RE: [Declude.JunkMail] No one at Declude?

2013-04-18 Thread Andy Schmidt
Not from THAT folder, but I found it in another folder on the FTP site - same 
recent date.

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, April 18, 2013 9:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Was anyone able to download the all_list.dat file from the interim directory 
that David posted?  Everything else downloaded for me except that file.

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 8:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Filters yes, all_list.dat working on that.

-Original Message-
From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, April 18, 2013 9:14 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

David - with your support extended to the community, will you be able to offer 
maintenance of the all_list.dat as well as the filters?


-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:02 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Not that I can think of, the real advantage is it shuts off all  internal 
validations, AVG which has already stopped, SNF and CT which will stop anytime 
soon.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 1:43 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Thanks David,

So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs.
the Bypass key?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:09 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

If internal SNF is still ON then it can conflict with external Message Sniffer 
by grabbing the port which SNF uses. Using our fix will ensure internal SNF 
is turned OFF. If using the bypass key has everything OFF then that is fine too.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

So - is there any advantage of using the hosts file trick (to invalidate the 
license server IP address) http://mailsbestfriend.com/declude-fix
vs. using the special bypass license code?

Does one enable more functions than the other?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 12:31 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Yes Internal Sniffer is no longer a valid option. Need to switch to external.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:06 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Uh - but with that code, the internal SNF is turned off?

So one has to configure Sniffer as an external test with a separate Sniffer 
license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to the 
diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B]
IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing.  I checked the diag file and it 
has the usual entries at the top plus an entry at the bottom saying that the 
Sniffer license is invalid.  How is that?

So then I restarted the Declude service and now the diag file only shows
this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2013 Declude, Inc.

Host Name   mail1.bcwebhost.net
Declude Key redacted

So I have no idea what's going on. Anyone?

-Original Message-
From: Brian Baker
Sent: Tuesday, April 16, 2013 7:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Looks like tonight we better figure out a new approach. My declude diag file is 
now reading declude lic as invalid. Anyone else?


- Original Message -
From

RE: [Declude.JunkMail] IS INVALID KEY

2013-04-17 Thread Andy Schmidt
Phew - thanks for posting this.

This WAS scary. Within a few minutes I had hundreds of spam emails in my 
inbox... Stopped the SMTP service and Queue service. This CODE did seem to help!

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] No one at Declude?

2013-04-17 Thread Andy Schmidt
Uh - but with that code, the internal SNF is turned off?

So one has to configure Sniffer as an external test with a separate Sniffer 
license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to the 
diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B]
IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing.  I checked the diag file and it 
has the usual entries at the top plus an entry at the bottom saying that the 
Sniffer license is invalid.  How is that?

So then I restarted the Declude service and now the diag file only shows
this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2013 Declude, Inc.

Host Name   mail1.bcwebhost.net
Declude Key redacted

So I have no idea what's going on. Anyone?

-Original Message-
From: Brian Baker
Sent: Tuesday, April 16, 2013 7:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Looks like tonight we better figure out a new approach. My declude diag file is 
now reading declude lic as invalid. Anyone else?


- Original Message -
From: Todd Richards to...@nnepa.com
To: Declude.JunkMail@declude.com
Sent: Monday, April 15, 2013 9:34 AM
Subject: RE: [Declude.JunkMail] No one at Declude?



What system is that?  Our users are getting hammered with spam.  Reminds me of 
the days, many years ago, before I happened upon Declude...

Todd



-Original Message-
On Sunday, April 14, 2013 10:24 PM,  John Doyle wrote:
I have reverted to a system that works.







RE: [Declude.JunkMail] No one at Declude?

2013-04-17 Thread Andy Schmidt
So - is there any advantage of using the hosts file trick (to invalidate the 
license server IP address) http://mailsbestfriend.com/declude-fix
vs. using the special bypass license code?

Does one enable more functions than the other?




RE: [Declude.JunkMail] No one at Declude?

2013-04-17 Thread Andy Schmidt
Thanks David,

So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs. the 
Bypass key?


RE: Re[2]: [Declude.JunkMail] No one at Declude?

2013-04-08 Thread Andy Schmidt
> Not to mention the grossly unethical, possibly illegal behavior of
> abandoning people with active maintenance



I’m still prepaid until end of June…



From: Sanford Whiteman [mailto:sa...@figureone.com]
Sent: Monday, April 08, 2013 7:37 PM
To: Declude.JunkMail@declude.com
Subject: Re[2]: [Declude.JunkMail] No one at Declude?



> So, has no one still heard nothing from Declude? This is my favorite
> anti-spam service and I would hate to lose them.

Well, no apologetic post here == bye-bye to the product, IMO.

What really irks me when this happens (I've had it happen to two beloved 
boutique apps in the past) is that no one gives a thought to open-sourcing 
it, just destroying it.  We aren't OS zealots and most of us are sysadmins, but 
that doesn't mean we couldn't make use of the code. Not to mention the grossly 
unethical, possibly illegal behavior of abandoning people with active 
maintenance.

-- S.



RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Andy Schmidt
If you're that small - how many PUBLIC domains do you have to be authoritative 
for? What is the change frequency in a year, that you need this to be on your 
local DNS.

For redundancy and availability purposes, why not host your public DNS at your 
registry, block incoming DNS queries at your border router/firewall - and set 
up your strictly IN-HOUSE DNS server recursive?

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Saturday, March 16, 2013 2:04 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network 
traffic, but we can live without.  However, I need one server to be both 
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can set 
up to directly use the Comcast DNS servers (small network so I don't need 
internal DNS).  But the mail server presents us the same kind of problem.

The perfect solution would be a setting that tells the MS DNS server to accept 
recursive requests only from specified client IPs, but I don't see any way to 
do that.  Any ideas?

Thanks,

Ben

-Original Message-
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
       Queries for any other records return no results.  Used when server is 
       authoritative for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the 
       answer it will call out to other DNS servers to get the answer.
(I run both.  I have 4 non-recursive DNS servers for hosting zone files, and 2 
recursive DNS servers for workstations to point to.)

Forwarders:  Valid only if Recursion is on.
  If Forwarder is set and DNS server does not know the answer to a query, the 
  DNS server will ask the Forwarder DNS server for the answer.
  If no Forwarder is set and the DNS server does not know the answer to a 
  query the DNS server will contact the Root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because 
the installer assumes a blank forwarder means the DNS server will be unable to 
look up addresses.  Because DNS works with a forwarder the setting gets left on. 
About the only time I recommend forwarders is if the site uses something like 
OpenDNS for Content Filtering, in which case all queries should go to the 
OpenDNS servers.



-Original Message-
From: Sanford Whiteman sa...@cypressintegrated.com
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

> The challenge for me is in not using forwarding. For MS DNS servers,
> forwarding and recursion are tied together; turn off one and you
> lose both.

Incorrect. Turning off recursion turns off forwarders, but not vice versa. You
can have a perfectly operating recursive MS DNS server that does not delegate
recursion to any other server (forwarding amounts to delegating recursion, but
the server as a whole is still recursive, thus the unidirectional relationship
between the two settings). You only MUST use forwarders if you are not allowed
to pass DNS requests out past your ISP's border (similar to when you have to
use the ISP's outbound SMTP gateway).

> So if I turn off recursion and forwarding, then all my DNS requests
> will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for domains
that aren't on your box. No one is going to do it for you -- the root servers
sure won't.

> I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that will perform
recursive lookups for any address on the open internet.

> but I am also under the impression that resolving only through root
> servers is bad.

It's not bad, it doesn't exist.

> Since MS seems to recommend forwarding

I doubt that...

> With a stub zone, queries to URIBL.com are resolved directly through
> the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS requests
past your ISP, there's no reason to have forwarders.

-- S.
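The distinction argued over in this thread (recursion on or off, and an open resolver being one that recurses for anyone) is visible in the DNS reply header, so it can be verified from a client outside the allowed range. The following is an added example, not code from any poster: it builds a query with RD=1 for a name the server does not host and classifies the reply by the RA flag, RCODE and answer count. The reply packets and the name `example.org` are constructed sample data.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
NXDOMAIN, REFUSED = 3, 5


def build_query(name, txid=0x1234, qtype=1):
    """Build a standard query (type A by default) with RD=1: 'please recurse'."""
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    header = struct.pack(">HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def parse_header(packet):
    """Decode the fixed 12-byte DNS header."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    return {
        "txid": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(response, txid):
    """Classify the reply to a query for a name the server does NOT host."""
    h = parse_header(response)
    if not h["qr"] or h["txid"] != txid:
        return "not-our-response"
    if h["rcode"] == REFUSED:
        return "refused"                # recursion denied to this client
    if not h["ra"]:
        return "recursion-not-offered"  # authoritative-only behaviour
    if not h["aa"] and (h["ancount"] > 0 or h["rcode"] == NXDOMAIN):
        return "recursed"               # the server resolved it for us
    return "recursion-offered"          # RA set, but no result (e.g. SERVFAIL)


def probe(server, name, timeout=3.0):
    """Send one UDP query to a server you operate and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return classify(response, 0x1234)


def sample_reply(query, flags, ancount):
    """Constructed reply for offline use: header plus the echoed question.
    Answer records are omitted because classify() reads only the header."""
    return query[:2] + struct.pack(">HHHHH", flags, 1, ancount, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.org", txid=0xBEEF)
    cases = {
        "open resolver": sample_reply(q, QR | RD | RA, 1),
        "recursion off": sample_reply(q, QR | RD, 0),
        "client refused": sample_reply(q, QR | RD | REFUSED, 0),
    }
    for label, reply in cases.items():
        print(f"{label:15} -> {classify(reply, 0xBEEF)}")
```

A result of `recursed` or `recursion-offered` when probing from an address that should not be served is the open-resolver condition described above.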



[Declude.JunkMail] NJABL Shut Down

2013-03-05 Thread Andy Schmidt
March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones
have been emptied. After the Internet has had some time to remove NJABL
from server configs, the NS's will be pointed off into unallocated space
(192.0.2.0/24 TEST-NET-1) to hopefully make the shutdown obvious to those
who were slower to notice.
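A check for lists in this state, as an added example that is not part of the original post or of NJABL's notice: RFC 5782 requires an IPv4 DNSBL to list the test address 127.0.0.2 and never 127.0.0.1, so querying both for each configured zone separates a live list from an emptied one, an unreachable one, or one that answers for everything (a generalization beyond the notice). The zone names and resolver outcomes are constructed, and it is an assumption that an emptied zone no longer answers for 127.0.0.2.

```python
import socket


def dnsbl_query_name(ipv4, zone):
    """127.0.0.2 + 'dnsbl.example' -> '2.0.0.127.dnsbl.example'."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone.strip(".")


def system_resolve(name):
    """Return 'listed', 'not-listed' or 'error' using the system resolver."""
    not_found = {
        socket.EAI_NONAME,
        getattr(socket, "EAI_NODATA", socket.EAI_NONAME),
    }
    try:
        socket.gethostbyname(name)
        return "listed"
    except socket.gaierror as exc:
        # NXDOMAIN / no data means "not listed"; anything else (timeout,
        # SERVFAIL) means the zone could not be consulted at all.
        return "not-listed" if exc.errno in not_found else "error"
    except OSError:
        return "error"


def check_zone(zone, resolve=system_resolve):
    """Classify one DNSBL zone using the RFC 5782 test entries."""
    test = resolve(dnsbl_query_name("127.0.0.2", zone))      # must be listed
    control = resolve(dnsbl_query_name("127.0.0.1", zone))   # must not be
    if "error" in (test, control):
        return "unreachable"        # e.g. name servers pointed at dead space
    if control == "listed":
        return "lists-everything"   # every lookup would count as a hit
    if test == "not-listed":
        return "empty"              # zone answers, but holds no data
    return "live"


def audit(zones, resolve=system_resolve):
    """Map each configured zone to its state."""
    return {zone: check_zone(zone, resolve) for zone in zones}


def fake_resolver(table):
    """Offline resolver built from {query name: outcome}; names not in the
    table are 'not-listed'. Used only with the constructed data below."""
    return lambda name: table.get(name, "not-listed")


# Constructed resolver outcomes for four hypothetical zones.
DEMO = {
    "2.0.0.127.live.dnsbl.example": "listed",
    "2.0.0.127.parked.dnsbl.example": "listed",
    "1.0.0.127.parked.dnsbl.example": "listed",
    "2.0.0.127.dead-ns.dnsbl.example": "error",
    "1.0.0.127.dead-ns.dnsbl.example": "error",
}
DEMO_ZONES = [
    "live.dnsbl.example",
    "emptied.dnsbl.example",
    "parked.dnsbl.example",
    "dead-ns.dnsbl.example",
]

if __name__ == "__main__":
    for zone, state in audit(DEMO_ZONES, fake_resolver(DEMO)).items():
        print(f"{zone:25} {state}")
```

Any zone that is not `live` is a candidate for removal from the mail server's test configuration.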







[Declude.JunkMail] OT - Message Body Line-Ends in PHP

2012-12-18 Thread Andy Schmidt
Hi,



Recently, gateways have clamped down on malformed message bodies that contain 
single LF instead of the proper CR/LF mandated by RFCs:



http://www.ietf.org/rfc/rfc2822.txt
2.1 A line is a series of
   characters that is delimited with the two characters carriage-return
   and line-feed; that is, the carriage return (CR) character (ASCII
   value 13) followed immediately by the line feed (LF) character (ASCII
   value 10).

and it clarifies further:


2.3 CR and LF MUST only occur together as CRLF; they MUST NOT appear
 independently in the body.



I believe there is no ambiguity as to the ONLY acceptable line-ending anywhere 
in an Internet email?



Historically though, many programmers who grew up in the Unix/Apple world are 
used to seeing “LF”-only line-ends in their text files, and (out of 
understandable) ignorance of the written standards, have used their regular 
programming technique in any form handlers and other applications that 
generated automated SMTP messages.



The main source of these emails that I see being caught by gateways in hundreds 
every single day, are PHP-based form handlers, many of which are using the 
PHPmail extension. Of course, when programmers read the PHP official manual 
(the mail() function) they are even “educated” to ONLY use “LF” as the 
line-end – perpetuating this myth.



I have attempted to point their standards-violation to the PHP and PHPmail 
folks – but when the open source community (who usually points to the big bad 
wolf “Microsoft” for ignoring standards) is called to follow RFCs, they 
suddenly are full of excuses themselves.



I invite you to share your professional opinion:



PHP Manual on mail() function:

https://bugs.php.net/bug.php?id=63778 

regarding:

http://php.net/manual/en/function.mail.php



PHPmailer

http://code.google.com/a/apache-extras.org/p/phpmailer/issues/detail?id=62

They actually fixed it – and then REVERSED that fix (probably because of a 
bunch of lazy/ignorant developers who feel that following RFCs is NOT desirable 
if they would have to follow the lead of Microsoft in this case – which is 
getting it RIGHT).



Best Regards,

Andy







[Declude.JunkMail] OT - need stand-by Hyper-V host

2012-12-18 Thread Andy Schmidt
Hi,



I’m using this list, because I do know that some of you have small hosting 
operations and I have come to value and respect your expertise over the 
years.



I have a client who is hosting a few small Hyper-V virtual machines with me.



After the recent Hurricane, they have asked if I could help them find an 
emergency host who would be able to bring up their virtual machines if OUR part 
of the country was ever out of reach for a prolonged period.



Specifically, currently these are two machines, each configured with 4 GB of 
RAM, 4 virtual processors, and with less than 100 GB VHDs each. (Incidentally, 
they are running RHEL 6.3 – but that really doesn’t matter.)  However, they do 
host very active web sites, so the Hyper-V host should be equipped with recent 
generation hardware (such as fast quad-core CPUs and modern SATA/SCSI disk 
technology).



If this is an arrangement you are willing to discuss, please email me directly.



Best Regards,

Andy









RE: [Declude.JunkMail] invisible attachments?

2012-03-13 Thread Andy Schmidt
Most likely a malformed header created by the sending application.



Depending on how strict an application insists on  CR/LF combinations (vs just 
CR or just LF) – the attachment is either recognized as a distinct MAPI element 
– or treated as excess junk in the headers or some previous MAPI segment.



That’s why it’s still “there” after forwarding it. It was never GONE. It’s not 
just “visible” to certain email applications who have strict standards 
implementations.



You can get to the bottom of it, by setting up a temporary test rule in Declude 
based on the subject or even the sender's address that sends the email to 
some “hold” folder (like the Virus or Junkmail hold folders).  Then, disable 
that rule again. Now you have the “native” message body and you can inspect it 
with a hex editor and you’ll be able to see some issue with quoting or folding 
and then tell the sender how to fix their application to be MAPI compliant.



From: Imail Admin [mailto:imailad...@bcwebhost.net]
Sent: Monday, March 12, 2012 9:11 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] invisible attachments?



Hi,



I have a  problem with invisible attachments and I'm wondering if it's an IMail 
problem, a Declude problem, or something else.



A law firm that I've dealt with for a long time recently has a problem that 
messages sent to us with attachments sometimes don't display the attachments.  
They leave the sender with an attachment, but they arrive with no clue that  
there is an attachment.  If I forward them on to a gmail account I use for 
testing, then the attachments are visible there.



I've tested this with both Outlook Express and Mail Live on the receiving end 
and see nothing about the attachments.   I check on an Android phone using K-9 
and it doesn't show the attachments but does show the mail.dat file usually 
associated with Outlook and the formatting of messages (and these senders are 
using Outlook with MS Exchange).  However, the usual fix (use Plain Text Only) 
doesn't seem to help.



My first thought was that the attachments were getting stripped (by Declude?) 
at our server.  But since they still seem to be there once I forward to the 
gmail account, that excludes that idea.  I haven't had any problems receiving 
test JPG files as attachments and sometimes their PDF files get through just 
fine. So any idea what's going on here?



Thanks,



Ben


--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
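
An added example (not part of the thread, and not Declude or IMail code): a Python sketch of the inspection the reply describes doing in a hex editor. It scans a raw held message for bare CR or bare LF line endings and for header lines that are neither a field nor a folded continuation. The sample message bytes and all function names are constructed for illustration.

```python
import re

# Constructed sample: one header line ends in a bare LF, and the Content-Type
# continuation line lost its leading whitespace (broken folding).
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: contract\n"                       # bare LF
    b"Content-Type: multipart/mixed;\r\n"
    b'boundary="----=_Part_1"\r\n'               # continuation not indented
    b"\r\n"
    b"------=_Part_1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See attached.\r\n"
)

# A header field starts with printable ASCII (no space, no colon) followed by a colon.
FIELD_RE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")


def find_bare_line_endings(raw):
    """Return (offset, kind) for each CR not followed by LF and each LF not preceded by CR."""
    findings = []
    for i, byte in enumerate(raw):
        if byte == 0x0D and raw[i + 1:i + 2] != b"\n":
            findings.append((i, "bare CR"))
        elif byte == 0x0A and (i == 0 or raw[i - 1] != 0x0D):
            findings.append((i, "bare LF"))
    return findings


def check_header_folding(raw):
    """Return (line number, text) for header lines that are neither a field nor a
    whitespace-led continuation. A strict parser ends or corrupts the header block
    at such a line; a lenient one may guess and carry on."""
    bad = []
    for n, line in enumerate(raw.splitlines(), start=1):
        if line == b"":
            break                          # blank line: end of the header block
        if line[:1] in (b" ", b"\t"):
            continue                       # properly folded continuation
        if not FIELD_RE.match(line):       # heuristic: no "Name:" at line start
            bad.append((n, line.decode("latin-1")))
    return bad


def hex_context(raw, offset, width=8):
    """Hex dump of the bytes around an offset, as a hex editor would show them."""
    start = max(0, offset - width)
    return " ".join(f"{b:02x}" for b in raw[start:offset + width])


if __name__ == "__main__":
    for offset, kind in find_bare_line_endings(SAMPLE):
        print(f"{kind} at byte {offset}: {hex_context(SAMPLE, offset)}")
    for number, text in check_header_folding(SAMPLE):
        print(f"header line {number} is not a field or continuation: {text}")
```
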





[Declude.JunkMail] Interim Download of CFG File

2011-11-03 Thread Andy Schmidt
Hi,



The old problem with the interim files is back/still there.



Your web server does NOT have .CFG configured in the MIME types - so it
refuses to download the sample CFG files. You need to either update the web
server settings to permit .CFG filetypes OR rename or zip those sample CFG
files.





Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206





RE: [Declude.JunkMail] error 0xC0000142 smtp.exe

2011-05-05 Thread Andy Schmidt
I had encountered the problem when I introduced another Declude add-on to the 
mix (e.g., another command line program that Declude was launching). Eventually 
there were too many command line processes using up too much heap…



Some of us were using the old command-line sniffer and 2 or 3 anti-virus 
command line tools, and invURIBL and various other – each one chipping away at 
the heap.



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 2:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe



Hi Pete,



Thanks for the links.  After reading all of those, and everything they link to, 
I have a better idea of what’s happening.  What Declude originally called the 
“mystery heap” is apparently the desktop heap, which had a system wide limit of 
48 mb (Win2k and Win2k3), allocated between interactive and non-interactive 
desktops.  Presumably, too many processes are launched, exhausting this heap.  
Setting a smaller value for the per-process allocation (512 kb by default) 
should allow more processes to run.  So all of this makes sense but doesn’t 
explain why my server should have this problem.



My business is so small any more that I could imagine using my smart phone to 
run the mail server.  If it’s the smtp32.exe process causing the crash, then 
that would imply to me that I’ve got a lot of outbound messages all at once.  I 
just don’t see how this could happen.  I’m guessing that we’ve got no more than 
a couple hundred mailboxes spread over 30 domains, and no lists larger than 
200.  So how do I find out where all this outbound stuff is coming from? And is 
there a setting I could use to limit the number of outbound messages sent (or 
processed) at one time?



Any suggestions are appreciated.



Thanks,



Ben



P.S. I wonder what would happen if I moved my software (Imail 2006.23) to a Win 
7 PC or a Windows 2010 server? Just thinking out loud.



From: Pete McNeil mailto:madscient...@microneil.com

Sent: Wednesday, May 04, 2011 8:34 PM

To: Declude.JunkMail@declude.com

Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe



On 5/4/2011 11:08 PM, Imail Admin wrote:

Hi,


I recall a while back about errors where you get Error #0xC142 (The 
application failed to initialize) for smtp32.exe, somehow related to Declude.  
We started getting these recently for no particular reason that I can think 
of.  Is there a setting in Declude that helps with this?


IIRC, this is the mystery heap problem and solving it will mostly have to do 
with the setting you're using.

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=686

There is a particular chunk of memory that runs out if too many 
applications/processes are started at once as children of other processes. In 
your case, for example, too many concurrent instances of SMTP32.exe along with 
a number of other factors.

If I'm guessing correctly, you could suddenly experience this problem due to 
allowing enough SMTP32 processes (usually controlled by the number of 
processing threads you allow) and also having enough mail running through your 
system to exhaust the mystery heap.

This search might help you find what you're looking for in previous discussions.

Hope this helps,

_M




--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010





RE: [Declude.JunkMail] error 0xC0000142 smtp.exe

2011-05-05 Thread Andy Schmidt
In MY case it was not the number of threads, but eliminating one of the third 
party command line applications. Although – I had never TRIED reducing the 
number of threads to see if that would help the situation.



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 4:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe



That sounds like me.  What’s the cure?  Drop the number of threads in 
declude.cfg?  I haven’t looked at it yet to see what I have.




RE: [Declude.JunkMail] error 0xC0000142 smtp.exe

2011-05-05 Thread Andy Schmidt
PS: I also upgraded Declude to use the integrated Sniffer and the integrated 
Anti-Virus engine so that I could eliminate the number of command line 
invocations.




RE: [Declude.JunkMail] JunkMail Bounce and Virus Notices

2011-03-27 Thread Andy Schmidt
Hi,



It’s not just limited to HiJack, it seems that Declude Virus and Declude 
Junkmail are both hardcoded to use IMail1 for virus notifications, Bounce 
Messages.



I can’t find any configuration option where you can either use BLAT or some 
other command line mailer and/or mailer script.



Here are snippets from the VIR* and DEC* logs:



03/27/2011 09:08:21.095 q57ef0032830be332.smd Error starting imail1: 2 
[D:\IMAIL\IMail1.exe -h Postmaster.Argos.net -t 
PostMaster@[123.26.186.94],PostMaster@localhost -u 
postmas...@postmaster.argos.net -s Our Virus Firewall has Rejected an 
Apparent Email of Your User! -f 
D:\IMail\spool\proc\work\D57ef0032830be332.sm0]



03/27/2011 00:03:01.096 q216f00324ee89e2d.smd Error starting imail1: 2 
[D:\IMAIL\IMail1.exe -h Postmaster.Argos.net -t 
r...@images.solarcycle29.info -u postmas...@postmaster.argos.net -s 
Undelivered Mail -f D:\IMail\spool\proc\work\D216f00324ee89e2d.sm0]



Best Regards,

Andy

  _

From: John T johnl...@eservicesforyou.com

Sender: John T johnl...@eservicesforyou.com

Date: Sat, 26 Mar 2011 16:09:11 GMT

To: Declude.JunkMail@declude.com

ReplyTo: Declude.JunkMail@declude.com

Subject: [Declude.JunkMail] How to send notices about email held by HiJack



With Ipswitch's decision to remove imail1.exe from Imail 11.03 the scripts we 
have been using to check the HiJack hold folders and send emails when email is 
found hold no longer work.

What options are available now to be able to send automated email through 
scripts?

John T
eServices For You




RE: [Declude.JunkMail] How to send notices about email held by HiJack

2011-03-27 Thread Andy Schmidt
PS: appears they removed it in v10 – not just v11 (or v11.03).

I went back to version 11.02 installer, and after going through the entire 
activation sequence for a new/second trial install – I ended up with 11.02 – 
but no Imail1.exe. I don’t have a pre-version 10 installer laying around!



RE: [Declude.JunkMail] Blocking on no REV DNS?

2011-02-14 Thread Andy Schmidt
I suppose it depends on your clients. I host mostly small to medium business
sites, bounce on reverse DNS at my gateway and only get a question once or
twice a year, where I assist some clueless Email Admin about contacting his
ISP to set up the proper reverse DNS.

 

I explain to them that we are in line with AOL, Hotmail, Google and others
that have policies against missing Reverse DNS to show that he may have
FOUND the problem by trying to email US, but that in fact, his emails to
most places on the Internet are being silently deleted, held or flagged as
SPAM - without giving him a warning as WE do.

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 9:22 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking on no REV DNS?

 

Years ago it was recommended not to block mail on a missing reverse DNS
because many legitimate mail servers were mis-configured.  

 

We know services like AOL block on missing DNS.  Just wondering, do you
block on missing REV DNS?  If not, do you at least add weight?  

 

I'm getting to the point where if a mail server doesn't have a reverse DNS
then I'm thinking the heck with them


---
[This E-mail was scanned by Declude] 



RE: [Declude.JunkMail] Blocking on no REV DNS?

2011-02-14 Thread Andy Schmidt
Not sure if you're asking how to trap items without reverse DNS?

 

It would be a line like this in the GLOBAL.CFG:

 

WHITELIST   AUTH

REVDNS   revdnsexists  x  x  5  0

 

(which would add a weight of 5 if there is no reverse DNS - but whitelist
your clients who have no reverse DNS but still should be permitted to
connect to your SMTP relay).

 

Then, you could pick up on that test name in your $default$.junkmail, and
decide what action you might want, e.g.:

 

REVDNS   ALERT

 

or

 

REVDNS   HOLD

 

Or

 

REVDNS   LOG

 

Etc.

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 2:07 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blocking on no REV DNS?

 

 

Headers from a typical email with missing reverse DNS:

 

Received: from UnknownHost [208.94.247.117] by xx

 

X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA
208.94.247.117 with no reverse DNS entry.

 

 

What is the best way to filter on no reverse DNS?





[Declude.JunkMail] Spam Routing and IP 6?

2010-10-18 Thread Andy Schmidt
Hi,

 

I may be barking up the wrong tree. But since the following email only had a
single IP v4 hop to our Imail, I can't see how this could possibly be caught
by spamrouting - unless there is some confusion on how to treat the IP v6
address:

 

Received: from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com with
ESMTP

  (SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400

Received: from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk ([::1])

 with mapi; Fri, 8 Oct 2010 09:43:21 +0100

.

X-RBL-Warning: This E-mail was routed in a poor manner consistent with spam
[211f]. See: http://tools.declude.com/headercode.php?code=211f 

X-Declude: Version 4.10.51; Code 0x211f from
host81-143-158-102.in-addr.btopenworld.com [81.143.158.102]

 

The only other server uses the standard IP v6 loopback address
(0:0:0:0:0:0:0:1), equivalent to the 127.0.0.1 in IP v4 - which clearly is
internal and thus should not be evaluated for the Spamrouting test.

 

If Spamrouting (or Declude?) does not handle IP v6, then it probably should
at least SKIP those headers entirely? 

 

Best Regards,

Andy





[Declude.JunkMail] Spam Routing and IP 6?

2010-10-12 Thread Andy Schmidt
Hi,

 

I may be barking up the wrong tree. But since the following email only had a
single IP v4 hop to our Imail, I can't see how this could possibly be caught
by spamrouting - unless there is some confusion on how to treat the IP v6
address:

 

Received: from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com with
ESMTP

  (SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400

Received: from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk ([::1])

 with mapi; Fri, 8 Oct 2010 09:43:21 +0100

.

X-RBL-Warning: This E-mail was routed in a poor manner consistent with spam
[211f]. See: http://tools.declude.com/headercode.php?code=211f 

X-Declude: Version 4.10.51; Code 0x211f from
host81-143-158-102.in-addr.btopenworld.com [81.143.158.102]

 

The only other server uses the standard IP v6 loopback address
(0:0:0:0:0:0:0:1), equivalent to the 127.0.0.1 in IP v4 - which clearly is
internal and thus should not be evaluated for the Spamrouting test.

 

If Spamrouting (or Declude?) does not handle IP v6, then it probably should
at least SKIP those headers entirely? 

 

Best Regards,

Andy
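
An added example (not Declude's code, whose internals the page does not show): one way a routing test could choose which hops to evaluate, parsing both IPv4 and IPv6 literals from Received headers and skipping loopback and other internal addresses such as `::1`. The header text is taken from the message above; the function names are hypothetical.

```python
import ipaddress
import re

# Received headers as quoted in the post above, unfolded onto single lines.
RECEIVED = [
    "from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com with ESMTP "
    "(SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400",
    "from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk ([::1]) "
    "with mapi; Fri, 8 Oct 2010 09:43:21 +0100",
]

# Address literals sit in square brackets; RFC 5321 allows an "IPv6:" tag inside them.
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def hop_addresses(received_value):
    """Return every valid IP literal in the 'from' part of one Received header."""
    from_part = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    found = []
    for literal in BRACKETED.findall(from_part):
        try:
            found.append(ipaddress.ip_address(literal))
        except ValueError:
            continue            # bracketed text that is not an address
    return found


def is_internal(addr):
    """Loopback, private, link-local and unspecified addresses carry no
    information about how the message travelled across the Internet."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped             # ::ffff:127.0.0.1 -> 127.0.0.1
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)


def routable_hops(received_headers):
    """External hops, in header order, that a routing test should look at."""
    hops = []
    for value in received_headers:
        hops.extend(a for a in hop_addresses(value) if not is_internal(a))
    return hops


if __name__ == "__main__":
    for value in RECEIVED:
        for addr in hop_addresses(value):
            label = "skip (internal)" if is_internal(addr) else "evaluate"
            print(f"{addr}: {label}")
    print("hops to evaluate:", [str(a) for a in routable_hops(RECEIVED)])
```
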





Re: [Declude.JunkMail] Imail vs. Smartermail

2010-08-28 Thread Andy Schmidt
What is blah- vs. blah+ for incoming mails?

Are you referring to subfolders/submailboxes that Imail automatically generates?

If Imail does DomainKeys and has the mailbox handling you need, why drop it?
The next update to Imail will allow dropping connections for certain spam 
checks (we'll see which ones they are starting with.)  I've been asking for 
that for 10 years - so hopefully I'll be able to reject (some) spam outright 
during the SMTP conversation.

Best Regards
Andy Schmidt

Tel. +1 201-934-9411, x20
Fax +1 201-934-9206


From: Eddie 
Sent: Saturday, August 28, 2010 7:00 AM
To: declude.junkmail@declude.com 
Subject: RE: [Declude.JunkMail] Imail vs. Smartermail


I am not sure about this.  So I am opening this up for discussion..

 

What would happen if you just ran Smartermail as an Outbound email gateway.  
Wouldn't Domainkeys/Dkim still work without needing to change everyone's email 
address?

 

Cheers,

Eddie

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Robert 
Grosshandler
Sent: Friday, August 27, 2010 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Imail vs. Smartermail

 

Hi All -

 

We're currently using Imail v2006.  We had no need to upgrade and the iMail 
versions until this year didn't support some features we needed (primarily 
DomainKey / DKIM signing of outbound mail. )  We'd considered moving to 
Smartermail, but it didn't (and doesn't) support a feature we needed 
(blah-x...@igive.com) formatting of incoming mail.  Smartermail does 
(blah+x...@igive.com) and we'd have to get 250,000 folks to change the e-mail 
address we assigned them.

 

Pricing between the two for our needs is almost the same (Smartermail would be 
slightly cheaper in the long run).

 

I know that people left iMail in droves over the past several years.  Any 
current info on Ipswitch that should make me go through the pain of a switch to 
Smartermail?

 

Thanks ahead of time.

 

Rob



Re: [Declude.JunkMail] Server AV Scanner

2010-08-12 Thread Andy Schmidt
Dave,

ClamAV works perfectly fine with Declude - runs as a service and thus is fast.

A native Windows version has been available for quite a while.

Best Regards
Andy Schmidt

Tel. +1 201-934-9411, x20
Fax +1 201-934-9206


From: Dave Beckstrom 
Sent: Thursday, August 12, 2010 9:51 AM
To: declude.junkmail@declude.com 
Subject: [Declude.JunkMail] Server AV Scanner


Hi Everyone,


I sold off the lion's share of my web business 3 years.  I still host a few 
sites for some people who have been with me for a really long time.  But I 
don't have the revenue I once did and hence can't afford to renew Declude (I'm 
running an older version) or buy any software.

I used to use F-prot (command line version) to virus scan email at the server 
via Declude.  They no longer offer the signature files for that version of 
F-prot. 

I haven't found anything in my searches so I thought I'd ask here -- is there a 
free antivirus scanner available that will run on 2003 server and which I could 
tie into Declude?

Thanks,



Dave



[Declude.JunkMail] RE: A small Junkmail enhancement suggestion

2010-07-15 Thread Andy Schmidt
Hi,

 

Yes - the From header is just for the mail client (such as Outlook). The
real sender is typically provided in the Sender or X-Sender header.

 

Here is an example using different versions of CDO:

 

a)  Up to Win 2000 Server and prior

 

Reply-To: authorspreferredem...@somecorporatedomain.com

From: authors...@somepdadomain.com

Sender: postmas...@anamera.net

To: customer.serv...@anamera.net

 

The MAIL FROM was: 

postmas...@anamera.net

 

b)  Win 2003 and up (Win 2000 Server supports either)

 

Reply-To: authorspreferredem...@somecorporatedomain.com

From: authors...@somepdadomain.com

X-Sender: postmas...@anamera.net

To: customer.serv...@anamera.net

 

The MAIL FROM was: 

postmas...@anamera.net

 

 

So - the most appropriate logic for FROMNOMATCH would have been:

 

-  if X-Sender header exists, compare THAT against MAIL FROM

-  if Sender header exists, compare THAT against MAIL FROM

-  else, compare From header against MAIL FROM

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Thursday, July 15, 2010 2:36 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] A small Junkmail enhancement suggestion

 

David, are you there?

 

The FROMNOMATCH test introduced in 2006 checks whether the MAILFROM matches
the From: header.

 

I suggest an enhancement to reduce false positives: that the FROMNOMATCH is
suppressed if the Sender: header line is present.

 

The Sender: header line is used to indicate that the sending mail system
knows that the actual sender is different from the cosmetic From: line.

 

The result in, say, Microsoft Outlook, is that the From: line will show
%MAILFROM% on behalf of %From: field contents%.

 

The Sender: line receives a bare mention here:
http://en.wikipedia.org/wiki/E-mail_header

 

The FROMNOMATCH should also be suppressed if the MAILFROM is .

 

I suspect that VERP addresses should also be excerpted, because as with the
Sender: header, the envelope/MAILFROM is expected to not match the From:
header. Here's the Wikipedia article on VERP:
http://en.wikipedia.org/wiki/Variable_envelope_return_path

 

There may be a problem with VERP if there is no clear winner or winners in
the formatting; if there are VERP formats that are intended to be
interpreted by software instead of humans, then those formats make good
exceptions to FROMNOMATCH.

 

As an example of what is too vague and relies on the human being is the huge
variety of mailing list, return, and bounce formats in the MAILFROM.

 

I see a lot of bounces that begin the MAILFROM with bounces, bounce,
bo- or put bounce in the fully qualified domain name.

 

The only one I know of that is consistent is the prvs=.+= prefix by BATV:
http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

 

Reducing the incidence of FROMNOMATCH in the subjective bounce formattings
may be too much of a custom configuration to maintain, and would make a
decent combo test.

 

I have been using FROMNOMATCH with a tiny weight since its inception, adding
more weight in combination tests. I recently looked at my Declude logs, and
found that FROMNOMATCH triggered 10:1 on ham:spam, that is, the spammers are
now more likely to match the envelope and From: header (even though it's
probably a fake address anyway).

 

My statistic has to be taken with a grain of salt; I use Alligate in front
of my Declude, so my results are skewed by omitting lots of the spam from
zombie hosts.

 

tldnr: Exclude from the FROMNOMATCH test when the MAILFROM is <>, or when
the valid Sender: line is also in the header, or MAILFROM is in BATV or
recognizable VERP format.

 

 

Andrew.

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 
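
The header precedence and the exceptions proposed in this exchange, written out as an added Python example (not Declude code and not posted by anyone in the thread). The sample headers are constructed on the pattern of the two CDO cases, the VERP pattern is an assumed common shape, and all function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# BATV-tagged local part, using the prefix pattern quoted in the thread.
BATV_RE = re.compile(r"^prvs=.+=", re.IGNORECASE)
# Assumption: the common VERP shape  list+user=userdomain@listdomain
VERP_RE = re.compile(r"^[^@+]+\+[^@=]+=[^@]+@[^@]+$")

# Header precedence proposed in the reply: X-Sender, then Sender, then From.
HEADER_ORDER = ("X-Sender", "Sender", "From")

# Constructed sample headers modelled on the two CDO cases in the thread.
CDO_OLD = (
    "Reply-To: author.preferred@corp.example\n"
    "From: author@pda.example\n"
    "Sender: postmaster@forms.example\n"
    "To: customer.service@forms.example\n\n"
)
CDO_NEW = CDO_OLD.replace("Sender:", "X-Sender:")
PLAIN = "From: Alice <alice@example.com>\nTo: bob@example.org\n\n"


def envelope_address(mail_from):
    """Strip the angle brackets from a MAIL FROM value; '' means null sender."""
    return mail_from.strip().strip("<>").strip().lower()


def header_address(value):
    """Extract the bare address from a header such as 'Name <user@host>'."""
    return parseaddr(value)[1].lower()


def naive_fromnomatch(mail_from, raw_headers):
    """Model of the original test: compare the envelope with From: only."""
    msg = message_from_string(raw_headers)
    return header_address(msg.get("From", "")) != envelope_address(mail_from)


def fromnomatch(mail_from, raw_headers):
    """Return (triggered, reason) with the thread's exceptions applied."""
    env = envelope_address(mail_from)
    if not env:
        return (False, "null sender")      # bounces and DSNs use MAIL FROM:<>
    if BATV_RE.match(env.partition("@")[0]):
        return (False, "BATV")             # envelope is tagged on purpose
    if VERP_RE.match(env):
        return (False, "VERP")             # envelope encodes the recipient
    msg = message_from_string(raw_headers)
    for name in HEADER_ORDER:
        if msg[name] is not None:
            matched = header_address(msg[name]) == env
            return (not matched, f"{name} {'matches' if matched else 'differs'}")
    return (True, "no sender header")


if __name__ == "__main__":
    cases = [
        ("<postmaster@forms.example>", CDO_OLD),
        ("<postmaster@forms.example>", CDO_NEW),
        ("<mallory@spam.example>", PLAIN),
        ("<>", PLAIN),
    ]
    for mail_from, headers in cases:
        print(mail_from, naive_fromnomatch(mail_from, headers),
              fromnomatch(mail_from, headers))
```
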




RE: [Declude.JunkMail] Blocking domains by DNS server?

2010-07-01 Thread Andy Schmidt
Hi Dave,

Unless that name server is listed in one of the RBLs already, you'd have to
set up your own RBL zone on your name server and then check against that.

Here's the appropriate section of the config file:

<!--Enables the checking of the URI's name servers against an RBL. -->
<!--If the name servers are listed in the RBL the defined weight will be added-->
<!--Max_Name_servers_To_Check - Sets the number of name servers to check. -->
<!--If set to zero all name servers returned from the DNS query will be checked-->
<!--Bitmask_Skip_Options_Name_Server_RBLx - Bitmask value that allows you to skip -->
<!--the associated Nameserver check if the URI is listed in the URI list. -->
<!--Values: 0 - no skipping will occur. 1 - Skip Nameserver check if URI was listed-->
<!--in a URI list. 2 - Skip if the URI's name server was already found in the given -->
<!--blacklist.  This prevents double scoring. 4 - Skip scoring if the URI's name server -->
<!--was listed on any of the previous lists.  Skip values are added together based -->
<!--on the options you want.-->

<add key="Enable_URI_Name_Server_Check" value="true" />
<add key="Max_Name_Servers_To_Check" value="3" />

<add key="Name_Server_RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_Name_Server_RBL1" value="2" />
<add key="Name_Server_Return_Code_RBL1" value="*" />
<add key="Name_Server_Weight_RBL1" value="2" />

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Thursday, July 01, 2010 5:31 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking domains by DNS server?


There is a pervasive spammer out there, where the common denominator in the
jerk's spam is the fact that all of the domains in the body of the email are
served by DNS servers NS1.domainsite.com - NS4.domainsite.com.

I want to block all email where a link in the body is resolved by one of
those DNS servers.  I haven't looked at my invURIBL config for some time,
but isn't that one of the things that it can do?  If so, how do I set that
up?   Otherwise, is there another way to achieve the above?
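
What a name-server RBL check of this kind does, as an added Python example (not invURIBL's code and not part of the original posts). It assumes the check looks up each name server's IPv4 address in the zone and adds the weight once per message; the zone name nsblock.rbl.example, all IP addresses and the DNS records are constructed, and a static resolver stands in for live DNS so the example runs offline.

```python
import ipaddress
import re

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def rbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class StaticResolver:
    """Offline stand-in for DNS lookups, fed with constructed records."""

    def __init__(self, ns_records, a_records, rbl_names):
        self.ns_records = ns_records
        self.a_records = a_records
        self.rbl_names = set(rbl_names)

    def name_servers(self, host):
        """Walk up the labels until a name with NS records is found."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            servers = self.ns_records.get(".".join(labels[i:]))
            if servers:
                return servers
        return []

    def address(self, host):
        return self.a_records.get(host.lower())

    def is_listed(self, query_name):
        return query_name in self.rbl_names


def score_body(body, resolver, zone, weight, max_name_servers=3):
    """Return (weight_added, hits); hits are (uri_host, name_server, ip)."""
    hits = []
    seen_ips = set()                       # never count one name server twice
    hosts = dict.fromkeys(h.lower() for h in URL_HOST_RE.findall(body))
    for host in hosts:
        servers = resolver.name_servers(host)
        if max_name_servers:               # 0 means check every name server
            servers = servers[:max_name_servers]
        for ns in servers:
            ip = resolver.address(ns)
            if ip is None or ip in seen_ips:
                continue
            if resolver.is_listed(rbl_query_name(ip, zone)):
                seen_ips.add(ip)
                hits.append((host, ns, ip))
    # Assumption: the weight is added once per message, not once per hit.
    return (weight if hits else 0, hits)


# Constructed data: a private zone listing the four name servers from the post.
ZONE = "nsblock.rbl.example"
NS_RECORDS = {
    "cheap-pills.example": [f"ns{i}.domainsite.com" for i in range(1, 5)],
    "example.org": ["ns1.example.net", "ns2.example.net"],
}
A_RECORDS = {f"ns{i}.domainsite.com": f"192.0.2.{i}" for i in range(1, 5)}
A_RECORDS.update({"ns1.example.net": "198.51.100.1",
                  "ns2.example.net": "198.51.100.2"})
RESOLVER = StaticResolver(
    NS_RECORDS, A_RECORDS,
    [rbl_query_name(f"192.0.2.{i}", ZONE) for i in range(1, 5)],
)
SPAM_BODY = "Buy now http://www.cheap-pills.example/buy or see http://example.org/"

if __name__ == "__main__":
    print(score_body(SPAM_BODY, RESOLVER, ZONE, weight=2))
```
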

 








[Declude.JunkMail] FTC Permanently Shuts Down Notorious Rogue Internet Service Provider

2010-06-01 Thread Andy Schmidt
http://www.ftc.gov/opa/2010/05/perm.shtm




RE: [Declude.JunkMail] Fine tuning Declude

2010-05-12 Thread Andy Schmidt
Hi Michael:

 

I have a Windows script that I use with a whole bunch of different Exchange
customers to pull their email addresses from their servers and dump them
into a small JET (.mdb = Access) Database.  It does have a few input
parameters where you configure the LDAP path to the mail domain (because
many Exchange customers have different schemes), the LDAP user/pwd, and
which alias domain names to generate.

 

I use that list in a SQL query that my ORF gateway uses to block invalid
email addresses and outright terminate connections that have too many invalid
email addresses. If you have any use for it, I'll be happy to let you have
it. Instead of outputting database rows, you could certainly expand the
script to output a flat file instead or add alias items to the IMAIL
registry, etc.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 2:14 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

I wrote a batch file once on a number of the exchange servers that used VBS
and LDAP to generate a list of valid exchange recipients and then FTP them
to the server where a CF script parsed it clean.  I didn't quite know what
to do with them when they got there though (I was originally going to use
them in Alligate, but never got that up and going) and I don't have the full
granular cooperation of all the Exchange network peeps, only most of them,
so it was difficult to implement a one-size-fits-all policy regardless.

 

I'll put my thinking cap on.  

 

Another one of the problems is that most all of my clients don't want to
disable NDRs with whatever solution I come up with, which makes it fairly
impossible to avoid backscatter.  It goes in me one way, and out another :p

 

 

Very Respectfully, 

 

Michael Cummins 




RE: [Declude.JunkMail] Fine tuning Declude

2010-05-12 Thread Andy Schmidt
Not sure that this list supports attachments - but here it is.

 

Here's how I launch it every half hour:

 

cscript //Nologo ExtractLDAP.wsf 70.255.255.84 "ou=Their
Staff,dc=TheirCompany,dc=local" logon.u...@theircompany.local mypassword
"domainalias1.com domainalias2.com domainalias3.com" TheirCompany

 

I usually use the LDAP Explorer tool to make sure I can connect to their
LDAP port through their firewall, that they have set up a valid
user/password for me, etc. Then I navigate through their LDAP hierarchy to
determine the correct OU/DC/DC, CN/DC/DC, etc path to their email users.
Once that succeeds I can simply take that info and use it as the parameters
to my script.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 3:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

That sounds like it would be fun to review, regardless.  I can dig up my old
script and post it, too.  Mine is pretty primitive: spew and parse.

 

Does it reach out to LDAP from the internet side of things, through a
properly configured firewall, I imagine?  Mine was a local script that
uploaded.  I like your idea better, if I am reading it right.  With your
idea, I provide minimum requirements instead of installation steps.

 

 

Very Respectfully, 

 

Michael Cummins 



<?XML version="1.0" standalone="yes" ?>
<package>

<job id="ExtractLDAPAdr">
<?job error="true" debug="true" ?>
<reference object="Scripting.FileSystemObject" />
<reference object="ADODB.Connection" />
<reference object="ADOX.Catalog" />
<reference object="ADODB.Recordset"/>

<script language="JScript">
<![CDATA[

// ===========================================================================
// Extract Email Addresses from Active Directory
// ---------------------------------------------------------------------------
//
//  Author:  © 2005, Andy Schmidt
//  Email:   a...@argos.net
//  Runtime: Windows Scripting Host 5.6
//
//
// ---------------------------------------------------------------------------
//
//  CHANGE HISTORY
//
//  1.0.0 05-Apr-05 (AS)  Initial Development.
//  1.1.0 17-Jan-07 (AS)  Generalization and SQL sanitizing
//  1.2.0 19-Feb-07 (AS)  Set Page Size ADO property for large query results
//  1.3.0 15-Apr-08 (AS)  Allow for CommandLine Parameters
//  1.3.1 22-Apr-08 (AS)  Reliable detection of DupRec return code from JET
//                        Permit Origin length of 15, check for max length
//
// ===========================================================================


// ---------------------------------------------------------------------------
//   Global Constants
// ---------------------------------------------------------------------------

var nPageSize = 2000;   // (LDAP)

var strMDBFileName = 'ImailAdr.mdb';
var strMDBConn = 'Provider=Microsoft.Jet.OLEDB.4.0;Data Source=';

var strTable = 'UserList';
var strTableCreate = "CREATE TABLE [" + strTable + "] ( [Domain] CHARACTER(255) NOT NULL, [Host] CHARACTER(255) CONSTRAINT [HostKey] NOT NULL, [User] CHARACTER(255) NOT NULL, [Email] CHARACTER(255) NOT NULL CONSTRAINT [PrimaryKey] PRIMARY KEY, [Current] BIT, [Origin] CHARACTER(15) NOT NULL );";
var strIndexCreate = "CREATE INDEX HostKey ON [" + strTable + "] ( [Host] ) WITH DISALLOW NULL;";


// ---------------------------------------------------------------------------
//   Global Variables
// ---------------------------------------------------------------------------

var retCode = 0;
var bListOnly = false;
var nAddresses = 0;
var nInserted = 0;
var nUpdated = 0;
var nRecordsEffected = 0;

var i, tempstr, temparr;
var strDomain, strEmail;


// ===========================================================================
//   Prolog
// ===========================================================================

// Instantiate core objects
var objShell = WScript.CreateObject("WScript.Shell");
var objCat = WScript.CreateObject("ADOX.Catalog");
var objConn = WScript.CreateObject("ADODB.Connection");
var objRS = WScript.CreateObject("ADODB.Recordset");

// Get Command Line Parameters
if ( WScript.Arguments.Unnamed.Length < 6 || WScript.Arguments.Unnamed.Length > 7 )
{
    WScript.Echo( 'Incorrect number of command line parameters: ' + WScript.Arguments.Unnamed.Length + '. ');
    WScript.Arguments.ShowUsage();
    WScript.Quit( -4 );
}

var strComputer = WScript.Arguments.Unnamed.Item(0);
var adBase = WScript.Arguments.Unnamed.Item(1);
var adUser = WScript.Arguments.Unnamed.Item(2);
var adPwd = WScript.Arguments.Unnamed.Item(3);
var strDomains = " " + WScript.Arguments.Unnamed.Item(4) + " ";
var strOrigin = WScript.Arguments.Unnamed.Item(5);

if ( WScript.Arguments.Unnamed.Length > 6 )
    bListOnly

[Declude.JunkMail] SORBS Website Down?

2010-05-12 Thread Andy Schmidt
Hi,

 

Does anyone have a URL that works? I haven't been able to get
www.sorbs.net/lookup.shtml, or www.au.sorbs.net/lookup.shtml to come up?

 

I remember reading something last year that they had trouble getting a
hosting sponsor - but later they were acquired by GFI.

 

Best Regards,

Andy

 

 

 




RE: [Declude.JunkMail] Fine tuning Declude

2010-05-12 Thread Andy Schmidt
Hi Darin,

 

I have been fortunate that my customers (or their network consultants) were
able to open the LDAP port and add a user without trouble. Either they were
big enough to have their own IT staff, or small enough to have an external
IT consultant. But I understand that this might be different for everyone
else. 

 

As far as adding/deleting accounts - this script is designed to add/delete
records in the live database (that is actively used by ORF) - instead of
deleting and then refreshing the entire list. This way, there is no
downtime.  Of course, if your gateway does not support ODBC lookups (ORF
supports ODBC, LDAP and AD lookups), then you're out of luck.

 

Anyway - I'm just sharing the code in case it helps Michael.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin
Cox
Sent: Wednesday, May 12, 2010 4:32 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude

 

This is about 1/3 of the process to sync the servers.  Then there's the
processing of the file on the gateway to add/delete accounts as needed, and
the minor Exchange config changes to accept mail from a subdomain.

 

In our implementations, and due to often insufficient access/knowledge on
the part of most customers, it's a two-part batch sync.  I like the
all-in-one process you have by connecting through the firewall, Andy, but
it's been hard enough getting access to customer servers to place the
extraction script. Trying to get access to LDAP through firewalls for an
external process would take a lot longer to coordinate on a per-customer
basis.


Darin.

 

 

- Original Message - 

From: Andy Schmidt mailto:andy_schm...@hm-software.com  

To: declude.junkmail@declude.com 

Sent: Wednesday, May 12, 2010 4:05 PM

Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

Not sure that this list supports attachments - but here it is.

 

Here's how I launch it every half hour:

 

cscript //Nologo ExtractLDAP.wsf 70.255.255.84 "ou=Their
Staff,dc=TheirCompany,dc=local" logon.u...@theircompany.local mypassword
"domainalias1.com domainalias2.com domainalias3.com" TheirCompany

 

I usually use the LDAP Explorer tool to make sure I can connect to their
LDAP port through their firewall, that they have set up a valid
user/password for me, etc. Then I navigate through their LDAP hierarchy to
determine the correct OU/DC/DC, CN/DC/DC, etc path to their email users.
Once that succeeds I can simply take that info and use it as the parameters
to my script.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 3:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

That sounds like it would be fun to review, regardless.  I can dig up my old
script and post it, too.  Mine is pretty primitive: spew and parse.

 

Does it reach out to LDAP from the internet side of things, through a
properly configured firewall, I imagine?  Mine was a local script that
uploaded.  I like your idea better, if I am reading it right.  With your
idea, I provide minimum requirements instead of installation steps.

 

 

Very Respectfully, 

 

Michael Cummins 



RE: [Declude.JunkMail] SORBS Website Down?

2010-05-12 Thread Andy Schmidt
Thanks Andrew - it was down for a long time - but now I can get it. Thanks
for reassuring me.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Wednesday, May 12, 2010 5:29 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SORBS Website Down?

 

It may have been down when you looked, Andy. It's up now.

 

Also, I like to use this 3rd party for an instant second opinion:

 

http://downforeveryoneorjustme.com

 

 

Andrew 8)

 

 

 

  _  

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 1:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SORBS Website Down?

Hi,

 

Does anyone have a URL that works? I haven't been able to get
www.sorbs.net/lookup.shtml, or www.au.sorbs.net/lookup.shtml to come up?

 

I remember reading something last year that they had trouble getting a
hosting sponsor - but later they were acquired by GFI.

 

Best Regards,

Andy

 

 

 



RE: [Declude.JunkMail] SORBS Website Down?

2010-05-12 Thread Andy Schmidt
Nah - I wasn't imagining things - they really ARE having problems, e.g., when
trying to query an IP address.

 

Software error:

Open DB Handle needed at /home/dnsbl/htdocs/cgi-bin/db line 190

For help, please send mail to the webmaster (supp...@support.sorbs.net),
giving this error message and the time and date of the error. 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Wednesday, May 12, 2010 5:29 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SORBS Website Down?

 

It may have been down when you looked, Andy. It's up now.

 

Also, I like to use this 3rd party for an instant second opinion:

 

http://downforeveryoneorjustme.com

 

 

Andrew 8)

 

 

 

  _  

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 1:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SORBS Website Down?

Hi,

 

Does anyone have a URL that works? I haven't been able to get
www.sorbs.net/lookup.shtml, or www.au.sorbs.net/lookup.shtml to come up?

 

I remember reading something last year that they had trouble getting a
hosting sponsor - but later they were acquired by GFI.

 

Best Regards,

Andy

 

 

 



[Declude.JunkMail] Sniffer Integration - Bad snf_engine.xml

2010-05-05 Thread Andy Schmidt
Dave,

 

Pete has helped me figure out that your XML samples, e.g.:

 

http://interim.declude.com/41048/Scanners/SNF/snf_engine.xml

 

is NOT a valid XML file.

 

Specifically, the closing tag for the node element is invalid.

 

It MUST be:

 

/node

 

(Currently it is node/).

 

Consequently, opening this file with an xml parser (even just IE) will
result in parser errors.

 

I suppose everyone should double-click that XML file and see if it actually
opens (assuming that this bug has been there since day 1).

 

Best Regards,

Andy

 

 




RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

2010-05-05 Thread Andy Schmidt
Hi Dave,

 

Hm - yes, I think if you added 21 lines (from -10 to 0 and to +10) to the
config file, you could cover the reputation range from -1 to +1
in 0.1 step increments.

 

Not elegant - but would have the same effect as multiplying the reputation
range with the defined max weight.

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, May 05, 2010 12:12 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight
Scheme

 

Just a thought. We would have to test it but do you think the same thing
could be achieved using:

 

IPREPUTATION-3   SNFIPREP   x   -3   0   -5
IPREPUTATION-2   SNFIPREP   x   -2   0   -5
IPREPUTATION-1   SNFIPREP   x   -1   0   -5
IPREPUTATION-0   SNFIPREP   x    0   5   -5
IPREPUTATION+1   SNFIPREP   x    1   5   -5
IPREPUTATION+2   SNFIPREP   x    2   5   -5
IPREPUTATION+3   SNFIPREP   x    3   5   -5

 

This way the further an IP is on the scale the greater the credit or
additional score. This would have to wait till we implement the - negative
for the BASEPOINT.

David

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 4:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight
Scheme

 

Hi Dave,

 

I'm breaking this into two discussions as they are two different topics.

 

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the
reputation scale of -1 through +1 should NOT just result in either ONE
positive or ONE negative weight option.  

 

Your example:

 

IPREPUTATION   SNFIPREP   x   0   10  -5

 

only results in either a 10 being added or a 5 being subtracted. So you
are turning a continuous scale of -1 to +1 into two discrete values - losing
all the key benefits of having the reputation scale in the first place.

You already have the SNFIP return codes, if someone wanted a fixed value for
a particular level of reputation.

 

 

To really make use of the GBUdb, there should be a continuous weight from 0
to 10 for bad reputation and 0 through -5 for good reputation (using
your sample of 10 and -5).

 

Basically, for positive GBUdb values, multiply with the 10 (getting a
value from 0 to 10 depending on how bad the reputation is), for negative
values multiply with -5 to get a weight from 0 to -5 (depending on how
good the IP is).

 

This would make the test really useful because it would only cause BIG
weight changes for BIG GBUdb values.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

 

As Pete already provided input on this, I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice: "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT.
With that said, if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 



RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-05 Thread Andy Schmidt
Hi Dave (just in case this got overlooked - or I missed the answer),

 

 Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. 

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different way. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREP) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GBUdb) and SNFIP (which also evaluates the
GBUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GBUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER          external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION   SNFIPREP and I
was simply working off an earlier copy.

 

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION   SNFIP  please update this to IPREPUTATION   SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business

RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

2010-05-05 Thread Andy Schmidt
Yes, Declude already has TWO weights associated with SNFIPREP (one for
positive, one for negative). 

 

Just as you said, by multiplying with the positive or negative weight, as
need be, one would get two linear slopes from the center point.

 

On top of that, Dave has a basepoint option that can shift the center
point left or right.

 

So - it's 99% there. It just needs to prorate the +/- weights (=
multiplying) rather than use them as absolute values.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Wednesday, May 05, 2010 3:14 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight
Scheme

 

On 5/5/2010 1:30 PM, Andy Schmidt wrote: 

Hi Dave,

 

Hm - yes, I think if you added 21 lines (from -10 to 0 and to +10) to the
config file, you could cover the reputation range from -1 to +1
in 0.1 step increments.

 

Not elegant - but would have the same effect as multiplying the reputation
range with the defined max weight.


I hate to muddy the waters further -- but we solved this problem once when
developing the envelope management bit of GBUdb.
It might be complicated to explain, but suppose you define the slope at a
given point for each line you specify and then have the resulting weight be
a linear transform (as was discussed before).

Then you would need only two entries by default...
One that describes full-scale + and another that defines full scale -.
If you find the need to alter the slope then you can add additional points
in between.
The math works by drawing a straight line from 0 to the next defined point,
and from that point to the extreme, and so on.

Personally I think it is overkill -- but if you're going to talk about
making many many lines for this then the multi-point curve interpolation is
the way to go.

In practice the best way _seems_ to be to provide only two slopes -- one
positive going, one negative going -- and to establish a weight based on
those slopes. Theoretically that could be defined on a single Declude test
definition line.

Is there some constraint that I don't know about causing folks to consider
more complexity?

Hope this is helpful,

_M





-- 
President
MicroNeil Research Corporation
www.microneil.com


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 




RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-05 Thread Andy Schmidt
Thanks Pete.

 

Hopefully these discussions (and seeing your responsiveness) will convince
more folks to give Sniffer a try!

 

 I'm not completely sure what you are asking 

 

The golden rule for external tests and for RBLs is - if you have multiple
lines using the SAME command (e.g., the 18 SNF lines), or referring to
the same external program (e.g., 5 invURIBL lines), or referring to the same
blacklist (10 lines checking different return values), THEN only the FIRST
line will actually run the test against that resource (e.g., run the
external program, lookup the IP in the RBL). The OTHER lines will just
evaluate the return code differently without rerunning the test.

 

Now with the internal Sniffer implementation, we have three DIFFERENT
commands (SNF, SNFIP, SNFIPREP). So it's worthwhile confirming whether the
same golden rule applies here even though these are NOT multiple lines of
the SAME command.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Wednesday, May 05, 2010 3:47 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

 

On 5/5/2010 3:24 PM, Andy Schmidt wrote: 

Hi Dave (just in case this got overlooked - or I missed the answer),

 

 Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. 

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?


If I may -- I'm not completely sure what you are asking -- but if your
concern is that the test for SNFIP and SNFIPREPS represent additional
overhead then I can answer that. The amount of code that is run to execute
these tests is vanishingly small. You should consider the overhead required
to run all three tests as being no more than running the SNF pattern scan.
The other two (SNFIP and SNFIPREPS) require so little work that their
overhead is virtually impossible to measure.

_M




-- 
President
MicroNeil Research Corporation
www.microneil.com



[Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I do have SOME tests suppressed from the SMTP headers:

 

HIDETESTS   CATCHALLMAILS IPNOTINMX NOLEGITCONTENT WEIGHTKILL2
WEIGHT8 WEIGHT10 WEIGHTHDR WEIGHTFOOTER NJABL AHBL SORBS SENDERDB
WEIGHTGATEWAY

 

So the SMTP header looks correct - and the weight of 9 is accurate:

 

X-Declude-RefID: str=0001.0A020203.4BDEB008.02BD,ss=3,sh,fgs=0

X-Declude: Version 4.10.48; Code 0xe from www.mailglobal.net [64.27.0.60]

X-Declude: Triggered [9] SPFPASS, SNIFFER-GENERAL, ZEROHOUR [6] 

X-IMail-ThreadID: 4d2f8f571d69

 

However, in the log file, there is not ONE line that actually adds up to the
total weight of 9 (in this case: [Content] 7 + [ZeroHour] 6 = 13; minus
[IpNotInmx] 2 minus [SPFpass] 2 = [total] 9).

 

One log line misses the ZeroHour test, the other misses the IpNotInMx.  I
think ONE of these two lines should be implemented in a way so that it lists
everything that is non-zero so that a user can easily see HOW the total
weight was derived - otherwise, what's the point of logging any tests.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight =
9.

q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight =19
(9) and at least 1 recipients (1).

q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight =14
(9) and at least 4 recipients (1).

q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight =12
(9) and at least 6 recipients (1).

q4d2f8f571d69.smd Did not find [ smartcouponsa...@tillcrashing.com ] in
[ andy_schm...@hm-software.com ] address book

q4d2f8f571d69.smd Finish Address Book WhiteList

q4d2f8f571d69.smd Tests failed [weight=9]: NOLEGITCONTENT=IGNORE[0]
SPFPASS=IGNORE[-2] SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7]
WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6] 

q4d2f8f571d69.smd L1 Message OK

q4d2f8f571d69.smd Subject: May 2010 local coupon deals.

q4d2f8f571d69.smd From: smartcouponsa...@tillcrashing.com To:
andy_schm...@hm-software.com  IP: 64.27.0.60 ID: 

q4d2f8f571d69.smd Action(s) taken for [andy_schm...@hm-software.com] =
IGNORE SUBJECT  [LAST ACTION=SUBJECT]

q4d2f8f571d69.smd Cumulative action(s) on this email = IGNORE SUBJECT
[LAST ACTION=SUBJECT]

 

Best Regards,

Andy
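
The reconciliation done by hand in the message above, as an added example that is not part of the original post and not Declude's code. It parses the two quoted log lines (wrapped halves rejoined) and reports which contributions each one omits; treating tests whose names start with `WEIGHT` as threshold tests whose bracket value is not added to the score is an assumption taken from the arithmetic in the thread.

```python
import re

# The two log lines quoted in the message above, with their wrapped halves rejoined.
WEIGHT_LINE = (
    "q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9."
)
TESTS_FAILED_LINE = (
    "q4d2f8f571d69.smd Tests failed [weight=9]: NOLEGITCONTENT=IGNORE[0] "
    "SPFPASS=IGNORE[-2] SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7] "
    "WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6]"
)


def parse_weight_line(line):
    """Return ({token: weight}, declared_total) from a 'Total weight' line."""
    total = re.search(r"Total weight = (-?\d+)", line)
    if total is None:
        raise ValueError("not a 'Total weight' line")
    pairs = re.findall(r"(?<!\S)([\w-]+):(-?\d+)(?!\S)", line)
    return {name: int(w) for name, w in pairs}, int(total.group(1))


def parse_tests_failed(line):
    """Return ({test: (action, weight)}, declared_total) from a 'Tests failed' line."""
    declared = re.search(r"Tests failed \[weight=(-?\d+)\]", line)
    if declared is None:
        raise ValueError("not a 'Tests failed' line")
    triples = re.findall(r"([\w-]+)=([A-Z]+)\[(-?\d+)\]", line)
    return {n: (a, int(w)) for n, a, w in triples}, int(declared.group(1))


def is_threshold_test(name):
    # Assumption: WEIGHT8, WEIGHT10, ... fire once the total reaches a level,
    # so the number in brackets is a threshold and not a contribution.
    return name.startswith("WEIGHT")


def reconcile(weight_line, tests_failed_line):
    """Compare both lines against the declared total and list what each omits."""
    parts, declared = parse_weight_line(weight_line)
    failed, declared_failed = parse_tests_failed(tests_failed_line)
    if declared != declared_failed:
        raise ValueError("the two lines declare different totals")
    additive = {n: w for n, (_, w) in failed.items() if not is_threshold_test(n)}
    merged = {**parts, **additive}  # a test present in both lines counts once
    return {
        "declared": declared,
        "weight_line_sum": sum(parts.values()),
        "tests_failed_sum": sum(additive.values()),
        "merged_sum": sum(merged.values()),
        "missing_from_weight_line": sorted(
            n for n, w in additive.items() if w and n not in parts),
        "missing_from_tests_failed": sorted(
            n for n, w in parts.items() if w and n not in failed),
    }


if __name__ == "__main__":
    for key, value in reconcile(WEIGHT_LINE, TESTS_FAILED_LINE).items():
        print(f"{key:28} {value}")
```

Neither line alone reaches the declared total; only the union of both does, which is the gap the message asks to have closed.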




RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I agree with you that the total weight of 9 is correct (I had already
piecemealed that arithmetic together in my msg). 

 

 As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be 

 

Good - because, if your programmer was able to add ZeroHour to the Tests
Failed line, and also to the SMTP Headers variable, in the various
sections of the program flow - then I'd say it was merely an oversight that
it was omitted from the ONE log line that should be the complete list of
tests used in calculating the score, as you already confirmed.

 

 I believe this is the list of  non-zero tests you are looking for with
the exception of Commtouch ZEROHOUR. 

 

Right - so all we need is to get the missing ZEROHOUR included, so that it
truly IS a list of non-zero tests.

 

Thanks for checking into this.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails
that ARE triggered, providing the -2 to the final equation we have a correct
Total of.

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of  non-zero tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight =
9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 




RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-05-03 Thread Andy Schmidt
Hi Dave (just in case this one got lost),

 

 Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. 

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?

Since there is overlap between:

SNFIPREP (which evaluates the GDUdb) and SNFIP (which also evaluates the
GDUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GDUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) would further
reduce the Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL  SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David




RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

Thanks - I don't want to upset your development schedule (naturally, I can
cope with things as they are) - just wanted to make sure it's on someone
else's list <G>.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 1:19 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

I will check with engineering. If this is an easy change I will get it in an
interim soon, also with the nonzero for SNF as we discussed in an earlier
thread. 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 1:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

Hi Dave,

 

I agree with you that the total weight of 9 is correct (I had already
piecemealed that arithmetic together in my msg). 

 

 As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be 

 

Good - because, if your programmer was able to add ZeroHour to the Tests
Failed line, and also to the SMTP Headers variable, in the various
sections of the program flow - then I'd say it was merely an oversight that
it was omitted from the ONE log line that should be the complete list of
tests used in calculating the score, as you already confirmed.

 

 I believe this is the list of  non-zero tests you are looking for with
the exception of Commtouch ZEROHOUR. 

 

Right - so all we need is to get the missing ZEROHOUR included, so that it
truly IS a list of non-zero tests.

 

Thanks for checking into this.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails
that ARE triggered, providing the -2 to the final equation we have a correct
Total of.

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of  non-zero tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight =
9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 



RE: [Declude.JunkMail] SNFIP option for WHITE?

2010-05-03 Thread Andy Schmidt
Excellent - THANKS!

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 2:44 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SNFIP option for WHITE?

The exit codes are as follows:

Unknown = 0
White = 1
Normal = 2
New = 3
Caution = 4
Black = 5
Truncate = 6

The format in Declude would be.

TESTNAME    TESTTYPE    X    EXITCODE    WEIGHT-TRIGGERED    WEIGHT-NOTTRIGGED

SNFIPWHITE  SNFIP   X  1  -50


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 2:19 PM
To: declude.junkmail@declude.com
Subject: FW: [Declude.JunkMail] SNFIP option for WHITE?

Dave,

Pete confirmed that in addition to the Caution, Black and Truncate
categories, there is a WHITE category (which was also mentioned in the
Sniffer documentation).

So, it seems as if besides the existing three SNFIP options:

  SNFIPCAUTION   SNFIP x 4  5 0
  SNFIPBLACK SNFIP x 5 10 0
  SNFIPTRUNCATE  SNFIP x 6 10 0

there should/could be a:

  SNFIPWHITE SNFIP x ??? -5 0

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for white listing

 But your documentation of the reputation system has a graph that shows
that
 there is yet another category: WHITE.
   

I don't know the details of Declude's implementation. Presumably they 
could (or maybe even do) implement WHITE.








RE: [Declude.JunkMail] Sniffer BasePoint

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

Let's keep the BasePoint a separate discussion.

 

Here's what you sent on 4/30:

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

So - since left of zero (negative) are the good reputation and right of
zero (positive) are bad reputation, and you are subtracting the basepoint
(lowering a positive Sniffer Score) - so effectively you are moving the
center further to the RIGHT. A basepoint of 3 will have the effect that
-1.0 through +0.3 is good reputation, +0.3 is the null point and +0.3 to
+1.0 is now bad reputation, right?

 

But your sample math doesn't match your formula:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

 Using math rules (assuming you are simply truncating any decimals, not
rounding), you SHOULD be getting:

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -3 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = -4 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 3 = -5 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -6 This is negative then the test is not-triggered for
-5 points.

 

In any case, if you ONLY allow a positive base point that is being
subtracted then you can only use the SNFIPREP test to reduce the number of
IPs that are considered bad.  But, if you are trying to use SNFIPREP for
whitelisting and want to limit that number of IPs that are considered
good then you need to be able to add the basepoint - which moves the
center further to the LEFT.

 

So I think a negative basepoint would be useful (but not urgent in light of
the fact that you just sent me earlier SNFIP return codes that allow testing
for white).

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero. So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 1:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

 

Hi Pete,

 

Funny - our messages overlapped. But I'm glad I was on the right track with
my suspicions. Hopefully this will help Declude to refine things.

 

 a better way to do it would be to scale the result so that from 0 to -1
the negative weight (let's pick a 

factor of 5) would rise linearly from 0 to -5 and similarly a positive going
reputation would scale linearly from 0 to +5 as the API result scaled from 0
to +1. 

 

Right - that's the same scheme I just pointed out to Dave myself - except in
my case you could pick a distinct factor for the - vs. the + side of the
scale (because Declude already has that option anyhow)

 

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or
Neg]WeightFactor = Final Weight

 

For this line in the Declude config:

 

IPREPUTATION SNFIPREP x 0 2 -1

 

it would result in weights between +20 and -10, e.g.:

 

Reputation 0.0: ( ( 0.0 * 10 ) - 0 ) * 2   =   0

 

Reputation 0.3: ( ( 0.3 * 10 ) - 0 ) * 2   =   6

Reputation 1.0: ( ( 1.0 * 10 ) - 0 ) * 2   =  20

  

Reputation -0.3: ( ( 0.3 * 10 ) - 0 ) * -1 =   -3

Reputation -1.0: ( ( 1.0 * 10 ) - 0 ) * -1 = -10

 

 

Here's an important question, though:

 

Do you have a distribution chart

RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I'm breaking this into two discussions as they are two different topics.

 

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the
reputation scale of -1 through +1 should NOT just result in either ONE
positive or ONE negative weight option.  

 

Your example:

 

IPREPUTATIONSNFIPREP   x   0   10  -5

 

only results in either a 10 being added or a 5 being subtracted. So you
are turning a continuous scale of -1 to +1 into two discrete values - losing
all the key benefits of having the reputation scale in the first place. 

 

You already have the SNFIP return codes, if someone wanted a fixed value for
a particular level of reputation.

 

 

To really make use of the GBUdb, there should be a continuous weight from 0
to 10 for bad reputation and 0 through -5 for good reputation (using
your sample of 10 and -5).

 

Basically, for positive GBUdb values, multiply with the 10 (getting a
value from 0 to 10 depending on how bad the reputation is), for negative
values multiply with -5 to get a weight from 0 to -5 (depending on how
good the IP is).

 

This would make the test really useful because it would only cause BIG
weight changes for BIG GBUdb values.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero. So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
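
The weighting schemes discussed in this thread, side by side, as an added example that is not part of the original posts and not Declude's or Message Sniffer's code. It covers the two-value behaviour criticised above, the two prorated slopes from the formula `(Abs(Reputation) * 10 - Base) * Factor`, and the multi-point interpolation Pete describes in the 2010-05-05 message; the `points` list format and the handling of a non-zero basepoint in the prorated case are assumptions.

```python
"""Three ways to turn a GBUdb reputation (-1.0 .. +1.0) into a weight."""


def threshold_weight(reputation, basepoint=0, triggered=10, not_triggered=-5):
    """Two-value behaviour discussed for `IPREPUTATION SNFIPREP x 0 10 -5`.

    result = (reputation x 10) - basepoint; only its sign is used.
    Truncating the decimals is the assumption stated in the thread.
    """
    result = int(reputation * 10) - basepoint
    if result > 0:
        return triggered
    if result < 0:
        return not_triggered
    return 0


def prorated_weight(reputation, basepoint=0, pos_factor=2, neg_factor=-1):
    """Two linear slopes leaving the centre point.

    With basepoint 0 this is the thread's formula
    (abs(reputation) * 10 - base) * factor for `IPREPUTATION SNFIPREP x 0 2 -1`.
    Measuring the slopes from a shifted centre is an assumption of this sketch.
    """
    shifted = reputation * 10 - basepoint
    if shifted == 0:
        return 0.0
    factor = pos_factor if shifted > 0 else neg_factor
    return abs(shifted) * factor


def interpolated_weight(reputation, points):
    """Multi-point curve: straight lines from 0 to each defined point in turn.

    `points` is a hypothetical list of (reputation, weight) pairs; (0, 0) is
    implied, and input beyond the outermost points is clamped to them.
    """
    curve = {0.0: 0.0}
    curve.update({float(x): float(y) for x, y in points})
    xs = sorted(curve)
    r = max(xs[0], min(xs[-1], reputation))
    for left, right in zip(xs, xs[1:]):
        if left <= r <= right:
            span = (r - left) / (right - left)
            return curve[left] + (curve[right] - curve[left]) * span
    return curve[xs[0]]  # only reached when (0, 0) is the sole point


def compare(reputations, points):
    """Rows of (reputation, threshold, prorated, interpolated) weights."""
    return [
        (r, threshold_weight(r), round(prorated_weight(r), 3),
         round(interpolated_weight(r, points), 3))
        for r in reputations
    ]


if __name__ == "__main__":
    # Constructed sample reputations; two full-scale points plus one extra knee.
    knee = [(-1.0, -10), (0.5, 2), (1.0, 20)]
    print("rep    threshold  prorated  interpolated")
    for row in compare([-1.0, -0.3, -0.05, 0.0, 0.15, 0.3, 0.75, 1.0], knee):
        print("%5.2f  %9d  %8.2f  %12.2f" % row)
```

With only the two full-scale points the interpolated curve equals the prorated one; the extra point at 0.5 keeps mildly bad reputations close to zero while still reaching +20 at the extreme.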

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate -- SUGGESTION

2010-05-01 Thread Andy Schmidt
 is that
you are welcome to score tests however you feel appropriate for your email
server. 

I do agree with you that it could be made more clear, but to advise the list
NOT to use the current declude settings is your opinion. What would be
helpful is making a suggestion to what settings you use based on your
results. 

David




From: Andy Schmidt andy_schm...@hm-software.com
Sent: Friday, April 30, 2010 9:26 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

Thanks Pete - that confirms what I feared.

Declude's own sample should NOT be used as is because it duplicates the IP
results (at minimum)

 The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. 

Yes - according to Dave's explanation earlier today, Declude will get a
decimal number between -1 and +1. Their Sample/Default configuration treats
0 as normal, treats anything negative as GOOD (and subtracts 5 points)
and anything positive as BAD (and adds 10 points).

So - even though Sniffer returns information on a very graduated scale,
Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10%
of the range - 90% of the range returns either -5 or 10.

 I presume that even when SNFIP does return Caution, Black, or Truncate
that SNFIPREP continues to work and in that case will provide some shading
to those values... so, if you will, more or less Black, etc.

Based on Dave's explanation, Caution, Black and Truncate would
certainly always return a value > 0. Consequently, 10 would ALWAYS be
added to the weight for those 3 reputations.

Their default example basically TRIPLES the 10 weight that is assigned in
many cases (once for SNFIP, once for SNFIPREP, and once for SNF).

Let's see if Dave chips in - but it certainly seems to me that Declude's
Sniffer sample/default config should NOT be used (because it doesn't do what
an innocent user might expect). It's not at all clear that after all
their Sniffer rules, 30 would be added to the weight in several cases.



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
 Hi Pete,

 I'm looking over Declude's recommended Sniffer configuration and trying to
 understand how much overlap there is between these options:

 IPREPUTATION SNFIPREP x 0 10 -5

 SNFIPCAUTION SNFIP x 4 5 0
 SNFIPBLACK SNFIP x 5 10 0
 SNFIPTRUNCATE SNFIP x 6 10 0

 SNFTRUNCATE SNF x 20 10 0
 SNIFFER-IP-RULES SNF x 63 10 0

 Looking at the Sniffer documentation IP test result codes

 http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
 it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
 SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
 

I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (s many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
 However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
 which are documented here:
 http://www.armresearch.com/support/articles/software/snfServer/core.jsp

 1. It seems to me

RE: [Declude.JunkMail] Statistic programs for Junkmail

2010-05-01 Thread Andy Schmidt
I happen to run Invariant Software's Declude Analyzer (for Declude Virus
and Declude Spam).

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Dodell
Sent: Saturday, May 01, 2010 12:39 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Statistic programs for Junkmail

Curious what programs everyone is using to generate the nice reports showing
what Junkmail tests are being activated?

Thanks

David




RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

2010-05-01 Thread Andy Schmidt
Hi Pete,

 

Funny - our messages overlapped. But I'm glad I was on the right track with
my suspicions. Hopefully this will help Declude to refine things.

 

 a better way to do it would be to scale the result so that from 0 to -1
the negative weight (let's pick a 

factor of 5) would rise linearly from 0 to -5 and similarly a positive going
reputation would scale linearly from 0 to +5 as the API result scaled from 0
to +1. 

 

Right - that's the same scheme I just pointed out to Dave myself - except in
my case you could pick a distinct factor for the - vs. the + side of the
scale (because Declude already has that option anyhow)

 

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or
Neg]WeightFactor = Final Weight

 

For this line in the Declude config:

 

IPREPUTATION SNFIPREP x 0 2 -1

 

it would result in weights between +20 and -10, e.g.:

 

Reputation 0.0: ( ( 0.0 * 10 ) - 0 ) * 2   =   0

 

Reputation 0.3: ( ( 0.3 * 10 ) - 0 ) * 2   =   6

Reputation 1.0: ( ( 1.0 * 10 ) - 0 ) * 2   =  20

  

Reputation -0.3: ( ( 0.3 * 10 ) - 0 ) * -1 =   -3

Reputation -1.0: ( ( 1.0 * 10 ) - 0 ) * -1 = -10

 

 

Here's an important question, though:

 

Do you have a distribution chart for the reputation scale? It of course
makes a HUGE difference, whether the distribution of reputations reported for
the inflow of email is evenly distributed between -1.0 and 0.1, or whether
it is a bell curve where 80% are in the center area, or whether it's some
sort of exponential curve that has very few with good reputation, a modest
amount around the 0 point, and then exponentially increasing towards the bad
and turn reputations?

 

This way one could decide what factors to use for the + and - sides and
where to set the mid point (Declude allows you to shift the mid-point left
and right).

 

> I'm guessing on how that test is implemented, but if I've guessed
> correctly then -0.8 would certainly be a good WHITE set point.

 

Thank you - that means in their default (sample) config file, they really
should adjust the midpoint away from 0 to -8 (they multiply the
reputation scale by 10 to be able to work with integers) 

 

IPREPUTATION  SNFIPREP  x  0  2   -1

 

probably to

 

IPREPUTATION   SNFIPREP   x -8  2 -1

 

but I'd have to check with Dave to see if -8 will indeed set the midpoint
to -0.8 or if the sign has to be reversed.

 

Thanks for taking the time to help all of us understand Sniffer in the
context of the Declude integration.

 

I'm very happy that Declude took the time and integrated the product. I just
would like to make sure it comes with an implementation sample that is a
good enough compromise for day-to-day use.

 

Best Regards,

Andy

 

 

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for white listing

 

On 4/30/2010 9:32 PM, Andy Schmidt wrote:

snip/

> But your documentation of the reputation system has a graph that shows that
> there is yet another category: WHITE.

I don't know the details of Declude's implementation. Presumably they
could (or maybe even do) implement WHITE.

> The SNFIPREP test does offer the ability to define at what decimal value
> (between -1 and +1, in .1 increments) a weight can be subtracted. But the
> question is - is that SENSIBLE use of your reputation database? Per example,
> could -0.8 be a sensible threshold to give an email credit for coming from
> a reputable IP source?

I'm guessing on how that test is implemented, but if I've guessed
correctly then -0.8 would certainly be a good WHITE set point.

My guess is based on using a combined score value from the IP reputation
that combines the confidence figure and the probability figure. In that
case only a strongly negative p coupled with a strong c would result in
a -0.8.

> Or is it better to let the good reputation be considered AFTER the content
> scan and then use the combined exit code?

As I understand it Declude uses a weighting system --- except for some
short-circuit abilities that means all tests are run, their scores are
added together, and then the total is used to determine the disposition
of the message. I don't think there is an 'AFTER' in this case.

The IP reputation test is useful in cases where a message might be too
new to hit a pattern match and where the IP reputation is not quite
strong enough to be in one of the GBUdb envelopes. In such a case it
might be useful to combine the 'analog' reputation score with the scores
from other tests to push the message over the fence one way or
another... at least that's how the test was designed to work in the API
we provide.

It sounds like you're describing the IP Reputation test as having
thresholds

FW: [Declude.JunkMail] SNFIP option for WHITE?

2010-05-01 Thread Andy Schmidt
Dave,

Pete confirmed that in addition to the Caution, Black and Truncate
categories, there is a WHITE category (which was also mentioned in the
Sniffer documentation).

So, it seems as if besides the existing three SNFIP options:

  SNFIPCAUTION   SNFIP x 4  5 0
  SNFIPBLACK SNFIP x 5 10 0
  SNFIPTRUNCATE  SNFIP x 6 10 0

there should/could be a:

  SNFIPWHITE SNFIP x ??? -5 0

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for white listing

> But your documentation of the reputation system has a graph that shows that
> there is yet another category: WHITE.

I don't know the details of Declude's implementation. Presumably they
could (or maybe even do) implement WHITE.








RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Andy Schmidt
It's looking very promising!

 

1.   So far, it detects about 10% as SPAM in emails that SORBS, SPAMCOP,
SpamHaus Zen and BRBL have let through.

 

2.   In that, it does 20 times better than the total of these AHBL
tests:

 

DNS A RR 127.0.0.2: Open Relay

DNS A RR 127.0.0.3: Open Proxy

DNS A RR 127.0.0.4: Spam Source

DNS A RR 127.0.0.5: Provisional Spam Source Listing block (will be removed
if spam stops)

DNS A RR 127.0.0.6: Formmail Spam

DNS A RR 127.0.0.9: End User (non mail system)

DNS A RR 127.0.0.14: Compromised System: DDoS

DNS A RR 127.0.0.15: Compromised System: Relay

DNS A RR 127.0.0.16: Compromised System: Autorooter/Scanner

DNS A RR 127.0.0.17: Compromised System: Worm or mass mailing virus

DNS A RR 127.0.0.18: Compromised System: Other virus

DNS A RR 127.0.0.127: Other

 

and 12 times better than the total of these NJABL tests:

 

NJABL: DNS A RR 127.0.0.2. Open relays and known spam sources.

NJABLDUL: DNS A RR 127.0.0.3. Dial-up/dynamic IP ranges.

NJABLSOURCES: DNS A RR 127.0.0.4. Lists spam sources. Will include
commercial spammers, direct-to-MX, and proxies. IP ranges will be added only
if they can be identified with the spammer. 

NJABLMULTI: DNS A RR 127.0.0.5. Lists multi-stage open relays. Will notify
the appropriate NIC one week in advance of listing, to allow them to correct
the problem.

NJABLFORMMAIL: DNS A RR 127.0.0.8. Lists servers with insecure formmail
scripts.

NJABLPROXIES: DNS A RR 127.0.0.9. Lists open proxy servers.

 

3.   I don't have a big enough sample, but an EARLY trend is indicating
that it possibly significantly cuts the amounts of email that Sniffer still
has to scan.

 

4.all of the TXT records say GBUdb Cloud Truncate c  0.2, p 
0.9 

 

Thanks - so there ARE TXT records. This way I can configure to pick those up
(even if they are generic right now)

 

5.When we bring the gbudb.com site online we will explain how the
IPs are listed. We may develop a link mechanism to look up specific data on
each IP after a time.

 

Thanks, specially the first part (a static page explaining the listing
method/policy - and that de-listing is automatic once spam stops) will be
important so that we can include that link in 5.7.1 rejection string. Don't
want to have to start answering individual inquiries.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 4:49 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

On 4/29/2010 10:06 PM, Andy Schmidt wrote: 

Thanks - I activated it in my gateway and will report back after a day or
so.

Question:

Does it have TXT records that holds additional info that can be returned in
the 5.7.1 message to the sender?


Right now all of the TXT records say GBUdb Cloud Truncate c  0.2, p  0.9
As we continue to develop this that may change to provide other (better?)
information.




Is there a lookup URL that can be included in the 5.7.1 message that people
can use to learn about your service, learn about the listing/de-listing
policy (and determine the status of their IP address in case of a false
positive)?


When we bring the gbudb.com site online we will explain how the IPs are
listed. We may develop a link mechanism to look up specific data on each IP
after a time.

As for listing and de-listing -- that is automatic and is generally
described in the Message Sniffer documentation about GBUdb. If the general
population of Message Sniffer nodes are reporting that a message source
produces virtually nothing but spam then it will be listed. If those reports
go away or their character changes then the listing will change also - and
fairly quickly: days if traffic for the IP disappears; hours or perhaps
minutes if the character of the traffic from the source changes.

Best,

_M



RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION SNFIPREP and I
was simply working off an earlier copy.

 

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to IPREPUTATION SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK      SNFIP   x   5   10  0

IPREPUTATION    SNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of 5 -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add 20 when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the SNF test have some way to configure ONE line for nonzero to
create a baseline weight, and then just add SNF tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy
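
The SNFIPREP arithmetic from this thread as an added example (not Declude's or Message Sniffer's code): the three-valued scoring David Barker describes, the linear scaling Andy Schmidt proposes, and the total the sample configuration gives one message when several IP tests fire together. Assumptions: the last two fields of a test line are the weight on a match and the weight otherwise, the scaled reputation is truncated toward zero before the basepoint is subtracted, the sample message is constructed, and all function names are hypothetical.

```python
import math

# Declude sample configuration lines as quoted in this thread.
SAMPLE_CONFIG = """\
IPREPUTATION      SNFIPREP  x  0   10  -5
SNFIPCAUTION      SNFIP     x  4   5   0
SNFIPBLACK        SNFIP     x  5   10  0
SNFIPTRUNCATE     SNFIP     x  6   10  0
SNFTRUNCATE       SNF       x  20  10  0
SNIFFER-IP-RULES  SNF       x  63  10  0
"""


def parse_config(text):
    """Split 'NAME TYPE x PARAM WEIGHT NOT_WEIGHT' lines into dicts."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0].startswith("#"):
            continue  # skip blanks, comments and lines of another shape
        name, kind, _unused, param, weight, not_weight = fields
        tests.append({"name": name, "type": kind, "param": int(param),
                      "weight": int(weight), "not_weight": int(not_weight)})
    return tests


def step_weight(reputation, basepoint, pos_weight, neg_weight):
    """Three-valued scoring: (SNIFFER RETURN) x 10 - (BASEPOINT) = Result.

    Assumption: the scaled reputation is truncated toward zero before the
    basepoint is subtracted (this matches the 0.267262 rows in the thread).
    """
    result = math.trunc(reputation * 10) - basepoint
    if result > 0:
        return pos_weight
    if result < 0:
        return neg_weight
    return 0


def linear_weight(reputation, basepoint, pos_factor, neg_factor):
    """Proposed scheme: ((abs(reputation) * 10) - base) * pos/neg factor."""
    factor = pos_factor if reputation >= 0 else neg_factor
    return (abs(reputation) * 10 - basepoint) * factor


def zero_fraction(basepoint=0, steps=1000):
    """Share of evenly spaced reputations in [-1, +1] that score 0."""
    grid = [i / steps for i in range(-steps, steps + 1)]
    zeros = sum(1 for r in grid if step_weight(r, basepoint, 10, -5) == 0)
    return zeros / len(grid)


def total_weight(tests, results):
    """Add up the weights one message collects.

    results maps a test type (SNF, SNFIP, SNFIPREP) to the value Sniffer
    returned for the message. Returns (total, names of nonzero tests).
    """
    total, fired = 0, []
    for test in tests:
        value = results[test["type"]]
        if test["type"] == "SNFIPREP":
            weight = step_weight(value, test["param"],
                                 test["weight"], test["not_weight"])
        else:  # exit-code tests: weight on a match, not_weight otherwise
            matched = value == test["param"]
            weight = test["weight"] if matched else test["not_weight"]
        if weight:
            total += weight
            fired.append(test["name"])
    return total, fired


# Constructed message: an IP in the Truncate range, reported through all
# three test types at once (the overlap case raised in the thread).
CONSTRUCTED_RESULTS = {"SNF": 20, "SNFIP": 6, "SNFIPREP": 0.95}

if __name__ == "__main__":
    tests = parse_config(SAMPLE_CONFIG)
    print(total_weight(tests, CONSTRUCTED_RESULTS))
    for rep in (-1.0, -0.3, 0.0, 0.05, 0.3, 1.0):
        print(rep, step_weight(rep, 0, 10, -5), linear_weight(rep, 0, 2, -1))
    print("share of range scoring 0:", round(zero_fraction(), 3))
```
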




RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread Andy Schmidt
Thanks for clearing up that it doesn't work for the 2nd variable (I'm aware
that it is an internal and not an external test, and that it is the SECOND
variable, and that it only executes once, etc.)

 

As a suggestion, you might consider enabling the nonzero option for the
second variable as well. The reasons for preferring one nonzero exit code
of (currently 18) individual exit codes are

 

a)  The config file will be more compact,

b)  Fewer lines mean fewer chances of errors/omissions

c)   No need to keep worrying about missing the announcement for a new
exit code whenever Peter decides to extend the list 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL  SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David




RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?

2010-04-30 Thread Andy Schmidt
Speed (and stability) and additional test options.

 

The external test runs as a command line, each email is a new instance that
needs an environment to be instantiated and later broken down. On top of
that, it burns up some of that not-well documented heap memory for command
line programs - which CAN cause stability problems in some problems if one
runs several command line tools in Declude (although there are some registry
settings in Windows to allocate some extra heap).

 

The internal test offers additional tests (such as the reputation test) and
other IP based tests that the external test does not - and it runs as part
of Declude (not by starting another  command line session for each email).

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Jim
Comerford
Sent: Friday, April 30, 2010 12:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

So what's the difference between the SNIFFER test as Internal vs External?
Is one faster than the other?  Assuming you did not want to check the
individual tests (ie SNIFFER-TRAVEL) is there an advantage to using one over
the other?

 

Internal:

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL  SNF   x   47   12   0

 

External 

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   12   0

 

-Jim

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL  SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION SNFIPREP and I
was simply working off an earlier copy.

 

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to IPREPUTATION SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Andy Schmidt
It is - and I agree with you!

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, April 30, 2010 12:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

Is the result code really 127.0.0.1?  That is totally non-standard.  It
should be 127.0.0.2 or higher.

Matt


On 4/30/2010 11:31 AM, Nick Hayer wrote: 

you can test the bl directly with nslookup, to see what Declude is doing
turn on debug log level.

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 

  _  

From: Michael Cummins  mailto:mich...@i-magery.com
mich...@i-magery.com
Sent: Friday, April 30, 2010 11:20 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

That's odd.  This is what I already configured it for on my first guess:

 

TRUNCATE-GBUDB  IP4R  truncate.gbudb.net  127.0.0.120

 

But I haven't gotten any hits yet.

 

Is there any way to test this from a command prompt, like you can with the
invaluement RBLs and nslookup?

 

- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 

  _  

From: Michael Cummins  mailto:mich...@i-magery.com
mich...@i-magery.com
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Hi Pete,

I'm looking over Declude's recommended Sniffer configuration and trying to
understand how much overlap there is between these options:

IPREPUTATION      SNFIPREP  x   0   10  -5

SNFIPCAUTION      SNFIP     x   4   5   0
SNFIPBLACK        SNFIP     x   5   10  0
SNFIPTRUNCATE     SNFIP     x   6   10  0

SNFTRUNCATE       SNF       x   20  10  0
SNIFFER-IP-RULES  SNF       x   63  10  0

Looking at the Sniffer documentation IP test result codes
http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.

However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
which are documented here:
http://www.armresearch.com/support/articles/software/snfServer/core.jsp

1. It seems to me, as if their SNFTRUNCATE is the same as their
SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
effectively artificially inflating (doubling) the weights for these tests?

2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
There, any reputation > 0 (up to 1) is given an extra weight of 10. But
doesn't SNFIPREP report from the same reputation data as the SNFIP (and
possibly even group result codes 20 and 63)? In other words, are those IP
addresses that generate a reputation factor of > 0 ALSO reported as
Caution/Black or Truncate - if so, we'd now TRIPLE count that score.

Best Regards,
Andy







RE: [Declude.JunkMail] Sniffer Integration - Multiple Exit Codes

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

> Also even though there are multiple entries the test only runs once and
> the resulted exit code is the triggered.

I know that all 18 SNF rule lines only require one invocation of Sniffer -
which are then evaluated 18 different way. Fair enough.

I also know that the 3 SNFIP rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the SNFIPREP rule.

 

So I need to clarify this in my head. Will all 22 SNF. rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREP) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GBUdb) and SNFIP (which also evaluates the
GBUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GBUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312   0

SNIFFER-TRAVEL  SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code
nonzero?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read IPREPUTATION SNFIPREP and I
was simply working off an earlier copy.

 

For the SNF test type, is there a way to have a global match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER   external   nonzero   D:\IMAIL\Declude\SNF\SNFClient.exe   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP  please update this to IPREPUTATION SNFIPREP
x   0   10  -5 this should be the default.

 

SNFIPREP  represents a scale of   -1- 0 - 1  when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered Good
if the result is to the left or Bad if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Thanks Pete - that confirms what I feared.

Declude's own sample should NOT be used as is because it duplicates the IP
results (at minimum)

> The SNFIPREP test gives you a variable weight based on the IP reputation
> in GBUdb. This allows you to get some weighting positively or negatively
> based on the reputation even when that reputation is not in one of the
> defined GBUdb envelopes.

Yes - according to Dave's explanation earlier today, Declude will get a
decimal number between -1 and +1. Their Sample/Default configuration treats
0 as normal, treats anything negative as GOOD (and subtracts 5 points)
and anything positive as BAD (and adds 10 points).

So - even though Sniffer returns information on a very graduated scale,
Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10%
of the range - 90% of the range returns either -5 or 10.

 I presume that even when SNFIP does return Caution, Black, or Truncate
that SNFIPREP continues to work and in that case will provide some shading
to those values... so, if you will, more or less Black, etc.

Based on Dave's explanation, Caution, Black and Truncate would
certainly always return a value > 0. Consequently, 10 would ALWAYS be
added to the weight for those 3 reputations.

Their default example basically TRIPLES the 10 weight that is assigned in
many cases (once for SNFIP, once for SNFIPREP, and once for SNF).

Let's see if Dave chips in - but it certainly seems to me that Declude's
Sniffer sample/default config should NOT be used (because it doesn't do what
an innocent user might expect).  It's not at all clear that after all
their Sniffer rules, 30 would be added to the weight in several cases.



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
 Hi Pete,

 I'm looking over Declude's recommended Sniffer configuration and trying to
 understand how much overlap there is between these options:

 IPREPUTATION      SNFIPREP  x   0   10  -5

 SNFIPCAUTION      SNFIP     x   4   5   0
 SNFIPBLACK        SNFIP     x   5   10  0
 SNFIPTRUNCATE     SNFIP     x   6   10  0

 SNFTRUNCATE       SNF       x   20  10  0
 SNIFFER-IP-RULES  SNF       x   63  10  0

 Looking at the Sniffer documentation IP test result codes

 http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
 it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
 SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.


I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (s many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
 However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
 which are documented here:
 http://www.armresearch.com/support/articles/software/snfServer/core.jsp

 1. It seems to me, as if their SNFTRUNCATE is the same as their
 SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
 effectively artificially inflating (doubling) the weights for these tests?


Yes -- if you have them configured that way. Some of the results
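
The weight stacking Andy describes, worked through on the six test lines quoted in this thread; this is an added example, not Declude's code. The column meanings (result code or BASEPOINT, weight when triggered, weight otherwise), the round-down step in the SNFIPREP formula and the message scenarios are assumptions drawn from the explanations in the thread, and `RuleLine`, `parse_cfg`, `score` and `audit` are hypothetical names.

```python
import math
from dataclasses import dataclass

# Test lines as quoted in the thread (Declude's recommended Sniffer sample).
SAMPLE_CFG = """\
IPREPUTATION      SNFIPREP  x   0   10  -5
SNFIPCAUTION      SNFIP     x   4   5   0
SNFIPBLACK        SNFIP     x   5   10  0
SNFIPTRUNCATE     SNFIP     x   6   10  0
SNFTRUNCATE       SNF       x   20  10  0
SNIFFER-IP-RULES  SNF       x   63  10  0
"""

# Constructed scenarios: (SNFIP code, SNF code, SNFIPREP value between -1 and +1).
# The code pairs follow the thread (SNFIP 4/5/6 alongside SNF 40/63/20);
# 0 stands for "no listed code returned" and is an assumption of this example.
SCENARIOS = {
    "truncate-range IP": (6, 20, 0.9),
    "black-range IP": (5, 63, 0.6),
    "caution-range IP": (4, 40, 0.3),
    "well-reputed IP": (0, 0, -0.5),
}


@dataclass(frozen=True)
class RuleLine:
    name: str
    kind: str     # SNFIPREP, SNFIP or SNF
    param: int    # result code to match; BASEPOINT for SNFIPREP
    w_hit: int    # weight when the test triggers
    w_miss: int   # weight when it does not (negative result for SNFIPREP)


def parse_cfg(text):
    """Parse 'NAME TYPE x PARAM WEIGHT WEIGHT' lines into RuleLine objects."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        name, kind, _unused, param, w_hit, w_miss = fields
        rules.append(RuleLine(name, kind.upper(), int(param), int(w_hit), int(w_miss)))
    return rules


def snfiprep_weight(rule, reputation):
    """(SNIFFER RETURN) x 10 - (BASEPOINT) = Result, as explained in the thread."""
    # Rounding down to an integer is an assumption of this example.
    result = math.floor(reputation * 10 - rule.param)
    if result > 0:
        return rule.w_hit
    if result < 0:
        return rule.w_miss
    return 0  # "Not Triggered"


def score(rules, snfip_code, snf_code, reputation):
    """Return (total weight, [(test name, weight), ...]) for one message."""
    returned = {"SNFIP": snfip_code, "SNF": snf_code}
    total, contributions = 0, []
    for rule in rules:
        if rule.kind == "SNFIPREP":
            weight = snfiprep_weight(rule, reputation)
        elif rule.kind in returned:
            weight = rule.w_hit if returned[rule.kind] == rule.param else rule.w_miss
        else:
            raise ValueError(f"unknown test type {rule.kind!r}")
        if weight:
            contributions.append((rule.name, weight))
        total += weight
    return total, contributions


def audit(rules, scenarios):
    """Score every scenario and flag those where several tests add weight."""
    report = {}
    for label, (snfip_code, snf_code, reputation) in scenarios.items():
        total, contributions = score(rules, snfip_code, snf_code, reputation)
        stacked = sum(1 for _, w in contributions if w > 0) > 1
        report[label] = {"total": total, "tests": contributions, "stacked": stacked}
    return report


if __name__ == "__main__":
    for label, row in audit(parse_cfg(SAMPLE_CFG), SCENARIOS).items():
        flag = "  <-- IP reputation counted more than once" if row["stacked"] else ""
        print(f"{label:18} total={row['total']:>3}  {row['tests']}{flag}")
```
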

RE: [Declude.JunkMail] Sniffer IP Reputation for white listing

2010-04-30 Thread Andy Schmidt
Hi Pete, 

Other question. 

The SNFIP tests return Caution or Black or Caution.
And the SNF client exit codes also have Truncate/Black.

But your documentation of the reputation system has a graph that shows that
there is yet another category: WHITE.

I don't see this represented as an SNFIP or SNF rule? Any reason why WHITE
was left out?

The SNFIPREP test does offer the ability to define at what decimal value
(between -1 and +1, in .1 increments) a weight can be subtracted. But the
question is - is that SENSIBLE use of your reputation database? For example,
could -0.8 be a sensible threshold to give an email credit for coming from
a reputable IP source?

Or is it better to let the good reputation be considered AFTER the content
scan and then use the combined exit code?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
 Hi Pete,

 I'm looking over Declude's recommended Sniffer configuration and trying to
 understand how much overlap there is between these options:

 IPREPUTATION      SNFIPREP  x   0   10  -5

 SNFIPCAUTION      SNFIP     x   4   5   0
 SNFIPBLACK        SNFIP     x   5   10  0
 SNFIPTRUNCATE     SNFIP     x   6   10  0

 SNFTRUNCATE       SNF       x   20  10  0
 SNIFFER-IP-RULES  SNF       x   63  10  0

 Looking at the Sniffer documentation IP test result codes

 http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
 it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
 SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.


I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (s many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
 However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
 which are documented here:
 http://www.armresearch.com/support/articles/software/snfServer/core.jsp

 1. It seems to me, as if their SNFTRUNCATE is the same as their
 SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
 effectively artificially inflating (doubling) the weights for these tests?


Yes -- if you have them configured that way. Some of the results are 
predictable.

If SNFIP is Black or Caution then you are virtually guaranteed to get a 
Black or Caution result from SNF -- Unless SNF matches a pattern in 
which case you will get a pattern result code from the SNF test.

If SNFIP is Truncate then SNF should also return Truncate.

The weights you assign to these should be set accordingly.

 2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
 There, any reputation > 0 (up to 1) is given an extra weight of 10. But
 doesn't SNFIPREP report from the same reputation data as the SNFIP (and
 possibly even group result codes 20 and 63)? In other words, are those IP
 addresses that generate a reputation factor of > 0 ALSO reported as
 Caution/Black or Truncate - if so, we'd now TRIPLE count that score.


That's not quite true...

I presume the SNFIPREP test uses a sliding numeric value that combines 
the probability factor and the confidence

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-29 Thread Andy Schmidt
Thanks - I activated it in my gateway and will report back after a day or
so.

Question:

a)  Does it have TXT records that holds additional info that can be
returned in the 5.7.1 message to the sender?

b)  Is there a lookup URL that can be included in the 5.7.1 message that
people can use to learn about your service, learn about the
listing/de-listing policy (and determine the status of their IP address in
case of a false positive)?

Best Regards,

Andy

 


From: Pete McNeil madscient...@microneil.com
Sent: Thursday, April 29, 2010 5:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net


Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M



---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.




RE: [Declude.JunkMail] Sniffer Integration

2010-04-29 Thread Andy Schmidt
Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK    SNFIP   x   5   10  0

IPREPUTATION  SNFIP   x   5   10  -5




It seems to me as if BOTH lines test the SAME Sniffer return code of 5 -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add 20 when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER  external  nonzero  D:\IMAIL\Declude\SNF\SNFClient.exe  10  0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the SNF test have some way to configure ONE line for nonzero to
create a baseline weight, and then just add SNF tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD IPNOSCAN for IMail

JM  ADD Add a new directive POSTINIFIX uses either ON or OFF in the
declude.cfg file. Postini is a large managed email service which amends the
header structure. The Postini fix helps Declude correctly identify
Postini headers. To configure use POSTINIFIX ON

JM  ADD Add the Recipient, mailfrom and subject information to the
blklst.txt file. The format blklst.txt file is

 
Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM  ADD IPBYPASS can be configured with CIDR

JM  ADD New Header directive XWHITELIST ON in the global.cfg
will give the reason for why the email was WHITELISTED in the header of the
email.

JM  ADD Integrated Message Sniffer with Declude. Will use Declude
rulebase. (If you are a current Message Sniffer user this does not apply to
you unless you want to switch and use the Declude rulebase) To
configure the SNF files need to be edited by the user, where the [PATH] needs
to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file

<log path='[PATH]\declude\scanners\SNF\'/>

<rulebase path='[PATH]\declude\scanners\SNF\'/>

<workspace path='[PATH]\declude\scanners\SNF\'/>

<update-script on-off='on'
call='[PATH]\declude\scanners\SNF\getRulebase.cmd' guard-time='180'/>

Global.cfg

SNFIPCAUTION         SNFIP  x  4   5   0
SNFIPBLACK           SNFIP  x  5   10  0
SNFIPTRUNCATE        SNFIP  x  6   10  0

IPREPUTATION         SNFIP  x  5   10  -5

SNIFFER-TRAVEL       SNF    x  47  10  0
SNIFFER-INSURANCE    SNF    x  48  10  0
SNIFFER-AV-PUSH      SNF    x  49  10  0
SNIFFER-WAREZ        SNF    x  50  10  0
SNIFFER-SPAMWARE     SNF    x  51  10  0
SNIFFER-SNAKEOIL     SNF    x  52  12  0
SNIFFER-SCAMS        SNF    x  53  10  0
SNIFFER-PORN         SNF    x  54  10  0
SNIFFER-MALWARE      SNF    x  55  10  0
SNIFFER-ADVERTISING  SNF    x  56  10  0
SNIFFER-SCHEME       SNF    x  57  10  0
SNIFFER-CREDIT       SNF    x  58  10  0
SNIFFER-GAMBLING     SNF    x  59  10  0
SNIFFER-GENERAL      SNF    x  60  10  0
SNIFFER-SPAM         SNF    x  61  10  0
SNIFFER-OBFUSCATION  SNF    x  62  10  0
SNIFFER-IP-RULES     SNF    x  63  10  0

SNFTRUNCATE          SNF    x  20  10  0


EVA FIX Fix for Virus test not catching the eicar test due to e-mail
formatting

HJ  ADD 

[Declude.JunkMail] CommTouch False Positive

2010-02-19 Thread Andy Schmidt
Hi,

 

How do I go about reporting ZeroHour false positives?

 

For the past few days, one of my clients has been trying to email a (legitimate) 
ZIP file with a DLL that keeps getting blocked by CommTouch.

 

How do I submit these D/Q files to get this problem fixed?

 

Best Regards,

Andy





[Declude.JunkMail] AllLists.DAT in RAR Format?

2010-02-19 Thread Andy Schmidt
Hi,

 

Obviously, I know that I can download third party tools to “unrar” the file – 
but I REALLY hate nothing more than cluttering up production systems with 
unnecessary shareware/freeware.

 

Windows has built-in ZIP support (“compressed folders”).  Is there any 
justification to pick a NON compatible format for compressing the all-lists.dat 
file?

 

If it was compressed using the native Windows format (considering that Declude 
is a Windows application), the file could be used instantly!

 

Best Regards,

Andy





RE: [Declude.JunkMail] CommTouch False Positive

2010-02-19 Thread Andy Schmidt
Thanks – done.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, February 19, 2010 11:35 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch False Positive

 

You can send us at supp...@declude.com the X-Declude-RefID: and we can report 
it to Commtouch. 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, February 19, 2010 11:19 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] CommTouch False Positive

 

Hi,

 

How do I go about reporting ZeroHour false positives?

 

For the past few days, one of my clients has been trying to email a (legitimate) 
ZIP file with a DLL that keeps getting blocked by CommTouch.

 

How do I submit these D/Q files to get this problem fixed?

 

Best Regards,

Andy




RE: [Declude.JunkMail] AllLists.DAT in RAR Format?

2010-02-19 Thread Andy Schmidt
Thanks Dave, I appreciate that. I’ve zipped hundreds of megabytes – so I don’t 
think this is going to be an issue.

 

Generally, life is hard enough – it’s nice if I don’t have to worry about 
monitoring even more vendors/authors about vulnerabilities, security fixes, 
version updates etc to various freeware products.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, February 19, 2010 12:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] AllLists.DAT in RAR Format?

 

No justification other than I was working with RAR because it does not have the 
size limitations of ZIP.  Anyways it is now a .zip 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, February 19, 2010 11:22 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] AllLists.DAT in RAR Format?
Importance: High

 

Hi,

 

Obviously, I know that I can download third party tools to “unrar” the file – 
but I REALLY hate nothing more than cluttering up production systems with 
unnecessary shareware/freeware.

 

Windows has built-in ZIP support (“compressed folders”).  Is there any 
justification to pick a NON compatible format for compressing the all-lists.dat 
file?

 

If it was compressed using the native Windows format (considering that Declude 
is a Windows application), the file could be used instantly!

 

Best Regards,

Andy




[Declude.JunkMail] Conditional Whitelist - Good Use of SPF!

2010-01-20 Thread Andy Schmidt
Hi,

 

Despite all the shortcomings of SPF, there may be one GOOD use:

 

Every once in a while I receive requests to whitelist certain sender email
addresses or domains - then I explain that we don't like to do that because
it would allow any spam that PRETENDS to come from that domain to pass.

 

What WOULD be a good feature, would be an SPF based domain whitelist!

 

It would be a conditional whitelist of senders that will ONLY be applied, if
SPF for that domain PASSES. 

 

Best Regards,

Andy

 

 




RE: [Declude.JunkMail] Conditional Whitelist - Good Use of SPF!

2010-01-20 Thread Andy Schmidt
A true WHITELIST would mean that:

a) it could skip over all the other tests right from the start
b) it would work even if you have some tests that DELETE emails!

Your scheme would not prevent emails from being killed outright by Sniffer
or similar content tests.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dean
Lawrence
Sent: Wednesday, January 20, 2010 9:24 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Conditional Whitelist - Good Use of SPF!

Andy,

Since there is already an SPF Pass, Fail, and Neutral result, couldn't
you just create a rule that if the sender passes SPF that you apply a
large negative point value? Then you could apply that rule to only the
domains that you want to whitelist.

Dean

On Wed, Jan 20, 2010 at 8:47 AM, Andy Schmidt
andy_schm...@hm-software.com wrote:
 Hi,



 Despite all the shortcomings of SPF, there may be one GOOD use:



 Every once in a while I receive requests to whitelist certain sender email
 addresses or domains - then I explain that we don't like to do that because
 it would allow any spam that PRETENDS to come from that domain to pass.



 What WOULD be a good feature, would be an SPF based domain whitelist!



 It would be a conditional whitelist of senders that will ONLY be applied, if
 SPF for that domain PASSES.



 Best Regards,

 Andy








-- 
__
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists





RE: [Declude.JunkMail] Release 4.10.42

2010-01-04 Thread Andy Schmidt
Happy New Year:

 

Can you elaborate on the Sniffer implementation please?

 

a)   Is the annual cost of Sniffer now included with Declude? 

b)   If we have no custom rule-base, there would be no reason not to
use the Declude rule-base?

c)   What's the technical implementation of the SNF and SNFIP
directives? In the past, this was a command line launch of the Sniffer.exe
from Declude. Have you implemented this as a call to their API DLL directly
from within Declude? If so, one would expect better performance and
reliability - making it another reason to switch?

d)   Can we use the new SNF and SNFIP directives - but still use our own
rulebase, if we choose to?

 

Can you elaborate on IPNOSCAN please?

 

Finally, POSTINIFIX is a poor name for that directive, since it has
absolutely nothing to do with Postini - the problem has existed for a long
time. I think in November we had all determined that the problem was an
age-old problem with Declude correctly parsing valid (standards compliant)
Received headers that contain more than one IP address. 

 

According to the standard it seems perfectly VALID for a single RECEIVED
header to contain TWO IP addresses, one in the FROM clause and one in the BY
clause? Obviously, Declude would need to inspect the IP address in the
FROM clause and ignore any IP addresses that it encounters in/after the
BY clause?

 

I think retiring the postinifix name and picking a more general directive
name 'RcvHdrFix' would avoid that people leave this turned off just because
they are not using Postini.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD IPNOSCAN for IMail

JM  ADD Add a new directive POSTINIFIX uses either ON or OFF in the
declude.cfg file. Postini is a large managed email service which amends the
header structure. The Postini fix helps Declude correctly identify
Postini headers. To configure use POSTINIFIX ON

JM  ADD Add the Recipient, mailfrom and subject information to the
blklst.txt file. The format blklst.txt file is

 
Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM  ADD IPBYPASS can be configured with CIDR

JM  ADD New Header directive XWHITELIST ON in the global.cfg
will give the reason for why the email was WHITELISTED in the header of the
email.

JM  ADD Integrated Message Sniffer with Declude. Will use Declude
rulebase. (If you are a current Message Sniffer user this does not apply to
you unless you want to switch and use the Declude rulebase) To
configure the SNF files need to be edited by the user, where the [PATH] needs
to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file

<log path='[PATH]\declude\scanners\SNF\'/>

<rulebase path='[PATH]\declude\scanners\SNF\'/>

<workspace path='[PATH]\declude\scanners\SNF\'/>

<update-script on-off='on'
call='[PATH]\declude\scanners\SNF\getRulebase.cmd' guard-time='180'/>

Global.cfg

SNFIPCAUTION         SNFIP  x  4   5   0
SNFIPBLACK           SNFIP  x  5   10  0
SNFIPTRUNCATE        SNFIP  x  6   10  0

IPREPUTATION         SNFIP  x  5   10  -5

SNIFFER-TRAVEL       SNF    x  47  10  0
SNIFFER-INSURANCE    SNF    x  48  10  0
SNIFFER-AV-PUSH      SNF    x  49  10  0
SNIFFER-WAREZ        SNF    x  50  10  0
SNIFFER-SPAMWARE     SNF    x  51  10  0
SNIFFER-SNAKEOIL     SNF    x  52  12  0
SNIFFER-SCAMS        SNF    x  53  10  0
SNIFFER-PORN         SNF    x  54  10  0
SNIFFER-MALWARE      SNF    x  55  10  0
SNIFFER-ADVERTISING  SNF    x  56  10  0
SNIFFER-SCHEME       SNF    x  57  10  0
SNIFFER-CREDIT       SNF    x  58  10  0
SNIFFER-GAMBLING     SNF    x  59  10  0
SNIFFER-GENERAL      SNF    x

RE: [Declude.JunkMail] Release 4.10.42

2010-01-04 Thread Andy Schmidt
Thanks. I'm very happy to see that you took the time to implement the
Sniffer API directly. That's great!

 

As far as the usage - I'm a little confused. It's using your rule page - but
cost is not included. So where do I specify my Sniffer license information
so that Declude can make sure I'm a licensed Sniffer user? I would have
expected some sort of Global.cfg option where I have to provide my license
ID that the API is then using?

 

Also:

Can you elaborate on IPNOSCAN please?

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 11:38 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

 

Hi Andy,

 

Happy New Year.

 

Is the annual cost of Sniffer now included with Declude? 

 

The cost of Message Sniffer is not included in Declude Service Agreements.

 

If we have no custom rule-base, there would be no reason not to use the
Declude rule-base?

 

Correct, if you have no custom rules you could certainly use the integrated
Message Sniffer which should have better performance as it is integrated.

 

What's the technical implementation of the SNF and SNFIP directives? In
the past, this was a command line launch of the Sniffer.exe from Declude.
Have you implemented this as a call to their API DLL directly from within
Declude? If so, one would expect better performance and reliability -
making it another reason to switch?

 

Yes we use an API call to the Message Sniffer DLL directly from Declude,
which means better performance and reliability as this is no longer an
external call.

 

Can we use the new SNF and SNFIP directives - but still use our own
rulebase, if we choose to?

 

Currently you cannot use your own rulebase with the integrated Declude, if
it is possible to do so in a future release we will work towards this, I
will have to check with Message Sniffer to verify.

 

Finally, POSTINIFIX is a poor name for that directive, since it has
absolutely nothing to do with Postini - the problem has existed for a long
time. I think in November we had all determined that the problem was an
age-old problem with Declude correctly parsing valid (standards compliant)
Received headers that contain more than one IP address. 

 

I agree with you that this is a Declude parsing issue and that POSTINIFIX
was not the best name, however I did not want to delay this release because
of this, this was a resource/time issue rather than a disagreement with the
lists.  The discussions from the list last November were very helpful and
we plan to make the change as suggested.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 mailto:dbar...@declude.com dbar...@declude.com

 

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, January 04, 2010 11:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

 

Happy New Year:

 

Can you elaborate on the Sniffer implementation please?

 

a)   Is the annual cost of Sniffer now included with Declude? 

b)   If we have no custom rule-base, there would be no reason not to
use the Declude rule-base?

c)   What's the technical implementation of the SNF and SNFIP
directives? In the past, this was a command line launch of the Sniffer.exe
from Declude. Have you implemented this as a call to their API DLL directly
from within Declude? If so, one would expect better performance and
reliability - making it another reason to switch?

d)   Can we use the new SNF and SNFIP directives - but still use our own
rulebase, if we choose to?

 

Can you elaborate on IPNOSCAN please?

 

Finally, POSTINIFIX is a poor name for that directive, since it has
absolutely nothing to do with Postini - the problem has existed for a long
time. I think in November we had all determined that the problem was an
age-old problem with Declude correctly parsing valid (standards compliant)
Received headers that contain more than one IP address. 

 

According to the standard it seems perfectly VALID for a single RECEIVED
header to contain TWO IP addresses, one in the FROM clause and one in the BY
clause? Obviously, Declude would need to inspect the IP address in the
FROM clause and ignore any IP addresses that it encounters in/after the
BY clause?

 

I think retiring the postinifix name and picking a more general directive
name 'RcvHdrFix' would avoid that people leave this turned off just because
they are not using Postini.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD

RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Andy Schmidt
Hi Dave, just sent you a zip file - hope it made it past your virus check.

 

It has a few interesting cases to see if your new code picks up the
CORRECT IP address. Always picking the first or the last IP address is
not at all necessarily reliable.

 

Received: from unknown (HELO 192.168.10.1) (72.167.113.99)
  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP;
  04 Nov 2009 08:29:08 -

Received: from 58.92.178.208 ([208.178.92.58]) by
  smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);
  Mon, 2 Nov 2009 10:43:37 -0500

Received: from admd.net ([:::187.3.43.120])
  (AUTH: LOGIN audito...@vazemaia.com.br)
  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200
  id 006788A4.4AF0FAA3.242C

Received: from  (])
  by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8)
  STMP id mzqbrzhqqbq;
  for jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500

Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by
  Mail.Webhost.HM-Software.com with ESMTP
  (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500

Received: from mail.headquarters.qts.local ([192.168.0.103]) by
  mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009
  09:40:05 -0600

Received: from [195.248.173.117] (HELO 192.168.1.75)
  by mail.alkar.net (CommuniGate Pro SMTP 5.2.16)
  with SMTP id 2124311918 for abus...@ultirisk.com; Tue, 03 Nov 2009
  14:58:19 +0200

 

Best Regards,

Andy

 

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, November 05, 2009 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi Andy,

 

Great suggestion. Can you send some full header examples to me directly so

we can review this, if you have the matching pair files even better as we

can use them to test specifically.

 

Thanks

 

David Barker

VP Operations Declude

Your Email security is our business

978.499.2933 office

978.988.1311 fax

dbar...@declude.com

 

 

 

-Original Message-

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy

Schmidt

Sent: Thursday, November 05, 2009 10:50 AM

To: declude.junkmail@declude.com

Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi Dave,

 

You might want to test this new option very carefully!

 

 You could be right, the original Declude code may have had an issue

parsing the second IP. I do not know if this was by design or just bad code.

 

 

I think the explanation/reason was, that Scott was having issues with

RECEIVED Headers where the sender's reverse DNS was set up to point to an

apparent IP address or where the HELO/EHLO string was using an IP address.

He might have encountered RECEIVED headers like this:

 

Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1)

   by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63)

   (envelope-from fredrik.karlb...@jameslist.com)

   id 1N5zih-0005FR-15

   for andy_schm...@hm-software.com; Thu, 05 Nov 2009 10:37:35 +

 

And eventually decided to ignore the first IP address and go for the last

IP address in the first line - or something like that.

 

 

This parsing problem is rather old and reported occasionally. I even recall

this being an issue with spamrouting causing false positives if the header

had more than one IP address - because it would pick up wrong IP addresses

and think the routing was suspicious.

 

 

If I can make a (VERY important) suggestion. Since this clearly is NOT at

all a Postini issue and certainly NOT LIMITED to Postini - how about NOT

giving that feature/directive a totally misleading/inappropriate name:

 

   POSTINIFIXON

 

Example - out of 10 emails in my current inbox, I instantly found THIS

(non-Postini) sample:

 

   Received: from sha-exch9.shared.ifeltd.com ([10.1.20.9]) by

  sha-exch9.shared.ifeltd.com ([10.1.20.9]) with mapi; Thu, 5

Nov 2009 10:36:21 +

 

Calling it PostiniFix implies to people who don't use a Postini gateway,

that they don't need that option. In reality this is an attempt at (finally)

making Declude's Received header parsing RFC-compliant and should be the

default way that Declude works all the time so that spamrouting and other

features pick up the CORRECT ( from clause IP address ) and not get

confused by any optional by clause IP address.

 

If you want to make it an option (that probably should default to ON if
omitted), I would suggest naming it something like:

 

   USEFROMCLAUSEIP  ON

 

or

 

   IGNOREBYCLAUSEIP ON

 

depending on how your new parsing logic is set up (I would look for the 'BY'

clause, if any, and then parse the IP addresses prior to the BY clause -

possibly starting from the end - so to mimic

RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Andy Schmidt
Hi Matt,

 

Sorry - but some of these are actually headers inserted by my OWN server. So
they are NOT forged.

 

Most of them are spam, but some of them were even false positives.

 

Best Regards,

Andy

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, November 05, 2009 4:14 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Andy,

One important thing of note here is that the first 5 examples you gave are
in fact forged headers, and the information contained within them is fake
and not at all useful.  While I don't expect Declude to figure out that
these are forged Received headers, one shouldn't worry about how they are
parsed as they can be malformed anyway (as was the case in several examples
shown).

As a good rule of thumb, you de-fold the entire Received header and then
take the data in between the FROM and the BY/WITH/FOR or the end of the
header, whichever appears first, and then take the last bracketed IP value.
If you can't find a bracketed IP value, you should take the last IP shown
(which won't be perfect, but this would not be RFC compliant anyway).

I would guess that this would take a programmer maybe an hour to code up and
test.

Matt




Andy Schmidt wrote: 

Hi Dave, just sent you a zip file - hope it made it past your virus check.

 

It has a few interesting cases to see if your new code picks up the
CORRECT IP address. Always picking the first or the last IP address is
not at all necessarily reliable.

 

Received: from unknown (HELO 192.168.10.1) (72.167.113.99)

  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP;
04 Nov 2009 08:29:08 -

 

Received: from 58.92.178.208 ([208.178.92.58]) by
smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);

 Mon, 2 Nov 2009 10:43:37 -0500

 

Received: from admd.net ([:::187.3.43.120])

  (AUTH: LOGIN audito...@vazemaia.com.br)

  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200

  id 006788A4.4AF0FAA3.242C

 

Received: from  (])

  by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8)
STMP id mzqbrzhqqbq;

  for jul...@websterwatch.com;
Wed, 04 Nov 2009 14:40:40 -0500

 

Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by
Mail.Webhost.HM-Software.com with ESMTP

  (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500

 

Received: from mail.headquarters.qts.local ([192.168.0.103]) by

 mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009

 09:40:05 -0600

 

Received: from [195.248.173.117] (HELO 192.168.1.75)

  by mail.alkar.net (CommuniGate Pro SMTP 5.2.16)

  with SMTP id 2124311918 for abus...@ultirisk.com; Tue, 03 Nov 2009
14:58:19 +0200

 

Best Regards,

Andy

 

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, November 05, 2009 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi Andy,

 

Great suggestion. Can you send some full header examples to me directly so

we can review this, if you have the matching pair files even better as we

can use them to test specifically.

 

Thanks

 

David Barker

VP Operations Declude

Your Email security is our business

978.499.2933 office

978.988.1311 fax

dbar...@declude.com

 

 

 

-Original Message-

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy

Schmidt

Sent: Thursday, November 05, 2009 10:50 AM

To: declude.junkmail@declude.com

Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi Dave,

 

You might want to test this new option very carefully!

 

 You could be right, the original Declude code may have had an issue

parsing the second IP. I do not know if this was by design or just bad code.

 

 

I think the explanation/reason was, that Scott was having issues with

RECEIVED Headers where the sender's reverse DNS was set up to point to an

apparent IP address or where the HELO/EHLO string was using an IP address.

He might have encountered RECEIVED headers like this:

 

Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1)

   by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63)

   (envelope-from fredrik.karlb...@jameslist.com)

   id 1N5zih-0005FR-15

   for andy_schm...@hm-software.com; Thu, 05 Nov 2009 10:37:35 +

 

And eventually decided to ignore the first IP address and go for the last

IP address in the first line - or something like that.

 

 

This parsing problem is rather old and reported occasionally. I even recall

this being an issue with spamrouting causing false positives if the header

had more than one IP address - because it would pick up wrong IP addresses

and think the routing

RE: [Declude.JunkMail] How to Correctly Parse RECEIVED Headers for IP Address

2009-11-05 Thread Andy Schmidt
Hi,

 

Yes, Matt. I concur with your parsing algorithm!

 

Dave - please take notice:

 

So you first throw out all data before the FROM up till the next descriptor
BY/WITH/FOR or end of the header, then you search for square brackets with
an IP inside and nothing else, and take the last value that appears in that
format in the trimmed piece of the Received header.  If you don't get any
result from that, you search for all IP's that are either surrounded by
spaces or parenthesis, and you take the last such value found.  

Note that the delimiters are very important in getting the correct IP. 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, November 05, 2009 5:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

You are right that I messed up on three of these.  The following ones were
definitely entirely forged:

Received: from admd.net ([:::187.3.43.120])
  (AUTH: LOGIN audito...@vazemaia.com.br)
  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200
  id 006788A4.4AF0FAA3.242C

Received: from  (])
  by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8)
STMP id mzqbrzhqqbq;
  for jul...@websterwatch.com;
Wed, 04 Nov 2009 14:40:40 -0500


All but one of the connecting servers in the other 5 examples forged the
HELO value (which is where my brain farted), which some servers don't
properly bracket.

Regardless, my recommendation on how to parse the proper IP would work in
every example except for the forged Received headers above (which is fake
data anyway and should be ignored if at all possible, so that is better).
The problem is that not all servers properly bracket and order the actual
IP, which means that HELO's that come as IP's can be misleading.  This is
why you have to start off with the best method, and if that doesn't produce
results, fall back to another method that is just simply guessing (which is
what Declude actually does now).

So you first throw out all data before the FROM up till the next descriptor
BY/WITH/FOR or end of the header, then you search for square brackets with
an IP inside and nothing else, and take the last value that appears in that
format in the trimmed piece of the Received header.  If you don't get any
result from that, you search for all IP's that are either surrounded by
spaces or parenthesis, and you take the last such value found.  Note that
the delimiters are very important in getting the correct IP.  Also note that
legitimate headers are rare where the IP is neither bracketed nor enclosed at
the boundary with parentheses, but it does happen.

Matt



Andy Schmidt wrote: 

Hi Matt,

 

Sorry - but some of these are actually headers inserted by my OWN server. So
they are NOT forged.

 

Most of them are spam, but some of them were even false positives.

 

Best Regards,

Andy

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, November 05, 2009 4:14 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Andy,

One important thing of note here is that the first 5 examples you gave are
in fact forged headers, and the information contained within them is fake
and not at all useful.  While I don't expect Declude to figure out that
these are forged Received headers, one shouldn't worry about how they are
parsed as they can be malformed anyway (as was the case in several examples
shown).

As a good rule of thumb, you de-fold the entire Received header and then
take the data in between the FROM and the BY/WITH/FOR or the end of the
header, whichever appears first, and then take the last bracketed IP value.
If you can't find a bracketed IP value, you should take the last IP shown
(which won't be perfect, but this would not be RFC compliant anyway).

I would guess that this would take a programmer maybe an hour to code up and
test.

Matt




Andy Schmidt wrote: 

Hi Dave, just sent you a zip file - hope it made it past your virus check.

 

It has a few interesting cases to see if your new code picks up the
CORRECT IP address. Always picking the first or the last IP address is
not at all necessarily reliable.

 

Received: from unknown (HELO 192.168.10.1) (72.167.113.99)

  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP;
04 Nov 2009 08:29:08 -

 

Received: from 58.92.178.208 ([208.178.92.58]) by
smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);

 Mon, 2 Nov 2009 10:43:37 -0500

 

Received: from admd.net ([:::187.3.43.120])

  (AUTH: LOGIN audito...@vazemaia.com.br)

  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200

  id 006788A4.4AF0FAA3.242C

 

Received: from  (])

  by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8)
STMP id mzqbrzhqqbq
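
The parsing rule Matt describes and Andy endorses in this thread, sketched in Python as an added example (not part of the original messages and not Declude's code). The function names are hypothetical, the sample headers are the thread's own, trimmed after the clause of interest and folded with CRLF plus whitespace, and only IPv4 is handled.

```python
import ipaddress
import re

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
# Preferred form: square brackets with an IP inside and nothing else.
BRACKETED = re.compile(r"\[(" + QUAD + r")\]")
# Fallback form: an IP delimited on both sides by whitespace or parentheses.
DELIMITED = re.compile(r"(?<![^\s()])(" + QUAD + r")(?![^\s()])")
FROM_KW = re.compile(r"(?:Received:)?\s*from\s", re.IGNORECASE)
NEXT_KW = re.compile(r"\s(?:by|with|for)\s", re.IGNORECASE)

# Sample headers from the thread (trimmed, re-folded).
POSTINI = ("Received: from source ([209.85.221.110]) by exprod5mx260.postini.com\r\n"
           " ([64.18.4.10]) with SMTP;\r\n Wed, 25 Mar 2009 14:45:20 CDT")
HELO_PAREN = ("Received: from unknown (HELO 192.168.10.1) (72.167.113.99)\r\n"
              "  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP;")
IP_AS_NAME = ("Received: from 58.92.178.208 ([208.178.92.58]) by\r\n"
              " smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);")
NUMERIC_RDNS = ("Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by\r\n"
                " Mail.Webhost.HM-Software.com with ESMTP")
INTERNAL_HOP = ("Received: from mail.headquarters.qts.local ([192.168.0.103]) by\r\n"
                " mail.headquarters.qts.local ([70.99.176.211]) with mapi;")
HELO_AFTER = ("Received: from [195.248.173.117] (HELO 192.168.1.75)\r\n"
              "  by mail.alkar.net (CommuniGate Pro SMTP 5.2.16)")
EXIM = ("Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1)\r\n"
        "   by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63)")
MALFORMED = ("Received: from admd.net ([:::187.3.43.120])\r\n"
             "  by mail4.task.com.br with esmtp;")


def unfold(raw):
    """Join folded continuation lines (CRLF or LF followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).strip()


def from_clause(raw):
    """Return the text between FROM and the first BY/WITH/FOR (or header end)."""
    header = unfold(raw)
    start = FROM_KW.match(header)
    if start is None:
        return None                      # e.g. a "Received: by ..." header
    rest = header[start.end():]
    stop = NEXT_KW.search(rest)
    return rest[:stop.start()] if stop else rest


def _valid(candidates):
    """Keep only strings that are real dotted-quad IPv4 addresses."""
    good = []
    for text in candidates:
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue
        good.append(text)
    return good


def sender_ip(raw):
    """Last bracketed IP in the from clause, else last delimited IP, else None."""
    clause = from_clause(raw)
    if clause is None:
        return None
    for pattern in (BRACKETED, DELIMITED):
        hits = _valid(pattern.findall(clause))
        if hits:
            return hits[-1]
    return None


def naive_last_ip(raw):
    """Contrast case: last IP anywhere in the header, ignoring clauses."""
    hits = _valid(re.findall(QUAD, unfold(raw)))
    return hits[-1] if hits else None


if __name__ == "__main__":
    for name in ("POSTINI", "HELO_PAREN", "IP_AS_NAME", "NUMERIC_RDNS",
                 "INTERNAL_HOP", "HELO_AFTER", "EXIM", "MALFORMED"):
        raw = globals()[name]
        print(f"{name:13} rule={sender_ip(raw)} naive_last={naive_last_ip(raw)}")
```

On the Postini header, the clause-aware rule returns the FROM-clause address while the last-IP shortcut returns the BY-clause address, the two outcomes the thread attributes to the POSTINIFIX directive being on or off.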

RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-04 Thread Andy Schmidt
Hi David:

 

I'm interested to better understand this feature. The line you posted looks
like a legit received header that Postini indeed should add to the top of
the headers when it receives the message from the source?

 

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com
([64.18.4.10]) with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT



Isn't the MX of the recipient domain pointed to Postini's server? So Postini
would be the first received header to be inserted before relaying the
message to the client's internal mail server?

 

It might help if you actually posted what a header looked like before
Postini mangled it and what it looked like after Postini mangled it? I
guess, what I'm not grasping is, who inserted the original header that
Postini has tampered with - if Postini is the domain's MX?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 2:54 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi Scott,

 

Postini is violating RFC 5321: [4.4]

 An Internet mail program MUST NOT change or delete a Received: line that
was previously added to the message header section. SMTP servers MUST
prepend Received lines to messages; they MUST NOT change the order of
existing lines or insert Received lines in any other location. 

Postini is changing the headers received line by adding the additional IP as
the example below.

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com
([64.18.4.10]) with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT

The problem is that a changed received line is an indication of a forged
header and is a flag for a bogus received line (a technique often used by
spammers).  Because of this, the actual IP of the sender is not where it
should be, so we are giving our customers the option:

 

POSTINIFIXON

 

Will identify the sending IP as 209.85.221.110

 

By Default if not present POSTINIFIXOFF 

 

Will identify the sending IP as 64.18.4.10

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Declude 4.9.39 Postini Received Header Fix

2009-11-04 Thread Andy Schmidt
Thanks David for taking the time and helping us gain a better understanding.
Always looking to learn. Although, in this case, I still must be missing
something.

 

To me, the chain of Received Headers looks intact:

 

1.  Mail received from dnsstuff by declude, apparently forwarded to be
relayed to final recipient

 

Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
with SMTP;

   Wed, 30 Sep 2009 11:16:11 -0500

 

2.  Mail handed off to Postini, received by their incoming server:

 

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;

   Wed, 30 Sep 2009 11:16:38 CDT

 

3.  Mail sent from Postini to recipient's mail server (with the clock off by
a few minutes):

 

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net
with SMTP;

   Wed, 30 Sep 2009 12:12:56 -0400

 

Header #1 is created by Declude's server - and appears to be intact?

Header #3 is created by recipient's mail server after Postini was done?

 

Header #2 is created by Postini's mail server - as it should?

 

So I really don't understand where supposedly Postini changed or deleted a
Received header that had been added previously by the Declude server?
Header #2 seems to be a header that was prepended by Postini when it
received the email - just as it should?

 

I then looked up the reference you cited to see if there was anything wrong
with the FORMATTING of Header #2:
http://tools.ietf.org/html/rfc5321#section-4.4

 

Can you tell me where the formatting of header #2 violates which specific
aspect of the RFC?

 

-According to the standard it seems perfectly VALID for a single
RECEIVED header to contain TWO IP addresses, one in the FROM clause and one
in the BY clause? Obviously, Declude would need to inspect the IP address in
the FROM clause and ignore any IP addresses that it encounters in/after
the BY clause?

 

-It sounds like you're saying that Declude has a general problem with
correctly interpreting Received Headers that happen to have two IP
addresses? As I'm typing this, I do recall having run into this problem in
the past.  But, if my understanding is correct, then this would be a problem
in the Declude parser, if indeed the header is formatted in accordance with
the RFCs? 

 

Best Regards,

Andy

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 3:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Here is a message going through a Postini server.

 

--- EXAMPLE 1 ---

Received: from .x.local ([127.0.0.1]) by xx.xom with Microsoft

SMTPSVC(6.0.3790.1830);

 Wed, 30 Sep 2009 12:18:03 -0400

Return-Path: dbar...@declude.com

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net

with SMTP;

   Wed, 30 Sep 2009 12:12:56 -0400

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com

([64.18.4.10]) with SMTP;

Wed, 30 Sep 2009 11:16:38 CDT

Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com

with SMTP;

   Wed, 30 Sep 2009 11:16:11 -0500

Reply-To: dbar...@declude.com

From: David Barker dbar...@declude.com

To: xxx ' x...@x.com



---

 

This line is good.

 

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net

with SMTP;

 

However this line is a problem.

 

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com

([64.18.4.10]) with SMTP;

 

This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line.

The problem occurs when there are two IP addresses on the same line. The

first IP is considered as BOGUS and Declude picks up the second IP address

on this line. 

 

For more information please review RFC 5321: [4.4]

 

 

David Barker

VP Operations Declude

Your Email security is our business

978.499.2933 office

978.988.1311 fax

dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy

Schmidt

Sent: Wednesday, November 04, 2009 3:11 PM

To: declude.junkmail@declude.com

Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi David:

 

I'm interested to better understand this feature. The line you posted looks

like a legit received header that Postini indeed should add to the top of

the headers when it receives the message from the source?

 

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com

([64.18.4.10]) with SMTP;

Wed, 25 Mar 2009 14:45:20 CDT

 

Isn't the MX of the recipient domain pointed to Postini's server? So Postini

would be the first received header to be inserted before relaying the

message

[Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files

2009-08-26 Thread Andy Schmidt
Hi,

 

Doesn't make much sense to ask a user to submit debug logs AFTER a GP
fault that only happens sporadically.

 

How about Declude quarantining the Q/D files in question whenever the
C:/Declude.GP* files are written? This way, the customer can attempt to
reproduce the problem (using the same Q/D files) after setting the log to
Debug mode.

 

Best Regards,

Andy




RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files

2009-08-26 Thread Andy Schmidt
Thanks Dave - I have AutoReview on. So I suppose if that folder is empty, it
means that the file processed successfully a second time around.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, August 26, 2009 11:48 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files
to match GP1/GP2 files
Sensitivity: Personal

 

Hi Andy,

 

In Declude \proc directory there is a directory called REVIEW which is
exactly for this purpose. In the Declude.cfg there is a directive that can
override this functionality called AUTOREVIEWON

 

If the decludeproc service is unexpectedly stopped email in the \work
directory is moved to the \review directory.  If AUTOREVIEW is ON then the
user has opted to reprocess these files,  if the AUTOREVIEW is commented out
then the \Review directory will have a copy of the offending file set and we
can use these files to try and isolate the problem.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, August 26, 2009 11:04 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to
match GP1/GP2 files
Sensitivity: Personal

 

Hi,

 

Doesn't make much sense to ask a user to submit debug logs AFTER a GP
fault that only happens sporadically.

 

How about Declude quarantining the Q/D files in question whenever the
C:/Declude.GP* files are written? This way, the customer can attempt to
reproduce the problem (using the same Q/D files) after setting the log to
Debug mode.

 

Best Regards,

Andy



RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files

2009-08-26 Thread Andy Schmidt
Hi David,

 

Thanks - we are running the 11.01 Preview - and did have SMTP problems. It
hasn't occurred since - so if it looks like an external issue, then it might
not be worth too deep an investigation.

 

Thanks for your response.

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, August 26, 2009 12:12 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files
to match GP1/GP2 files
Sensitivity: Personal

 

Correct. And from the looks of the gp1 file it may be something external. I
have our engineer looking to see what we can gather from the file. And will
get back to you asap.

 

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, August 26, 2009 11:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files
to match GP1/GP2 files
Sensitivity: Personal

 

Thanks Dave - I have AutoReview on. So I suppose if that folder is empty, it
means that the file processed successfully a second time around.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, August 26, 2009 11:48 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files
to match GP1/GP2 files
Sensitivity: Personal

 

Hi Andy,

 

In Declude \proc directory there is a directory called REVIEW which is
exactly for this purpose. In the Declude.cfg there is a directive that can
override this functionality called AUTOREVIEWON

 

If the decludeproc service is unexpectedly stopped email in the \work
directory is moved to the \review directory.  If AUTOREVIEW is ON then the
user has opted to reprocess these files,  if the AUTOREVIEW is commented out
then the \Review directory will have a copy of the offending file set and we
can use these files to try and isolate the problem.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, August 26, 2009 11:04 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to
match GP1/GP2 files
Sensitivity: Personal

 

Hi,

 

Doesn't make much sense to ask a user to submit debug logs AFTER a GP
fault that only happens sporadically.

 

How about Declude quarantining the Q/D files in question whenever the
C:/Declude.GP* files are written? This way, the customer can attempt to
reproduce the problem (using the same Q/D files) after setting the log to
Debug mode.

 

Best Regards,

Andy



Re: [Declude.JunkMail] Imail 11

2009-08-11 Thread Andy Schmidt
Hi,

been using Imail 11 since May. Several annoying bugs - bug fixes for each one 
within a few days. Looks good now - but it's not worth it for anyone to install 
NOW because 11.0.1 is in technical preview and saves you the hassle of having 
to ask for 5 or 6 DLL updates (because they are not being made available 
proactively).

Best Regards,
Andy


From: Michael Graveen 
Sent: Tuesday, August 11, 2009 7:43 PM
To: declude.junkmail@declude.com 
Subject: RE: [Declude.JunkMail] Imail 11


I went to SmarterMail 4.x a few years ago (from IMail 8.05).  I like the web 
interface.  Is it perfect?  No.  But for the most part the SmarterTools folks are 
pretty responsive with bug fixes (especially compared to Ipswitch's past 
performance).  Version 6 has just been released and I will probably upgrade to 
that.  Hope this helps.

Mike




Sorry William I did not catch your sarcasm.  I don't see those problems with 
Imail and we have people with 1000s of messages in their inbox but that is 
version 8.22, I know they had a lot of web mail problems with later versions..  
I think roundcube is better than squirrel mail but I don't know if it will work 
on a windows machine - have never tried to do that.

That being said, I am still looking for recommendations on a Mail 
Server... anyone have thoughts.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com 





From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of William 
Stillwell
Sent: Tuesday, August 11, 2009 10:33 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11


You didn't understand my sarcasm did you?



I gave up w/Imail on fixing my imail webmail issues, on my servers, if there is 
more than 1000 messages in a mail box, users get Access Denied when going to 
different pages in their preview window.

If they have less than 500 messages it works fine for them..



It's by no means OWA . 



William Stillwell







Re: [Declude.JunkMail] Imail 11

2009-08-11 Thread Andy Schmidt
Imail 11 supports ActiveSync (e.g., I'm using it from my regular cell phone) to 
synch contacts, emails, appointments, notes,...


From: Nick Hayer 
Sent: Tuesday, August 11, 2009 6:43 PM
To: declude.junkmail@declude.com 
Subject: RE: [Declude.JunkMail] Imail 11


SmarterMail. It's the way to go. Ver 6 will support ActiveSync [ as an addon] 
and the web interface is excellent.

I have one remaining Imail server - 9x version  - to convert..

-Nick



From: Chuck Schick cha...@warp8.com
Sent: Tuesday, August 11, 2009 1:07 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11


Sorry William I did not catch your sarcasm.  I don't see those problems with 
Imail and we have people with 1000s of messages in their inbox but that is 
version 8.22, I know they had a lot of web mail problems with later versions..  
I think roundcube is better than squirrel mail but I don't know if it will work 
on a windows machine - have never tried to do that.

That being said, I am still looking for recommendations on a Mail 
Server. Anyone have thoughts?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com 





From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of William 
Stillwell
Sent: Tuesday, August 11, 2009 10:33 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11


You didn't understand my sarcasm did you?



I gave up w/Imail on fixing my imail webmail issues, on my servers, if there is 
more than 1000 messages in a mail box, users get Access Denied when going to 
different pages in their preview window.

If they have less than 500 messages it works fine for them..



It's by no means OWA . 



William Stillwell







[Declude.JunkMail] RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?

2009-07-08 Thread Andy Schmidt
Hi Dave,

 

The Diags.txt I had sent was created from THIS MORNING (I had made a point
of restarting DecludeProc to get a current status). So CommTouch was
definitely reported as OFF at that time.  It had been reported as ON in
June, the previous time that the server had been started (for security
fixes).

 

I cleared the DNS cache and restarted DecludeProc and now Diags.txt reports
ON for CommTouch. So thanks for re-activating it.

 

So - that leaves a whole bunch of new concerns:

 

-  If you ONLY migrated servers THIS week, then THIS was NOT the
reason.
CommTouch had stopped after 6/27, which is 11 days ago. (That's the last
date your log files showed any CommTouch hits!) However, it's the exact date
of my new renewal term! So what precisely happened on 6/28 at midnight?



-  Irregardless, if you switched IP addresses for some of your
servers, then you obviously would have to FIRST update your OWN DNS a week
prior (or whatever the old TTL was) to change the TTL for that DNS record to
something extremely short (e.g., hours). A week later, after the old TTL had
expired, you could THEN change the DNS record to the NEW IP address and
update the TTL to the longer period again. 
If you simply switched IP addresses without prior TTL adjustments, then your
customers would NOT see the new IP until the old TTL had run out. Although
this was not the problem in my case - which host name are we talking about
and how was this migration executed if you feel that your customers have to
flush their DNS cache to obtain the new server address?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, July 08, 2009 11:04 AM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's
the best procedure everyone uses to renew it?
Sensitivity: Personal

 

We just migrated servers this week. It is possible your DNS is using cached
information. Remember a diags.txt is only created on startup so you may have
old information.  Can you flush your DNS cache and restart Declude to see if
it resolves the problem. 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, July 08, 2009 10:20 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com
Subject: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the
best procedure everyone uses to renew it?
Sensitivity: Personal

 

Hi,

 

I noticed that ZeroHour stopped catching any viruses after 6/28 - and, after
investigating, I now realize it no longer traps any Spam. There were NO
changes to any .CFG (or other Declude files). I'm enclosing the most recent
Diags.txt (from 6/18, where CommTouch was ON) and then one from today after
I made a point of manually restarting DecludeProc.  Suddenly, it reports
CommTouch as OFF?

 

My customer screen shows:

 


 

Host Information

Declude Imail Perpetual Lic.   [omitted]    28 Jun 2010
AVG                            Activated    Current
CommTouch                      Activated

 

It can't be a coincidence that CommTouch stopped working 3 weeks ago,  on
the exact anniversary date of my (renewed) agreement?

 

Since I only purchased CommTouch a few weeks ago, I'm new to this. So, what
do Declude customers have to do after purchasing CommTouch or after renewing
their service agreements to make sure that the software will continue to
work with a complete function set? This way, I can add yet another reminder
to my calendar (besides monitoring the AVG licensing renewal date).

 

 


Overall Server Virus Summary Report

Total Messages Processed: 21,868
Virus Infected Messages: 60
Percentage Infected: 0.27%

VIRUS                                                   # INFECTED   PERCENTAGE
OUTLOOK 'BLANK FOLDING' VULNERABILITY                   33           0.15%
OUTLOOK 'CR' VULNERABILITY                              11           0.05%
OUTLOOK 'MIME SEGMENT IN MIME PREAMBLE' VULNERABILITY   8            0.04%
I-WORM/MYDOOM.O                                         3            0.01%
I-WORM/MYDOOM.BE                                        1            0.00%
I-WORM/MYDOOM.N                                         1            0.00%
NON STANDARD HEADER VULNERABILITY                       1            0.00%
TROJAN.IFRAME-3                                         1            0.00%
WORM.BAGLE-ZIPPWD-35                                    1            0.00%


Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,868
Virus Infected Messages: 5
Percentage Infected: 0.02%

VIRUS                                                   # INFECTED   PERCENTAGE
I-WORM/MYDOOM.O                                         3            0.01%
I-WORM/MYDOOM.BE                                        1            0.00%
I-WORM/MYDOOM.N                                         1            0.00%


Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,868
Virus Infected Messages: 2
Percentage Infected: 0.01%

VIRUS                                                   # INFECTED   PERCENTAGE
TROJAN.IFRAME-3                                         1            0.00

[Declude.JunkMail] RE: Database error after upgrading Incorrect HELO in Received Header

2009-06-25 Thread Andy Schmidt
Hi,

a) As far as the HELOBOGUS test - you likely are missing the various IMAIL
11 fixes that Ipswitch created but only gives out when you ask:
http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=691
With the latest fixed SMTP service and Imail_API DLL, my HELOBOGUS test does
not seem to trigger for all messages (but certainly for lots of spam that
has 3 times the hold weight).

b) Is that Imail domain using the registry or SQL for its user database?

All my domains are using the registry and my Declude log appears to look
normal, e.g.:

06/24/2009 23:59:58.680 q93ea0001414e0aa2.smd Did not find [ alifeedb...@service.alibaba.com ] in [ merchand...@dollardays.com ] address book
06/24/2009 23:59:58.680 q93ea0001414e0aa2.smd Finish Address Book WhiteList

Best Regards,
Andy


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Kevin
Rogers
Sent: Thursday, June 25, 2009 2:35 PM
To: declude.vi...@declude.com
Subject: Re: [Declude.Virus] Database error after upgrading

So I emailed David about this issue and he had me turn off AUTOWHITELIST 
and that seemed to get rid of the error.  It seems that Imail 11 changed 
the database it uses for contacts and this is why Declude was generating 
that error. 

But I'd really like to turn AUTOWHITELIST back on. 

And, since the upgrade all emails are failing the DYNHELO and HELOBOGUS 
tests so I've had to reduce their weights for the time being.  Has 
anyone seen this or have any ideas how to correct?

Thanks.


Kevin Rogers wrote:
 I upgraded to 4.6.35 because of the AVG scanner issue, but now in my 
 declude logs I am seeing error messages like this:

 06/23/2009 00:38:48.986 q8f0c00670096.smd DataBase Error = 
 ['(unknown)' is not a valid path.  Make sure that the path name is 
 spelled correctly and that you are connected to the server on which 
 the file resides.
 Driver's SQLSetConnectAttr failed
 ]

 I didn't have these errors before my upgrade.  Any ideas?






RE: [Declude.JunkMail] All_list.dat

2009-06-09 Thread Andy Schmidt
Hi Dave:

 

Good to see that this is (apparently) now an automated procedure that keeps
a current file online for us.

 

Thank you!

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 4:56 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] All_list.dat

 

The all_list.dat file is located in the \Declude directory. This file contains
all the IP address geo-locations, this is used by Declude to identify the
country chain displayed as part of the X-Country-Chain within the header.

 

A new all_list.dat will be available every day from the My Account page
under the downloads section of declude.com. It has been compressed using
.rar, you will need to uncompress the file to replace your existing
all_list.dat

 

You do not need to update this file everyday, however it is there for your
convenience. We suggest updating this file on a periodic basis of about once
every 30-90 days.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 



[Declude.JunkMail] ZEROHOUR vs. TESTSFAILED

2009-06-07 Thread Andy Schmidt
Hi,

 

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the
TESTSFAILED variable?

 

1.   Example: I have defined

 

XINHEADER X-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

 

However, since activating ZEROHOUR I now see SMTP headers like this:



X-Declude: Triggered [-2] None, ZEROHOUR [0]

 

There are two things wrong with this:

 

a)  If “Testsfailed” returns “None”, why is the string “ZEROHOUR”
appended?  If it’s “None” then it should be “None” – and nothing else.



b)  If “ZEROHOUR” didn’t fail and thus has a weight of “0”, then it
shouldn’t appear in the TESTSFAILED list at all.

 

2.   In one of my filters, I have the line
TESTSFAILED  5  CONTAINS  ZEROHOUR
However, it fails to add “5” to the weight – as if it doesn’t detect
“ZEROHOUR” in the TestsFailed string – which would be consistent with items
“a)” and “b)” – because apparently there is a bug where ZEROHOUR is not
correctly included in the “TESTSFAILED” variable, but instead it is somehow
“appended” behind it!

 

The power of Declude is to be able to tightly configure (through various
options) how weights are assigned and (with the help of “TESTSFAILED”
filters) which groupings of tests might be testing/triggering on the same
“aspect” of a message. Currently ZEROHOUR appears to negate all the other
advantages of Declude!

 

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 





RE: [Declude.JunkMail] CommTouch ZeroHour

2009-06-05 Thread Andy Schmidt
Uh - okay, that was the reason, why I wasn't able to purchase CommTouch back
when. 

As a hosting provider (which includes providing mailboxes for the clients'
domains), that would fall under the umbrella primary function is to provide
Internet service.   

If they would define ISP as Internet ACCESS provider - then this would be a
different story. Because we don't provide Internet access and our primary
function is not clean-and-forward MX services.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, June 05, 2009 10:49 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Commtouch does have a restriction. The condition is:

a.  ISP shall mean an internet service provider or managed solution
provider.

What this means - if you are an ISP as defined by Commtouch, your primary
function is to provide Internet service to your customers (like Comcast) or
your business provides managed services (Like MXlogic) clean-and-forward of
emails. 

Secondly, if your business is part of the ISP category you can use Commtouch
with the added cost of $3.60 per user per year.

And finally, the yearly cost and payments to Commtouch for NON-ISP perpetual
license Declude customers is being absorbed by Declude. 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com







RE: [Declude.JunkMail] CommTouch ZeroHour

2009-06-05 Thread Andy Schmidt
Oh? In that case - what's the purchase cost to add CommTouch to our account
at this point?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, June 05, 2009 11:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Yes Internet access provider is a better description of ISP and how it is
understood by Commtouch.

David

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, June 05, 2009 11:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Uh - okay, that was the reason, why I wasn't able to purchase CommTouch back
when. 

As a hosting provider (which includes providing mailboxes for the clients'
domains), that would fall under the umbrella primary function is to provide
Internet service.   

If they would define ISP as Internet ACCESS provider - then this would be a
different story. Because we don't provide Internet access and our primary
function is not clean-and-forward MX services.






RE: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

2009-06-02 Thread Andy Schmidt
That's semantics - either are Malicious emails (Phishing are the new
Viruses - or sometimes just a precursor). Most malicious email scanners
now include phishing in their realm of responsibility. Bottom line: You
need to run a scanner, it will find malicious emails, whether you
technically would consider them viruses, Trojans, phishing URLs etc.

 

What's bad is, if the scanner suddenly stops working for 2 months. Specially
with those really bad Trojans going around 4 weeks ago. So - either AVG had
an update to their interface, and it took Declude until now to finally catch
up - OR, Declude introduced a bug 2 months ago.  I haven't seen an
explanation on how this could have happened and go unnoticed until I finally
persisted.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Tuesday, June 02, 2009 10:10 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

 

Was it not working? yawn. Never noticed. On my end AVG is superfluous behind
Alligate. We just do not see a virii leakage.  We run ClamD for phishing and
I do not see in its logs any virus captures.

-Nick


From: David Barker dbar...@declude.com
Sent: Monday, June 01, 2009 3:50 PM
To: declude.junkmail@declude.com, declude.vi...@declude.com
Subject: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

If your AVG is not scanning emails, please upgrade immediately to 4.6.35
which is available from the Declude website.

 

If you are unsure whether this means you, we suggest you upgrade, if you
need any assistance in this matter please contact supp...@declude.com

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 




RE: [Declude.JunkMail] Declude 4.5.29 Released

2009-02-24 Thread Andy Schmidt
Hi, is the jump from 4.4.25 ( release 4.4 ) to 4.5.26 (release 4.5)
intentional or a typo?  If 4.5 is a new release, one would have expected it
to start at 4.5.) - and thus this latest build be referred to as 4.5.3 ?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Tuesday, February 24, 2009 9:21 AM
To: declude.junkmail@declude.com; declude.vi...@declude.com
Subject: [Declude.JunkMail] Declude 4.5.29 Released

4.5.29 Hijack logging error fixed

4.5.28 Fix memory leak in SPF test

4.5.27 Diags.txt, shows if AVG and CommTouch are ON or OFF

4.5.26 Change Request Skip AUTOWHITELIST when the sender matches the
       recipient.
       Updated Diags.txt, shows the copyright 2009 and the products,
       Junkmail, Hijack and EVA as either ON or OFF

4.4.25 Fixed IPBYPASS  0 triggered inconsistencies with the IPFILE test

4.4.24 Increased number of Tests run in global.cfg

4.4.23 Bug fix when virus.cfg is not found. EVA code is still executed and
       vulnerabilities are placed in the root of C:\ directory.
       With this fix Virus code will not execute if no virus.cfg is found.
       E-mail will not be scanned for any virus or vulnerabilities
       A virus log will be created in declude\logs and will inform the
       user that virus test is OFF.

4.4.22 Removed all reference to versions PRO/STD/LITE.

4.4.21 Removed all reference to EVA versions PRO/STD/LITE.

4.4.20 Fixed Declude leaving an open socket during avg update. Also fixed
       for possibility of an early terminating thread in the transfer file
       function.

4.4.19 Temporary fix for CATCHALLMAIL not holding the e-mail when the e-mail
       is whitelisted and when COPYFILEACTIONWITHHEADER = ON

4.4.18 WHITELIST TO Removed the restriction of abuse@, noc@,
       postmaster@ and updated ROUTING the foreign IP address list

4.4.17 In fullmsg the header part of the message was being stored and
       printed twice.

4.4.16 Changed critical section to when accessing the Address book for
       autowhitelisting to resolve a thread hanging issue with Imail.

4.4.14 Added critical section before opening the Imail MS Access DataBase to
       prevent crashes

4.4.13 Changed the CommTouch Temp Directory from the default (the machine
       default tempdir) to ...\Declude\scanners\commTouch\Temp

4.4.12 Updated GP1 files to be amended rather than overwritten. Information
       will be appended with the system Date and time.
       Fixed a crash issue, due to decoding of the subject line.
       Fixed issue of TXT files being left in the work directory. Requires
       replacement of the avgsdk.dll.

4.4.11 Update Declude encoding of winmail.data (TNEF) and storing the
       attachment file and its corresponding file name. Improved detection
       of the Invalid zip vulnerability.

4.4.10 Added error message in logs for additional information as to why txt
       file could not be moved back to virus directory

4.4.8  Invalid zip vulnerability; updated Declude to be compatible with '7z'
       file archived compressor

4.4.7  Updated Declude to report on ODBC access issues in IMail.

4.4.6  Updated PCRE to better handle PCRE .dll exceptions

4.4.5  If ZEROHOUR weight value cannot be converted to an integer it will be
       ignored. This is a fix for a bug reported when ZEROHOUR test action
       was set, ZEROHOUR was scoring a value of zero.

4.4.4  Updated FROMNOMATCH test failing when e-mail is sent as an NDR

4.4.3  Updated FROMNOMATCH test failing. According RFC-822 the angle bracket
       is not a requirement for FROM: in the header part of the email.
       Changed to handle the angle bracket and without.

4.4.2  Fixed CATCHALLMAIL to be triggered on whitelisted e-mail

4.4.1  Removed references to previous Versions (PRO/STD/LITE).

4.4.0  Release

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com







RE: [Declude.JunkMail] Errorlevel not working

2009-02-09 Thread Andy Schmidt
Because it does a >= comparison, you need to start with the greatest value
and work your way lower.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Serge
Sent: Sunday, February 08, 2009 7:58 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Errorlevel not working

found a solution

This works on both cases
if errorlevel 1 goto gziperr1
if errorlevel 0 goto gziperr0

but this does not work
if errorlevel 0 goto gziperr0
if errorlevel 1 goto gziperr1

but WHY ???


- Original Message - 
From: Serge se...@cefib.com
To: declude.junkmail@declude.com
Sent: Monday, February 09, 2009 12:49 AM
Subject: Re: [Declude.JunkMail] Errorlevel not working


 Hello sandy

 Not true
 even if i comment echo line, i still get gzip OK errorlevel 0, Unzipping
 even if the file is corrupted


 gzip -d -f -t zydt3crn.snf.gz
 if errorlevel 0 goto gziperr0
 if errorlevel 1 goto gziperr1
 GOTO END

 :gziperr0
 Echo gzip OK errorlevel 0, Unzipping
 GOTO END

 :gziperr1
 Echo gzip errorlevel 1
 Echo gzip .gz file did not test OK
 GOTO END

 :END


 - Original Message - 
 From: Sanford Whiteman sa...@cypressintegrated.com
 To: Serge declude.junkmail@declude.com; Message Sniffer Community 
 snif...@sortmonster.com
 Sent: Monday, February 09, 2009 12:39 AM
 Subject: Re: [Declude.JunkMail] Errorlevel not working


 I have a problem with the branching in the batch below
 even when the test fails and echo %errorlevel%  shows 1
 the branching still goes to gziperr0
 Does anyone know why and how to fix ?

 When  you  echo  the  errorlevel, the errorlevel is reset to the value
 returned by echo().

 --Sandy



 
 Sanford Whiteman, Chief Technologist
 Broadleaf Systems, a division of
 Cypress Integrated Systems, Inc.
 e-mail: sa...@cypressintegrated.com

 SpamAssassin plugs into Declude!
 http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

 Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
 http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
 http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/







---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
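
The ordering problem in this thread can be caught before a script ships. The following is an added example, not code from the thread: a small Python check that flags `if errorlevel N goto ...` lines that can never fire because an earlier line in the same run has a lower or equal threshold. The function names and the regex are this example's own; the two scripts are the orderings quoted above.

```python
import re

# Classic form only: "if errorlevel N goto label". "if not errorlevel" and
# %ERRORLEVEL% comparisons behave differently and are not matched here.
IF_ERRORLEVEL = re.compile(
    r"^\s*if\s+errorlevel\s+(\d+)\s+goto\s+:?(\S+)\s*$", re.IGNORECASE
)

# The two orderings quoted in the thread.
BROKEN = """\
gzip -d -f -t zydt3crn.snf.gz
if errorlevel 0 goto gziperr0
if errorlevel 1 goto gziperr1
GOTO END
"""

FIXED = """\
gzip -d -f -t zydt3crn.snf.gz
if errorlevel 1 goto gziperr1
if errorlevel 0 goto gziperr0
GOTO END
"""


def find_shadowed_errorlevel_tests(script):
    """Return (line_no, text, shadowing_line_no) for tests that cannot fire.

    cmd.exe evaluates "if errorlevel N" as "exit code >= N". In a run of
    consecutive "if errorlevel N goto ..." lines, a test is reachable only
    if every earlier test in the run has a strictly higher threshold.
    """
    findings = []
    run = []  # (line_no, threshold) for the current consecutive run
    for line_no, text in enumerate(script.splitlines(), start=1):
        match = IF_ERRORLEVEL.match(text)
        if not match:
            if text.strip():  # any other command ends the run
                run = []
            continue
        threshold = int(match.group(1))
        for prev_no, prev_threshold in run:
            # Every exit code >= threshold is also >= prev_threshold, so the
            # earlier line has already jumped away.
            if prev_threshold <= threshold:
                findings.append((line_no, text.strip(), prev_no))
                break
        run.append((line_no, threshold))
    return findings


def branch_taken(script, exit_code):
    """Label reached for a given exit code, or None if no test matches."""
    for text in script.splitlines():
        match = IF_ERRORLEVEL.match(text)
        if match and exit_code >= int(match.group(1)):
            return match.group(2)
    return None


if __name__ == "__main__":
    for name, script in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, find_shadowed_errorlevel_tests(script),
              [branch_taken(script, code) for code in (0, 1, 2)])
```

With the broken ordering, a failed `gzip -t` integrity test (exit code 1) still lands on `gziperr0`, so a corrupted download is treated as good.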



RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam tests

2009-02-03 Thread Andy Schmidt
Hi,

 

I think there are two different issues:

 

a)   As stated by others, the mail SERVER is NOT required to have an MX
record (seldomly will!) and is not required to be referenced in the domain's
MX record (in case it's an outbound server only).

 

b)   However, I reject mails from domains that don't have ANY MX or A
records. If I can't respond to a domain by mail, then I certainly don't want
their mail. Never had a false positive in all these years.

 

Example:

 

@         A    200.200.200.200

@         MX   10   incoming.domain.com

Incoming  A    200.200.200.201

Outgoing  A    200.200.200.202

 

It's perfectly fine for you to receive mail from Outgoing.domain.com, even
if there is no MX record for Outgoing and even if outgoing.domain.com is
not referenced in the domains MX record.

 

However, if the two @ records were missing - THEN this domain cannot be
reached by email and I would refuse any mail from any domain.com.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 10:28 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Sorry but I am not sure what you mean by outbound in the sample below.  I
also do not know what specific test should be triggered other than something
should be.

 

Here I have mail coming in from a domain.  DNS lookup on their MX record
fails.  Is that not a big flag that this is likely Spam?

 

Maybe I am misunderstanding something here.  In the sample below we got mail
from an orderlinenews address and the MX record does not exist

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222




RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam tests

2009-02-03 Thread Andy Schmidt
I wouldn't add anything to the score because it's very common (specially for
larger organizations) to have dedicated outbound servers, while all MX
records point to their anti-spam/anti-virus gateways!

 

The better approach would be to REDUCE the weight score if you receive mail
from a mail server that also DOES appear in the domain's MX records. This way
you give credit for a more tight configuration without penalizing
perfectly valid/common configurations.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 11:15 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

I would agree.  However if a record exists but the server does not, I would
want to add a bit to my weight score.  It certainly shows that something is
not right

 

However, thank you for the explanation

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Tuesday, February 03, 2009 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Some email server has the task of sending out email and not receiving
email, (eg. An online order system)  it would not require an MX record as
it does not need to receive email, therefore the fact that an MX record does
not exist is not a good indicator for spam.

 

David B

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 10:28 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Sorry but I am not sure what you mean by outbound in the sample below.  I
also do not know what specific test should be triggered other than something
should be.

 

Here I have mail coming in from a domain.  DNS lookup on their MX record
fails.  Is that not a big flag that this is likely Spam?

 

Maybe I am misunderstanding something here.  In the sample below we got mail
from an orderlinenews address and the MX record does not exist

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Tuesday, February 03, 2009 10:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Hi Harry,

 

As far as I know mail servers that are strictly outbound don't need to use
an MX record. What test do you think this should trigger ?


David B

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 10:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Anyone have any ideas on this topic?

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Friday, January 30, 2009 4:04 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam tests

 

Please see the log entry below.  The DNS lookup for the MX and A record
failed.  Why would that not add weight to any of my tests?  Am I missing
some?  Seems to me that if these fail that it should be weighted as spam.

 

 

 

01/30/2009 08:21:53.312 qfeea02ad6d67.smd Start: doprewhitelist

01/30/2009 08:21:53.312 qfeea02ad6d67.smd END: doprewhitelist

01/30/2009 08:21:55.265 qfeea02ad6d67.smd WARNING: DNS server
nnn.nnn.nnn.nnn returned a SERVER FAILURE error for MX or A for
mail.orderlinenews.ca.

01/30/2009 08:22:01.265 qfeea02ad6d67.smd WARNING: DNS server
nnn.nnn.nnn.nnn returned a SERVER FAILURE error for MX or A for
orderline.ca.

01/30/2009 08:22:03.437 qfeea02ad6d67.smd Tests failed [weight=0]:
FILTER-COUNTRY=IGNORE[0] CATCHALLMAILS=IGNORE[0] 

01/30/2009 08:22:03.437 qfeea02ad6d67.smd Action(s) taken for
[x...@domain.com] = IGNORE  [LAST ACTION=IGNORE]

01/30/2009 08:22:03.437 qfeea02ad6d67.smd Cumulative action(s) on this
email = IGNORE  [LAST ACTION=IGNORE]

 

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com. 
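The log excerpt quoted in the thread above, checked mechanically: an added example (not part of the original posts and not Declude code) that re-joins the wrapped log lines, groups them by spool file, and reports messages where a DNS SERVER FAILURE warning was logged while the final weight stayed at or below a threshold. The regular expressions are assumptions derived only from the quoted lines, and the sample input is constructed from that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread, with the mail
# client's hard line wraps left in place.
SAMPLE_LOG = """\
01/30/2009 08:21:53.312 qfeea02ad6d67.smd Start: doprewhitelist
01/30/2009 08:21:53.312 qfeea02ad6d67.smd END: doprewhitelist
01/30/2009 08:21:55.265 qfeea02ad6d67.smd WARNING: DNS server
nnn.nnn.nnn.nnn returned a SERVER FAILURE error for MX or A for
mail.orderlinenews.ca.
01/30/2009 08:22:01.265 qfeea02ad6d67.smd WARNING: DNS server
nnn.nnn.nnn.nnn returned a SERVER FAILURE error for MX or A for
orderline.ca.
01/30/2009 08:22:03.437 qfeea02ad6d67.smd Tests failed [weight=0]:
FILTER-COUNTRY=IGNORE[0] CATCHALLMAILS=IGNORE[0]
"""

# Assumed entry layout (from the excerpt only): timestamp, spool file, text.
ENTRY_START = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+\.smd) (.*)$")
DNS_FAIL = re.compile(
    r"WARNING: DNS server \S+ returned a SERVER FAILURE error "
    r"for MX or A for (\S+?)\.?$")
WEIGHT = re.compile(r"Tests failed \[weight=(-?\d+)\]:\s*(.*)$")


def join_wrapped(text):
    """Rebuild entries: a line with no leading timestamp continues the
    previous entry (this is how the excerpt arrived through e-mail)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_START.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries:
            entries[-1][2] += " " + line
    return [tuple(e) for e in entries]


def summarize(text):
    """Per spool file: domains with a resolver failure, final weight, tests."""
    msgs = defaultdict(lambda: {"dns_failures": [], "weight": None, "tests": []})
    for _ts, spool, body in join_wrapped(text):
        rec = msgs[spool]
        m = DNS_FAIL.search(body)
        if m:
            rec["dns_failures"].append(m.group(1))
            continue
        m = WEIGHT.search(body)
        if m:
            rec["weight"] = int(m.group(1))
            rec["tests"] = [t.split("=")[0] for t in m.group(2).split()]
    return dict(msgs)


def unscored_dns_failures(text, threshold=0):
    """Messages that logged a SERVER FAILURE yet ended at weight <= threshold.
    SERVER FAILURE is a resolver error, not an answer that no record exists,
    so these are candidates for manual review rather than proof of spam."""
    return {
        spool: rec["dns_failures"]
        for spool, rec in summarize(text).items()
        if rec["dns_failures"]
        and rec["weight"] is not None
        and rec["weight"] <= threshold
    }


if __name__ == "__main__":
    for spool, domains in unscored_dns_failures(SAMPLE_LOG).items():
        print(spool, "resolver failures for:", ", ".join(domains))
```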



RE: [Declude.JunkMail] New Blacklist / Whitelist (Barracuda)

2008-12-06 Thread Andy Schmidt
Hi,

I very much feel it's worth it - as long as you combine it with other tests.
Other than Sniffer, it flags MORE emails (about 55 to 60%) than CBL Dyna,
Spamcop, InvURIBL, Sorbs, SenderDB etc.

Many times when I looked at NEW spam (or a Virus), then Barracuda (besides
Sniffer) was the ONLY one detecting it - so it has helped pushing emails
beyond the threshold until the other black-lists catch up.

Some claim that it MAY be less reliable - but I haven't seen any increase in
overall false positive reports, maybe because it's only one of multiple
tests that have to fail before an email is actually held.

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail
Admin
Sent: Friday, December 05, 2008 8:56 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New Blacklist / Whitelist (Barracuda)

Hi,

A couple of months ago I read the discussion about the new Barracuda BRBL.
Then I went to the archives to see how people were implementing it into
Declude.  I have Declude 4.2.x, so I don't have the features of 4.4.  I was
unable from reviewing the archives to figure out the best way to implement
this.  Can someone give me the lines for global.cfg?  And do you still think
it's worth it?

Thanks,

Ben

- Original Message - 
From: David Dodell [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, October 15, 2008 9:28 PM
Subject: Re: [Declude.JunkMail] New Blacklist / Whitelist


 b)   http://www.barracudacentral.org/rbl
 Hadn't seen this one mentioned? Any experiences? Effective? False 
 Positives?


I'm giving this one a try ... I know Barracuda is a large manufacturer
of hardware spam firewalls ... reputable company




[Declude.JunkMail] No Reverse DNS in Header?

2008-11-03 Thread Andy Schmidt
Hi,


I never noticed this scenario before, so I figured I'd ask:

One of the emails I investigated had a null string RevDNS in the
XINHEADER:

 

X-Declude: Version 4.4.20; Code 0xe from  [38.108.41.55]

 

The global config defines the following:

 

XINHEADER X-Declude: Version %VERSION%; Code 0x%HEADERCODE% from %REVDNS% [%REMOTEIP%]

 

I can't remember ever seeing a header without a RevDNS - and without any
RevDNS tests failing?

 

Here is the SMTP and Declude log snippet, as well as the CURRENT Reverse DNS
lookup (which matches the HELO string). Of course, we don't know what the
DNS information was at the time that Declude saw it - but if it resulted in
a null string, then I wonder if we shouldn't see any DNS timeout errors, or
similar indication in the Declude log?

 

 

11:01 16:18 SMTPD(b9ad01c21fc9) [63.107.174.78] connect 38.108.41.55
port 9176

11:01 16:18 SMTPD(b9ad01c21fc9) [38.108.41.55] EHLO
mail.cashcosmetics.info

 

11/01/2008 16:18:56.820 qb9ad01c21fc9.smd Start: doprewhitelist

11/01/2008 16:18:56.820 qb9ad01c21fc9.smd END: doprewhitelist

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd nIPNOTINMX:-2 SPFPASS:-2 .
Total weight = -4.

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd NOT bypassing whitelisting of
E-mail with weight =19 (-4) and at least 1 recipients (1).

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd NOT bypassing whitelisting of
E-mail with weight =14 (-4) and at least 4 recipients (1).

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd NOT bypassing whitelisting of
E-mail with weight =12 (-4) and at least 6 recipients (1).

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Did not find [
[EMAIL PROTECTED] ] in [EMAIL PROTECTED] address book

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Finish Address Book WhiteList

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Tests failed [weight=-4]:
NOLEGITCONTENT=IGNORE[0] SPFPASS=IGNORE[-2] 

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd L1 Message OK

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Subject: Mineral Makeup

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] IP: 38.108.41.55 ID: h1isqe01g74o

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Action(s) taken for
[EMAIL PROTECTED] = IGNORE  [LAST ACTION=IGNORE]

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Cumulative action(s) on this
email = IGNORE  [LAST ACTION=IGNORE]

 

 set type=ptr

 38.108.41.55

Non-authoritative answer:

55.41.108.38.in-addr.arpa   canonical name =
55.0-63.41.108.38.in-addr.arpa

55.0-63.41.108.38.in-addr.arpa  name = mail.cashcosmetics.info

 

 

Best Regards,

Andy




[Declude.JunkMail] URIBL vs. SURBL

2008-10-17 Thread Andy Schmidt
Hi,

I checked two of my systems and noticed that apparently multi.uribl.com does
not have any hits for its black and red lists EVER? I find that hard to
believe.

My systems DO check SURBL first, and only would pass a good message to
URIBL. Is it really possible that URIBL is fully redundant to SURBL (I would
have expected SOME overlap, but not 100%).

Does anyone have any experience with multi.uribl.com?

Best Regards,
Andy






RE: [Declude.JunkMail] URIBL vs. SURBL

2008-10-17 Thread Andy Schmidt
Hi,

 

Thanks - yep, I found out they are blocking both my DNS servers - my other
systems can query their test points.  Oh well...

 

If your mail volume is low, we really don't care if you query the public
mirrors. But if your hardware or software is hammering our public mirrors
with 100's of thousands of queries, then we will ACL off your host. At that
point you can either do without our service, or request a data feed. Feel
free to raise your concerns with your vendor, as we would be happy to work
with them to provide their own resolvers for their customers to hit.

The same applies for free software. If you are using SpamAssassin, then
great. Since URIBL is part of default SpamAssassin installs, you
automatically benefit from our service. However, if you run a large mail
system with SpamAssassin, then there is a chance we will block your queries
on the public mirrors. We understand you may not realize you are querying
URIBL since it is enabled by default, and we will take the necessary steps
to notify you, if possible, before blocking your queries from our public
mirrors. 

So my option is their commercial (for fee) feed service.

 

Best Regards,

Andy

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, October 17, 2008 3:29 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] URIBL vs. SURBL

 

I get good hits from both lists with invURIBL.  uribl.com is more
aggressive (IMO) than surbl.

I query SURBL first and then uribl second.  Even with that config (and
skip weights set) I still get more hits on URIBL.

F:\Logs\invURIBL>grep -i "message body found in multi.uribl.com" uribl-logfile1017.txt | wc -l
2030

F:\Logs\invURIBL>grep -i "message body found in multi.surbl.org" uribl-logfile1017.txt | wc -l
1328

Check your test points for URIBL.com.  They have been known to block DNS
servers that have high query rates since they now offer a data feed service.

 

Darrell

-- 

--

Check out http://www.invariantsystems.com for utilities for Declude, 

Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 

SURBL/URI integration, MRTG Integration, and Log Parsers.

 

 

Andy Schmidt wrote:

 Hi,

 

 I checked two of my systems and noticed that apparently multi.uribl.com
does

 not have any hits for its black and red lists EVER? I find that hard to

 believe.

 

 My systems DOES check SURBL first, and only would pass a good message to

 URIBL. Is it really possible that URIBL is fully redundant to SURBL (I
would

 have expected SOME overlap, but not 100%).

 

 Does anyone have any experience with multi.uribl.com?

 

 Best Regards,

 Andy

 

 

 


[Declude.JunkMail] New Blacklist / Whitelist

2008-10-15 Thread Andy Schmidt
a)   Pay $20.00 for another flavor of SPF - or do I see this wrong?

http://www.emailreg.org/

 

b)   http://www.barracudacentral.org/rbl

Hadn't seen this one mentioned? Any experiences? Effective? False Positives?




[Declude.JunkMail] http://tools.declude.com/headercode.php?code=8000004e

2008-10-14 Thread Andy Schmidt
That really does NOT help. I know it failed the BADHEADERS test, otherwise I
wouldn't use the BADHEADERS tool to look up the cause. The explanation
doesn't need to tell me what's okay, I need to know what's NOT. After
reading the explanation I'm just as smart as before:

 


Results


The E-mail failed the BADHEADERS test. This means the email failed with a
violation of the RFC. Your Mailserver accepted this message however it is
more than likely a SPAM or Virus message.

A proper Date was found - this is a good thing.

A proper To Address was found - this is a good thing.

A proper From Address was found - this is a good thing.

 




RE: [Declude.JunkMail] country chain

2008-10-08 Thread Andy Schmidt
I believe the routing test looks for emails hopping back and forth across
major regions. So, if the email was sent from the U.S. to China and then
back to the U.S., it should trigger. But, if a multinational company has I/T
resources (or registered IP addresses) south or north of the border, or if
European consumers have ISP accounts in a neighboring country and use their
SMTP servers, it probably should not trigger.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Wednesday, October 08, 2008 7:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

Anybody have any idea why the ROUTING test is not adding to my weight.

Here is another sample of where the ROUTING  test should have added to the
score

X-Country-Chain: UNITED STATES-EL SALVADOR-CANADA-destination
X-Spam-Tests-Failed: UCEPROTECT-LEVEL2-, NOABUSE, NOPOSTMASTER,
FILTER-COUNTRY [6]

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Monday, October 06, 2008 11:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain


I am still trying to figure this out

I have the following command in my global.cfg:

ROUTING spamrouting x   x   6   0

Yet the following sample did not trigger it:

X-Country-Chain: NIGERIA-UNITED STATES-CANADA-destination
X-Spam-Tests-Failed: FILTER-COUNTRY, WEIGHT10, WEIGHT11 [11]

Should there not have been another 6 points added for the path the mail
took?

Thank you

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Thursday, October 02, 2008 11:21 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] country chain


The ROUTING test was meant for this.  It checks for spam that was sent 
through multiple countries.

Another way is to add weight to individual countries using a filter and the 
COUNTRIES test which will fail based on a country code:
COUNTRIES  10  CONTAINS  CN

If you wanted to get really complicated, you could create an IP4R test for 
each country using the blacklist at http://countries.nerd.dk/




 Original Message 
 From: Harry vanderzand [EMAIL PROTECTED]
 Sent: Wednesday, October 01, 2008 11:35 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] country chain
 
 When spam goes through several countries as in:
 
  
 
 X-Country-Chain: UNITED ARAB EMIRATES-POLAND-CANADA-destination
 
  
 
  
 
 Is there a way to add weight to mail that would have travelled this way?
 
  
 
 Harry Vanderzand
 
 NEW ADDRESS Effective Jan 24, 2008
 
 Intown Internet
 
 117 Ruskview Road
 
 Kitchener, ON, N2M 4S1
 
 519-741-1222
 
  
 
 
 



RE: [Declude.JunkMail] country chain

2008-10-08 Thread Andy Schmidt
Hi,

I think that counting countries is not necessarily helpful - especially if
you think of other continents. In Europe, many AOL IP blocks are registered
to the U.K. Knowing that an email went through two or three countries before
reaching you does not really imply anything, especially for corporate emails.

I also would think that, by now, spammers don't need to bother to relay
through many hops any more. With zombies they have the benefit of sending
mails through just 1 or two relays.

So, counting countries is likely to trap more legitimate corporate mail than
today's spam.

The old ROUTING test is the correct approach, in my opinion.

If we're looking to add more tests, then I'm sure there are better
candidates to be discussed to see if they are worth the investment in time:
DomainKeys, Sniffer-API (to avoid command line calls and heap limitations),
OCR, ...

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, October 08, 2008 9:47 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

If we look at the definition of the ROUTING Test. 

This test will analyze the route that an E-mail takes, and look for highly
inefficient routing that is very common in spam. For example, an E-mail
might get caught if it is sent from a dialup in the U.S. to another account
in the U.S., but is routed through a server in China, but not if it goes
from a mail server in China directly to a U.S. mail server. This may
occasionally produce false positives, especially if a mailing list is hosted
outside of the United States. This test will probably not work well if your
mail server is located outside of the United States.

In other words the test is triggered if the following routing occurs:

US -- CN -- US

Or 

CN -- US -- NG -- US

The other issue faced is that CANADA is part of the US IP block and this too
may include EL SALVADOR which in effect is

US -- US -- US which would not trigger the test.

We may want to create a new test which would trigger if multiple countries
are in the routing. Any thoughts would be welcome.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

 






-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Wednesday, October 08, 2008 7:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

Anybody have any idea why the ROUTING test is not adding to my weight.

Here is another sample of where the ROUTING  test should have added to the
score

X-Country-Chain: UNITED STATES-EL SALVADOR-CANADA-destination
X-Spam-Tests-Failed: UCEPROTECT-LEVEL2-, NOABUSE, NOPOSTMASTER,
FILTER-COUNTRY [6]

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Monday, October 06, 2008 11:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain


I am still trying to figure this out

I have the following command in my global.cfg:

ROUTING spamrouting x   x   6   0

Yet the following sample did not trigger it:

X-Country-Chain: NIGERIA-UNITED STATES-CANADA-destination
X-Spam-Tests-Failed: FILTER-COUNTRY, WEIGHT10, WEIGHT11 [11]

Should there not have been another 6 points added for the path the mail
took?

Thank you

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Thursday, October 02, 2008 11:21 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] country chain


The ROUTING test was meant for this.  It checks for spam that was sent 
through multiple countries.

Another way is to add weight to individual countries using a filter and the 
COUNTRIES test which will fail based on a country code:
COUNTRIES  10  CONTAINS  CN

If you wanted to get really complicated, you could create an IP4R test for 
each country using the blacklist at http://countries.nerd.dk/




 Original Message 
 From: Harry vanderzand [EMAIL PROTECTED]
 Sent: Wednesday, October 01, 2008 11:35 AM
 To: declude.junkmail@declude.com
 Subject: [Declude.JunkMail] country chain
 
 When spam goes through several countries as in:
 
  
 
 X-Country-Chain: UNITED ARAB EMIRATES-POLAND-CANADA-destination
 
  
 
  
 
 Is there a way to add weight to mail that would have travelled this way?
 
  
 
 Harry Vanderzand
 
 NEW ADDRESS Effective Jan 24, 2008
 
 Intown Internet
 
 117 Ruskview Road
 
 Kitchener, ON, N2M 4S1
 
 519-741-1222
 
  
 
 
 
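The routing pattern discussed in this thread (mail leaving a region and coming back, as in US -- CN -- US) next to the proposed "count the countries" test, as an added example that is not Declude's code and not its actual ROUTING algorithm. The REGION table is an assumption built only from the thread's remark that Canada, and possibly El Salvador, fall in the US IP block; the first three headers are the ones quoted in the thread and the last two are constructed.

```python
# Assumed grouping (hypothetical): countries the thread says resolve to the
# US IP block collapse into one region; every other country is its own region.
REGION = {"UNITED STATES": "US", "CANADA": "US", "EL SALVADOR": "US"}


def parse_chain(header):
    """Split 'X-Country-Chain: A-B-C-destination' into ['A', 'B', 'C'].
    Limitation: a country name that itself contains '-' would be split."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "x-country-chain":
        raise ValueError("not an X-Country-Chain header")
    hops = [h.strip().upper() for h in value.split("-")]
    if hops and hops[-1] == "DESTINATION":
        hops.pop()
    return [h for h in hops if h]


def collapse(hops, destination=None):
    """Map hops to regions and merge consecutive hops in the same region.
    `destination` optionally appends the receiving server's own country."""
    if destination:
        hops = hops + [destination.upper()]
    regions = []
    for hop in hops:
        region = REGION.get(hop, hop)
        if not regions or regions[-1] != region:
            regions.append(region)
    return regions


def returns_to_region(header, destination=None):
    """True when a region is left and later re-entered (US, CN, US).
    After collapse(), any repeated region means exactly that."""
    seen = set()
    for region in collapse(parse_chain(header), destination):
        if region in seen:
            return True
        seen.add(region)
    return False


def distinct_regions(header, destination=None):
    """The alternative proposed in the thread: how many regions were crossed."""
    return len(set(collapse(parse_chain(header), destination)))


SAMPLES = [
    # Quoted in the thread:
    "X-Country-Chain: NIGERIA-UNITED STATES-CANADA-destination",
    "X-Country-Chain: UNITED STATES-EL SALVADOR-CANADA-destination",
    "X-Country-Chain: UNITED ARAB EMIRATES-POLAND-CANADA-destination",
    # Constructed to match the 'US -- CN -- US' and 'CN -- US -- NG -- US' cases:
    "X-Country-Chain: UNITED STATES-CHINA-UNITED STATES-destination",
    "X-Country-Chain: CHINA-UNITED STATES-NIGERIA-UNITED STATES-destination",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h}\n  back-and-forth={returns_to_region(h)} "
              f"regions={distinct_regions(h)}")
```

The three chains quoted in the thread never re-enter a region under this grouping, while a plain region count would flag the UNITED ARAB EMIRATES-POLAND-CANADA chain, which is the trade-off the replies argue about.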

RE: [Declude.JunkMail] Re:Declude vs Perry (ES)

2008-09-09 Thread Andy Schmidt
Hi,

 

Well, we are all outsiders - and don't know what transpired.

 

An alternate scenario would be - the author developed Declude, which of
course contains many generic TCP functions, such as DNS lookups to check
RBLS, to check MX records, to check SPF, etc. etc. The author would have
obviously reused pieces of his own code library, when he also developed
DNSstuff! 

 

Eventually, they first purchased Declude from the author, then purchased
DNSstuff from the SAME author - clearly two entirely different applications.
But anyone would reasonably expect that two products by the same author
would and should share some common library code for any generic functions.

 

Now, years later, Declude seems to have been mothballed and DNSstuff is
suffering from the classic top-heavy syndrome
(http://member.dnsstuff.com/info/about.php: 1 software engineer who has to
produce enough code to pay 13 salaries.). That can't go on perpetually! So,
how convenient that they suddenly discover that two applications developed
by the same person share common libraries? Sorry but with the resumes of all
these people (all being industry insiders), I find that story a bit hard to
swallow. 

 

As I said - we don't have the facts, so all we can do is speculate. But
looking at what I can see at the surface, I think there might easily be
other explanations than what the suit alleges, amongst others, a sly way to
renege on whatever obligations might still be owed to the author.

 

Best Regards,

Andy Schmidt

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig
Edmonds
Sent: Tuesday, September 09, 2008 1:42 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Re:Declude vs Perry (ES)

 

I am not a lawyer so don't understand 100%.

So Scott Perry agreed to sell the code but kept a copy anyway and when the
new owners of Declude went to raise capital they found out that Scott Perry
had already developed an additional product with the code they had bought.

I don't see the problem myself?

The new owners of declude are just protecting their interests no?

 

Kindest Regards
Craig Edmonds
123 Marbella Internet Services
W: www.123marbella.com http://www.123marbella.net/ 
E : [EMAIL PROTECTED]





 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Hayer
Sent: 09 September 2008 16:16
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Re:Declude vs Perry

 

Hi David -

Below was forwarded to me - as a long time Decluder I am very disappointed
in seeing something like this - 

-Nick

 

http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer

 

DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF MASSACHUSETTS
(BOSTON) 1:08-cv-11072 

FILED: 06/25/08

The ownership of source code and the ownership of the code in general used
to build a website is often an overlooked issue. Make sure that you have
spelled out not only the ownership of the code but also the requirements
relating to what code can be retrieved from the public domain. If you are
using a web developer who retains ownership of source code then you risk
having that developer use the code with future competitors at much lower
costs and with the benefit of your intellectual capital in developing the
architecture, engineering, and business processes. 

Declude purchased the Defendant's anti-virus, anti-spam and anti-hijacking
software in September, 2000, and sold the products as Declude Virus,
Declude Junkmail, and Declude Hijack. The Defendant, R. Scott Perry,
allegedly used the same source code in developing an additional product, and
when the Plaintiff went to venture capitalists to raise capital, the
detailed due diligence revealed that Defendant had retained a copy of the
source code contrary to the provisions of the purchase agreement in 2000,
and had again sold some of the same code to the Plaintiff in the new product
he had launched.

The Plaintiff has sued the individual Defendant for copyright infringement,
breach of contract, fraud, conversion, unjust enrichment, and unfair and
deceptive acts and practices. 




RE: [Declude.JunkMail] Re:Declude vs Perry (ES)

2008-09-09 Thread Andy Schmidt
Well, Darin - it may be relevant to look at the timeline.

 

Example:

 

1.   Declude is developed

2.   Declude is purchased

3.   Developer keeps source code and NOW starts to reuse it to develop
DNSstuff.com

 

vs.

 

1.   Declude is developed

2.   DNSstuff is developed

3.   Declude is purchased from Developer

4.   DNSstuff is also purchased from Developer

 

I would see how concerns may be raised in the FIRST case. But in the SECOND
case, there are no hidden surprises. Over time, they purchased two different
applications that had previously been developed by the same developer, and
obviously would share some common generic functions.

 

If I sold you a one of a kind car and then sold you a one of a kind
motorcycle - you can't act surprised years later when you find out that I
was using the same hex-nuts and headlight bulbs, where appropriate. 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Tuesday, September 09, 2008 2:03 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Re:Declude vs Perry (ES)

 

Did he keep a copy of the code, or did he just use libraries he developed
through the years, as all programmers do, that he used for all of his
programming?  It's not possible to tell that without an in-depth review of
source code for both products.

 

Also, bear in mind that programmers tend to do the same tasks the same way,
so two completely separate development projects can have very similar
looking code just due to the way a particular programmer solves problems and
writes his/her code.

 

Also, as someone on another list pointed out, you typically aren't buying
the source code, per se, when you buy all rights to a product.  What you
typically buy are the rights to all marketing for the product
(names/trademarks, domain names, etc.), the customer base and any other data
specific to the product, and a non-compete from the seller.  While source
code is necessary to continue development of the product, and is included in
the sale, copyrights on the source code are often meaningless due to the
above points.  In this case, the additional product is not a competing
product.  I don't know the terms of the sale, however, so it is possible
that the source code was central to the purchase.  However, the above two
points still apply.


Darin.

 

 

- Original Message - 

From: Craig mailto:[EMAIL PROTECTED]  Edmonds 

To: declude.junkmail@declude.com 

Sent: Tuesday, September 09, 2008 1:42 PM

Subject: RE: [Declude.JunkMail] Re:Declude vs Perry (ES)

 

I am not a lawyer so don't understand 100%.

So Scott Perry agreed to sell the code but kept a copy anyway and when the
new owners of Declude went to raise capital they found out that Scott Perry
had already developed an additional product with the code they had bought.

I don't see the problem myself?

The new owners of declude are just protecting their interests no?

 

Kindest Regards
Craig Edmonds
123 Marbella Internet Services
W: www.123marbella.com http://www.123marbella.net/ 
E : [EMAIL PROTECTED]





 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Hayer
Sent: 09 September 2008 16:16
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Re:Declude vs Perry

 

Hi David -

Below was forwarded to me - as a long time Decluder I am very disappointed
in seeing something like this - 

-Nick

 

http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer

 

DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF MASSACHUSETTS
(BOSTON) 1:08-cv-11072 

FILED: 06/25/08

The ownership of source code and the ownership of the code in general used
to build a website is often an overlooked issue. Make sure that you have
spelled out not only the ownership of the code but also the requirements
relating to what code can be retrieved from the public domain. If you are
using a web developer who retains ownership of source code then you risk
having that developer use the code with future competitors at much lower
costs and with the benefit of your intellectual capital in developing the
architecture, engineering, and business processes. 

Declude purchased the Defendant's anti-virus, anti-spam and anti-hijacking
software in September, 2000, and sold the products as Declude Virus,
Declude Junkmail, and Declude Hijack. The Defendant, R. Scott Perry,
allegedly used the same source code in developing an additional product, and
when the Plaintiff went to venture capitalists to raise capital, the
detailed due diligence revealed that Defendant had retained a copy of the
source code contrary to the provisions of the purchase agreement in 2000,
and had again sold some of the same code to the Plaintiff in the new product
he had launched.

The Plaintiff has sued the individual Defendant for copyright infringement,
breach of contract, fraud, conversion, unjust enrichment, and unfair and
deceptive acts and practices. Dozier Internet Law 

RE: [Declude.JunkMail] SPF Issue

2008-09-01 Thread Andy Schmidt
What is the issue? What error message? Was it bounced mail? What did the NDR
say? It could be a recipient trying to forward mail to another server, or an
end-user trying to send email from home using their local ISP... etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Serge
Sent: Sunday, August 31, 2008 10:18 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SPF Issue

Hi all

I have some SPF issues
It was working fine some time back
I use Microsoft DNS
I have
(same as parent)   Text   v=spf1 mx ip4:217.64.107.106 -all
mail               Text   v=spf1 mx ip4:217.64.107.106 -all

What is wrong with the above?

TIA





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
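
Added example, not part of the original thread: a minimal Python evaluator for the record Serge posted, showing why the two cases Andy mentions (mail forwarded through another server, a user sending through their local ISP) fail against `-all`. The MX address list and the two non-listed sender addresses are constructed for illustration, and only the `ip4`, `mx` and `all` mechanisms are handled.

```python
import ipaddress

# Record quoted in the post above.
RECORD = "v=spf1 mx ip4:217.64.107.106 -all"

# Constructed stand-in for DNS: addresses the domain's MX hosts resolve to.
# Assumption: the post does not say what the MX records actually are.
MX_ADDRS = ["217.64.107.106"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, mx_addrs):
    """Evaluate ip4, mx and all mechanisms left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a) for a in mx_addrs)
        else:
            return "permerror"  # outside this sketch; treated as an error here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def results():
    # Constructed connecting addresses (documentation ranges for the non-listed ones).
    senders = {
        "own mail server": "217.64.107.106",
        "third-party forwarder": "192.0.2.25",
        "home ISP relay": "198.51.100.77",
    }
    return {who: check_spf(RECORD, ip, MX_ADDRS) for who, ip in senders.items()}
```

With `-all`, any connecting address not covered by `mx` or `ip4` gets a hard fail, which is why the NDR text and the sending path matter when diagnosing a report like this one.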







RE: [Declude.JunkMail] Imail version 10

2008-08-29 Thread Andy Schmidt
Who isn't? g

Yes, we've been running Imail 10 from the start, now 10.01 and are using it
with Declude 4.4.16.

Best Regards,
Andy


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin
Moose
Sent: Friday, August 29, 2008 12:24 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Imail version 10

Is anyone using declude with Imail version 10?

Justin Moose
Information Technology Manager
Sioux Valley Energy
DID: (605) 256-1644
Fax: (605) 256-1690
Toll Free: (800) 234 1960






