RE: [Declude.JunkMail] Question

2004-10-18 Thread Alejandro Valenzuela
I think this will do

Thank you all

Alex V

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Friday, October 15, 2004 1:33 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] Question

  You could use minweighttofail (1.80 or higher).
  This would assign 103 or more points to something that failed three or more statements

  global.cfg
  THREEBLFAIL filter D:\IMail\Declude\3blfail.txt x 100 0

  3blfail.txt:
  MINWEIGHTTOFAIL 3
  TESTSFAILED 1 CONTAINS CBL
  TESTSFAILED 1 CONTAINS SBL
  TESTSFAILED 1 CONTAINS MAILPOLICE-BULK
  TESTSFAILED 1 CONTAINS MAILPOLICE-PORN
  
- Original Message -
From: Alejandro Valenzuela
To: [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 2:49 PM
Subject: [Declude.JunkMail] Question

I would like to have a test that checks if a message has been found on 3 or more black lists

Then if that is the case, assign more points to it...
Is this possible ??

Thanks...
Alex Valenzuela


[Declude.JunkMail] Question

2004-10-15 Thread Alejandro Valenzuela
I would like to have a test that checks if a message has been found on 3 or more black lists

Then if that is the case, assign more points to it...
Is this possible ??

Thanks...
Alex Valenzuela


[Declude.JunkMail] Upgrading from 1.78 to 1.81

2004-10-04 Thread Alejandro Valenzuela
Last upgrades from declude, were a single file, now the 1.81 zip file
has many files in it, Could I just copy declude.exe to my Imail directory as always
or there is an installation procedure ?

Where can I get that info/Upgrade manual ??

Thanks

Alex V


[Declude.JunkMail] Question about filters..

2004-06-24 Thread Alejandro Valenzuela
The text filters check on BODY or SUBJECT,

What about the text on the HEADERS ??

Also, how can I put wildcards on filters ??

Couldn't find the manual at declude.com
www.declude.com\manual.htm

Anybody have the correct link ??

Thanks
AV

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] OT: Email attack could kill servers

2004-04-06 Thread Alejandro Valenzuela
Does Imail have this problem ?
If So, what can we do to fix it ?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Lee Heath
Sent: Tuesday, April 06, 2004 8:59 AM
To: Mark Smith
Subject: Re: [Declude.JunkMail] OT: Email attack could kill servers


Wondering if a rule in Declude could trap such an email?

This is actually a very old vulnerability in almost all mail
servers.

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


- Copy of Original Message(s): -

MS http://www.newscientist.com/news/news.jsp?id=ns4858






[Declude.JunkMail] Filter not working on Body..

2004-04-05 Thread Alejandro Valenzuela
I got these messages

-Dont go everywhere for all u needs
-WE have all
-Meridia Víagra Propecia Celebrex Soma
-Zyban Prozac Vioxx Penís Enlargement 
-and Much more 

And Declude is not detecting the word Viagra in the body.

This is my filter file(reduced..)

## Filter file Generated from: Adult_words.txt
## To File: ADULT_FILTER.TXT
## On: 1/14/2004

SKIPIFWEIGHT 40
MAXWEIGHT 40

SUBJECT   12   CONTAINS   viagra
BODY  12   CONTAINS   viagra

Any ideas why ??




[Declude.JunkMail] Filter not working on Body..

2004-04-05 Thread Alejandro Valenzuela
Ok, that’s the problem. I didn't check on that.

Thanks!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, April 05, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: SPAM:[15] RE: [Declude.JunkMail] Filter not working on Body..


I don't know if you noticed but the Víagra is not an i it is an i acute
char(237)

The same with Penís


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Alejandro
 Valenzuela
 Sent: Monday, April 05, 2004 10:51 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Filter not working on Body..


 I got these messages

 -Dont go everywhere for all u needs
 -WE have all
 -Meridia Víagra Propecia Celebrex Soma
 -Zyban Prozac Vioxx Penís Enlargement
 -and Much more

 And Declude is not detecting the word Viagra in the body.

 This is my filter file(reduced..)

 ## Filter file Generated from: Adult_words.txt
 ## To File: ADULT_FILTER.TXT
 ## On: 1/14/2004

 SKIPIFWEIGHT 40
 MAXWEIGHT 40

 SUBJECT   12   CONTAINS   viagra
 BODY  12   CONTAINS   viagra

 Any ideas why ??



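The mismatch Kevin points out in the thread above, as an added example that is not part of the original messages and not Declude code: a small evaluator for the two CONTAINS rules from the posted filter file, run against the posted body lines with and without accent folding. The rule parser, the scoring and all function names are illustrative assumptions.

```python
import unicodedata

# Body lines from the post, rebuilt as ISO-8859-1 bytes for this example:
# 0xED is char(237), the i-acute Kevin refers to.
RAW_BODY = (b"-Meridia V\xedagra Propecia Celebrex Soma\n"
            b"-Zyban Prozac Vioxx Pen\xeds Enlargement\n")

# The two rules from the posted filter file (scope, weight, operator, text).
FILTER_FILE = """\
## Filter file (reduced, as posted)
SUBJECT   12   CONTAINS   viagra
BODY      12   CONTAINS   viagra
"""


def parse_filter(text):
    """Parse 'SCOPE WEIGHT CONTAINS text' lines; skip comments and directives."""
    rules = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2].upper() == "CONTAINS":
            rules.append((parts[0].upper(), int(parts[1]), parts[3].strip()))
    return rules


def fold(text):
    """Casefold and drop combining marks, so 'Víagra' becomes 'viagra'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed
                   if not unicodedata.combining(c)).casefold()


def score(rules, subject, body, normalise):
    """Sum the weights of matching rules (hypothetical scoring, not Declude's).

    normalise=False compares lower-cased text only, which is how the
    accented spelling slips past a plain substring match.
    """
    prep = fold if normalise else str.lower
    fields = {"SUBJECT": prep(subject), "BODY": prep(body)}
    return sum(weight for scope, weight, needle in rules
               if prep(needle) in fields.get(scope, ""))


def disguised_words(text):
    """Words whose folded form differs from their plain casefolded form."""
    return [w for w in text.split() if fold(w) != w.casefold()]


if __name__ == "__main__":
    body = RAW_BODY.decode("latin-1")
    rules = parse_filter(FILTER_FILE)
    print("plain match weight :", score(rules, "", body, normalise=False))
    print("folded match weight:", score(rules, "", body, normalise=True))
    print("accented words     :", disguised_words(body))
```

Folding only covers accent substitution; other disguises (inserted punctuation, look-alike letters from other scripts) need their own handling.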

RE: [Declude.JunkMail] Log File Changes

2004-03-24 Thread Alejandro Valenzuela
Where I should put the LogLevel configuration

On Global.cfg or in the $default$.JunkMail File ??


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill
Sent: Tuesday, January 13, 2004 11:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Log File Changes


From visual inspection, it looks like there are also warning lines in
this format:

01/07/2004 00:13:11 Qa376165600fc12a6 WARNING: some type of error report here


These are easy enough to ignore during my analysis.  Are there other
types of lines that may be of concern?

Thanks,
Bill

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of R. 
 Scott Perry
 Sent: Tuesday, January 13, 2004 11:31 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Log File Changes
 
 
 
 I am assuming that for this information, I need MID log level.  On
 visual inspection of the MID log file, it looks like this format is:

 00/00/00 00:00:00 Qx FailedTest1Name:weight FailedTest2Name:weight TOTALWEIGHT = weight.
 00/00/00 00:00:00 Qx Subject: message subject
 00/00/00 00:00:00 Qx From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: x.x.x.x ID:
 00/00/00 00:00:00 Qx FailedTest1Name:action FailedTest2Name:action .

 That is correct.  Some of those lines appear at LOGLEVEL LOW, but to get
 them all, you would need LOGLEVEL MID (or LOGLEVEL HIGH).
 
 And for multiple recipients, the last three lines are repeated (not 
 sure why subject line is repeated?) for each user with the new TO 
 address appended to the previous TO line.  i.e.:
 
 To: [EMAIL PROTECTED]
 
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 Etc.
 
 Are my assumptions correct?
 
 That is correct.  I'll look into getting the Subject: line to 
 only appear once.
 
 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail 
 mailservers. Declude Virus: Catches known viruses and is the 
 leader in mailserver 
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day 
 evaluation.
 


RE: [Declude.JunkMail] Any suggestions on some tests ??

2003-12-17 Thread Alejandro Valenzuela
Thank you all for your suggestions.. 
Alex V.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Tuesday, December 16, 2003 3:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Any suggestions on some tests ??


If you have Declude JunkMail Pro, then the custom filters shared on my 
site are all generally good at detecting this sort of thing.  This one 
in particular would have been hit by DYNAMIC, FOREIGN, 
TLD-WESTERNEUROPEAN, and TLD-MIDDLEEASTERN for a total of 9 points (or 
90% of fail weight according to recommended scoring) between those 
filters alone.

http://www.mailpure.com/software/decludefilters/

The subject is also base64 encoded Latin-1 (normal text), and that can 
be filtered as well, though there are some rare occurrences where this 
can be used with foreign languages utilizing high-bit characters.

SUBJECT  8  CONTAINS  iso-8859-1?b?

Matt



Alejandro Valenzuela wrote:

Is there any test on declude that will detect this ??
beside ipr4 tests ??

only failed one test, not enough to tag it as spam... (on WEIGHT=10)


Received: from worldonline.de [80.230.246.63] by mail.fanosa.com with ESMTP
  (SMTPD32-8.04) id A910153400AA; Mon, 15 Dec 2003 23:24:48 -0500
To: [EMAIL PROTECTED]
MIME-Version: 1.0
User-Agent: Mozilla/5.001 (windows; U; NT4.0; en-us) Gecko/25250101
Subject: =?iso-8859-1?b?VHJ5IFNvbWUgVmlhZ3JcYSEgSGFyZCBhcyBhIFBvbGUgaW4gMTUgbWludXRlcw==?=
From: Darrell Middleton [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Date: Tue, 16 Dec 2003 05:29:24 +
Content-Type: multipart/alternative;
   boundary==_NextPart_000_0889_494E5F41.4FA5DE8F
X-RBL-Warning: SORBS_DUL: Dynamic IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=80.230.246.63
X-Declude-Sender: [EMAIL PROTECTED] [80.230.246.63]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: SORBS_DUL, IPNOTINMX, NOLEGITCONTENT [4]
X-Country-Chain: 
X-Date-Time: 12/15/2003 @ 23:24:51
X-Note: This E-mail was sent from cable-246-63.inter.net.il
([80.230.246.63]).
X-IMAIL-SPAM-URL-DBL: www.545dre2c.com
X-RCPT-TO: DELETED
Status: U
X-UIDL: 365550799

htmlbody
center!--4veh7o3diyt--a href=http://www.545dre2c.com?rid=1097;
!--srq13mYftm2B--
img src=http://www.test57v6.com/a7.gif; border=0/a/center
/html/body
  




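Matt's rule above scores every base64 ISO-8859-1 subject, including the legitimate high-bit case he mentions. The following added example (not from the thread and not Declude code) decodes RFC 2047 encoded-words and separates subjects that needed the encoding from ones that wrap plain ASCII; the function names, the category labels and the second sample subject are constructed for illustration.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

# Subject from the headers posted in this thread, wrapped line rejoined.
SPAM_SUBJECT = ("=?iso-8859-1?b?VHJ5IFNvbWUgVmlhZ3JcYSEgSGFyZCBhcyBhIFBvbGUg"
                "aW4gMTUgbWludXRlcw==?=")

# Constructed legitimate subject that really contains high-bit characters.
LEGIT_SUBJECT = ("=?iso-8859-1?b?"
                 + base64.b64encode(
                     "Reuni\u00f3n ma\u00f1ana".encode("latin-1")).decode("ascii")
                 + "?=")


def decode_words(subject):
    """Decode every encoded-word; text is None when the payload is malformed."""
    words = []
    for charset, enc, payload in ENCODED_WORD.findall(subject):
        try:
            if enc.upper() == "B":
                raw = base64.b64decode(payload, validate=True)
            else:
                raw = binascii.a2b_qp(payload, header=True)
            text = raw.decode(charset, errors="replace")
        except (ValueError, LookupError):  # bad base64 or unknown charset
            raw, text = b"", None
        words.append({"charset": charset.lower(), "encoding": enc.upper(),
                      "raw": raw, "text": text})
    return words


def classify(subject):
    """plain / malformed / ascii-hidden / high-bit (labels are this example's)."""
    words = decode_words(subject)
    if not words:
        return "plain"
    if any(w["text"] is None for w in words):
        return "malformed"
    if all(0x20 <= b < 0x7F for w in words for b in w["raw"]):
        return "ascii-hidden"      # nothing in the text required encoding
    return "high-bit"              # encoding was needed for the characters


def page_rule_hits(subject):
    """Approximation of 'SUBJECT 8 CONTAINS iso-8859-1?b?' as a substring test."""
    return "iso-8859-1?b?" in subject.lower()


def weights(subject, weight=8):
    """(weight under the broad rule, weight when only ascii-hidden is scored)."""
    broad = weight if page_rule_hits(subject) else 0
    narrow = weight if classify(subject) == "ascii-hidden" else 0
    return broad, narrow


if __name__ == "__main__":
    for s in (SPAM_SUBJECT, LEGIT_SUBJECT, "Meeting notes"):
        print(classify(s), weights(s), [w["text"] for w in decode_words(s)])
```

The decoded spam subject still carries a backslash inside the keyword, so content filters applied after decoding need their own normalisation step.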

[Declude.JunkMail] Any suggestions on some tests ??

2003-12-16 Thread Alejandro Valenzuela
Is there any test on declude that will detect this ??
beside ipr4 tests ??

only failed one test, not enough to tag it as spam... (on WEIGHT=10)


Received: from worldonline.de [80.230.246.63] by mail.fanosa.com with ESMTP
  (SMTPD32-8.04) id A910153400AA; Mon, 15 Dec 2003 23:24:48 -0500
To: [EMAIL PROTECTED]
MIME-Version: 1.0
User-Agent: Mozilla/5.001 (windows; U; NT4.0; en-us) Gecko/25250101
Subject: =?iso-8859-1?b?VHJ5IFNvbWUgVmlhZ3JcYSEgSGFyZCBhcyBhIFBvbGUgaW4gMTUgbWludXRlcw==?=
From: Darrell Middleton [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Date: Tue, 16 Dec 2003 05:29:24 +
Content-Type: multipart/alternative;
boundary==_NextPart_000_0889_494E5F41.4FA5DE8F
X-RBL-Warning: SORBS_DUL: Dynamic IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=80.230.246.63
X-Declude-Sender: [EMAIL PROTECTED] [80.230.246.63]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: SORBS_DUL, IPNOTINMX, NOLEGITCONTENT [4]
X-Country-Chain: 
X-Date-Time: 12/15/2003 @ 23:24:51
X-Note: This E-mail was sent from cable-246-63.inter.net.il
([80.230.246.63]).
X-IMAIL-SPAM-URL-DBL: www.545dre2c.com
X-RCPT-TO: DELETED
Status: U
X-UIDL: 365550799

htmlbody
center!--4veh7o3diyt--a href=http://www.545dre2c.com?rid=1097;
!--srq13mYftm2B--
img src=http://www.test57v6.com/a7.gif; border=0/a/center
/html/body



RE: [Declude.JunkMail] refining the filtering process

2003-12-16 Thread Alejandro Valenzuela
For your second question
I use this ...

WEIGHT10 SUBJECT SPAM:[%WEIGHT%]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
Sent: Tuesday, December 16, 2003 11:19 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] refining the filtering process


I used the Attach action and edited the .eml file.

Burzin

At 03:52 PM 12/15/2003, you wrote:
While I'm hoping that Scott or someone will still reply to my earlier
message (quoted below), I have a simpler, more mechanical question: how can
I place the weight into the subject line of a message that fails one of the
weight tests?  It would be handy, for example, to see SPAM [6]: blah blah
blah.

Thanks,

Ben

- Original Message -
From: IMail Admin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 15, 2003 11:41 AM
Subject: [Declude.JunkMail] refining the filtering process


  We're fairly new at using JunkMail and we want to refine the process beyond
  the basic tests (typically weight10 or weight20).  What strategy or steps
  would you recommend next?

  Two obvious ideas are Filtering and the ip4r tests.  For filtering, I'm
  concerned about the system overhead and the effectiveness.  I've heard that
  filtering on message headers is not effective and that filtering on message
  bodies is hard on the system.  For ip4r, I've heard so many horror stories
  about over-zealous spam databases that I'm not sure which spam databases are
  worth working with.

  It would be really cool if someone at Declude wrote an addendum to the
  manual that talks about how to work with Declude JunkMail, rather than just
  how to use it.

  Any guidelines would be much appreciated.  Thanks and happy holidays.

  Ben
  BC Web
 
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
   Pager: (314) 407-3345

Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



[Declude.JunkMail] How to use Country Filters

2003-12-10 Thread Alejandro Valenzuela
Where I can find documentation on how to use COUNTRY filters ??
Did not find anything on the manual.

Thanks.



RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Here are the headers...  How this can be caught with Declude ??

12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alejandro
Valenzuela
Sent: Thursday, December 04, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM like Imail Test..


Declude MAILFROM test check only the domain on the MAILFROM address
But we receive a lot of SPAM with mailfrom like this. [EMAIL PROTECTED]
since hotmail.com is a valid Domain, then the message pass the test

Is there a test like the Mailfrom of Imail that test that the 
user really exists on the remote server ??

[EMAIL PROTECTED]  (In Imail this will fail...)

Thanks..







RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Ok, I didn't notice how easily spam could pass this test.
Thanks Scott.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 6:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM like Imail Test..



Declude MAILFROM test check only the domain on the MAILFROM address
But we receive a lot of SPAM with mailfrom like this.
[EMAIL PROTECTED]
since hotmail.com is a valid Domain, then the message pass the test

Is there a test like the Mailfrom of Imail that test that the
user really exists on the remote server ??

No.  The problem is that such a test is very resource intensive -- 
specifically, it will use about 10 times as much bandwidth as the MAILFROM 
test, and will often have false negatives (E-mail addresses that do not 
exist, but pass the test), and occasional false positives (E-mail addresses 
that do exist, but fail the test).  Also, it will delay the delivery of the 
E-mail by anywhere from several seconds to a minute or so (lots of 
mailservers take a long time to respond to commands), as there are about 8 
round trips that need to be made rather than just 1 -- and those round 
trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the 
return address.  If everyone plays this game, then your mailserver is going 
to receive thousands to millions of hits in a very short period of time, 
causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

-Scott


[Declude.JunkMail] MAILFROM like Imail Test..

2003-12-04 Thread Alejandro Valenzuela
Declude MAILFROM test check only the domain on the MAILFROM address
But we receive a lot of SPAM with mailfrom like this. [EMAIL PROTECTED]
since hotmail.com is a valid Domain, then the message pass the test

Is there a test like the Mailfrom of Imail that test that the 
user really exists on the remote server ??

[EMAIL PROTECTED]  (In Imail this will fail...)

Thanks..






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, December 04, 2003 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


FYI, I believe the demo consolidates everything into two separate tests:
General  Malware.  However, it will still give you a very good idea of the
overall effectiveness of running Sniffer with Declude.

Bill
- Original Message - 
From: T. Bradley Dean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:02 PM
Subject: RE: [Declude.JunkMail] sniffer


Declude is optimized to run the external test only once

That was going to be my next question, it looked terribly in-efficient at
first!

Thanks for the responses guys. I just installed the demo.

~Brad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, December 03, 2003 8:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


Brad,

That's right.
:-)

Heuristics for patterns are grouped by the spam that prompts us to generate
them, or by how we created them. Most of the time they are at least close
to classifying the type of spam. Each system that uses Message Sniffer is
encouraged to specify adjustable weights for each rule group so that the
results from the pattern matching tests can be tuned for the greatest
accuracy on that system and according to its unique mix of incoming spam
and the users being served.

Declude is optimized to run the external test only once and allow the
result code to be evaluated for all of the tests that define that external
test... so in the example shown below sniffer would be called once and its
result code would be evaluated many times.

Message Sniffer will typically match many patterns in a given spam.
Currently the voting system that decides the winning pattern match uses the
following rule: Choose the first pattern match found with the lowest symbol.

Within the standard rulebase, rule groups are loosely grouped so that the
least specific patterns have the largest symbols. The combination of these
arrangements tends toward selecting the most specific pattern match
available for a given message.

If anyone has other questions that are specific to sniffer then please feel
free to contact us off list at our support@ sortmonster.com address.

Thanks,

_M

At 10:20 PM 12/3/2003, you wrote:
Brad, Sniffer does message based pattern matching (Pete, correct me if
I am wrong).  If you opt to separate the 20 or so tests that Sniffer
currently supports, then you can set whatever weight you want to each
individual test. Here is how I currently have the individual Sniffer
tests defined in my global.cfg (License ID and Authentication Code
obscured):

SNIFFER-WHITELIST   external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL      external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-INSURANCE   external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-AV-PUSH     external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-WAREZ       external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SPAMWARE    external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SNAKEOIL    external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCAMS       external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN        external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE     external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-ADVERTISING external 056 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCHEMES     external 057 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-CREDIT      external 058 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GAMBLING    external 059 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GREYMAIL    external 060 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-OBFUSCATION external 061 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-SPAM        external 062 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-GENERAL     external 063 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0

You would need to adjust the weights to fit your own needs.  However,
this will at 

RE: [Declude.JunkMail] SpamDomains

2003-12-03 Thread Alejandro Valenzuela
Question.. 
SPAMDOMAIN will test the REVDNS only for the domains included in the
spamdomains.txt file ??
Any domain not included will not be tested ??


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, December 03, 2003 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamDomains


John,

If you include an @ symbol before the domain name, it will stop it from 
tagging this VERP stuff.

@domain.moc  domain.moc
@aol.com  .aol.com
@yahoo.  .yahoo.
etc...

The only drawback here is that you can only have one match (the second 
column) because the first column will never produce a match on REVDNS 
this way.

Matt




John Tolmachoff (Lists) wrote:

Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in
the spamdomains.txt file?

X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of
[EMAIL PROTECTED] sent from invalid
mail.closeout-sale.com.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

  



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
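
The matching behaviour Matt describes above, modelled as an added example that is not part of the original thread and not Declude's own code. It assumes plain substring matching: an entry trips when the sender address contains its first column and the reverse DNS contains none of its columns. The sender addresses are constructed, since the archive redacts the real ones.

```python
# Simplified model of the SPAMDOMAINS check as described in this thread.
# Assumption: the test trips when the sender address contains the first
# column of an entry and the reverse DNS contains none of the entry's columns.

def parse_entries(text):
    """Return a list of column lists, skipping blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if cols and not cols[0].startswith("#"):
            entries.append([c.lower() for c in cols])
    return entries

def spamdomains_hit(sender, revdns, entries):
    """Return the first-column text that tripped the test, or None."""
    sender, revdns = sender.lower(), revdns.lower()
    for cols in entries:
        if cols[0] in sender and not any(c in revdns for c in cols):
            return cols[0]
    return None

BARE = parse_entries("domain.moc")                   # entry as John had it
ANCHORED = parse_entries("@domain.moc domain.moc")   # Matt's suggested form
ANCHORED_ONLY = parse_entries("@domain.moc")         # '@' form, no second column

# Constructed sample senders (hypothetical addresses).
VERP = "bounce-john=domain.moc@mail.closeout-sale.com"
FORGED = "john@domain.moc"

def demo():
    return {
        # VERP local part contains 'domain.moc': tagged by the bare entry.
        "verp_bare": spamdomains_hit(VERP, "mail.closeout-sale.com", BARE),
        # '@domain.moc' does not occur in the VERP address: not tagged.
        "verp_anchored": spamdomains_hit(VERP, "mail.closeout-sale.com", ANCHORED),
        # A forged sender from an unrelated host is still tagged.
        "forged_anchored": spamdomains_hit(FORGED, "mail.closeout-sale.com", ANCHORED),
        # Mail sent from a host whose REVDNS matches the second column passes.
        "genuine_anchored": spamdomains_hit(FORGED, "mx1.domain.moc", ANCHORED),
        # Without the second column, REVDNS can never contain '@...'.
        "genuine_anchored_only": spamdomains_hit(FORGED, "mx1.domain.moc", ANCHORED_ONLY),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:22} -> {hit}")
```

The last case is the drawback Matt mentions: with the `@` form, only the second column can ever match the REVDNS, so leaving it out tags legitimate mail.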



RE: [Declude.JunkMail] EASYNET tests going away December 1

2003-12-01 Thread Alejandro Valenzuela
Paul 

What program do you use to get those statistics listed ??

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of paul
Sent: Monday, December 01, 2003 9:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] EASYNET tests going away December 1


Andy,
You have all of these tests running? What's the impact on the server for
all of these? What's your mail load? I just love having to replace all these
tests every month or so, don't we all? LOL! But I want to lessen the impact
on our server as much as possible. What of these tests do you recommend the
most?

Paul



 Hi,

 Yesterday's results of my EasyNet replacement candidates:

 TEST            # FAILED   Percentage

 AHBLDOMAINS           71        0.95%
 AHBLPROXIES          735        9.82%
 AHBLSOURCES          351        4.69%  (reliable, so far)

 NJABLDUL             274        3.66%  (many duplicates with SORBS-DUL)
 NJABLPROXIES       1,085       14.49%
 NJABLRELAYS          118        1.58%
 NJABLSOURCES         265        3.54%  (reliable, so far)

 SORBS-DUL          2,664       35.58%
 SORBS-HTTP           737        9.84%  (proxies)
 SORBS-MISC            80        1.07%  (proxies)
 SORBS-SOCKS          873       11.66%  (proxies)
 SORBS-SMTP             5        0.07%
 SORBS-ZOMBIE          30        0.40%

 A) Do NOT use SORBS-SPAM.  As they point out on their web site, it has been
 infested with the mail servers of most major providers by the simple fact
 that virus-infected customer systems have been sending arbitrary emails,
 implicating the mail server of the provider.  I tested it for two days and
 kept lowering the weight until I realized that it was not at all helpful in
 trying to distinguish spam from legitimate mail.

 B) I have been holding and/or deleting ANYTHING proxy for many weeks now
 and so far never had any customer complaints about lost emails.

 Best Regards
 Andy Schmidt



[Declude.JunkMail] Whitelist Auth ??

2003-11-28 Thread Alejandro Valenzuela
What does this option do ??

  WHITELIST AUTH

Can't find it in the manual..

Thanks



[Declude.JunkMail] How to white list some ISP ips ??

2003-11-28 Thread Alejandro Valenzuela

What would be the option to whitelist this domain ??
It comes from the IP of the connection..
Nothing to do with the real sender..

The header is..

X-Note: This E-mail was sent from dup-148-233-101-61.prodigy.net.mx 

I tried WHITELIST REVDNS .prodigy.net.mx 
Didn't work..

Thanks..




[Declude.JunkMail] How to use URL file from Imail with Declude ??

2003-11-27 Thread Alejandro Valenzuela
I update the URL file in Imail by sending all not recognized SPAM
to a mailbox then running the spam_sedeer utility

Now, can Declude filter E-mail based on that file ??


I am new to Declude, just testing it for two days now
It seems good but have some emails that are not caught with
Declude, and they are caught with email URL Filter.

Any help would be appreciated..

Thanks..




RE: [Declude.JunkMail] How to use URL file from Imail with Declude ??

2003-11-27 Thread Alejandro Valenzuela
Ok, on the first option, how would it work ??
Because the manual says that Declude JunkMail runs
earlier than Imail filters...

So even if I add the Imail header, Declude will not detect it.
Or is there a way to change that scanning order ??



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, November 27, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How to use URL file from Imail with Declude
??


2 things you can do with filters. (Only available in JunkMail Pro.)

1. Have Imail add a header for the URL list and then filter on that header
and add weight.

2. Create a URLFILTER filter file in Declude from the Imail URL list. You
can do this by using Excel.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
 Sent: Thursday, November 27, 2003 11:04 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] How to use URL file from Imail with Declude ??
 
 I update the URL file in Imail by sending all not recognized SPAM
 to a mailbox then running the spam_sedeer utility
 
 Now, can Declude filter E-mail based on that file ??
 
 
 I am new to Declude, just testing it for two days now
 It seems good but have some emails that are not caught with
 Declude, and they are caught with email URL Filter.
 
 Any help would be appreciated..
 
 Thanks..
 
 