmarterMail Held email recovery
I understand why you may want to use your methods (for analyzing, adjusting, etc.). We prefer to use a different (not necessarily better) and much easier approach. One of the things that attracted us to SmarterMail was its built in Junk E-Mail Folder. We aren't using any of SM's Spam filtering features, but we are having Declude tag the subject of all hold-weight messages. We then setup domain content filtering in SM to route all tagged subjects into the users' Junk folder. We found that customers are much happier with checking held messages themselves, rather than call us to do it. And believe me, we're much happier with less administration. SM's autoclean feature makes it very easy to keep unchecked folders from eating up disk space.

My only gripes are: #1 - you can't access the Junk folder through POP3; and #2 - there doesn't appear to be an easy way to combine SM's whitelisting with Declude (which is why we don't enable SM Spam filtering for customers--I don't want to try to explain to every customer why the screen shows you can whitelist an address, when in fact it won't whitelist it in Declude).

Shayne Embry

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Thursday, February 24, 2005 12:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery

I am just finishing up a version that will support IMail and SmarterMail. The new version fixes a few bugs and simplifies the config GUI and renames the application so it reflects what it does. I will be creating an installer later this month. But I need to get the delivery from SmarterMail functional.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Wednesday, February 23, 2005 9:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery

Wow any of those scripts available for sale?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, February 23, 2005 9:27 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery

Aha! That's pretty nifty, Kevin. Well, *if* SmarterMail doesn't have the ability to re-queue without scanning, I'd suggest that you could add a bit more development to your web application to accommodate automatic counterweighting of re-queued messages. You're a programmer, so I don't have to detail a technique for inserting a magic cookie into the header, and have Declude check for the cookie and counterweight/whitelist appropriately. But heck, I figured it was worth mentioning here.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Wednesday, February 23, 2005 5:55 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery

I do not monitor my hold directory manually. I have a program that sends an email to all the users that have held email from the previous day with a recovery link for each message. The user has the option to recover the message or not. If they recover the message it is requeued and then delivered. A copy of the message source is also sent to our abuse@ email address to be analyzed and adjusted or to notify the admin of the sending server of the problem. Most of the messages that get held with our configuration fail due to SFP, HELOBOGUS, and RDNS; otherwise I have very few false positives from filters to adjust for. I do not adjust for IP4 black list failures; a server would have to be in 2 or 3 black lists to be held.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew
Sent: Wednesday, February 23, 2005 5:39 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery

Well, I guess our goals differ. So although with IMail+Declude you can re-queue without scanning (your way) as well as re-queue with scanning (my way), I choose to re-queue with scanning AND fix the reason why the message was held. Re-queuing with scanning forces me to fix it, and I also try to fix it so that it is also fixed for future messages. So, while we wait for an official answer to your question (Hello, Declude?) can you tell us why you want to re-queue without scanning?

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Wednesday, February 23, 2005 5:04 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery
Re: [Declude.JunkMail] SmarterMail Held email recovery
We do much the same thing through IMail. Customers have a second POP account to retrieve email from the spam folder. They report false positives and spam that gets through by forwarding the messages as attachments to program aliases we have set up. We'd like to add buttons to WebMail to allow customers to click a button instead of having to forward the message as an attachment. Maybe we'll do that when we migrate to SmarterMail later this year. Darin. - Original Message - From: Shayne Embry [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, February 24, 2005 9:36 AM Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery I understand why you may want to use your methods (for analyzing, adjusting, etc.). We prefer to use a different (not necessarily better) and much easier approach. One of the things that attracted us to SmarterMail was its built in Junk E-Mail Folder. We aren't using any of SM's Spam filtering features, but we are having Declude tag the subject of all hold-weight messages. We then setup domain content filtering in SM to route all tagged subjects into the users' Junk folder. We found that customers are much happier with checking held messages themselves, rather than call us to do it. And believe me, we're much happier with less administration. SM's autoclean feature makes it very easy to keep unchecked folders from eating up disk space. My only gripes are: #1 - you can't access the Junk folder through POP3; and #2 - there doesn't appear to be an easy way to combine SM's whitelisting with Declude (which is why we don't enable SM Spam filtering for customers--I don't want to try to explain to every customer why the screen shows you can whitelist an address, when in fact it won't whitelist it in Declude). 
Shayne Embry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Thursday, February 24, 2005 12:46 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery I am just finishing up a version that will support IMail and SmarterMail the new version fixes a few bugs and simplifies the config GUI and renames the application so it reflects what it does. I will be creating an installer later this month. But I need to get the delivery from SmarterMail functional. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Wednesday, February 23, 2005 9:11 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery Wow any of those scripts available for sale? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, February 23, 2005 9:27 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery Aha! That's pretty nifty, Kevin. Well, *if* SmarterMail doesn't have the ability to re-queue without scanning, I'd suggest that you could add a bit more development to your web application to accomodate automatic counterweighting of re-queued messages. You're a programmer, so I don't have to detail a technique for inserting a magic cookie into the header, and have Declude check for the cookie and counterweight/whitelist appropriately. But heck, I figured it was worth mentioning here. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Wednesday, February 23, 2005 5:55 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery I do not monitor my hold directory manually. I have a program the sends and email to all the users that have held email from the previous day with a recovery link for each message. 
The user has the option to recover the mesage or not. If they recover the message it is requeued and then delivered. A copy of the message source is also sent to our abuse@ email address to be analyzed and adjusted or to notify the admin of the sending server of the problem. Most of the messages that get held with our configuration fail due to SFP, HELOBOGUS, and RDNS otherwise I have very few false positives from filters to adjust for. I do not adjust for IP4 black list failures a server would have to be in 2 or 3 black lists to be held. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew Sent: Wednesday, February 23, 2005 5:39 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] SmarterMail Held email recovery Well, I guess our goals differ. So although with IMail+Declude you can re-queue without scanning (your way) as well as re-queue with scanning (my way), I choose to re-queue
RE: [Declude.JunkMail] Filter question
I have my own domain in the spamdomains test and then I have Whitelist Auth so almost anytime something appears to me from [EMAIL PROTECTED] if it isn't whitelisted because of authentication it adds quite a bit of weight. The major down side is that when people send e-mail from websites that have you fill in the from address. Since these don't authenticate they often get caught as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Thursday, February 24, 2005 8:58 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Filter question

The following header lines are the basis of my question. The from domain (mine) does not match the from [IP] address (not mine.)

Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600
From: Returned mail [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

This may have been discussed before and I just didn't use the right search words, but ... has anyone worked on a filter/external program/whatever that could check for match/mismatch of the from address and the from IP in the Received: line.

Example: One could specify the domains and IP's that must match each other. If they don't, boost the score by whatever makes one happy.

My logic: whether it is an uncaught virus (like MyDoom.BE) or junk mail, it doesn't matter. If your users see email supposedly from you, they are going to be more likely to open it and suffer the results.

Is this worth working on? Has someone done something on this?

Thanks,
John
Re: [Declude.JunkMail] Filter question
What about SPF? One of the benefits of having SPF records is that you can easily add weight to email with your domain in the FROM address that does not originate from designated sources (i.e. your servers).

Darin.

- Original Message -
From: Marc Catuogno [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Thursday, February 24, 2005 9:54 AM
Subject: RE: [Declude.JunkMail] Filter question

I have my own domain in the spamdomains test and then I have Whitelist Auth so almost anytime something appears to me from [EMAIL PROTECTED] if it isn't whitelisted because of authentication it adds quite a bit of weight. The major down side is that when people send e-mail from websites that have you fill in the from address. Since these don't authenticate they often get caught as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Thursday, February 24, 2005 8:58 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Filter question

The following header lines are the basis of my question. The from domain (mine) does not match the from [IP] address (not mine.)

Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600
From: Returned mail [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

This may have been discussed before and I just didn't use the right search words, but ... has anyone worked on a filter/external program/whatever that could check for match/mismatch of the from address and the from IP in the Received: line.

Example: One could specify the domains and IP's that must match each other. If they don't, boost the score by whatever makes one happy.

My logic: whether it is an uncaught virus (like MyDoom.BE) or junk mail, it doesn't matter. If your users see email supposedly from you, they are going to be more likely to open it and suffer the results.

Is this worth working on? Has someone done something on this?

Thanks,
John
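The check John proposes, as an added example (not code from the thread or from Declude): it compares the From: domain with the connecting IP in the topmost Received: line, using the SMTPD32 layout quoted in his post. The allowed-network table, the weight and the From addresses in the samples are assumptions; SPF, which Darin raises, publishes the same domain-to-source mapping in DNS.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Layout of the IMail SMTPD32 Received line quoted in the post:
#   from <HELO name> [<connecting IP>] by <our host> with ESMTP ...
RECEIVED_RE = re.compile(r"^from\s+\S+\s+\[([0-9A-Fa-f.:]+)\]\s+by\s", re.IGNORECASE)

# Assumption: networks allowed to send mail that claims each protected domain.
# 192.0.2.0/24 (a documentation range) stands in for the site's own servers.
PROTECTED = {"jcjc.edu": ["192.0.2.0/24", "127.0.0.1/32"]}
MISMATCH_WEIGHT = 10  # hypothetical weight, tune to the local hold threshold


def connecting_ip(msg):
    """IP our own server recorded. Only the topmost Received header is used,
    because every Received header below it was supplied by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_RE.match(" ".join(received[0].split()))  # unfold first
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def from_domain(msg):
    """Lower-cased domain of the From: header address, or None."""
    _name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def spoof_weight(raw_headers, protected=PROTECTED, weight=MISMATCH_WEIGHT):
    """Return (weight, reason) for one message's raw headers."""
    msg = message_from_string(raw_headers)
    domain = from_domain(msg)
    nets = None
    for name, allowed in protected.items():
        # A protected domain also covers its subdomains.
        if domain == name or (domain or "").endswith("." + name):
            nets = [ipaddress.ip_network(n) for n in allowed]
    if nets is None:
        return 0, "From domain is not protected"
    ip = connecting_ip(msg)
    if ip is None:
        return weight, "protected From domain, connecting IP not parsable"
    if any(ip in net for net in nets):
        return 0, f"{ip} is an allowed source for {domain}"
    return weight, f"{ip} is not an allowed source for {domain}"


# Constructed samples. The Received line is the one from the post; the From
# addresses are made up because the archive redacts them.
SPOOFED = (
    "Received: from jcjc.edu [65.240.76.232] by bobcat.jcjc.edu with ESMTP\n"
    "  (SMTPD32-8.15) id AB4F105B014E; Wed, 23 Feb 2005 17:01:35 -0600\n"
    "From: Returned mail <postmaster@jcjc.edu>\n"
    "Subject: constructed sample\n\n"
)
LEGIT = SPOOFED.replace("65.240.76.232", "192.0.2.25")
# A forged lower Received header naming an allowed IP must not help the sender.
FORGED_TRAIL = SPOOFED.replace(
    "From:", "Received: from mail.jcjc.edu [192.0.2.25] by relay.example\nFrom:", 1
)
OTHER_DOMAIN = SPOOFED.replace("postmaster@jcjc.edu", "someone@example.org")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("legit", LEGIT),
                       ("forged trail", FORGED_TRAIL), ("other", OTHER_DOMAIN)]:
        print(label, spoof_weight(raw))
```

Mail submitted on the domain's behalf from elsewhere, such as the web forms Marc mentions, needs its source networks added to the table or it will collect the weight too.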
Re: [Declude.JunkMail] SmarterMail Held email recovery
SmarterMail does not use the same delivery mechanism that IMail uses. IMail daisy-chains to smtp32.exe, whereas SmarterMail simply waits for the Declude process to terminate and delivers the message. If you place a *.hdr and its corresponding *.eml file back into the queue, it will be passed to Declude again and be held.

When you are using Declude and you wish to re-queue a held message, you must follow this procedure: Prepend an uppercase X to both the *.eml and *.hdr file names (rename them with an uppercase X as the first character) and then place them back into the SmarterMail spool. Declude will immediately exit and will ignore all files passed to it with X as the first character of the file name.

David Franco-Rocha

- Original Message -
From: Kevin Bilbee [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, February 23, 2005 7:23 PM
Subject: [Declude.JunkMail] SmarterMail Held email recovery

I am evaluating Declude and SmarterMail and have a question about recovering held messages. How do I do a final delivery of a held message with SmarterMail. I took a held message from the spam folder moved it back to the spool and it was reprocessed by declude and placed back into the spam folder. With IMail I can just move the Q and D files back to the spool for final delivery. The manual has not been updated for SmarterMail and the HOLD action.

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332
Changing the way industry works.
Re: [Declude.JunkMail] [IMail Forum] odd behavior
That's the thing, I have one white list file (hate whitelists) and ameripride is not in it. Did anything change in declude junkmail lately in regards to whitelists (I just upgraded 2 nights ago)? All I have for references to whitelist are :

$default.junkmail

WHITELISTFILE D:\Imail\Declude\AWHITELST.txt
#note AWhitelst.txt does not include ameripride.org

Global.cfg

CODE
LOGFILE d:\declude\logfiles\dec.log
LOGLEVEL LOW
HOP 0
HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT
XINHEADER X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
XINHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
XINHEADER X-Country-Chain: %COUNTRYCHAIN%
XOUTHEADER X-Note: E-mail scanned by Declude-JunkMail for spam by CRC.
XSENDER ON
XSPOOLNAME ON
XINHEADER X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%]).
PREWHITELIST ON
AUTOWHITELIST ON
WHITELIST AUTH
.
.
WHITELIST IP 192.168.0.182
WHITELIST IP 192.168.0.85
WHITELIST IP 192.168.0.86
#Servers on local network (not exposed to public) that send emails (status reports)

- Original Message -
From: E. Shanbrom (Ipswitch)
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 2:48 PM
Subject: Re: [IMail Forum] odd behavior

Says ameripride.org is on the whitelist (Declude's not IMail's)

Eric S

- Original Message -
From: Doug Anderson
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 3:03 PM
Subject: Re: [IMail Forum] odd behavior

Trying to figure out why it's white listed.

02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 1194
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] HELO 67.130.17.126
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] d:\IMail\spool\D3664039604421990.SMD 201
02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD
02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list
02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free
02/22/2005 07:41:14 Q3664039604421990 L1 Message OK
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE
02/22/2005 07:41:14 Q3664039604421990 L2 Message OK
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
02/22/2005 07:41:14 Q3664039604421990 L3 Message OK
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=0]: CATCHALLMAILS=IGNORE
02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org maria.snyder-main (1) [EMAIL PROTECTED] 972
02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org reggie.licari-main (1) [EMAIL PROTECTED] 972
02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org richard.boudreau-main (1) [EMAIL PROTECTED] 972
02:22 07:41 SMTP-(3664039604421990) finished d:\IMail\spool\Q3664039604421990.SMD status=1

- Original Message -
From: Travis Rabe
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 1:09 PM
Subject: RE: [IMail Forum] odd behavior

What do the logs show you?

T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson
Sent: Thursday, February 24, 2005 11:04 AM
To: IMail_Forum@list.ipswitch.com
Subject: [IMail Forum] odd behavior

I have the following type of email showing up...basically blank. I'm trying to figure out if our imail server is hacked or something - because it's coming from local host. Any ideas here? Got 8.15 and the most current release of declude running.

Received: from 67.130.17.126 [221.127.179.32] by mail.ameripride.org (SMTPD32-8.15) id A66D3960442; Tue, 22 Feb 2005 07:41:01 -0600
Received: from localhost (HELO localhost [127.0.0.1])by
RE: [Declude.JunkMail] [IMail Forum] odd behavior
As AUTOWHITELIST ON is in your global.cfg is it possible that ameripride.org is in an address book ? David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson Sent: Thursday, February 24, 2005 4:13 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] [IMail Forum] odd behavior That's the thing, I have one white list file (hate whitelists) and ameripride is not in it Did anything change in declude junkmail lately in reguards to whitelists (I just upgrade 2 nights ago)? All I have for references to whitelist are : $default.junkmail WHITELISTFILE D:\Imail\Declude\AWHITELST.txt #note AWhitelst.txt does not include ameripride.org Global.cfg CODE LOGFILE d:\declude\logfiles\dec.log LOGLEVELLOW HOP 0 HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT XINHEADER X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. XINHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%] XINHEADER X-Country-Chain: %COUNTRYCHAIN% XOUTHEADER X-Note: E-mail scanned by Declude-JunkMail for spam by CRC. XSENDER ON XSPOOLNAME ON XINHEADER X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%]). PREWHITELIST ON AUTOWHITELIST ON WHITELIST AUTH . . WHITELIST IP 192.168.0.182 WHITELIST IP 192.168.0.85 WHITELIST IP 192.168.0.86 #Servers on local network (not exposed to public) that send emails (status reports) - Original Message - From: E. Shanbrom (Ipswitch) mailto:[EMAIL PROTECTED] To: IMail_Forum@list.ipswitch.com Sent: Thursday, February 24, 2005 2:48 PM Subject: Re: [IMail Forum] odd behavior Says ameripride.org is on the whitelist (decludes not IMail's) Eric S - Original Message - From: Doug Anderson mailto:[EMAIL PROTECTED] To: IMail_Forum@list.ipswitch.com Sent: Thursday, February 24, 2005 3:03 PM Subject: Re: [IMail Forum] odd behavior Trying to figure out why it's white listed. 
02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 1194 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] HELO 67.130.17.126 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] d:\IMail\spool\D3664039604421990.SMD 201 02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD 02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list 02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free 02/22/2005 07:41:14 Q3664039604421990 L1 Message OK 02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE 02/22/2005 07:41:14 Q3664039604421990 L2 Message OK 02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED] 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED] 02/22/2005 07:41:14 Q3664039604421990 L3 Message OK 02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=0]: CATCHALLMAILS=IGNORE 02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org maria.snyder-main (1) [EMAIL PROTECTED] 972 02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org reggie.licari-main (1) [EMAIL PROTECTED] 972 02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org richard.boudreau-main (1) [EMAIL PROTECTED] 972 02:22 
07:41 SMTP-(3664039604421990) finished d:\IMail\spool\Q3664039604421990.SMD status=1 - Original Message - From: Travis Rabe mailto:[EMAIL PROTECTED] To: IMail_Forum@list.ipswitch.com Sent: Thursday, February 24, 2005 1:09 PM Subject: RE: [IMail Forum] odd behavior What
Re: [Declude.JunkMail] [IMail Forum] odd behavior
John's semi right. Forgive me for not using plain text...but I've colored the lines red and put ** by it. The first line is imail whitelist, the next 2 are declude. Does declude understand when imail whitelists?

Maybe I got it - under trusted addresses ameripride.org and our other domain WERE in there - I've removed it.

- Original Message -
From: John Tolmachoff (Lists)
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 4:29 PM
Subject: RE: [IMail Forum] odd behavior

No it is not. Look at the log line again. It is in the Imail log and that line is on the SMTPD line. Declude does not log to the Imail log.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E. Shanbrom (Ipswitch)
Sent: Thursday, February 24, 2005 12:48 PM
To: IMail_Forum@list.ipswitch.com
Subject: Re: [IMail Forum] odd behavior

Says ameripride.org is on the whitelist (Declude's not IMail's)

Eric S

- Original Message -
From: Doug Anderson
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 3:03 PM
Subject: Re: [IMail Forum] odd behavior

Trying to figure out why it's white listed.
02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 119402:22 07:41 SMTPD(3664039604421990) [221.127.179.32] HELO 67.130.17.12602:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: [EMAIL PROTECTED]02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] d:\IMail\spool\D3664039604421990.SMD 20102:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD** 02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free 02/22/2005 07:41:14 Q3664039604421990 L1 Message OK02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE 02/22/2005 07:41:14 Q3664039604421990 L2 Message OK02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE ** 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]** 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]02/22/2005 07:41:14 Q3664039604421990 L3 Message OK02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=0]: CATCHALLMAILS=IGNORE 02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org maria.snyder-main (1) [EMAIL PROTECTED] 97202:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org reggie.licari-main (1) [EMAIL PROTECTED] 97202:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org richard.boudreau-main (1) [EMAIL PROTECTED] 97202:22 07:41 
SMTP-(3664039604421990) finished d:\IMail\spool\Q3664039604421990.SMD status=1 - Original Message - From: Travis Rabe To: IMail_Forum@list.ipswitch.com Sent: Thursday, February 24, 2005 1:09 PM Subject: RE: [IMail Forum] odd behavior What do the logs show you? T From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug AndersonSent: Thursday, February 24, 2005 11:04 AMTo: IMail_Forum@list.ipswitch.comSubject: [IMail Forum] odd behavior I have the following type of email showing up...basically blank. I'm trying to figure out if our imail server is hacked or something - because it's coming from local host. Any ideas here? Got 8.15 and the most current release of declude running. Received: from 67.130.17.126 [221.127.179.32] by mail.ameripride.org (SMTPD32-8.15) id A66D3960442; Tue, 22 Feb 2005 07:41:01 -0600Received: from localhost (HELO localhost [127.0.0.1])by actsX-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
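The distinction drawn in this thread (the "in white list" entry is on an IMail SMTPD line, the "whitelisted" entries are Declude's) can be checked mechanically from the two timestamp layouts. This is an added example, not a tool from either product; the function names are hypothetical and the sample lines are copied from the log posted in the thread.

```python
import re
from collections import defaultdict

# IMail SMTP log:  MM:DD HH:MM SMTPD(<spool id>) <text>   (or SMTP-(<spool id>))
IMAIL_RE = re.compile(r"^\d\d:\d\d \d\d:\d\d SMTP[D-]\((\w+)\) (.*)$")
# Declude log:     MM/DD/YYYY HH:MM:SS Q<spool id> <text>
DECLUDE_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d Q(\w+) (.*)$")

# Whitelist wording as it appears in the posted log lines.
IMAIL_MARK = "in white list"
DECLUDE_MARK = "whitelisted"


def whitelist_hits(lines):
    """Group whitelist entries by spool id and by the product that logged them."""
    hits = defaultdict(lambda: {"IMail": [], "Declude": []})
    for line in lines:
        line = line.strip().lstrip("* ")  # drop the ** markers added in the post
        m = IMAIL_RE.match(line)
        if m and IMAIL_MARK in m.group(2):
            hits[m.group(1)]["IMail"].append(m.group(2))
            continue
        m = DECLUDE_RE.match(line)
        if m and DECLUDE_MARK in m.group(2):
            hits[m.group(1)]["Declude"].append(m.group(2))
    return dict(hits)


def whitelisted_by(hits, spool_id):
    """Names of the products that logged a whitelist entry for this message."""
    entry = hits.get(spool_id, {})
    return sorted(name for name, found in entry.items() if found)


# Sample: lines copied from the merged log in the thread (addresses are
# redacted by the archive, as on the page).
LOG = [
    r"02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD",
    "** 02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list",
    "02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free",
    "02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN "
    "CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN",
    "** 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; "
    "whitelisted [EMAIL PROTECTED]",
    "** 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; "
    "whitelisted [EMAIL PROTECTED]",
    "02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=0]: CATCHALLMAILS=IGNORE",
]

if __name__ == "__main__":
    found = whitelist_hits(LOG)
    for spool_id in found:
        print(spool_id, whitelisted_by(found, spool_id), found[spool_id])
```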
[Declude.JunkMail] Strange filtering behavior
I am not getting a consistent behavior on one of the filters I am using. The filter test does not seem to catch anything from some addresses even though I have not set any whitelists on my server. I have attached a txt file of the headers from the messages, the entries from the declude log file, and the related entries from my cfg file. The example emails are two that I sent with the same subject line, one from my gmail account and one from my hotmail account. The one from hotmail is caught, and one from gmail is not. I'm not sure what I am missing here. Any suggestions or ideas would be greatly appreciated.

Jeffrey

Jeffrey Di Gregorio
MCSE CCNP
Systems Administrator
Pacific School of Religion
510-849-8283
[EMAIL PROTECTED]

test
PHISHINGFILTER filter D:\IMail\Declude\Filters\phishing.txt x 0 0

Action
PHISHINGFILTER ROUTETO [EMAIL PROTECTED]

entry in the filter
SUBJECT 0 CONTAINS Your Account Will Be Suspended

* this message got through, did not trip the filter...

02/24/2005 14:59:50 Q5c641c9803d4c707 R1 Message OK
02/24/2005 14:59:50 Q5c641c9803d4c707 Subject: your account will be suspended
02/24/2005 14:59:50 Q5c641c9803d4c707 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 64.233.170.204 ID: b11so443721rne
02/24/2005 14:59:50 Q5c641c9803d4c707 Tests failed [weight=0]: IPNOTINMX=WARN NOLEGITCONTENT=WARN CATCHALLMAILS=IGNORE
02/24/2005 14:59:50 Q5c641c9803d4c707 Last action = IGNORE.
message header Microsoft Mail Internet Headers Version 2.0 Received: from mecca.psr.edu ([209.76.204.2]) by psr-exch01.psr.edu with Microsoft SMTPSVC(6.0.3790.211); Thu, 24 Feb 2005 15:02:47 -0800 Received: from rproxy.gmail.com [64.233.170.204] by mecca.psr.edu with ESMTP (SMTPD32-8.11) id AC641C9803D4; Thu, 24 Feb 2005 14:59:48 -0800 Received: by rproxy.gmail.com with SMTP id b11so443721rne for [EMAIL PROTECTED]; Thu, 24 Feb 2005 14:59:30 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=VHGNr9rLCK5DNvyNzfvPeLYT/xbQmeMt9cEPolvkrAuTqONgxBfFxdFHgDGNu90jWaRDW5YkhDSq1RCh4ZyOWibwd7m9Xuuikl6tXFJsc1ganKPm0SvNO0wkhShHCybe++7ZOPfxmyrHxgvmuZliMAPSQdJn/8piZLXb0JC1Ku8= Received: by 10.38.22.69 with SMTP id 69mr192034rnv; Thu, 24 Feb 2005 14:59:30 -0800 (PST) Received: by 10.38.98.27 with HTTP; Thu, 24 Feb 2005 14:59:30 -0800 (PST) Message-ID: [EMAIL PROTECTED] Date: Thu, 24 Feb 2005 14:59:30 -0800 From: jeffrey Di Gregorio [EMAIL PROTECTED] Reply-To: jeffrey Di Gregorio [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: your account will be suspended Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-RBL-Warning: IPNOTINMX: X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected. X-Declude-Sender: [EMAIL PROTECTED] [64.233.170.204] X-Spam-Tests-Failed: None X-Country-Chain: UNITED STATES-destination X-Note: Reverse DNS: rproxy.gmail.com X-Note-Out: The total spam weight is 0 Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 24 Feb 2005 23:02:47.0947 (UTC) FILETIME=[F53105B0:01C51AC4] This message was caught by the filter and the ROUTETO action was used... 02/24/2005 14:58:24 Q5c0f18fd03ccc6f4 nNOLEGITCONTENT:-40 . Total weight = -40. 
02/24/2005 14:58:24 Q5c0f18fd03ccc6f4 R1 Message OK 02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Subject: your account will be suspended 02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 64.4.56.33 ID: 02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Tests failed [weight=-40]: NOPOSTMASTER=IGNORE IPNOTINMX=WARN PHISHINGFILTER=ROUTETO CATCHALLMAILS=IGNORE 02/24/2005 14:58:25 Q5c0f18fd03ccc6f4 Last action = IGNORE. message header Microsoft Mail Internet Headers Version 2.0 Received: from mecca.psr.edu ([209.76.204.2]) by psr-exch01.psr.edu with Microsoft SMTPSVC(6.0.3790.211); Thu, 24 Feb 2005 15:01:22 -0800 Received: from hotmail.com [64.4.56.33] by mecca.psr.edu with ESMTP (SMTPD32-8.11) id AC0F18FD03CC; Thu, 24 Feb 2005 14:58:23 -0800 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 24 Feb 2005 14:58:04 -0800 Message-ID: [EMAIL PROTECTED] Received: from 64.162.197.45 by by101fd.bay101.hotmail.msn.com with HTTP; Thu, 24 Feb 2005 22:57:15 GMT X-Originating-IP: [64.162.197.45] X-Originating-Email: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] From: jeffree 13 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Bcc: Subject: your account will be
Re: [Declude.JunkMail] Strange filtering behavior
I believe there is a problem with subject filters in the late 1.8x and early 2.0x versions. Especially with gmail... I believe it is fixed in the higher 2.0 versions: http://www.declude.com/Articles.asp?ID=122 ALL FIX Ensures correct identification of message subject - Original Message - From: Jeffrey Di Gregorio To: declude.junkmail@declude.com Sent: Thursday, February 24, 2005 6:53 PM Subject: [Declude.JunkMail] Strange filtering behavior I am not getting a consistent behavior on one of the filters I am using. The filter test does not seem to catch anything from some addresses even though I have not set any whitelists on my server. I have attached a txt file of the headers from the messages, the entries from the declude log file, and the related entries from my cfg file. The example emails are two that I sent with the same subject line, one from my gmail account and one from my hotmail account. The one from hotmail is caught, and one from gmail is not. I'm not sure what I am missing here. Any suggestions or ideas would be greatly appreciated. Jeffrey Jeffrey Di Gregorio MCSE CCNP Systems Administrator Pacific School of Religion 510-849-8283 [EMAIL PROTECTED]
Re: [Declude.JunkMail] [IMail Forum] odd behavior
Doug, It is likely that this is due to the AUTOWHITELIST ON setting and the recipient having their own E-mail address listed in their Web mail address book. Either that or something that says [EMAIL PROTECTED] (Declude's version of a wildcard match for that domain). Matt Doug Anderson wrote: That's the thing, I have one white list file (hate whitelists) and ameripride is not in it. Did anything change in declude junkmail lately in regards to whitelists (I just upgraded 2 nights ago)? All I have for references to whitelist are : $default.junkmail WHITELISTFILE D:\Imail\Declude\AWHITELST.txt #note AWhitelst.txt does not include ameripride.org Global.cfg CODE LOGFILE d:\declude\logfiles\dec.log LOGLEVEL LOW HOP 0 HIDETESTSCATCHALLMAILS IPNOTINMX NOLEGITCONTENT XINHEADERX-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. XINHEADERX-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%] XINHEADERX-Country-Chain: %COUNTRYCHAIN% XOUTHEADERX-Note: E-mail scanned by Declude-JunkMail for spam by CRC. XSENDERON XSPOOLNAMEON XINHEADERX-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%]). PREWHITELISTON AUTOWHITELIST ON WHITELISTAUTH . . WHITELIST IP 192.168.0.182 WHITELIST IP 192.168.0.85 WHITELIST IP 192.168.0.86 #Servers on local network (not exposed to public) that send emails (status reports) - Original Message - From: E. Shanbrom (Ipswitch) To: IMail_Forum@list.ipswitch.com Sent: Thursday, February 24, 2005 2:48 PM Subject: Re: [IMail Forum] odd behavior Says ameripride.org is on the whitelist (Declude's, not IMail's) Eric S - Original Message - From: Doug Anderson To: IMail_Forum@list.ipswitch.com Sent: Thursday, February 24, 2005 3:03 PM Subject: Re: [IMail Forum] odd behavior Trying to figure out why it's white listed. 
02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 1194 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] HELO 67.130.17.126 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED] 02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] d:\IMail\spool\D3664039604421990.SMD 201 02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD 02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list 02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free 02/22/2005 07:41:14 Q3664039604421990 L1 Message OK 02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE 02/22/2005 07:41:14 Q3664039604421990 L2 Message OK 02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED] 02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED] 02/22/2005 07:41:14 Q3664039604421990 L3 Message OK 02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=0]: CATCHALLMAILS=IGNORE 02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org maria.snyder-main (1) [EMAIL PROTECTED] 972 02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org reggie.licari-main (1) [EMAIL PROTECTED] 972 02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org richard.boudreau-main (1) [EMAIL PROTECTED] 972 02:22 
07:41 SMTP-(3664039604421990) finished d:\IMail\spool\Q3664039604421990.SMD status=1 - Original Message - From: Travis Rabe To: IMail_Forum@list.ipswitch.com Sent: Thursday, February 24, 2005 1:09 PM Subject: RE: [IMail Forum] odd behavior What do the logs show you? T From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug Anderson Sent: Thursday, February 24, 2005 11:04 AM To: IMail_Forum@list.ipswitch.com Subject: [IMail Forum] odd behavior I have the following type of email showing
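The whitelist behavior discussed in this thread (a message scoring weight=25 and then being skipped as whitelisted) can be found in bulk by grouping Declude log lines per queue ID. The following is an added example, not part of the original posts or of Declude: the log layout is copied from the lines quoted above, the sample addresses and queue IDs are constructed, and the threshold of 10 and the reading of the second address as the matched whitelist entry are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Declude log layout quoted in this thread;
# queue IDs, addresses and weights are made up for the example.
SAMPLE_LOG = """\
02/22/2005 07:41:14 Q0000000000000001 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN REVDNS=WARN
02/22/2005 07:41:14 Q0000000000000001 Skipping4 E-mail from alice@example.org; whitelisted alice@example.org
02/22/2005 07:41:14 Q0000000000000001 Skipping4 E-mail from alice@example.org; whitelisted bob@example.org
02/22/2005 07:41:14 Q0000000000000001 Tests failed [weight=0]: CATCHALLMAILS=IGNORE
02/22/2005 07:42:02 Q0000000000000002 Tests failed [weight=0]: CATCHALLMAILS=IGNORE
02/22/2005 07:43:10 Q0000000000000003 Tests failed [weight=5]: IPNOTINMX=WARN
02/22/2005 07:43:10 Q0000000000000003 Skipping4 E-mail from carol@example.net; whitelisted carol@example.net
"""

LINE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (Q[0-9a-fA-F]+) (.*)$")
WEIGHT = re.compile(r"Tests failed \[weight=(-?\d+)\]: (.*)")
SKIP = re.compile(r"Skipping\d* E-mail from (\S+); whitelisted (\S+)")

def whitelisted_despite_weight(log_text, threshold=10):
    """Return messages that scored >= threshold but hit a whitelist entry."""
    msgs = defaultdict(lambda: {"weight": None, "tests": set(), "hits": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # IMail SMTPD lines use another layout and are ignored
        rec, body = msgs[m.group(1)], m.group(2)
        w = WEIGHT.search(body)
        s = SKIP.search(body)
        if w:
            # Keep the highest weight: the post-whitelist pass logs weight=0.
            weight = int(w.group(1))
            if rec["weight"] is None or weight > rec["weight"]:
                rec["weight"] = weight
            rec["tests"].update(t.split("=")[0] for t in w.group(2).split())
        elif s:
            rec["hits"].add((s.group(1), s.group(2)))
    return [
        {"queue_id": qid, "weight": rec["weight"],
         "tests": sorted(rec["tests"]), "whitelist_hits": sorted(rec["hits"])}
        for qid, rec in sorted(msgs.items())
        if rec["hits"] and rec["weight"] is not None and rec["weight"] >= threshold
    ]

if __name__ == "__main__":
    for finding in whitelisted_despite_weight(SAMPLE_LOG):
        print(finding)
```

Each finding lists the whitelist entries that matched, which is the place to start when the domain is not in the WHITELISTFILE and an automatic entry is suspected.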