Re: [Declude.JunkMail] ZEN test

2007-08-02 Thread Bonno Bloksma
Hi,

 Due to your HOP setting you are checking multiple hops. 

Ok, that was the intent.

 Since you use a  multihop setting you should score the hops differently
 or run into problems like you identified.  

That's one way of handling it.

 I would suggest reducing it to 1.  This will score the last two hops.

And that's what I don't get. As far as I know I'm at hop 0, the machine sending 
it to me is hop 1.
The machine sending it to that machine is hop 2.

That's as far as I want to check, but in the case below it seemed as if it was 
checking hop 3. The
 Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl 
 [83.116.227.41]) by mwinf6301.orange.nl (SMTP Server) with ESMTP id 
line was the third Received line and it was caught by the ZEN test
 X-RBL-Warning: ZEN: http://www.spamhaus.org/query/bl?ip=83.116.227.41;

So, am I mistaken in the meaning of the Hop count, or is something else going 
on?

Met vriendelijke groet,
Bonno Bloksma
hoofd systeembeheer

tio hogeschool hotelmanagement en toerisme 
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED]  / www.tio.nl 
  - Original Message - 
  From: Darrell ([EMAIL PROTECTED]) 
  To: declude.junkmail@declude.com 
  Sent: Wednesday, August 01, 2007 4:48 PM
  Subject: Re: [Declude.JunkMail] ZEN test


  Bonno,

  Due to your HOP setting you are checking multiple hops.  Since you use a 
  multihop setting you should score the hops differently or run into 
  problems like you identified.  I would suggest reducing it to 1.  This 
  will score the last two hops.

  Then you can modify your tests like the following.  The first one only 
  checks the last ip received.  The second one checks all of them.  One 
  thing to keep in mind: if the LAST test hits, so will the ALL test.  So 
  for example if you want the last hop (who connected to you) to have a 
  weight of 3 for the SORBS-SPAM test then you will want to make sure that 
  the sum of the two tests equals that weight.


  SORBS-SPAM(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.6 2 0

  SORBS-SPAM(ALL) ip4r dnsbl.sorbs.net 127.0.0.6 1 0

  So in the case above if the second hop was listed we would only assign a 
  score of 1 from the SORBS-SPAM(ALL) test.  If the last hop was listed 
  then we would have a score of 3 since both the (LAST) and (ALL) test 
  would hit.

  Let me know if this is not clear,
  Darrell

  --
  Check out http://www.invariantsystems.com for utilities for Declude, 
  Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
  SURBL/URI integration, MRTG Integration, and Log Parsers.



  Bonno Bloksma wrote:
   Hi,

   Maybe using the ZEN test isn't such a good idea. It is catching a DSL 
   line that is several hops down.

   In Global.cfg I have Hophigh 2, should I maybe reduce that to 1? Is that 
   the cause? If so
   As far as I know my server is Hop 0, the smtp-4 should then be Hop 1, 
   the me-wanadoo.net should then be Hop 2.
   So the hulsbeek.nl (adsl-dc-34529 line) should be Hop 3 and not be 
   checked.

   Why was that ip number checked?
   
   --quote
   Received: from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with 
   ESMTP (SMTPD-9.21) id A33707C8;
   Mon, 30 Jul 2007 09:28:55 +0200
   Received: from me-wanadoo.net (localhost [127.0.0.1]) by 
   mwinf6301.orange.nl (SMTP Server) with ESMTP id E8495784 for 
   [EMAIL PROTECTED];
   Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
   Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl 
   [83.116.227.41]) by mwinf6301.orange.nl (SMTP Server) with ESMTP id 
   AF5A9782 for [EMAIL PROTECTED];
   Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
   X-ME-UUID: [EMAIL PROTECTED]
   Subject: [SPAM: 22]RE: 5 augustus
   MIME-Version: 1.0
   Content-Type: multipart/alternative;
   boundary="_=_NextPart_001_01C7D27B.467F4FA9"
   Date: Mon, 30 Jul 2007 09:28:50 +0200
   Content-class: urn:content-classes:message
   X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
   Message-ID: [EMAIL PROTECTED]
   X-MS-Has-Attach:
   X-MS-TNEF-Correlator:
   Thread-Topic: 5 augustus
   thread-index: AcfSClRkqB1y6CB4TkymtwIq3Exp3QAZtfQA
   From: Erve Hulsbeek [EMAIL PROTECTED]
   Sender: Piet Heuvelmans [EMAIL PROTECTED]
   To: Nienke Koster [EMAIL PROTECTED]
   X-RBL-Warning: FIVETEN-SRC: 41.227.116.83.blackholes.five-ten-sg.com.
   X-RBL-Warning: MXRATE-BLOCK: 
   http://www.mxrate.com/lookup/refused.asp?ipaddress=193.252.22.249;
   X-RBL-Warning: ZEN: http://www.spamhaus.org/query/bl?ip=83.116.227.41;
   X-RBL-Warning: SPAMCANNIBAL: blocked, See: 
   http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=193.252.22.249

Re: [Declude.JunkMail] ZEN test

2007-08-02 Thread Don Brown
Hop 0 is the MTA delivering to your MTA - Hop 0 is NOT your MTA, i.e.

(sender-MUA)--(sender MTA)--(Your MTA)--(Your MUA)
  (Hop 1)       (Hop 0)      (No Hop)    (No Hop)

The reason to use Hop 0 and HopHigh 1 is to pick up a spammer MUA or MTA which is sending
or relaying through a clean MTA.

You don't however want to apply Dial-up lists in this instance and Zen has two of them.
To prevent it, I believe the test name needs to include DUL or DUHL. Since this isn't
in the manual, I've asked Tech Support to confirm it.

The test would look something like below. Declude does only one look up of Zen, but scores each test individually.

SPAMHAUS-5    ip4r  zen.spamhaus.org  127.0.0.5   10  0
SPAMHAUS-DUL  ip4r  zen.spamhaus.org  127.0.0.10  10  0
SPAMHAUS-DUL2 ip4r  zen.spamhaus.org  127.0.0.11  10  0

Thursday, August 2, 2007, 2:49:46 AM, Bonno Bloksma [EMAIL PROTECTED] wrote:

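Applying Don's hop numbering to the Received: lines Bonno quoted, and scoring the split Zen tests and Darrell's LAST/ALL pair the way the two replies describe, as an added Python example that is not part of this thread. The header strings are constructed from the quoted headers and the weights are the illustrative values given in the messages; the hop numbering and the Zen return codes are taken from Don's message.

```python
import re

# Sample chain constructed from the Received: headers quoted in this
# thread, in header order (the line your own MTA added comes first).
SAMPLE_RECEIVED = [
    "from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with ESMTP",
    "from me-wanadoo.net (localhost [127.0.0.1]) by mwinf6301.orange.nl",
    "from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl [83.116.227.41]) "
    "by mwinf6301.orange.nl",
]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def number_hops(received):
    """Don's numbering: hop 0 is the MTA that delivered to your MTA (the
    topmost Received: line), hop 1 the one before it, and so on; your own
    MTA has no hop number. Returns {hop: ip}."""
    numbered = {}
    for hop, line in enumerate(received):
        m = IP_RE.search(line)
        if m:
            numbered[hop] = m.group(1)
    return numbered

def hops_to_check(received, hophigh):
    """IPs a multihop setting (HOP 0 through HOPHIGH) would look up."""
    return [ip for hop, ip in number_hops(received).items() if hop <= hophigh]

# Don's split Zen tests: one lookup, each return code scored on its own.
# Weights are the illustrative values from his message; a site that does
# not want the dial-up (PBL) codes to count would lower the DUL weights.
ZEN_TESTS = {
    "SPAMHAUS-5": ("127.0.0.5", 10),
    "SPAMHAUS-DUL": ("127.0.0.10", 10),
    "SPAMHAUS-DUL2": ("127.0.0.11", 10),
}

def score_zen(answers, tests=ZEN_TESTS):
    """answers: the A records one Zen lookup returned (a set of strings).
    Returns the {test name: weight} pairs that hit."""
    return {name: w for name, (code, w) in tests.items() if code in answers}

def score_last_all(listed_hops, last_weight=2, all_weight=1):
    """Darrell's LAST/ALL pair: ALL hits when any checked hop is listed,
    LAST only when hop 0 (the host that connected to you) is listed, so a
    listed hop 0 scores last_weight + all_weight."""
    total = all_weight if listed_hops else 0
    if 0 in listed_hops:
        total += last_weight
    return total
```

Under this numbering Hophigh 2 reaches 83.116.227.41 (hop 2) while Hophigh 1 stops at the 127.0.0.1 loopback hop, which is what the quoted X-RBL-Warning shows.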
[Declude.JunkMail] Zip files

2007-08-02 Thread Todd Richards
Hi Everyone -
 
It's hit and miss, but today I received several of the small zip files.  A
quick glance and they were either txt files or .exe files.  All were between
5-25K in size.
 
How is everyone else handling these?  I was almost wondering if there is a
way to say (in general terms) IF file = zip, then -5, and if size < 30K,
then minus 10.  Some way to deduct for the small zip file if that makes
sense.
 
Anyway, if anyone has any suggestions, I'm all ears!
 
Todd



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Zip files

2007-08-02 Thread Darin Cox
Sure.  You could create a Declude combo filter like that.  Put a size test 
before the custom filter in your global.cfg, add the tests the message fails 
to incoming message headers, and in the custom combo filter look for the 
size test failure warning in the headers, and look for the zip file in the 
body, failing the combo test only if both conditions hit.

Darin.


- Original Message - 
From: Todd Richards [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, August 02, 2007 2:24 PM
Subject: [Declude.JunkMail] Zip files




[Declude.JunkMail] another whitelist

2007-08-02 Thread Gary Steiner
I'm looking at another whitelist, but this one doesn't seem to use the IP4R 
format (reversed dotted quad). It's a Spanish whitelist, and its instructions 
can be viewed at http://www.rediris.es/abuses/eswl/en/

Is there another test type that can be used in Declude to implement this (other 
than ip4r)?  I see in the online documentation for Junkmail a mention of the 
dnsbl test type.  How is that different from the ip4r test type?

Thanks,

Gary Steiner
