Re: [Declude.JunkMail] OT: Issues with Windows 2003 FTP service
Good morning all,

I figured that I might save those that might respond some time...I found and fixed the issue. Turns out that the MS SMTP part of the metabase was still corrupt in some way...not sure exactly how...and this was causing FTP of all things to behave very, very slowly (while MS SMTP was operating normally).

After a lot of playing around with things I figured out that it was the MS SMTP segment of the metabase that when enabled as it was originally would cause FTP to drag, and I also found that stopping the MS SMTP service would cause FTP to return to normal. Why??? Who really knows, but when my metabase was corrupted, it was a corruption in the MS SMTP portion of the file and somehow it is still bad (I'm thinking that my backup copy that I restored had the error that eventually caused the corruption).

Thanks,

Matt

Matt wrote:

> I'm at wit's end with this and I figured that I would put a feeler out here to see if anyone has a clue as to what the source of my issue might be.
>
> My MSFTPSVC on one server suddenly has slowed to a crawl, i.e. 15 to 60 seconds from issuing a command to receiving a response. This even happens with the FTP client on the same server going to 127.0.0.1. I have also tested by installing a third-party FTP server on the same box and that worked fine.
>
> There is nothing else that is remarkable going on with that server, and I am unsure as to what precipitated the issue, though one possibility is the last MS security rollout that caused my metabase to become corrupted following the reboot back on 12/22. I fixed that with a copy from a backup and all seemed normal. The corrupted metabase showed a block of random characters in the middle of the XML file, and it occurred in the SMTP segment. The current working metabase looks just fine, but I'm thinking that whatever caused the corruption might have also corrupted some other stuff that is affecting FTP. The release notes on those patches didn't suggest anything related to the FTP service or TCP/IP.
>
> I have tried many different things from uninstalling and reinstalling the FTP service, removing the last two MS patches (and reinstalling them), and a host of smaller tasks. I have run a rootkit detector and I have real-time virus protection on the server, but that was just to eliminate the very small possibility as the server is well firewalled, completely patched, has only one regular RD user (myself), unnecessary services are disabled, and I even stay away from often exploited software such as Perl and PHP. There is nothing else abnormal on the server that would suggest a bug or otherwise. Curiously this isn't affecting the Web server or SMTP services that are also part of IIS along with FTP.
>
> One clue to the problem is that when I reset my router, FTP works at full speed for maybe up to a minute. Although this makes no sense in the purest sense, the same thing happens when using a client on the same box FTPing to 127.0.0.1...the FTP will work at normal speed for a short while when FTPing to 127.0.0.1 immediately following a router reload. I am 99.9% positive that my network has nothing to do with causing the issue, but this one thing suggests that there is some interaction with TCP/IP and the FTP service that is contributing to the issue.
>
> This makes me think that it is a bug with the IIS rate limiting which requires QOS to be bound to the NIC, and maybe the router resets are resetting the QOS/rate limiting, allowing it to operate at full speed until it adjusts back to almost no throughput. I have rate limiting turned on for both Web and FTP, but this is only affecting FTP. I have tried turning off QOS and rebooting, but that had no effect on the issue, yet the way that rate limiting works, it seems to explain why a router reload causes things to work well for a few moments before degrading again.
>
> At this point my next try will probably be to uninstall and reinstall all of IIS, but I was hoping that maybe someone around here has seen this or a similar issue, or if there were any ideas about the possible interaction with QOS and rate limiting gone bad, and how to reinstall that part of Windows if possible. I would like to avoid rebuilding this box, but I won't keep it running in the present state with an unknown issue even though I could migrate to a third-party FTP server and avoid the issue.
>
> I would appreciate any glimmers of hope that anyone might have for me on this :)
>
> Thanks,
>
> Matt

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Issues with Windows 2003 FTP service
Thanks a lot for the follow up and answer to your own post. It may help us in the future. You are very kind. I am glad you were able to solve the problem.

regards
Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Miércoles, 04 de Enero de 2006 08:37 a.m.
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] OT: Issues with Windows 2003 FTP service
[Declude.JunkMail] Spammer IP Range
We're seeing spam from 198.145.23.1 - 198.145.23.254

This link will show you some of the other domains they're using.

http://www.senderbase.org/search?searchBy=organizationsearchString=University%20of%20Portland

Funny thing is the IPs are supposed to belong to the University of Portland. Why mark123inc.com has their own name servers on a University's IP block is a mystery to me.

---
[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.JunkMail] Spammer IP Range
Perhaps you/others might want to add this url to your toolbox.

http://ws.arin.net/whois/?queryinput=198.145.23.0

Palin Aquisitions Inc. PALIN-198-145 (NET-198-145-0-0-1) 198.145.0.0 - 198.145.255.255
MRC Marketing 198-145-23-0 (NET-198-145-23-0-1) 198.145.23.0 - 198.145.23.255

# ARIN WHOIS database, last updated 2006-01-03 19:10

At 03:13 PM 1/4/2006 -0600, Dave Beckstrom wrote:

> We're seeing spam from 198.145.23.1 - 198.145.23.254
>
> This link will show you some of the other domains they're using.
>
> http://www.senderbase.org/search?searchBy=organizationsearchString=University%20of%20Portland
>
> Funny thing is the IPs are supposed to belong to the University of Portland. Why mark123inc.com has their own name servers on a University's IP block is a mystery to me.
RE: [Declude.JunkMail] Spammer IP Range
Whoa! Very cool. Seems to be more accurate than senderbase too. Thank you!

Ironically, those B*stards at MRC Marketing are about 30 miles from my house. I wonder what they would do if I showed up on their door tomorrow to chat with them about their spamming?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Ncl Admin
Sent: Wednesday, January 04, 2006 3:56 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Spammer IP Range
Re: [Declude.JunkMail] Spammer IP Range
> Ironically, those B*stards at MRC Marketing are about 30 miles from my house. I wonder what they would do if I showed up on their door tomorrow to chat with them about their spamming?

My guess is they would probably have you arrested - but depending on how your conversation went it might be worth it...

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.JunkMail] F-prot
FRISK has just updated F-Prot for Windows to 3.16e and this purports to include enhanced scanning capability for malformed WMF that appear as other graphic formats.

The subscription login server is down with HTTP error 500 again.

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, November 29, 2005 10:30 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] F-prot

I got the following from F-Prot technical support at 6 AM this morning:

Unfortunately we are experiencing some problems with our servers due to extensive traffic. These matters are being looked into as we speak. We apologize for the inconvenience and ask you to try again in about an hour.

The problem seems to be fixed, as I was finally able to download the new version with no delays from their web site.

Gary Steiner

-----Original Message-----
From: Kevin Bilbee [EMAIL PROTECTED]
Sent: Monday, November 28, 2005 8:20 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] F-prot

Same problem here. I get an Internal Server Error

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Richard Farris
Sent: Monday, November 28, 2005 4:48 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] F-prot

Anyone using F-Prot for antivirus...they just came out with a new update and I have been trying all day to get there to update with no luck...anybody else see this?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet
[Declude.JunkMail] My hyperthreading test with Declude 2.0.6.16 (and plugins)
This came up several times in the past, and I finally got around to testing my dual Xeon server with hyperthreading turned off. I had read in some places (like Tom's Hardware I believe), that certain multi-threaded server applications did not perform as well with hyperthreading as without hyperthreading. You will see from the attached graph that this test shows that turning off hyperthreading is not the way to go with at least the 2.x version of Declude.

Just to explain the graph, at about 7:30 a.m. I turned off hyperthreading and rebooted the computer. There was an immediate large spike in processing. I then later rebooted the server because this spike was so high that I thought that maybe there was something wrong with the state of the server, but that wasn't the case, it just couldn't handle the traffic very well even though it was normal in every other sense. Normally my server cruises along with peak average hourly utilization of about 40% to 45% on weekdays, but today it reached a peak hourly utilization of 80%. Then to make matters even worse, IMail SMTP crashed at around 7 p.m. (IMail 8.15 HF2). I would imagine that this had to do with mystery heap instability, though I have Declude set to just 20 threads which should have been fine.

I was actually expecting little or no change in my results from this test, and the only explanation that I can think of would be that because so many single-threaded applications are being used, that managing these threads represented a large amount of overhead to the server...as large as the E-mail itself. By having 4 CPUs seen by the system instead of just 2, it seems to leap past this bottleneck. This also leads me to believe that as CPU utilization rises, efficiency goes down. This seems to be my experience at least.

Note that Declude 3.x and IMail 8.2+ might show very different results, though I expect that they will be similar since much of the processing goes to the virus scanners and external tests that are plugged into Declude, and not Declude or IMail themselves. I'll probably test that out when I make the leap.

Matt
[Declude.JunkMail] RBL warning
Based on the following header lines...

X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=222.173.57.68;
X-RBL-Warning: DSBL: http://dsbl.org/listing?222.173.57.68;
X-RBL-Warning: MXRATE-BLOCK: http://www.mxrate.com/lookup/refused.asp?ipaddress=222.173.57.68;
X-RBL-Warning: SORBS-SPAM: Spam Received See: http://www.sorbs.net/lookup.shtml?222.173.57.68;
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?222.173.57.68;
X-RBL-Warning: CSMA-SBL: http://bl.csma.biz/cgi-bin/listing.cgi?ip=222.173.57.68;
X-RBL-Warning: SPAMBAG: 68.57.173.222.blacklist.spambag.org.
X-RBL-Warning: FIVETENSRC: 68.57.173.222.blackholes.five-ten-sg.com.
X-RBL-Warning: BASURA: This E-mail came from 222.173.57.68, a potential spam source listed in BASURA.
X-RBL-Warning: UCEPROTECT-LEVEL1: Sorry, IP 222.173.57.68 is blacklisted at Level 1 by UCEPROTECT-Network see http://www.uceprotect.net;
X-RBL-Warning: UCEPROTECT-LEVEL2: Sorry, Net 222.173.57.0/24 is blacklisted at Level 2 by UCEPROTECT-Network see http://www.uceprotect.net;

Where does the message "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=222.173.57.68;" or "68.57.173.222.blacklist.spambag.org" come from? Is this something that comes from the blacklist, or is it defined by Declude?

A few years ago when I was using EMWAC IMS as my mail server, I remember being able to define these messages. Is there some way we can do this with Declude?

Gary
RE: [Declude.JunkMail] F-prot
Also the press release that they circulated said 3.16d, but the link on their web site says 3.16e.

-----Original Message-----
From: Colbeck, Andrew [EMAIL PROTECTED]
Sent: Wednesday, January 04, 2006 8:08 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] F-prot
Re: [Declude.JunkMail] RBL warning
> Where does the message "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=222.173.57.68;" or "68.57.173.222.blacklist.spambag.org" come from? Is this something that comes from the blacklist, or is it defined by Declude?

It's a DNS text (TXT) record returned by the blacklist.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: [Declude.JunkMail] RBL warning
These are the text records returned from the blacklist. It might also be Declude inserting the full lookup in the place of a text record when none is present. This behavior is created when you set an action on a test to WARN in the appropriate JunkMail file like so:

CBL WARN

You can in fact customize the warning if you add a space and text, along with some variables that Declude allows:

CBL WARN CustomHeaderName: %TESTNAME%: Failed, listed in %TESTDOMAIN% (weight 8).

Most of Declude's variables are supported in the WARN action. More information can be found in the manual. One warning though, you need to make sure to not have any spaces before the first colon so that the header is properly formatted, otherwise it might cause unexpected issues.

Matt
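How the strings in these headers relate to the DNSBL lookup, as an added example that is not part of the original thread and is not Declude's code: a DNSBL client queries the connecting IPv4 address with its octets reversed under the list's zone, and the header text is either the TXT record the list returned or, as suggested in the reply above, the lookup name itself. The function names are hypothetical, the "lookup name means no TXT text" reading is an assumption taken from that reply, and the check on the header name follows the RFC 5322 field-name rule rather than anything Declude documents.

```python
import ipaddress
import re

# Header lines copied from the post above (a subset of the eleven shown).
SAMPLE_HEADERS = [
    "X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=222.173.57.68;",
    "X-RBL-Warning: DSBL: http://dsbl.org/listing?222.173.57.68;",
    "X-RBL-Warning: SPAMBAG: 68.57.173.222.blacklist.spambag.org.",
    "X-RBL-Warning: FIVETENSRC: 68.57.173.222.blackholes.five-ten-sg.com.",
    "X-RBL-Warning: UCEPROTECT-LEVEL2: Sorry, Net 222.173.57.0/24 is blacklisted "
    "at Level 2 by UCEPROTECT-Network see http://www.uceprotect.net;",
]

# RFC 5322 field name: printable ASCII except ':', so no spaces before the colon.
FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def reverse_octets(ip):
    """'222.173.57.68' -> '68.57.173.222' (IPv4 only; raises on anything else)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: reversed octets followed by the list's zone."""
    return f"{reverse_octets(ip)}.{zone.strip('.')}"


def split_header(line):
    """Split 'Name: value' at the first colon; reject a malformed field name."""
    name, sep, value = line.partition(":")
    if not sep or not FIELD_NAME.match(name):
        raise ValueError(f"malformed header field name: {name!r}")
    return name, value.strip()


def parse_rbl_warning(line):
    """Return (test_name, text) from one X-RBL-Warning header line."""
    name, value = split_header(line)
    if name.lower() != "x-rbl-warning":
        raise ValueError("not an X-RBL-Warning header")
    test, _, text = value.partition(":")
    return test.strip(), text.strip()


def classify(text, ip):
    """('query-name', zone) if the text is only the lookup name, else ('txt-text', None)."""
    prefix = reverse_octets(ip) + "."
    candidate = text.rstrip(".;")
    if candidate.startswith(prefix) and not re.search(r"\s", candidate):
        return "query-name", candidate[len(prefix):]
    return "txt-text", None


def summarize(headers, ip):
    """Map each test name to its classification for the given connecting IP."""
    return {test: classify(text, ip) for test, text in map(parse_rbl_warning, headers)}


if __name__ == "__main__":
    for test, (kind, zone) in summarize(SAMPLE_HEADERS, "222.173.57.68").items():
        print(f"{test:18} {kind:10} {zone or ''}")
```
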