[Declude.JunkMail] FW: Not scanning junk mail - smartermail

2005-08-16 Thread scott_powner
I have occasional junk mail not being scanned by Declude. We are running
Declude 2.0.6 PRO.  We run Smartermail.  The Declude header for the e-mail
is being put into the body.  I checked through the archives and found several
references.  Based on their best recommendation I copied the original 2.0.6
GLOBAL.CFG and $default$.junkmail.  I only made minor changes to them.  The
problem still occurred.

We run multiple domains and each domain has its own $default$.junkmail.
We also use Declude Antivirus with TrendMicro.  The only e-mails that seem
to be getting through are from Yahoo.

Any ideas would be appreciated.
Thank you,
Scott Powner
[EMAIL PROTECTED]

The header:


Return-Path: [EMAIL PROTECTED] Tue Aug 16 05:57:10 2005
Received: from aamiens-157-1-20-114.w86-196.abo.wanadoo.fr [86.196.3.114] by
miu4.k12.pa.us with SMTP;
   Tue, 16 Aug 2005 05:57:10 -0400
Date: mar., 16 août 2005 11:57:13 +0100
Return-path: [EMAIL PROTECTED]
From: Grossman[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Our store is your cureall!
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Type: text/html
X-SmarterMail-Spam: SPF_None

The letter:
 
Suffering from pain, depression or heartburn? We'll help you! 
All verified [EMAIL PROTECTED] collected at one LICENSED online store! 
Great choice of wonderful meds to give you long-awaited relief! 
Operative support, fast shipping, secure [EMAIL PROTECTED] processing and 
complete
confidentiality! 

The store is VERIFIED BY BBB and APPROVED BY VISA! 
Subject: POSSIBLE SPAM X-RBL-Warning: NOABUSE: Not supporting
[EMAIL PROTECTED] X-RBL-Warning: BADHEADERS: This E-mail was sent from a
broken mail client [c010100e]. X-RBL-Warning: DYNHELO: Dynamic HELO found.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[c010100e]. X-RBL-Warning: WEIGHT10: Weight of 15 reaches or exceeds the
limit of 10. X-RBL-Warning: WEIGHT11: Weight of 15 reaches or exceeds the
limit of 11. X-RBL-Warning: WEIGHT12: Weight of 15 reaches or exceeds the
limit of 12. X-RBL-Warning: WEIGHT13: Weight of 15 reaches or exceeds the
limit of 13. X-Declude-Sender: [EMAIL PROTECTED] [86.196.3.114]
X-Declude-Spoolname: 31237915.EML X-Declude-Note: Scanned by Declude 2.0.6
(http://www.declude.com/x-note.htm) for spam. X-Declude-Scan: Score [15] at
05:57:51 on 16 Aug 2005 X-Declude-Tests: NOABUSE, BADHEADERS, DYNHELO,
SPAMHEADERS, WEIGHT10, WEIGHT11, WEIGHT12, WEIGHT13, WEIGHT14, WEIGHT15
X-Country-Chain: FRANCE-destination [This E-mail scanned for viruses by
Declude 2.0.6 ANTI-Virus]



The GLOBAL.CFG:
#
# Declude JunkMail configuration file.
#
# This file has the global Declude JunkMail settings, defines the tests, and lists the
# actions to take on outgoing E-mail (for the Pro version; not normally used).
#
# JunkMail Online Manual http://www.declude.com/Articles.asp?ID=116
# Technical Support http://www.declude.com/SearchResults.asp?Cat=5
#
# This file was distributed with v2.0.6
#

# This Code is only required for IMail

CODExx

#=LOGS==
#  in the LOGFILE option, if present, automatically gets replaced with the month/date.
# Log Level options: WARN / LOW / MID / HIGH / DEBUG / ERROR

LOGFILE  spool\dec.log
LOGLEVEL LOW

#EVENTLOG   ON

#=   HEADERS


#--INCOMING---

XINHEADER   X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.
XINHEADER   X-Declude-Scan: Score [%WEIGHT%] at %TIME% on %DATE%
XINHEADER   X-Declude-Tests: %TESTSFAILED%
XINHEADER   X-Country-Chain: %COUNTRYCHAIN%

#--OUTBOUND or GATEWAY---

XOUTHEADER  X-Declude-Note: Scanned by Declude %VERSION% (http://www.declude.com/x-note.htm) for spam.
XOUTHEADER  X-Declude-Scan: Score [%WEIGHT%] at %TIME% on %DATE%
XOUTHEADER  X-Declude-Tests: %TESTSFAILED%
XOUTHEADER  X-Country-Chain: %COUNTRYCHAIN%
#XOUTHEADER Organization: MIU IV

XSENDER ON
XSPOOLNAME  ON

#=ADVANCED OPTIONS=
# These are advanced options; please ensure you have read the manual and understand
# what impact these settings have on Declude.

#CONSOLEON

#IPBYPASS   192.0.2.25

HOP 0
#HOPHIGH1

#DNS 
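
The symptom above is the scanner's own X-RBL-Warning and X-Declude-* lines landing below the blank line, in the body, instead of in the header block. When a scanner and a mail server disagree about where a header block ends, the first thing to check is whether every header line is something a strict RFC 5322 parser accepts, because a line that one parser tolerates and another rejects is exactly where the two can diverge. The following Python example is added here and is not code from the thread, from Declude or from SmarterMail. It works on a constructed message modelled on the header block quoted above (addresses are placeholders), flags header lines a strict parser rejects (the localized French Date line is one), and reports scanner-style headers found in the body, which is the symptom Scott describes. The thread does not establish that the Date line is the cause; the check only shows where parsers could disagree.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header block quoted in the thread
# (placeholder addresses); this is not the original message. The Date line
# keeps the localized form seen in the quoted headers, and the body carries
# two scanner headers to reproduce the reported symptom.
SAMPLE = (
    b"Received: from aamiens-157-1-20-114.w86-196.abo.wanadoo.fr [86.196.3.114] by\r\n"
    b"   miu4.k12.pa.us with SMTP;\r\n"
    b"   Tue, 16 Aug 2005 05:57:10 -0400\r\n"
    b"Date: mar., 16 ao\xc3\xbbt 2005 11:57:13 +0100\r\n"
    b"Return-path: <sender@example.invalid>\r\n"
    b"From: Grossman <sender@example.invalid>\r\n"
    b"To: <user@example.invalid>\r\n"
    b"Subject: Our store is your cureall!\r\n"
    b"Message-ID: <0001@example.invalid>\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"X-SmarterMail-Spam: SPF_None\r\n"
    b"\r\n"
    b"Suffering from pain, depression or heartburn?\r\n"
    b"X-RBL-Warning: DYNHELO: Dynamic HELO found.\r\n"
    b"X-Declude-Scan: Score [15] at 05:57:51 on 16 Aug 2005\r\n"
)

# RFC 5322 section 3.6.8: a field name is one or more printable US-ASCII
# characters other than ':' (0x21-0x39, 0x3B-0x7E), followed directly by ':'.
FIELD_RE = re.compile(rb"^([!-9;-~]+):")
# Header names the scanner writes; seeing them in the body is the symptom.
SCANNER_PREFIXES = (b"x-declude-", b"x-rbl-warning:", b"x-country-chain:")


def split_message(raw: bytes):
    """Split at the first empty line, as RFC 5322 requires.
    Returns (header_bytes, body_bytes); with no empty line everything is header."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):]
    return raw, b""


def unfold(header_bytes: bytes):
    """Join folded continuation lines (leading SP/HTAB) onto their field."""
    fields = []
    for line in header_bytes.splitlines():
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b" " + line.strip()
        else:
            fields.append(line)
    return fields


def audit_headers(raw: bytes):
    """Return (field_or_line, problem) pairs for header lines a strict RFC 5322
    parser rejects: lines that are not 'field-name: value', and Date values
    that are not an RFC 5322 date-time."""
    problems = []
    header, _ = split_message(raw)
    for line in unfold(header):
        m = FIELD_RE.match(line)
        if not m:
            problems.append((line, "not a 'field-name: value' line"))
            continue
        name, value = m.group(1).lower(), line[m.end():].strip()
        if name == b"date":
            try:
                parsedate_to_datetime(value.decode("latin-1"))
            except (ValueError, TypeError):  # TypeError on Python < 3.10
                problems.append((name, "not an RFC 5322 date-time: %r" % value))
    return problems


def scanner_headers_in_body(raw: bytes):
    """Return body lines shaped like scanner headers, i.e. X-Declude-* or
    X-RBL-Warning lines that ended up after the blank line."""
    _, body = split_message(raw)
    return [line for line in body.splitlines()
            if line.lower().startswith(SCANNER_PREFIXES)]


if __name__ == "__main__":
    for item, why in audit_headers(SAMPLE):
        print("header problem:", item, "-", why)
    for line in scanner_headers_in_body(SAMPLE):
        print("scanner header in body:", line.decode("latin-1"))
```

Run it against a spool file saved from the server (Declude's X-Declude-Spoolname header names the file) and compare with a message that was scanned correctly; if only the misplaced ones carry lines that `audit_headers` rejects, that is the place to look.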

Re: [Declude.JunkMail] Bonded Sender

2005-08-16 Thread Matt

Russ,

Since no one commented on this I figured that I should add a third cent.

The bottom line with any sort of service that charges a fee for adding 
IP's to a whitelist is that it will largely attract customers that have 
issues with being blacklisted.  There is no doubt that most such 
services do not desire to be responsible for spamming, but they are 
often not capable of verifying that every customer's supposed opt-in 
list is from a first-party source and uses exclusively verified 
addresses.  While places like roving.com (Constant Contact) probably 
have over 95% fully legitimate customers, as much as half of the E-mails 
that I get from these services are spam.  The difference is due to the 
volumes.


I have in the past reported issues with known spam operations being 
bonded and I was not happy with the resolution that they took in either 
case.  I believe that your experience will show that there isn't likely 
a net benefit to using BondedSender.  Clean sources shouldn't have 
issues being blacklisted, and dirty sources should be scrutinized, 
especially when they service a wide range of unassociated customers.


Blacklists also of course have issues with these mixed/shared sources, 
in fact the lack of granularity in IP or domain based tests with such 
sources is one of the primary reasons for the problems.  Another issue 
is that blacklists are fairly unforgiving in how they list such things, 
and end-users are not often concerned enough about false positives on 
legitimate advertising to seek having them delisted.  This forced me to 
create my own list of domains and IP's that correspond to bulk-mail 
providers so that I could isolate their traffic and score them 
differently than I do E-mail.  Some are passed automatically except for 
extreme circumstances, and others are held automatically and I whitelist 
only what customers report, and I whitelist specific mailings by things 
like Reply-To addresses and not the entire service.


Matt



Russ Uhte wrote:

What's the general consensus on the BondedSender test?  I looked back 
through the archive, and found a little debate on it.  I know Matt 
said he removed the test completely.  I've never enabled logging for 
messages that pass until today.  And right off the get-go I get 2 that 
definitely shouldn't have passed, but bondedsender said they were good...


-Russ
---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

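
Matt's approach above, as an added Python example: bulk-mail providers are kept apart from ordinary mail and scored under their own policy, an accreditation listing is a weighted test rather than a bypass, and individual mailings are allowed by Reply-To instead of whole services. This is not Declude configuration and not code from the thread; the provider list, the thresholds (HOLD_AT mirrors the WEIGHT10 test seen in Scott's headers, EXTREME_AT is an assumed value), the weight given to a bonded-sender listing and the sample messages are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data; placeholder domains, not a real provider list.
BULK_PROVIDERS = {
    "bulk-pass.example": "pass",  # passed automatically except in extreme cases
    "bulk-hold.example": "hold",  # held automatically unless a customer asked for it
}
# Per-mailing allowlist keyed on Reply-To, so one customer's newsletter is
# allowed without allowing everything the same provider sends.
ALLOWED_REPLY_TO = {"newsletter@customer.example"}

HOLD_AT = 10         # ordinary mail is held at this score (as the WEIGHT10 test)
EXTREME_AT = 30      # even a "pass" provider is held at this score (assumed)
BONDED_WEIGHT = -3   # accreditation lowers the score a little; never a bypass


@dataclass
class Message:
    sender_domain: str
    reply_to: str
    failed_tests: dict     # test name -> weight, as the scanner reports them
    bonded: bool = False   # listed by the accreditation service


def score(msg: Message) -> int:
    """Sum the failed-test weights; a bonded listing is one more weighted test."""
    total = sum(msg.failed_tests.values())
    if msg.bonded:
        total += BONDED_WEIGHT
    return total


def decide(msg: Message) -> str:
    """Return 'deliver' or 'hold' using the sender's provider policy."""
    s = score(msg)
    policy = BULK_PROVIDERS.get(msg.sender_domain.lower())
    if policy == "pass":
        return "hold" if s >= EXTREME_AT else "deliver"
    if policy == "hold":
        if msg.reply_to.lower() in ALLOWED_REPLY_TO and s < EXTREME_AT:
            return "deliver"
        return "hold"
    return "hold" if s >= HOLD_AT else "deliver"


# Constructed sample traffic covering each branch of the policy.
SAMPLES = {
    "ordinary_clean": Message("corp.example", "bob@corp.example", {"SPFNONE": 2}),
    "ordinary_spam": Message("corp.example", "x@corp.example",
                             {"BADHEADERS": 8, "DYNHELO": 5}),
    # Same spam, but accredited: the listing shaves 3 points and it is still held.
    "bonded_spam": Message("corp.example", "x@corp.example",
                           {"BADHEADERS": 8, "DYNHELO": 5}, bonded=True),
    "pass_provider": Message("bulk-pass.example", "promo@bulk-pass.example",
                             {"BADHEADERS": 8, "DYNHELO": 5}),
    "pass_provider_extreme": Message("bulk-pass.example", "promo@bulk-pass.example",
                                     {"SPAMHEADERS": 20, "DYNHELO": 12}),
    "held_provider": Message("bulk-hold.example", "promo@other.example", {}),
    "held_provider_allowed": Message("bulk-hold.example",
                                     "newsletter@customer.example", {}),
}


def run_samples() -> dict:
    """Decide every sample; returns name -> verdict."""
    return {name: decide(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24} {verdict}")
```

The `bonded_spam` sample is the case Russ reports: a message that the accreditation service vouches for but that fails the other tests. With the listing as a weighted test it is still held; with the listing as a whitelist it would have been delivered.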


Re: [Declude.JunkMail] Bonded Sender

2005-08-16 Thread Scott Fisher

Here's a list of who has hit bonded sender for me this month:

Check Mail with Tests

 FromDomain                 CountOfMessageID
 online.com                 84
 YOURNEWSLETTERS.NET        70
 google.com                 52
 beliefnet.com              28
 ebay.com                   28
 LIFESCRIPT.COM             26
 classmates.com             24
 tigeronline.com            23
 ABOUT.COM                  20
 ediets.com                 18
 subscribermail.com         10
 americanexpress.com         9
 COOLSAVINGS.COM             8
 travelzoo.com               7
 email-advantage.com         6
 verticalresponse.com        5
 databack.com                4
 foolsubs.com                4
 exacttarget.com             2
 hallmark.com                2
 myabout.com                 2
 pmailus.com                 2
 chtah.com                   2
 ceocast.com                 2
 vresp.com                   2
 gliq.com                    2
 match.com                   1
 date.com                    1
 pdirectmail.net             1
 trustedemailsender1.com     1



- Original Message - 
From: Russ Uhte [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Monday, August 15, 2005 9:07 AM
Subject: [Declude.JunkMail] Bonded Sender


What's the general consensus on the BondedSender test?  I looked back 
through the archive, and found a little debate on it.  I know Matt said 
he removed the test completely.  I've never enabled logging for messages 
that pass until today.  And right off the get-go I get 2 that definitely 
shouldn't have passed, but bondedsender said they were good...


-Russ


[Declude.JunkMail] VIRUS WARNING

2005-08-16 Thread Kim Premuda
VIRUS WARNING
-

For the past 2 days, our server that runs IMail was bringing the rest of our 
network to a crawl. If we disconnected this server from the network, then the 
network would restore to normal. Just in case anyone else is having network 
problems, this may be the cause. Here's what we did to fix it.

In the Windows Task Manager, look for either of two programs/processes:

   mousebm.exe
   mousesync.exe

You will not be able to end these processes from Task Manager. You must first 
open the Registry Editor and search for the following folders and delete them:

   HKLM/System/ControlSet001/Services/Mousebm
   HKLM/System/ControlSet001/Services/Mousesync

   HKLM/System/ControlSet002/Services/Mousebm
   HKLM/System/ControlSet002/Services/Mousesync

Then reboot the server. After rebooting, you will now be able to delete the two 
offending files. They are located in:

   c:\winnt\system32\mousebm.exe
   c:\winnt\system32\mousesync.exe


If you find that the offending files re-appear in the Task Manager, look for 
the following file and delete it:

   c:\winnt\system32\i

You will then have to repeat the above steps again.

We searched Trend Micro, Symantec, McAfee, and Google for these files, but none 
of these web sites had any information on them. Perhaps this virus has not yet 
been identified by them.

Good luck!


--
Kim W. Premuda
FastWave Internet Services
San Diego, CA


RE: [Declude.JunkMail] VIRUS WARNING

2005-08-16 Thread Colbeck, Andrew
Thanks for the heads up, Kim. If you still have the files, you can do a
couple more things to help the wider community:

Password protect them in a zip file and submit the samples to:

The handlers at the SANS Internet Storm Center, who love to chase down
new malware and will share with vendors:
http://isc.sans.org/

This free webform that will check multiple antivirus vendors' current
signatures (submit them one executable at a time):
http://www.virustotal.com/

The open source CLAM team, which will add to their database and submit
your samples to other vendors:
http://www.clamav.com/

For the most detail, submit the malware you've found to the Norman
sandbox, which will email you a report of what the executable does (if
it's hostile, it will advise you to forward the message plus the malware
to their antivirus submission email address):
http://sandbox.norman.no/live.html


Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kim Premuda
 Sent: Tuesday, August 16, 2005 3:13 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] VIRUS WARNING
 
 VIRUS WARNING
 -
 
 For the past 2 days, our server that runs IMail was bringing 
 the rest of our network to a crawl. If we disconnected this 
 server from the network, then the network would restore to 
 normal. Just in case anyone else is having network problems, 
 this may be the cause. Here's what we did to fix it.
 
 In the Windows Task Manager, look for either of two 
 programs/processes:
 
mousebm.exe
mousesync.exe
 
 You will not be able to end these processes from Task 
 Manager. You must first open the Registry Editor and search 
 for the following folders and delete them:
 
HKLM/System/ControlSet001/Services/Mousebm
HKLM/System/ControlSet001/Services/Mousesync
 
HKLM/System/ControlSet002/Services/Mousebm
HKLM/System/ControlSet002/Services/Mousesync
 
 Then reboot the server. After rebooting, you will now be able 
 to delete the two offending files. They are located in:
 
c:\winnt\system32\mousebm.exe
c:\winnt\system32\mousesync.exe
 
 
 If you find that the offending files re-appear in the Task 
 Manager, look for the following file and delete it:
 
c:\winnt\system32\i
 
 You will then have to repeat the above steps again.
 
 We searched Trend Micro, Symantec, McAfee, and Google for 
 these files, but none of these web sites had any information 
 on them. Perhaps this virus has not yet been identified by them.
 
 Good luck!
 
 
 --
 Kim W. Premuda
 FastWave Internet Services
 San Diego, CA
 
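
Kim's removal steps and Andrew's request to keep the samples, combined into one added PowerShell example. This is not from the thread (the posters worked in Task Manager and Registry Editor by hand) and it assumes a current Windows host with PowerShell 4 or later. The service names, file names and the extra `system32\i` file are the ones in Kim's post; the quarantine directory, the dry-run switch, the SHA-256 hashing and the use of `$env:SystemRoot` in place of the literal `c:\winnt` are this example's assumptions. It walks every `ControlSetNNN` key rather than only the two the post names, since which numbered control sets exist varies from host to host.

```powershell
# Added example: preserve, then remove, the service-based persistence described
# in the post above. Dry run unless -Remove is given. Run as Administrator.
[CmdletBinding()]
param(
    [string[]]$ServiceNames = @('Mousebm', 'Mousesync'),      # from the post
    [string]$Quarantine = "$env:SystemDrive\quarantine",       # assumed location
    [switch]$Remove
)

# Files named in the post, under whatever the system root is on this host.
$files = foreach ($n in $ServiceNames) { Join-Path $env:SystemRoot "system32\$n.exe" }
$files += Join-Path $env:SystemRoot 'system32\i'   # the file that re-creates the others

# 1. Keep copies and hashes before anything is deleted, so they can be
#    submitted to the services Andrew lists.
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
foreach ($f in $files) {
    if (Test-Path $f) {
        Get-FileHash -Algorithm SHA256 -Path $f | Format-List Path, Hash
        Copy-Item -Path $f -Destination $Quarantine -Force
    }
}

# 2. Service keys exist under every numbered control set, not only the
#    current one; remove them from all of them so the service cannot return
#    after a "last known good" boot.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
foreach ($cs in $controlSets) {
    foreach ($n in $ServiceNames) {
        $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$n"
        if (Test-Path $key) {
            $imagePath = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
            Write-Host "found $key -> ImagePath: $imagePath"
            if ($Remove) { Remove-Item -Path $key -Recurse -Force }
        }
    }
}

# 3. Try to stop the processes. The post reports Task Manager could not end
#    them; if Stop-Process fails too, the key removal above plus a reboot is
#    the fallback, after which step 4 succeeds.
foreach ($n in $ServiceNames) {
    Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "running: $($_.Name) pid $($_.Id)"
        if ($Remove) { Stop-Process -Id $_.Id -Force -ErrorAction Continue }
    }
}

# 4. Delete the files (after the reboot if step 3 could not stop them).
foreach ($f in $files) {
    if ($Remove -and (Test-Path $f)) { Remove-Item -Path $f -Force -ErrorAction Continue }
}

if (-not $Remove) {
    Write-Host 'dry run; re-run with -Remove to delete the keys, processes and files'
}
```

Run it once without `-Remove` to see what is present, and check the reported `ImagePath` values against the expected `system32` paths before deleting; the post's note that the files reappear until `system32\i` is removed is why that file is in the list from the start.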


RE: [Declude.JunkMail] VIRUS WARNING

2005-08-16 Thread Andy Schmidt
Hi,

It's the IRC virus.

Seems that you don't have MS05-039 missing:
http://www.internetsecurity.fi/v-descs/ircbot_es.shtml


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, August 16, 2005 06:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] VIRUS WARNING


Thanks for the heads up, Kim. If you still have the files, you can do a
couple more things to help the wider community:

Password protect them in a zip file and submit the samples to:

The handlers at the SANS Internet Storm Center, who love to chase down new
malware and will share with vendors: http://isc.sans.org/

This free webform that will check multiple antivirus vendors' current
signatures (submit them one executable at a time):
http://www.virustotal.com/

The open source CLAM team, which will add to their database and submit your
samples to other vendors: http://www.clamav.com/

For the most detail, submit the malware you've found to the Norman sandbox,
which will email you a report of what the executable does (if it's hostile,
it will advise you to forward the message plus the malware to their
antivirus submission email address): http://sandbox.norman.no/live.html


Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kim Premuda
 Sent: Tuesday, August 16, 2005 3:13 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] VIRUS WARNING
 
 VIRUS WARNING
 -
 
 For the past 2 days, our server that runs IMail was bringing
 the rest of our network to a crawl. If we disconnected this 
 server from the network, then the network would restore to 
 normal. Just in case anyone else is having network problems, 
 this may be the cause. Here's what we did to fix it.
 
 In the Windows Task Manager, look for either of two
 programs/processes:
 
mousebm.exe
mousesync.exe
 
 You will not be able to end these processes from Task
 Manager. You must first open the Registry Editor and search 
 for the following folders and delete them:
 
HKLM/System/ControlSet001/Services/Mousebm
HKLM/System/ControlSet001/Services/Mousesync
 
HKLM/System/ControlSet002/Services/Mousebm
HKLM/System/ControlSet002/Services/Mousesync
 
 Then reboot the server. After rebooting, you will now be able
 to delete the two offending files. They are located in:
 
c:\winnt\system32\mousebm.exe
c:\winnt\system32\mousesync.exe
 
 
 If you find that the offending files re-appear in the Task
 Manager, look for the following file and delete it:
 
c:\winnt\system32\i
 
 You will then have to repeat the above steps again.
 
 We searched Trend Micro, Symantec, McAfee, and Google for
 these files, but none of these web sites had any information 
 on them. Perhaps this virus has not yet been identified by them.
 
 Good luck!
 
 
 --
 Kim W. Premuda
 FastWave Internet Services
 San Diego, CA
 