RE: [Declude.JunkMail] GIBBERISHSUB v1.0.4 - Filter updated

2003-10-23 Thread Bill B.
Matt,

Consider adding an entry to ANTI-GIBBERISHSUB for "ezmlm", a very popular
mailing list manager package for qmail.

Bill


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
Sent: Wednesday, October 22, 2003 8:12 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] GIBBERISHSUB v1.0.4 - Filter updated


Well, after quite a bit of work, I've finally managed to do a partial
launch of my new site starting with the Declude Filters section.  The
first filter that I have updated and shared on the site is the
GIBBERISHSUB filter which detects random strings of characters in the
subject of messages.

I've updated the format of the files along with the methods and
exclusions whenever appropriate.  The changes to this filter are mainly
the format of the file itself (which has no effect on how it works).  I
am now using a slightly different naming convention for the ANTI files
by inserting a hyphen after the prefix and I added some exclusions to
the list in order to further protect from false positives.  Please share
your own exclusions with me and I will add them to the filter in a
future release.

The site can be reached by following this link:

MailPure :: Filter Software :: Declude Filters
http://www.mailpure.com/software/decludefilters/

I'll have at least one more filter updated before the end of this
evening, and I've got some new ones to share as time permits.

Matt

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Spam action for non-local aliases

2003-09-29 Thread Bill B.
There are a lot of these aliases, so I don't want to set up per-domain entries.  
Shouldn't I be able to use the outbound actions for these, since the actual recipient 
is a non-local user?

I tried that by defining an action in GLOBAL.CFG, and sending a test email from my 
Lycos Mail account to an alias in Imail which forwards to a non-local address... but 
it didn't use the GLOBAL.CFG action.

In GLOBAL.CFG I have "WEIGHTFAILOUT HOLD", and below are the log entries of the test 
email.  It failed WEIGHTFAILOUT, but the action wasn't triggered...

note: I am not using "SWITCHRECIPS ON"


09/29/2003 10:52:24 Q47273b6614888021 Bogus IP: 0.0.0.0
09/29/2003 10:52:25 Q47273b6614888021 WORD:100 nNOLEGIT:-3 .  Total weight = 97
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WORD (Message failed WORD test (11)). 
Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAIL (Weight of 97 reaches or 
exceeds the limit of 15.). Action=LOG.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAILLOW (Weight of 97 reaches 
or exceeds the limit of 20.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAILOUT (Weight of 97 reaches 
or exceeds the limit of 26.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAILALL (Weight of 97 reaches 
or exceeds the limit of 45.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed CATCHALLMAILS (Weight of 97 reaches 
or exceeds the limit of -100.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 L1 Message OK
09/29/2003 10:52:25 Q47273b6614888021 Subject: filter test
09/29/2003 10:52:25 Q47273b6614888021 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  
IP: 209.202.220.85 ID: 




-Original Message-
From: "Kevin Bilbee"
Sent: Sun, 28 Sep 2003 21:51:14 -0700
Subject: RE: [Declude.JunkMail] Spam action for non-local aliases


You need to set up declude to do per domain config for the nonlocal domain
(pro version).

Alias:
   [EMAIL PROTECTED]

Points to [EMAIL PROTECTED]


Create a domain directory for the nonlocal.com domain and place a junkmail
file in that directory.



Kevin Bilbee


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bill B.
> Sent: Sunday, September 28, 2003 1:19 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Spam action for non-local aliases
>
>
> Can anyone think of a method to identify Imail aliases that
> forward to non-local addresses, and apply specific Declude
> actions for those aliases?
>
> Reason is.. we only provide spam filtering for our customer's
> mailboxes, but not for their alias addresses that forward to
> non-local accounts.  And we've had a couple incidents where a
> customer received Spam in their non-local account, which was
> forwarded through our server via an alias that we host.  So when
> they reported the spam, SpamCop saw that the spam was routed
> through our server and temporarily blacklisted our IP.
>
> Any clever ideas how to stop this without adding separate
> .junkmail files for each alias address?
>
> Thanks,
> Bill
>


[Declude.JunkMail] Spam action for non-local aliases

2003-09-28 Thread Bill B.
Can anyone think of a method to identify Imail aliases that forward to non-local 
addresses, and apply specific Declude actions for those aliases?

Reason is.. we only provide spam filtering for our customer's mailboxes, but not for 
their alias addresses that forward to non-local accounts.  And we've had a couple 
incidents where a customer received Spam in their non-local account, which was 
forwarded through our server via an alias that we host.  So when they reported the 
spam, SpamCop saw that the spam was routed through our server and temporarily 
blacklisted our IP.

Any clever ideas how to stop this without adding separate .junkmail files for each 
alias address?

Thanks,
Bill



Re: [Declude.JunkMail] Next release

2003-09-16 Thread Bill B.
Awesome Scott!  Does this feature work with "PREWHITELIST  ON" so that we can conserve 
some resources for Auth'd users?

Thanks,
Bill

-Original Message-
From: "R. Scott Perry"
Sent: Tue, 16 Sep 2003 20:05:40 -0400
Subject: Re: [Declude.JunkMail] Next release



>Scott could you give us an idea of what new tests and a possible date of the
>next release of declude junkmail.

We do not have an ETA for the next beta release.  However:

>My remote users are constantly on me about the authentication issue when on
>a dial up. I have those users whitelisted but they do not like the side
>effect of receiving spam from their own email address.

We do have an interim release at 
http://www.declude.com/release/175i/declude.exe that includes this ability 
(if you are running a version of IMail that supports it, such as 8.x).  A 
line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will let that 
interim release know to whitelist all E-mail from users who have authenticated.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] SMTP Relay Limit

2003-09-10 Thread Bill B.
Dan,

If you're going Unix-based, qmail and Postfix are faster and more widely used than Exim.  
But with all three you don't have anybody to call if things break.

If you need support, I recommend SurgeMail by Netwin www.surgemail.com  ...I've heard 
good things about the scalability of their product and in evaluating their software 
recently they have provided me with great customer service (though their business 
hours are awkward since they're in New Zealand).  And they have builds for just about 
every OS.

Bill

-Original Message-
From: Dan Patnode
Sent: 10 Sep 2003 16:32:26 -0700
Subject: Re: [Declude.JunkMail] SMTP Relay Limit


Any opinions on Exim?:

http://www.exim.org/


Dan




On Wednesday, September 10, 2003 15:36, Matthew Bramble <[EMAIL PROTECTED]> wrote:
>Dan Patnode wrote:
>
>>Should have been more specific, I'm looking for something used
>by larger ISPs that gives me the confidence of volume and
>stability.  Something attached to a name and a phone number I
>can call when there's a problem.  I don't mind paying for it.
>>
>>Top 2 or 3 names?
>>
>>Thanks,
>>Dan
>>  
>>
>
>What, Microsoft doesn't count?
>
>LOL!
>
>Honestly, what "larger" ISP isn't using Sendmail?  I don't think they 
>answer the phone, but it's free and there are 50,000 different utilities 
>to make it do whatever you want.  Ipswitch would seem to be the leading 
>non-groupware E-mail system for Windows, followed by MDaemon and SLMail 
>(I'm sure there are others of course and the order may be
>different).
>
>It's a crying shame that IMail has such a basic shortcoming.  One might 
>think that was purposeful.
>
>Matt
>
>


[Declude.JunkMail] Bogus IP

2003-08-22 Thread Bill B.
What does this line mean in the declude log:

08/22/2003 08:53:39 Q124905aa0274e442 Bogus IP: ?.?.?.?


Thanks,
Bill




Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Bill B.
Matthew, your MAILPOLICE tests are configured wrong.  Those are rhsbl tests, not ip4r 
tests.  The config lines should read...

MAILPOLICE-BULK  rhsbl  bulk.rhs.mailpolice.com  127.0.0.2  10  0
MAILPOLICE-PORN  rhsbl  porn.rhs.mailpolice.com  127.0.0.2  10  0


Bill


-Original Message-
From: Matthew Bramble
Sent: Wed, 20 Aug 2003 21:27:15 -0400
Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?


I'd also like to share my configuration.  We have about 50 E-mail 
domains with about 250 users, with many addresses listed in who-is 
records and on Web sites, along with "nobody" alias redirection for all 
domains.  This results in a lot of garbage coming our way.  We are 
definitely capturing 95%-97% of all the spam currently and our false 
reject rate is less than 1-3 in 1000, most of which is automated 
delivery messages, with user exceptions being mostly of the variety of 
open relay users or that one person that uses Base64 encoding from a 
poorly configured server.  Unfortunately some addresses get literally 
hundreds of spams a day, often it's their own fault, but they need more 
relief than I have been giving them.

I don't have the time to constantly monitor rejected mail (about ~15,000 
a week), so we generally kill it at a score of 10 unless we tweak the 
settings, in which case we monitor it as I am doing now.  I think our 
setup even without the Alligate is quite solid after a year of playing 
with it occasionally, but it needs more than RFC and blacklist tests to 
close the gap that's left.  This BONDEDSENDER thing also looks like it 
has promise as I found 19 examples today of E-mail that was saved, 
probably all of it was ad-related, and some I would probably consider 
spam, but not the brutal idiotic stuff that goes to harvested 
addresses.  I'm going to capture those messages for review since I can 
only see the senders now.  Anyway, here's the beef of my config file:

--8<
SBL                  ip4r   sbl.spamhaus.org               127.0.0.2   10   0
OSSOFT               ip4r   relays.osirusoft.com           127.0.0.6   10   0
SPAMCOP              ip4r   bl.spamcop.net                 127.0.0.2   10   0
FIVETEN-BULK         ip4r   blackholes.five-ten-sg.com     127.0.0.4   10   0
MAILPOLICE-BULK      ip4r   bulk.rhs.mailpolice.com        127.0.0.2   10   0
MAILPOLICE-PORN      ip4r   porn.rhs.mailpolice.com        127.0.0.2   10   0
OSSRC                ip4r   relays.osirusoft.com           127.0.0.4   7    0
EASYNET-DNSBL        ip4r   blackholes.easynet.nl          127.0.0.2   7    0
EASYNET-PROXIES      ip4r   proxies.blackholes.easynet.nl  127.0.0.2   7    0
FIVETEN-SPAMSUPPORT  ip4r   blackholes.five-ten-sg.com     127.0.0.7   7    0
FIVETEN-MISC         ip4r   blackholes.five-ten-sg.com     127.0.0.9   7    0
BLITZEDALL           ip4r   opm.blitzed.org                *           7    0
DSBL                 ip4r   list.dsbl.org                  *           5    0
MONKEYPROXIES        ip4r   proxies.relays.monkeys.com     *           5    0
OSFORM               ip4r   relays.osirusoft.com           127.0.0.8   5    0
OSPROXY              ip4r   relays.osirusoft.com           127.0.0.9   5    0
FIVETEN-SPAM         ip4r   blackholes.five-ten-sg.com     127.0.0.2   5    0
FIVETEN-MULTISTAGE   ip4r   blackholes.five-ten-sg.com     127.0.0.5   5    0
FIVETEN-SINGLESTAGE  ip4r   blackholes.five-ten-sg.com     127.0.0.6   5    0
FIVETEN-FREE         ip4r   blackholes.five-ten-sg.com     127.0.0.12  5    0
MONKEYFORMMAIL       ip4r   formmail.relays.monkeys.com    *           4    0
ORDB                 ip4r   relays.ordb.org                *           4    0
OSDUL                ip4r   relays.osirusoft.com           127.0.0.3   4    0
OSRELAY              ip4r   relays.osirusoft.com           127.0.0.2   4    0
OSSMART              ip4r   relays.osirusoft.com           127.0.0.5   4    0
V6NET                ip4r   spammers.v6net.org             127.0.0.2   4    0
OSLIST               ip4r   relays.osirusoft.com           127.0.0.7   2    0
DSN                  rhsbl  dsn.rfc-ignorant.org           127.0.0.2   1    0
NOABUSE              rhsbl  abuse.rfc-ignorant.org         127.0.0.4   1    0
NOPOSTMASTER         rhsbl  postmaster.rfc-ignorant.org    127.0.0.3   1    0
BONDEDSENDER         ip4r   query.bondedsender.org         127.0.0.10  -20  0

MAILFROM     envfrom      x  x  7  0
ROUTING      spamrouting  x  x  7  0
HELOBOGUS    helovalid    x  x  5  0
SPAMHEADERS  spamheaders  x  x  5  0
BADHEADERS   badheaders   x  x  3  0
BASE64       base64       x  x  3  0
PERCENT      percent      x  x  2  0
IPNOTINMX    ipno
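
Added example (not part of the thread and not Declude's code): the ip4r/rhsbl difference Bill points out, shown as the DNS name each test type looks up. The sample config lines, the MAILPOLICE-WRONG name, the 192.0.2.25 client address, sender@example.com and the "rhs" label heuristic in lint() are assumptions made for illustration.

```python
import ipaddress

# Constructed Declude-style test lines: name, type, zone, answer, weight, weight.
# MAILPOLICE-WRONG is a hypothetical name repeating the ip4r mistake from the thread.
SAMPLE_CONFIG = """\
SPAMCOP           ip4r   bl.spamcop.net           127.0.0.2  10  0
MAILPOLICE-BULK   rhsbl  bulk.rhs.mailpolice.com  127.0.0.2  10  0
MAILPOLICE-WRONG  ip4r   bulk.rhs.mailpolice.com  127.0.0.2  10  0
"""


def parse_tests(text):
    """Return one dict per well-formed six-column test line."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0].startswith("#"):
            continue
        name, kind, zone, answer, weight, _ = fields
        tests.append({"name": name, "kind": kind.lower(), "zone": zone,
                      "answer": answer, "weight": int(weight)})
    return tests


def ip4r_name(client_ip, zone):
    """IP-based list: reverse the octets of the connecting IP, append the zone."""
    octets = ipaddress.IPv4Address(client_ip).packed  # raises on a bad address
    return ".".join(str(b) for b in reversed(octets)) + "." + zone


def rhsbl_name(mail_from, zone):
    """Domain-based list: take the right-hand side of the sender address."""
    domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower().rstrip(".")
    if not domain:
        raise ValueError("sender has no domain (null sender?)")
    return domain + "." + zone


def query_name(test, client_ip, mail_from):
    """Build the name that would be resolved for one test and one message."""
    if test["kind"] == "ip4r":
        return ip4r_name(client_ip, test["zone"])
    if test["kind"] == "rhsbl":
        return rhsbl_name(mail_from, test["zone"])
    raise ValueError("unsupported test type: " + test["kind"])


def lint(tests):
    """Flag ip4r tests aimed at a zone with an 'rhs' label (heuristic, an assumption)."""
    return [t["name"] for t in tests
            if t["kind"] == "ip4r" and "rhs" in t["zone"].split(".")]


def demo():
    """Query names for a constructed message from 192.0.2.25 / sender@example.com."""
    tests = parse_tests(SAMPLE_CONFIG)
    return {t["name"]: query_name(t, "192.0.2.25", "<sender@example.com>")
            for t in tests}


if __name__ == "__main__":
    for name, qname in demo().items():
        print(f"{name:18} {qname}")
    print("suspect ip4r tests:", lint(parse_tests(SAMPLE_CONFIG)))
```

With the ip4r type, the right-hand-side zone is asked about a reversed IP address rather than the sender's domain, which is not what a domain-based list is keyed on.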

Re: [Declude.JunkMail] New spamcop style RBL..

2003-07-27 Thread Bill B.
I was thinking more along the lines of seeing in the report that particular IPs send 
us 100% spam, so then I'd manually add those IPs to our firewall rules.

But I just signed up today and I haven't seen my first Trustic report yet, so I don't 
know what's possible yet.

Bill


-Original Message-
From: "Joshua Levitsky"
Sent: Sun, 27 Jul 2003 12:13:12 -0400
Subject: Re: [Declude.JunkMail] New spamcop style RBL..



- Original Message - 
From: "Bill B." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 27, 2003 11:29 AM
Subject: Re: [Declude.JunkMail] New spamcop style RBL..


> Hmm... I wonder how effectively that data could be used to generate lists
> of IPs to block at the firewall level.  That'll be interesting to look at.

You should send them a message on their contact form about maybe an XML
export of records.. or I guess you could do a zone xfer and then export from
that data to something your firewall would know what to do with unless
your firewall can use DNS records for blocking. (That would be a cool
firewall feature.)

-Josh



Re: [Declude.JunkMail] New spamcop style RBL..

2003-07-27 Thread Bill B.
Hmm... I wonder how effectively that data could be used to generate lists of IPs to 
block at the firewall level.  That'll be interesting to look at.

Bill


-Original Message-
From: "Omar K."
Sent: Sun, 27 Jul 2003 18:32:53 +0200
Subject: RE: [Declude.JunkMail] New spamcop style RBL..


Yes, same here, I noticed that it is tagging IP's that have not been caught
by easynet or osirusoft.


Another really cool thing about this service, is the stat report they send
you at the end of the day, tells you what IP's they blocked for you, what
IP's you gave a good positive, and other general stat.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill B.
Sent: Sunday, July 27, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New spamcop style RBL..


I just registered and turned it on, and it seems to have a lot of spam IPs
listed.  I'll keep an eye out for false positives.

Bill


-Original Message-
From: "Joshua Levitsky"
Sent: Sun, 27 Jul 2003 10:43:24 -0400
Subject: Re: [Declude.JunkMail] New spamcop style RBL..



- Original Message - 
From: "Smart Business Lists" <[EMAIL PROTECTED]>
To: "Joshua Levitsky" <[EMAIL PROTECTED]>
Sent: Sunday, July 27, 2003 9:20 AM
Subject: Re: [Declude.JunkMail] New spamcop style RBL..


> Saturday, July 26, 2003 you wrote:
> JL> http://www.trustic.com/
> JL> Trustic is a new solution to the problem of unsolicited email.
>
>   It is going to be a subscription service -
>
> "Companies, and individuals who receive a large amount of email
> will be required to pay for access to the block list."

Yes, but it depends on what "large" is. It was created by the guy that made
Yahoo's groups before Yahoo owned them. I am willing to try it during the
beta and block some mail, and hope that it has a setup like Spamcop for
pricing. I actually donate to spamcop to make submissions. I would be
willing to give Trustic something to help them stay in business. Not a
lot... but something and right now it is free so give it a try...

-Josh



Re: [Declude.JunkMail] New spamcop style RBL..

2003-07-27 Thread Bill B.
I just registered and turned it on, and it seems to have a lot of spam IPs listed.  
I'll keep an eye out for false positives.

Bill


-Original Message-
From: "Joshua Levitsky"
Sent: Sun, 27 Jul 2003 10:43:24 -0400
Subject: Re: [Declude.JunkMail] New spamcop style RBL..



- Original Message - 
From: "Smart Business Lists" <[EMAIL PROTECTED]>
To: "Joshua Levitsky" <[EMAIL PROTECTED]>
Sent: Sunday, July 27, 2003 9:20 AM
Subject: Re: [Declude.JunkMail] New spamcop style RBL..


> Saturday, July 26, 2003 you wrote:
> JL> http://www.trustic.com/
> JL> Trustic is a new solution to the problem of unsolicited email.
>
>   It is going to be a subscription service -
>
> "Companies, and individuals who receive a large amount of email
> will be required to pay for access to the block list."

Yes, but it depends on what "large" is. It was created by the guy that made
Yahoo's groups before Yahoo owned them. I am willing to try it during the
beta and block some mail, and hope that it has a setup like Spamcop for
pricing. I actually donate to spamcop to make submissions. I would be
willing to give Trustic something to help them stay in business. Not a
lot... but something and right now it is free so give it a try...

-Josh



[Declude.JunkMail] AUTH emails can be flagged

2003-07-02 Thread Bill B.
Scott,

I noticed that IMail 8.0 HF1 now includes the anticipated "A" lines in the Q*.SMD 
files when a user is authenticated via SMTP AUTH.  The format is:

[EMAIL PROTECTED]

Can you incorporate this into a new test so that we can reduce the weight on emails 
that are sent using SMTP Authentication?

Thanks,
Bill




Re: [Declude.JunkMail] Tar Pitting

2003-06-18 Thread Bill B.

> and send mail only at the speed that IMail can handle

I'm curious, what rate did you find Imail capable of handling before it stopped 
responding?

Bill


-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 18 Jun 2003 13:36:44 -0700
Subject: Re: [Declude.JunkMail] Tar Pitting



Alligate for example, and I am sure most other gateways should level this out
for you anyway, and I don't think tarpitting would make a whole lot of
difference. When we are forwarding to IMail, we set the forwarding threads
fairly conservatively, and send mail only at the speed that IMail can handle
it. It is spooled and sent at a constant rate. I have seen the queue get
backed up during heavy periods, and then clear up when the load lightens. We
crashed IMail (sent processor load to 100%) a couple of times during testing
by sending it too much mail and it simply stopped responding.

Tarpitting is more to discourage spammers from sending to your server
(hopefully) and to reduce their output. We have seen a lot of them time out
after 30 seconds. Some of these are home made spam blaster programs that are
single threaded, do their own MX resolution, and can only send out messages
one at a time. It really puts the hurt on them when it takes 5-10 minutes to
send one message, so they tend to put timeouts in them and disconnect. 

Brian
 
On 06/18/03 1:08pm you wrote...
>Rick,
>
>Makes me wonder if spammers cause traffic surges/spikes that slow our
>servers down and if this would also smooth those spikes down.  Suppose a
>given sending server had 100 copies of a particular message, running only 5
>sessions (speculation) at a time, could the sessions be dragged into off
>peak hours.  If the firewall (or Alligator) could be configured to open the
>flood gates between midnight and 5am, the queues would be empty by the next
>morning.
>
>Dan
>
>
>On Wednesday, June 18, 2003 12:39, Rick Davidson <[EMAIL PROTECTED]>
>wrote:
>>I find the idea intriguing as well but if you start to slow down connections
>>wouldn't that just hold TCP connections open longer possibly making fewer
>>connections available on the server?
>>
>>One of the methods of thwarting file sharing sites is to trickle download
>>many files so that others cannot make connections, would this not have the
>>same effect as tar pitting spammers? Especially since the pro spammers send
>>the same spam run through many different servers.
>>
>>Just thinking out loud.
>>
>>Rick Davidson
>>Buckeye Internet Inc
>>www.buckeyeweb.com
>>440-953-1900 ext: 222
>>
>>- Original Message - 
>>From: "Dan Patnode" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Sent: Wednesday, June 18, 2003 3:16 PM
>>Subject: Re: [Declude.JunkMail] Tar Pitting
>>
>>
>>I'm intrigued by this idea.  During a given minute of time I may get 1000
>>messages.  1/4 of them are slowed down (occupying more SMTP/Declude
>>sessions), but the burden is spread out.
>>
>>Can this be applied to increase server capacity?  If I throttle, at the
>>firewall, the IPs of spammers, will the load on my server be
>>less?
>>
>>Has anyone tried this on a maxed out server?
>>
>>Dan
>>
>>
>>On Sunday, June 15, 2003 16:01, Rifat Levis <[EMAIL PROTECTED]> wrote:
>>>
>>>People interested in tarpitting and Declude firewall integration can read
>>>this.
>>>
>>>
>>>
>>>I just finished the tarpitting protection for my IMAIL server
>>>I am sending logs to the kiwi syslog server and forwarding it to SQL to
>>>analyse data
>>>
>>>When in a 2 min period a single IP sends mail to more than 5 unknown accounts
>>>I am blocking the IP address on my netscreen firewall for 1 hour.
>>>
>>>
>>>The next step of this is to integrate Declude to the firewall
>>>
>>>I have 3 weight
>>>weight 10 warn
>>>weight 15 warn
>>>weight 20 delete
>>>
>>>Instead of deleting weight 20 I will forward it to an account to send data
>>>to SQL analyse it and then block it for 1 hour .
>>>
>>>NOTE : I am sure that KAMI will be interested :)
>>>
>>>Best Regards
>>>Rifat Levis
>>>
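
Added example (not from the thread and not anyone's production code): the blocking rule Rifat Levis describes in the quoted message above, more than 5 unknown recipients from one IP within 2 minutes leading to a 1-hour block, run over a few log lines. The log line layout (date, time, client IP, recipient, status) and all sample addresses are constructed for illustration; they are not the IMail or Kiwi syslog format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)    # look-back period from the quoted rule
MAX_UNKNOWN = 5                  # block when MORE than this many unknown accounts
BLOCK_FOR = timedelta(hours=1)   # block duration from the quoted rule

# Constructed sample: 192.0.2.10 probes six unknown accounts in 50 seconds,
# 198.51.100.7 hits six unknown accounts spread over more than 12 minutes,
# 203.0.113.5 is an ordinary sender with a couple of typos.
SAMPLE_LOG = [
    "2003-06-15 16:00:00 192.0.2.10 u1@example.org unknown",
    "2003-06-15 16:00:10 192.0.2.10 u2@example.org unknown",
    "2003-06-15 16:00:20 192.0.2.10 u3@example.org unknown",
    "2003-06-15 16:00:30 192.0.2.10 u4@example.org unknown",
    "2003-06-15 16:00:40 192.0.2.10 u5@example.org unknown",
    "2003-06-15 16:00:50 192.0.2.10 u6@example.org unknown",
    "2003-06-15 16:01:00 192.0.2.10 u7@example.org unknown",
    "2003-06-15 16:00:00 198.51.100.7 a1@example.org unknown",
    "2003-06-15 16:02:30 198.51.100.7 a2@example.org unknown",
    "2003-06-15 16:05:00 198.51.100.7 a3@example.org unknown",
    "2003-06-15 16:07:30 198.51.100.7 a4@example.org unknown",
    "2003-06-15 16:10:00 198.51.100.7 a5@example.org unknown",
    "2003-06-15 16:12:30 198.51.100.7 a6@example.org unknown",
    "2003-06-15 16:00:05 203.0.113.5 bob@example.org ok",
    "2003-06-15 16:00:15 203.0.113.5 bbo@example.org unknown",
    "2003-06-15 16:00:25 203.0.113.5 alcie@example.org unknown",
]


def parse(line):
    """Split one constructed log line into (timestamp, ip, recipient, status)."""
    date, time, ip, rcpt, status = line.split()
    ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return ts, ip, rcpt, status


def find_blocks(lines):
    """Return (ip, blocked_from, blocked_until) for every IP that trips the rule."""
    recent = defaultdict(deque)   # ip -> (timestamp, recipient) of unknown-user hits
    blocked_until = {}
    blocks = []
    for ts, ip, rcpt, status in sorted(parse(l) for l in lines):
        if status != "unknown":
            continue
        if ip in blocked_until and ts < blocked_until[ip]:
            continue              # already blocked at the firewall, nothing to count
        hits = recent[ip]
        hits.append((ts, rcpt))
        while hits and ts - hits[0][0] > WINDOW:
            hits.popleft()        # drop hits that fell out of the 2-minute window
        # Count distinct accounts so retries to one address do not trip the rule.
        if len({r for _, r in hits}) > MAX_UNKNOWN:
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, ts + BLOCK_FOR))
            hits.clear()
    return blocks


if __name__ == "__main__":
    for ip, start, end in find_blocks(SAMPLE_LOG):
        print(f"block {ip} from {start} until {end}")
```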

Re: [Declude.JunkMail] How to stop this...

2003-06-16 Thread Bill B.
You can set up a filter to add a weight for that IP specifically:

HELO  10  CONTAINS  216.220.106.24

Or you could set up a filter to add a weight to any email that uses an IP as its HELO:

HELO  10  ENDSWITH  0
HELO  10  ENDSWITH  1
HELO  10  ENDSWITH  2
HELO  10  ENDSWITH  3
HELO  10  ENDSWITH  4
HELO  10  ENDSWITH  5
HELO  10  ENDSWITH  6
HELO  10  ENDSWITH  7
HELO  10  ENDSWITH  8
HELO  10  ENDSWITH  9


Bill


-Original Message-
From: "David"
Sent: Mon, 16 Jun 2003 22:57:22 +0300
Subject: [Declude.JunkMail] How to stop this...


Hi all,

Sorry about the subject being so generic but I was not sure how to call the
following.  I have been seeing the following in the headers of some email:

Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com

The first IP is the IP of the mail server.  I am not sure how to refer to
this but is there a test in JunkMail that tests for this?

Thanks,

David

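
Added example (not from the thread and not Declude code): how the ten ENDSWITH-digit rules in the reply above compare with an actual check for an IPv4 literal in the HELO. Every HELO string except 216.220.106.24 is constructed for illustration.

```python
import ipaddress

# 216.220.106.24 is the HELO quoted in the thread; the rest are constructed.
SAMPLE_HELOS = [
    "216.220.106.24",
    "[192.0.2.7]",        # bracketed address literal
    "mail.example.com",
    "mailhost2",          # unqualified host name ending in a digit
    "host-192-0-2-7",     # host name that merely embeds an address
]


def ends_with_digit(helo):
    """What the ten 'HELO 10 ENDSWITH <digit>' rules test, taken together."""
    return helo.strip()[-1:].isdigit()


def is_ipv4_literal(helo):
    """True when the HELO is a dotted quad, with or without square brackets."""
    value = helo.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def compare(helos):
    """Label each HELO by which of the two checks fires."""
    rows = []
    for helo in helos:
        rule, literal = ends_with_digit(helo), is_ipv4_literal(helo)
        if rule and literal:
            verdict = "both"
        elif rule:
            verdict = "rule only"       # weighted although it is not an IP
        elif literal:
            verdict = "literal only"    # an IP the ENDSWITH rules do not see
        else:
            verdict = "neither"
        rows.append((helo, verdict))
    return rows


if __name__ == "__main__":
    for helo, verdict in compare(SAMPLE_HELOS):
        print(f"{helo:18} {verdict}")
```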


Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration integration integration integration integration integration integrationintegration integration integration integration integration integrationintegration integration

2003-06-16 Thread Bill B.
This approach is a bit different than IMGate because it creates a dynamic tarpit, 
based on the "spamminess" of the email.  The more tests it fails, the slower the 
connection gets...IN REAL TIME!  That's the cool part.  From what I understand, IMGate 
can only drop the connection...it cannot slow the connection down.

With TarProxy, spam tests can be run at each stage of the SMTP session, before the 
next stage begins.  For example...

EVENT: Remote Host Connects - dnsbl tests are executed and incremental delays are 
applied or connection is dropped.

EVENT: Remote Host sends EHLO - HELO-based tests are executed and incremental delays 
are applied or connection is dropped.

EVENT: Remote Host sends MAIL FROM - Domain-based tests are executed and incremental 
delays are applied or connection is dropped.

EVENT: Remote Host sends RCPT TO - Recipient-based tests are executed and incremental 
delays are applied or connection is dropped.

EVENT: Remote Host sends DATA - Content filtering is executed and incremental delays 
are applied or connection is dropped.



-Original Message-
From: Smart Business Lists
Sent: Mon, 16 Jun 2003 08:42:56 -0500
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration 
integration integration integration integration integration integration integration


Bill,

Monday, June 16, 2003 you wrote:
BB> That's what TarProxy sort of does.  TarProxy accepts the
BB> inbound SMTP connections and relays them to a backend SMTP
BB> host (imail's smtpd).  What I'm saying would be great, is if
BB> TarProxy could call "Declude-like" tests during the SMTP
BB> session... before Imail gets its hands on the email.

Well why not just go with IMGATE and Postfix - already does all
that and much, much more.



Terry Fritts
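
The per-stage scoring described in this message, sketched as an added example (not TarProxy code and not from the original posts): each SMTP event runs its tests, the cumulative score sets the delay before the reply, and the session is dropped at a threshold. The test functions, point values, thresholds and sample sessions are all assumptions constructed for illustration.

```python
"""Staged, score-driven tarpit decisions (illustrative model, not TarProxy code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

STAGES = ("CONNECT", "EHLO", "MAIL FROM", "RCPT TO", "DATA")

# Assumed policy values for this example.
DELAY_PER_POINT = 0.5   # seconds of delay per accumulated point
MAX_DELAY = 30.0        # cap so a session cannot hold a worker indefinitely
DROP_SCORE = 20         # cumulative score at which the connection is dropped

# Constructed test data.
DNSBL_LISTED = {"203.0.113.7"}
LOCAL_USERS = {"alice@example.org"}
SUSPECT_SENDER_DOMAINS = {"bulk.example"}

Test = Callable[[dict], int]   # session facts in, points out (0 means pass)


def dnsbl_test(f: dict) -> int:
    return 6 if f["ip"] in DNSBL_LISTED else 0


def helo_test(f: dict) -> int:
    return 4 if "." not in f["helo"] else 0          # unqualified HELO name


def sender_test(f: dict) -> int:
    domain = f["mail_from"].rsplit("@", 1)[-1].lower()
    return 3 if domain in SUSPECT_SENDER_DOMAINS else 0


def rcpt_test(f: dict) -> int:
    return 5 if f["rcpt_to"].lower() not in LOCAL_USERS else 0


def content_test(f: dict) -> int:
    return 8 if "BUY NOW" in f["data"].upper() else 0


TESTS: Dict[str, List[Test]] = {
    "CONNECT": [dnsbl_test], "EHLO": [helo_test], "MAIL FROM": [sender_test],
    "RCPT TO": [rcpt_test], "DATA": [content_test],
}


@dataclass
class Decision:
    stage: str
    score: int      # cumulative score after this stage
    delay: float    # seconds to wait before answering this stage
    drop: bool      # True: close the connection instead of answering


@dataclass
class TarpitSession:
    tests: Dict[str, List[Test]]
    facts: dict = field(default_factory=dict)
    score: int = 0
    dropped: bool = False

    def on_event(self, stage: str, **facts) -> Decision:
        if stage not in STAGES:
            raise ValueError(f"unknown SMTP stage: {stage}")
        if self.dropped:
            raise RuntimeError("connection already dropped")
        self.facts.update(facts)
        self.score += sum(test(self.facts) for test in self.tests.get(stage, []))
        self.dropped = self.score >= DROP_SCORE
        delay = 0.0 if self.dropped else min(self.score * DELAY_PER_POINT, MAX_DELAY)
        return Decision(stage, self.score, delay, self.dropped)


def run_session(events) -> List[Decision]:
    """Replay (stage, facts) pairs; stop at the stage where the session is dropped."""
    session = TarpitSession(TESTS)
    decisions = []
    for stage, facts in events:
        decision = session.on_event(stage, **facts)
        decisions.append(decision)
        if decision.drop:
            break
    return decisions


# Constructed sessions: one that fails every test, one that passes every test.
SPAMMY = [
    ("CONNECT", {"ip": "203.0.113.7"}),
    ("EHLO", {"helo": "localhost"}),
    ("MAIL FROM", {"mail_from": "promo@bulk.example"}),
    ("RCPT TO", {"rcpt_to": "nobody@example.org"}),
    ("DATA", {"data": "Buy now, limited offer"}),
]
CLEAN = [
    ("CONNECT", {"ip": "198.51.100.20"}),
    ("EHLO", {"helo": "mail.example.net"}),
    ("MAIL FROM", {"mail_from": "bob@example.net"}),
    ("RCPT TO", {"rcpt_to": "alice@example.org"}),
    ("DATA", {"data": "Meeting moved to 10:00"}),
]

if __name__ == "__main__":
    for d in run_session(SPAMMY):
        print(f"{d.stage:<9} score={d.score:<3} delay={d.delay:>4}s drop={d.drop}")
```

A proxy built on this would sleep for `delay` seconds before relaying the backend's reply for that stage, so a clean sender sees no slowdown at all.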




Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Bill B.

> (or be run on a mail gateway that sits in front of the IMail/Declude server).

That's what TarProxy sort of does.  TarProxy accepts the inbound SMTP connections and 
relays them to a backend SMTP host (IMail's smtpd).  What I'm saying would be great 
is if TarProxy could call "Declude-like" tests during the SMTP session... before IMail 
gets its hands on the email.

If Declude could be called as an external test by a 3rd party app, it might even be 
possible.  Declude would just have to return a return value (i.e., the weight), instead 
of handing off to smtp32.exe after it's done.

Bill



-Original Message-
From: "Bill Landry"
Sent: Mon, 16 Jun 2003 06:22:04 -0700
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration 
integration integration integration


Tarpitting can't be integrated with Declude because Declude does not answer
the client SMTP connection, IMail does (SMTPD).  Only after IMail has
received the message does it get delivered to Declude.  So, any tarpitting
would have to be integrated with IMail, not Declude (or be run on a mail
gateway that sits in front of the IMail/Declude server).

Bill
----- Original Message - 
From: "Bill B." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 16, 2003 6:02 AM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration integration integration


Cool.  We've been playing around with a few methods of tarpitting.  Check
out TarProxy by Marty Lamb (http://www.martiansoftware.com/tarproxy/)...
this tool seems to have a lot of promise.  It allows you to hook into each
stage of the SMTP session and apply incremental delays or drop the
connection based on external tests.

Wouldn't it be great if we could integrate Declude with a tool like this!

Bill



-Original Message-
From: "Rifat Levis"
Sent: Mon, 16 Jun 2003 15:51:52 +0300
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


Hi Bill ,

I wrote a small VB program.
--
Here are more details about the system.

I am using the KIWI syslog server software to send the logs to SQL.
You can specify the syslog server IP address in IMAIL. (If you run KIWI on the
same machine, you have to stop the IMAIL syslog.)

I have written a small Visual Basic program which scans the SQL database for
"ERR  INVALID USER" lines every 2 min.

My little program opens a telnet connection to the firewall and adds the IP
address to block.
Then the program removes the IP address after 1 hour.

On my firewall I wrote a global policy group to deny access to port 25,
so the software adds the IP address and specifies that it belongs to that group
lls.

I decided also to integrate DECLUDE JUNKMAIL with my firewall.
For weight over 20 I will block for 1 hour.
For weight over 30 I will block for 2 hours.
And so on.

Rifat





- Original Message - 
From: "Bill B." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 16, 2003 3:11 PM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


Rifat,

What software are you using to do the tarpitting?  Are you running it on the
same server as IMail, or on a separate box?

Bill


-Original Message-
From: "Rifat Levis"
Sent: Mon, 16 Jun 2003 02:01:45 +0300
Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration



People interested in tarpitting and Declude firewall integration can read
this.



I just finished the tarpitting protection for my IMAIL server.
I am sending logs to the Kiwi syslog server and forwarding them to SQL to
analyse the data.

When, in a 2 min period, a single IP sends mail to more than 5 unknown accounts,
I am blocking the IP address on my NetScreen firewall for 1 hour.


The next step is to integrate Declude with the firewall.

I have 3 weights:
weight 10 warn
weight 15 warn
weight 20 delete

Instead of deleting at weight 20, I will forward it to an account to send the data
to SQL, analyse it and then block it for 1 hour.

NOTE: I am sure that KAMI will be interested :)

Best Regards
Rifat Levis


Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Bill B.
Cool.  We've been playing around with a few methods of tarpitting.  Check out TarProxy 
by Marty Lamb (http://www.martiansoftware.com/tarproxy/)... this tool seems to have 
a lot of promise.  It allows you to hook into each stage of the SMTP session and apply 
incremental delays or drop the connection based on external tests.

Wouldn't it be great if we could integrate Declude with a tool like this!

Bill



-Original Message-
From: "Rifat Levis"
Sent: Mon, 16 Jun 2003 15:51:52 +0300
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration 
integration


Hi Bill ,

I wrote a small VB program.
--
Here are more details about the system.

I am using the KIWI syslog server software to send the logs to SQL.
You can specify the syslog server IP address in IMAIL. (If you run KIWI on the
same machine, you have to stop the IMAIL syslog.)

I have written a small Visual Basic program which scans the SQL database for
"ERR  INVALID USER" lines every 2 min.

My little program opens a telnet connection to the firewall and adds the IP
address to block.
Then the program removes the IP address after 1 hour.

On my firewall I wrote a global policy group to deny access to port 25,
so the software adds the IP address and specifies that it belongs to that group
lls.

I decided also to integrate DECLUDE JUNKMAIL with my firewall.
For weight over 20 I will block for 1 hour.
For weight over 30 I will block for 2 hours.
And so on.

Rifat





- Original Message - 
From: "Bill B." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 16, 2003 3:11 PM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


Rifat,

What software are you using to do the tarpitting?  Are you running it on the
same server as IMail, or on a separate box?

Bill


-Original Message-
From: "Rifat Levis"
Sent: Mon, 16 Jun 2003 02:01:45 +0300
Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration



People interested in tarpitting and Declude firewall integration can read
this.



I just finished the tarpitting protection for my IMAIL server.
I am sending logs to the Kiwi syslog server and forwarding them to SQL to
analyse the data.

When, in a 2 min period, a single IP sends mail to more than 5 unknown accounts,
I am blocking the IP address on my NetScreen firewall for 1 hour.


The next step is to integrate Declude with the firewall.

I have 3 weights:
weight 10 warn
weight 15 warn
weight 20 delete

Instead of deleting at weight 20, I will forward it to an account to send the data
to SQL, analyse it and then block it for 1 hour.

NOTE: I am sure that KAMI will be interested :)

Best Regards
Rifat Levis



Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

2003-06-16 Thread Bill B.
Rifat,

What software are you using to do the tarpitting?  Are you running it on the same 
server as IMail, or on a separate box? 

Bill


-Original Message-
From: "Rifat Levis"
Sent: Mon, 16 Jun 2003 02:01:45 +0300
Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration



People interested in tarpitting and Declude firewall integration can read
this.



I just finished the tarpitting protection for my IMAIL server.
I am sending logs to the Kiwi syslog server and forwarding them to SQL to
analyse the data.

When, in a 2 min period, a single IP sends mail to more than 5 unknown accounts,
I am blocking the IP address on my NetScreen firewall for 1 hour.


The next step is to integrate Declude with the firewall.

I have 3 weights:
weight 10 warn
weight 15 warn
weight 20 delete

Instead of deleting at weight 20, I will forward it to an account to send the data
to SQL, analyse it and then block it for 1 hour.

NOTE: I am sure that KAMI will be interested :)

Best Regards
Rifat Levis
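
The detection rule described in this thread (more than 5 unknown accounts from one IP within 2 minutes, then a 1 hour block, plus the weight-based block durations from the follow-up), as an added example that is not the VB program from the posts. The log line layout, the allowlist, the action tuples standing in for firewall commands and the "+1 hour per 10 points" reading of "and so on" are assumptions; the sample log is constructed.

```python
"""Log-driven temporary blocking (illustrative model of the scheme in this thread)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)     # "in a 2 min period"
MAX_UNKNOWN = 5                   # "more than 5 unknown accounts"
BLOCK_FOR = timedelta(hours=1)    # "for 1 hour"
ALLOWLIST = {"192.0.2.10"}        # hypothetical: own relay, never blocked
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Assumed line layout for this example; real IMail/Kiwi records differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"ERR\s+INVALID USER (?P<rcpt>\S+)$"
)


class InvalidUserBlocker:
    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> deque of (time, recipient)
        self.blocked_until = {}            # ip -> expiry time
        self.actions = []                  # (time, "ADD" | "REMOVE", ip)

    def _expire(self, now):
        # Expiry is evaluated when the next record arrives; the recorded time
        # is the scheduled expiry, which a timer would use in production.
        for ip, until in sorted(self.blocked_until.items(), key=lambda kv: kv[1]):
            if until <= now:
                del self.blocked_until[ip]
                self.actions.append((until.strftime(TS_FMT), "REMOVE", ip))

    def feed(self, line):
        m = LINE_RE.match(line.strip())
        if m is None:
            return                         # not an invalid-user record
        now = datetime.strptime(m["ts"], TS_FMT)
        ip, rcpt = m["ip"], m["rcpt"].lower()
        self._expire(now)
        if ip in ALLOWLIST or ip in self.blocked_until:
            return
        window = self.recent[ip]
        window.append((now, rcpt))
        while now - window[0][0] > WINDOW:  # drop events older than the window
            window.popleft()
        # Count distinct unknown accounts, so retries to one address do not add up.
        if len({r for _, r in window}) > MAX_UNKNOWN:
            self.blocked_until[ip] = now + BLOCK_FOR
            self.actions.append((now.strftime(TS_FMT), "ADD", ip))
            window.clear()


def block_hours_for_weight(weight: int) -> int:
    """Over 20 -> 1 hour, over 30 -> 2 hours; further steps are an assumption."""
    return max(0, (weight - 1) // 10 - 1)


def _burst(ip, start, step_seconds, count):
    """Build constructed log lines: `count` unknown recipients, evenly spaced."""
    t0 = datetime.strptime(start, TS_FMT)
    return [
        f"{(t0 + timedelta(seconds=i * step_seconds)).strftime(TS_FMT)} {ip} "
        f"ERR  INVALID USER user{i}@example.org"
        for i in range(count)
    ]


# Constructed sample: a fast harvester, a slow sender, an allowlisted relay,
# and one late record that triggers expiry of the first block.
SAMPLE_LOG = sorted(
    _burst("198.51.100.23", "2003-06-16 02:00:00", 10, 6)
    + _burst("203.0.113.9", "2003-06-16 02:00:00", 150, 6)
    + _burst("192.0.2.10", "2003-06-16 02:01:00", 5, 8)
    + _burst("203.0.113.9", "2003-06-16 03:10:00", 1, 1)
)


def replay(lines):
    blocker = InvalidUserBlocker()
    for line in lines:
        blocker.feed(line)
    return blocker.actions


if __name__ == "__main__":
    for action in replay(SAMPLE_LOG):
        print(action)
```

Only the fast sender is blocked: the slow sender never has more than one event inside the window, and the allowlisted relay is skipped regardless of volume.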



Re: [Declude.JunkMail] Spamdomains: Altavista

2003-06-13 Thread Bill B.
No, they don't have any paid email service.  They used to outsource their free mail 
service to Critical Path, but were paying too much for it with little ROI, so they 
just cut it out altogether.

However I'd bet their corporate users still use @altavista.com, so always adding a 
weight may cause problems if your users receive mail from Altavista corporate.  But I 
bet all their employees will be switching to @overture.com email accounts soon anyway, 
so it might not be an issue.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Fri, 13 Jun 2003 11:51:57 -0400
Subject: RE: [Declude.JunkMail] Spamdomains: Altavista


Hi Bill:

This is good to know... 

Do they have any paid service, or is any email with Altavista not correct?
If they are not serving it then this email should not exist.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill B.
Sent: Friday, June 13, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spamdomains: Altavista


Altavista discontinued their free email service about 2 years ago.  So if
you're still seeing spam using their domain, you could probably just add a
weight to any email from @altavista.com.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Fri, 13 Jun 2003 06:58:41 -0400
Subject: [Declude.JunkMail] Spamdomains: Altavista


Hi;
 
Does anyone know much about Altavista for SPAMDOMAINS?
 
Regards,
Kami




Re: [Declude.JunkMail] Spamdomains: att.net

2003-06-13 Thread Bill B.
Here is my latest spamdomains list as well.  I updated the att.net as you mentioned, 
however I'd list it as "@att." in order to prevent false positives w/ something like 
"@matt.com".

Bill


-Original Message-
From: "Sheldon Koehler"
Sent: Fri, 13 Jun 2003 09:09:51 -0700
Subject: Re: [Declude.JunkMail] Spamdomains: att.net


> > I started out with Bill B.'s file and have been following this list with
> > changes. So far SPAMDOMAINS has worked like a dream.
>
> Could you post what you have so far? I was waiting for a good example file
> before I jumped in to using the test.

Attached is my latest version. But if you followed the list starting with
Bill B.'s version it should be pretty much the same. Thanks Bill!!!

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain






sd.zip
Description: Zip archive


Re: [Declude.JunkMail] Spamdomains: Altavista

2003-06-13 Thread Bill B.
Altavista discontinued their free email service about 2 years ago.  So if you're still 
seeing spam using their domain, you could probably just add a weight to any email from 
@altavista.com.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Fri, 13 Jun 2003 06:58:41 -0400
Subject: [Declude.JunkMail] Spamdomains: Altavista


Hi;
 
Does anyone know much about Altavista for SPAMDOMAINS?
 
Regards,
Kami




Re: [Declude.JunkMail] OT stunnel

2003-06-12 Thread Bill B.
Markus, the attached two files should help you.

Bill


-Original Message-
From: "Markus Gufler"
Sent: Thu, 12 Jun 2003 16:41:13 +0200
Subject: [Declude.JunkMail] OT stunnel


Sorry for this OT question.

Is there anyone who can provide or knows about a good installation and
configuration guide for stunnel for Windows?
Looks like a little bit of time-consuming work to read the entire man
page.

Markus






TO GENERATE A .pem FILE DO THE FOLLOWING:

Start -> Run mmc.exe

Under the Console Menu choose Add/Remove Snap-in.

Choose Add then Certificates (for Computer Account, Local Computer)

Under the Console Menu choose Save As and save as “Certificates Manager”.

Open up the Certificates Manager (it will have been placed into the administration 
tools on your Start Menu)

Find the certificate you want to use (Look under Personal Certificates). Right click 
the certificate and choose Export.

When asked, reply “Yes, export the private key”. The correct export type is the 
“Personal Information Exchange PKCS12” format.

Enter a password twice, then the name of the file to export to.

The Certificates Manager will now export the file to disk.

Using the openssl tool we can extract both the private key and the certificate from 
the exported file :

Openssl pkcs12 -in  -out cert.pem -nodes

You will need to enter the password to extract the keys.

This will create a file called cert.pem


stunnel.conf
Description: Binary data


Re: [Declude.JunkMail] cs.com - SPAMDOMAINS

2003-06-08 Thread Bill B.
That is CompuServe (AOL).  Our logs show the legit email from that domain coming from 
IPs having revdns similar to this:

imo-m07.mx.aol.com

...so I'd add this entry to spamdomains:

@cs.com  .aol.com

...the @ symbol will keep it from matching senders such as "[EMAIL PROTECTED]"

Bill


-Original Message-
From: "Kami Razvan"
Sent: Sun, 8 Jun 2003 16:26:43 -0400
Subject: [Declude.JunkMail] cs.com - SPAMDOMAINS


Hi;
 
Does anyone know what entry we should have for cs.com?
 
Considering it is a 2 letter domain I think this can cause a problem with the
way spamdomain test works.  We get a lot of spam with @cs.com and it would
be good if we can put an entry for it.
 
Example header:
===
X-Mailfrom: 53lkikq5.cs.com
X-Note: Sent from: [EMAIL PROTECTED]
X-Note: Sent from Reverse DNS:  u231n155.eastlink.ca ([24.222.231.155]).
X-Hello: u231n155.eastlink.ca
X-Note: Recipient(s):  --DELETED--
X-Country-Chain: UNITED STATES->CANADA->UNITED STATES->destination
X-Spam-Prob: 0.988397
===
 
Ideas?
 
Regards,
Kami




Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread Bill B.
Ahh, I get it.  But it would have to compare the REMOTEIP to the HELO string, not to 
the REVDNS.  Because "styggen.com" in the header below indicates the HELO string sent 
by the remote mail server, rather than the REVDNS value.

> Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com

It would be difficult to maintain an accurate list of ISP CIDRs though.  So what about 
a variation of this idea where the test would force REVDNS and HELO strings to contain 
a partial match.  For example, an entry like this...

.rr.com  .rr.net

...would require a REVDNS that contains ".rr.com" to use a HELO string containing 
either ".rr.com" or ".rr.net".  Or perhaps the other way around.

Bill 


-Original Message-
From: Dan Patnode
Sent: 08 Jun 2003 12:47:11 -0700
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea


Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said "all the domains those 
IPs use".  The intent is to ignore MAILFROM (which Spam Domains already checks) and 
compare only IP with RDNS.


Scott,

Would that still be effective?


Dan


On Sunday, June 8, 2003 11:49, Bill B. <[EMAIL PROTECTED]> wrote:
>I'm not sure that I agree with this test.  I use Earthlink DSL
>at home, and I never send out emails using my "@earthlink.net"
>address.  I always use my personal or business address, neither
>of which are provided by Earthlink.
>
>I'd bet that a large percentage of DSL, Cable and Dial-up
>customers do not use the email account that their ISP provides,
>but they use their ISP's outgoing mail server because they are
>forced to due to port 25 filtering.
>
>Bill
>
>
>-Original Message-
>From: "R. Scott Perry"
>Sent: Sun, 08 Jun 2003 09:36:56 -0400
>Subject: Re: [Declude.JunkMail] SpamIPs Test Idea
>
>
>
>>Another idea for a new test, a close cousin to the SpamDomains test:
>>
>> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>>
>>This message came from a road runner IP.  How about a test where we build 
>>a list of CIDRs for a given ISP, then match it with all the domains those 
>>IPs use.  In this case, the file entry would be (I know rr doesn't use .net)
>>
>>24.208.0.0/14  rr.com   rr.net
>>
>>In this case, it would match the IP, look for both RR entries, find 
>>styggen.com and fail the message.
>
>That's a pretty neat idea.  That would work well for ISPs that don't allow 
>their customers to run a mailserver, as it would provide an easy way to 
>catch (most) mail from spammers on their networks, while allowing the 
>legitimate E-mail through.
>
>-Scott
>---
>Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
>Declude Virus: Catches known viruses and is the leader in mailserver 
>vulnerability detection.
>Find out what you have been missing: Ask for a free 30-day
>evaluation.


Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread Bill B.
I'm not sure that I agree with this test.  I use Earthlink DSL at home, and I never 
send out emails using my "@earthlink.net" address.  I always use my personal or 
business address, neither of which are provided by Earthlink.

I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the 
email account that their ISP provides, but they use their ISP's outgoing mail server 
because they are forced to due to port 25 filtering.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea



>Another idea for a new test, a close cousin to the SpamDomains test:
>
> >Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
> >(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
>
>This message came from a road runner IP.  How about a test where we build 
>a list of CIDRs for a given ISP, then match it with all the domains those 
>IPs use.  In this case, the file entry would be (I know rr doesn't use .net)
>
>24.208.0.0/14  rr.com   rr.net
>
>In this case, it would match the IP, look for both RR entries, find 
>styggen.com and fail the message.

That's a pretty neat idea.  That would work well for ISPs that don't allow 
their customers to run a mailserver, as it would provide an easy way to 
catch (most) mail from spammers on their networks, while allowing the 
legitimate E-mail through.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
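
The test proposed in this thread, as an added example (not Declude code; no such test is shown to exist on this page): the CIDR-to-domain rule applied to the HELO name from the sample Received header, and the REVDNS-to-HELO variant suggested in the later reply. Function names are hypothetical, matching is assumed to be a case-insensitive substring match, and the rDNS hostnames are constructed.

```python
"""Two variants of the proposed "SpamIPs" test (illustrative model only)."""
import ipaddress
import re

# Matches the header layout quoted in the thread: "from <HELO> [<IP>] by <host>".
RECEIVED_RE = re.compile(r"^Received: from (?P<helo>\S+) \[(?P<ip>[0-9.]+)\] by \S+")

SAMPLE_RECEIVED = "Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com"


def parse_received(header: str):
    """Return (helo, ip) from a Received line in the layout shown above."""
    m = RECEIVED_RE.match(header)
    if m is None:
        raise ValueError("unrecognised Received header layout")
    return m["helo"].lower(), m["ip"]


def parse_cidr_rules(text: str):
    """Lines of: <CIDR> <domain> [<domain> ...]"""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 2:
            rules.append((ipaddress.ip_network(cols[0]), [c.lower() for c in cols[1:]]))
    return rules


def cidr_helo_fails(rules, ip: str, helo: str) -> bool:
    """Fail when the IP is inside a listed range but HELO names none of its domains."""
    addr = ipaddress.ip_address(ip)
    helo = helo.lower()
    return any(
        addr in net and not any(domain in helo for domain in domains)
        for net, domains in rules
    )


def parse_rdns_rules(text: str):
    """Lines of: <rDNS part> [<extra allowed HELO part> ...]"""
    rules = []
    for line in text.splitlines():
        cols = [c.lower() for c in line.split()]
        if cols:
            # HELO may contain any column, including the rDNS part itself.
            rules.append((cols[0], cols))
    return rules


def rdns_helo_fails(rules, rdns, helo: str) -> bool:
    """Fail when rDNS matches a rule but HELO contains none of the allowed parts."""
    if not rdns:                 # no rDNS available: rule cannot be applied
        return False
    rdns, helo = rdns.lower(), helo.lower()
    return any(
        key in rdns and not any(part in helo for part in allowed)
        for key, allowed in rules
    )


CIDR_RULES = parse_cidr_rules("24.208.0.0/14  rr.com   rr.net")
RDNS_RULES = parse_rdns_rules(".rr.com  .rr.net")

if __name__ == "__main__":
    helo, ip = parse_received(SAMPLE_RECEIVED)
    print("CIDR variant fails:", cidr_helo_fails(CIDR_RULES, ip, helo))
    # Constructed rDNS name for illustration.
    print("rDNS variant fails:",
          rdns_helo_fails(RDNS_RULES, "host-243.example.rr.com", helo))
```

Neither variant looks at MAIL FROM, so a customer relaying through the ISP with a non-ISP sender address is judged only on what the connecting host says about itself.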



Re: [Declude.JunkMail] SMTP authorized versus random email

2003-06-08 Thread Bill B.
Kami,

Eric Shanbrom from IPSwitch told me that they would be adding a new line to the Q*.SMD 
queue files which would indicate whether the SMTP session was authenticated.  The line 
would begin with an "A" and contain the Authorized User that sent the email.  This 
line would get added by SMTPD32 if the user AUTHed, or by IMail1 when using imail1.exe 
to send emails (from IWebMsg or command line).

Eric originally said this would be added in v7.14, but it was not.  Perhaps it was 
added in v8.0; however, we're not running 8.0 yet so I don't know if it was actually 
added or not.  But if it was, this would make it possible for Scott to add a test that 
flags authenticated SMTP sessions.

Bill


-Original Message-
From: "Kami Razvan"
Sent: Sun, 8 Jun 2003 11:18:46 -0400
Subject: [Declude.JunkMail] SMTP authorized versus random email


Hi;
 
If we require SMTP authorization before an email is sent from our server
then if I get an email that has my email in the FROM address & is not sent
by me has to have my email placed there randomly or as a means to bypass our
filters.  Right? Wrong?
 
I guess if there was a way to mandate emails with From addresses that exist
in the server have to pass certain criteria before being considered
legitimately from the sender.  One such test is simply knowing all the users
on the server and treating those with certain criteria.
 
Is there any way this can be flagged or a header added for emails that are
coming from the local user base and if so if they are authenticated or not?
 
Regards,
Kami




Re: [Declude.JunkMail] spamdomains list

2003-06-06 Thread Bill B.
Dan,

Those will work, but only because the revdns for legit email from those domains will 
always match "outblaze.com" and will never match "accountant.com" and the others.

I'd leave those "@" symbols if I were you, because these outblaze domains use generic 
dictionary words.  So without the @ you will run the risk of matching unintended 
domains such as "myaccountant.com", "business-in-asia.com".

Bill


-Original Message-
From: Dan Patnode
Sent: 06 Jun 2003 15:33:26 -0700
Subject: Re: [Declude.JunkMail] spamdomains list


So then these also won't work:

@2die4.com  outblaze.com
@accountant.com outblaze.com
@adexec.com outblaze.com
@africamail.com outblaze.com
@allergist.com  outblaze.com
@alumnidirector.com outblaze.com
@archaeologist.com  outblaze.com
@arcticmail.com outblaze.com
@artlover.com   outblaze.com
@asia.com   outblaze.com

I'll take the @'s out

Dan



On Thursday, June 5, 2003 13:33, R. Scott Perry <[EMAIL PROTECTED]> wrote:
>
>>@tin.it  Tin.it
>>@tin.it  Tuttopmi.it
>>@tin.it  Flexmail.it
>>
>>Scott, would you confirm?
>
>I'm not sure this will work.
>
>The problem is that when Declude JunkMail sees the line "@tin.it  Tin.it", 
>if the reverse DNS is "mail.Tuttopmi.it", Declude JunkMail will fail the 
>test (even though it matches the next line, Declude JunkMail won't know 
>that that should cancel out a previous line that failed).
>
>-Scott
>---
>Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
>Declude Virus: Catches known viruses and is the leader in mailserver 
>vulnerability detection.
>Find out what you have been missing: Ask for a free 30-day
>evaluation.
>


Re: [Declude.JunkMail] Spamdomains

2003-06-03 Thread Bill B.
Actually, I didn't even notice... That was "quest" not "qwest".  The previous entry 
for "qwest." should be fine:

qwest.

But just to be safe, it could be changed to:

@qwest.  .qwest.



-----Original Message-
From: "Bill B."
Sent: Mon, 02 Jun 2003 23:44:38 EST
Subject: Re: Spamdomains


Thanks for pointing that out.  Perhaps the following will work better:

@qwest.  .quest.

I have also added these:

ameritech.net  yahoo.com
@go.com  .go.com



-Original Message-
From: Dan Patnode
Sent: 02 Jun 2003 21:32:03 -0700
Subject: Spamdomains


Interesting FP today:

Msg failed SpamDomains (Spamdomain 'quest.' found: Address of [EMAIL PROTECTED] sent 
from invalid imo-r06.mx.aol.com.). 

quest is not the same as qwest AND mapquest is owned by aol.

Dan








Re: [Declude.JunkMail] Spamdomains

2003-06-03 Thread Bill B.
Thanks for pointing that out.  Perhaps the following will work better:

@qwest.  .quest.

I have also added these:

ameritech.net  yahoo.com
@go.com  .go.com



-Original Message-
From: Dan Patnode
Sent: 02 Jun 2003 21:32:03 -0700
Subject: Spamdomains


Interesting FP today:

Msg failed SpamDomains (Spamdomain 'quest.' found: Address of [EMAIL PROTECTED] sent 
from invalid imo-r06.mx.aol.com.). 

quest is not the same as qwest AND mapquest is owned by aol.

Dan






[Declude.JunkMail] updated spamdomains list

2003-05-31 Thread Bill B.
Here is my updated list that we're using based on today's discussions and further 
review of our log data.  Let me know if anybody sees any errors or omissions.

Would anybody like to expand on the Lycos domains?  I know they offer free email 
accounts at several of their international domain names, however the RevDNS doesn't 
always include ".lycos."

Bill





sd.zip
Description: Zip archive


Re: [Declude.JunkMail] spamdomains list

2003-05-31 Thread Bill B.
Are you running the latest beta (1.70)?  From the release notes, a REVDNS timeout 
should not cause SPAMDOMAINS to fail...

- SPAMDOMAINS test will now not get triggered if reverse DNS times out

Bill


-Original Message-
From: "Frederick Samarelli"
Sent: Fri, 30 May 2003 15:49:30 -0400
Subject: Re: [Declude.JunkMail] spamdomains list


John,

In your list you have: microsoft.com msn.com

How can we prevent this from happening? This is a good MS email but failed
the test.

Msg failed SPAMDOMAINS (Spamdomain 'microsoft.com' found: Address of
[EMAIL PROTECTED]
sent from invalid [No Reverse DNS].). Action=WARN.

- Original Message - 
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 30, 2003 3:15 PM
Subject: RE: [Declude.JunkMail] spamdomains list


> > > If someone has a comprehensive spamdomains listing they are happy
> > > with,could they post it for others to analyze/use?
> >
> >Uh, see the original post that started this thread.
>
> I would, except the list archives are still down.

Would not be in the archives even if they were up. This thread was started
at about 7:40 this morning (PDT), and if you received the follow-up post you
would also have received the original post by Bill B.

Attached is the file that Bill sent to this list at 7:40 THIS morning. (PDT)
(About 4 1/2 hours ago.)

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




Re: [Declude.JunkMail] spamdomains list

2003-05-31 Thread Bill B.
Ok, that makes sense.  It might be beneficial if Declude were to strip the @ symbol 
when doing the revdns comparison.  That would allow the @mail.com entry to match any 
revdns that has "mail.com" or "outblaze.com" in it.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Fri, 30 May 2003 14:53:24 -0400
Subject: Re: [Declude.JunkMail] spamdomains list



>How about this?...is this format allowed in order to prevent 
>"anythingmail.com" and "ihateyahoo.com" from matching:
>
>@mail.com  outblaze.com
>@yahoo.

Since reverse DNS entries won't have an "@" in them, only the first one 
would work, and would require that mail from @mail.com have a reverse DNS 
entry that includes "outblaze.com" in it.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] spamdomains list

2003-05-31 Thread Bill B.
How about this?...is this format allowed in order to prevent "anythingmail.com" and 
"ihateyahoo.com" from matching:

@mail.com  outblaze.com
@yahoo.


Bill


-Original Message-
From: "R. Scott Perry"
Sent: Fri, 30 May 2003 14:06:11 -0400
Subject: Re: [Declude.JunkMail] spamdomains list



>Ah, so I assume a line like this could cause problems then because it 
>would require that "anythingmail.com" must have either mail.com or 
>outblaze.com in their REVDNS.  Is that correct?
>
>mail.com  outblaze.com

Correct.

However, the potential problems with this are minimal, because if the 
mailserver for "anythingmail.com" has a reverse DNS entry pointing back to 
"*.anythingmail.com", it won't fail the test.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] spamdomains list

2003-05-31 Thread Bill B.
Ah, so I assume a line like this could cause problems then because it would require 
that "anythingmail.com" must have either mail.com or outblaze.com in their REVDNS.  Is 
that correct?

mail.com  outblaze.com


Bill


-Original Message-
From: "R. Scott Perry"
Sent: Fri, 30 May 2003 13:27:24 -0400
Subject: Re: [Declude.JunkMail] spamdomains list



>I was under the impression that the spamdomains list could not include 
>partial domains, such as "yahoo.".  Scott, could you help out on this 
>one?...are partial domain entries like this allowed?
>
>yahoo.  yahoo.com

This will work fine.

For the SPAMDOMAINS test, you can have *anything* you want.  So with a line 
"yahoo. yahoo.com", any E-mail with a return address that includes 
"yahoo." in it would need to have a reverse DNS entry that contains either 
"yahoo." or "yahoo.com".

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
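
The matching rule Scott describes in these replies, modelled as a small Python sketch (an added example, not Declude's code and not something posted to the list). It assumes case-insensitive substring matching, that lines sharing a first field pool their aliases, and that a timed-out lookup can be told apart from a missing PTR record; all addresses and host names except imo-r06.mx.aol.com are constructed.

```python
"""Model of the SPAMDOMAINS rule as the replies in this thread describe it.

Added illustration only; this is not Declude's code.
"""

REVDNS_TIMEOUT = None  # lookup timed out (test is skipped, per the 1.70 note)
NO_REVDNS = ""         # lookup answered but there is no PTR record


def parse_spamdomains(text):
    """Map each first field to the set of substrings accepted in reverse DNS.

    The first field is what is searched for in the return address; it and
    every alias after it are acceptable in the reverse DNS name.
    ASSUMPTION: lines that share a first field pool their aliases.
    """
    rules = {}
    for raw in text.splitlines():
        fields = raw.lower().split()  # tabs or spaces separate the fields
        if fields:
            rules.setdefault(fields[0], set()).update(fields)
    return rules


def spamdomains_check(rules, return_address, revdns):
    """Return the entry that fails the message, or None if the test passes."""
    if revdns is REVDNS_TIMEOUT:
        return None
    sender = return_address.lower()   # ASSUMPTION: matching ignores case
    host = revdns.lower()
    for trigger, accepted in rules.items():
        # Plain substring search on both sides: no anchoring to label
        # boundaries, which is what makes 'quest.' hit 'mapquest.com'.
        if trigger in sender and not any(s in host for s in accepted):
            return trigger
    return None


def run_examples():
    """Replay the cases discussed on the list.

    Addresses and host names are constructed, except imo-r06.mx.aol.com,
    which is quoted in the thread.
    """
    cases = [
        # (label, spamdomains.txt content, return address, reverse DNS)
        ("bare 'quest.' hits mapquest", "quest.",
         "user@mapquest.com", "imo-r06.mx.aol.com"),
        ("'@qwest.' ignores mapquest", "@qwest.  .qwest.",
         "user@mapquest.com", "imo-r06.mx.aol.com"),
        ("'@qwest.' accepts qwest host", "@qwest.  .qwest.",
         "user@qwest.net", "mail.qwest.net"),
        ("'mail.com' hits anythingmail", "mail.com  outblaze.com",
         "someone@anythingmail.com", "relay.isp.example"),
        ("own-domain rDNS still passes", "mail.com  outblaze.com",
         "someone@anythingmail.com", "mx1.anythingmail.com"),
        ("'@mail.com' ignores anythingmail", "@mail.com  outblaze.com",
         "someone@anythingmail.com", "relay.isp.example"),
        ("'@mail.com' needs its alias", "@mail.com  outblaze.com",
         "user@mail.com", "smtp1.outblaze.com"),
        ("lone '@yahoo.' can never pass", "@yahoo.",
         "user@yahoo.co.uk", "web1.mail.yahoo.com"),
        ("no PTR record fails", "microsoft.com msn.com",
         "user@microsoft.com", NO_REVDNS),
        ("timeout does not trigger", "microsoft.com msn.com",
         "user@microsoft.com", REVDNS_TIMEOUT),
    ]
    return [
        (label, spamdomains_check(parse_spamdomains(text), addr, rdns))
        for label, text, addr, rdns in cases
    ]


if __name__ == "__main__":
    for label, failed_on in run_examples():
        verdict = f"FAIL on {failed_on!r}" if failed_on else "pass"
        print(f"{label:34s} {verdict}")
```
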



Re: [Declude.JunkMail] spamdomains list

2003-05-31 Thread Bill B.
I was under the impression that the spamdomains list could not include partial 
domains, such as "yahoo.".  Scott, could you help out on this one?...are partial 
domain entries like this allowed?

yahoo.  yahoo.com



-Original Message-
From: "Bill Landry"
Sent: Fri, 30 May 2003 07:36:00 -0700
Subject: Re: [Declude.JunkMail] spamdomains list


One comment.  Instead of having:

yahoo.com
yahoo.ca yahoo.com
yahoo.de yahoo.com
yahoo.dk yahoo.com
yahoo.es yahoo.com
yahoo.fr yahoo.com
yahoo.it yahoo.com
yahoo.no yahoo.com
yahoo.se yahoo.com
yahoo.co.jp yahoo.com
yahoo.co.uk yahoo.com
yahoo.com.ar yahoo.com
yahoo.com.au yahoo.com
yahoo.com.br yahoo.com
yahoo.com.cn yahoo.com
yahoo.com.hk yahoo.com
yahoo.co.kr yahoo.com
yahoo.com.mx yahoo.com
yahoo.com.tw yahoo.com

Why not just consolidate this down to:

yahoo.  yahoo.com

Bill
- Original Message - 
From: "Bill B." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 30, 2003 7:20 AM
Subject: [Declude.JunkMail] spamdomains list


> Attached is a list of spamdomains and their corresponding aliases that I've
> compiled thus far.  Anybody want to comment or expand upon this?
>
> Bill
>
>
>
>



Re: [Declude.JunkMail] spamdomains list

2003-05-31 Thread Bill B.

> Does this mean if the address comes in as [EMAIL PROTECTED] - its
> rev DNS can be either earthlink.net or earthlink.com ??? and the other
> way around if it's [EMAIL PROTECTED] - ?

Exactly.  Scott added this in 1.70.

> My feeling here is why would a netscape user be sending with an AOL
> address and vice-versa. So am I off here?

Netscape is owned by AOL, and if you send an email from a free netscape.net address it 
uses an AOL mail server.  I included both variations since they are the same company.

Bill



-Original Message-
From: "paul"
Sent: Fri, 30 May 2003 11:02:34 -0400
Subject: Re: [Declude.JunkMail] spamdomains list


> Attached is a list of spamdomains and their corresponding aliases that I've
> compiled thus far.  Anybody want to comment or expand upon this?

Please forgive my ignorance here, I have nearly every message from this list
for the past 6 months on my machine, so I have looked, but missed it I
guess. Anyway, what's the deal with this in the spamdomains list??

earthlink.com earthlink.net
earthlink.net earthlink.com

Does this mean if the address comes in as [EMAIL PROTECTED] - its rev DNS
can be either earthlink.net or earthlink.com ??? and the other way around if
it's [EMAIL PROTECTED] - ?

What confuses me are these:

aol.com  netscape.net
netscape.net aol.com

My feeling here is why would a netscape user be sending with an AOL address
and vice-versa. So am I off here?

Thanks for any help

Paul




[Declude.JunkMail] spamdomains list

2003-05-31 Thread Bill B.
Attached is a list of spamdomains and their corresponding aliases that I've compiled 
thus far.  Anybody want to comment or expand upon this?

Bill




sd.zip
Description: Zip archive


[Declude.JunkMail] base64 false-positive

2003-05-31 Thread Bill B.
Scott,

Emails with a message body that just contains blank lines and that contains an 
attachment, are still failing the BASE64 test.

Attached is a sample.

Bill





base64fail.zip
Description: Zip archive


Re: [Declude.JunkMail] Spamdomains

2003-05-30 Thread Bill B.
That's correct, my mistake.  It should be netscape.net

Bill


-Original Message-
From: Joshua Levitsky
Sent: Thu, 29 May 2003 22:33:21 -0400
Subject: Re: [Declude.JunkMail] Spamdomains



On Thursday, May 29, 2003, at 07:23  PM, Bill B. wrote:

> Somebody mentioned aol.com and netscape.com a while ago, but I can't 
> recall which format it was.  Perhaps somebody else remembers...
>
> aol.com   netscape.com
>  AND/OR
> netscape.com  aol.com
>
>
> Bill

I think you mean netscape.net no? I might be over-tired but I think 
netscape.com is only internal employees at Netscape... (I am 
[EMAIL PROTECTED] for instance. ;)  )

-Josh



Re: [Declude.JunkMail] Spamdomains

2003-05-30 Thread Bill B.
Somebody mentioned aol.com and netscape.com a while ago, but I can't recall which 
format it was.  Perhaps somebody else remembers...

aol.com netscape.com
 AND/OR
netscape.com  aol.com


Bill


-Original Message-
From: Dan Patnode
Sent: 29 May 2003 16:12:11 -0700
Subject: [Declude.JunkMail] Spamdomains


I generally avoid sounding like a cheer leader, but this test is sweet! (inside a 
weighting system) 


The structure of the text file is a simple list of domains, like:

Ameritech.net
Amrer.net
Angelfire.com
Aol.com


When a domain FPs on a predictable variation, just tab over and put in the domain it 
was supposed to be.  I've found these so far:

Msn.com Hotmail.com
Hotmail.com Msn.com
Sympatico.ca    Bellnexxia.net
Earthlink.net   Earthlink.com
Earthlink.com   Earthlink.net
Mac.com Apple.com
Excite.com  excitenetwork.com


Would everyone please share these as they find them?


BTW, Declude supports only 2 exceptions but I can't imagine needing 3.  If a given 
domain needs 2 exceptions, just make 2 entries.

Dan:)



[Declude.JunkMail] new message header

2003-05-30 Thread Bill B.
I see new "X-Spam-Prob:" headers being added after upgrading to Declude 1.70.  What is 
that for?

Bill




Re: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released

2003-05-30 Thread Bill B.
Since the archives are down, can somebody post an example of the line that goes in the 
GLOBAL.CFG file for the SPAMDOMAINS test, as well as suggestions for the contents of 
the spamdomains.txt file?

Thanks,
Bill



-Original Message-
From: "Bill Landry"
Sent: Thu, 29 May 2003 01:24:19 -0700
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released


Check the footer of these list messages and you will see a link to the
Declude JunkMail archive site:

http://www.mail-archive.com  (I notice that the site is down right
now)

Then do a search on SPAMDOMAINS and DOSENDERACTIONS and you will find
Scott's explanations on how to implement and use these features.  Scott does
not add beta features to the manual until they make it into a release
version.

Bill

- Original Message - 
From: "Darryl Koster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 28, 2003 8:18 PM
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released


>
> Scott,
>
> I am confused,
> How do I find out about SPAMDOMAINS test? DOSENDERACTIONS etc..I cannot find
> anything about any of this in the manual.
>
> Darryl Koster
> ~~
> Status Technologies Inc.   President/Owner
> "Let Us Help You Get The Status You Deserve!"
> http://www.statustechnologies.com
> P: (905) 435-0145  TF (NA) 888-909-9004  F: (905) 435-0873
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Wednesday, May 28, 2003 5:06 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released
>
>
> We have just released Declude JunkMail v1.69 (beta).  See
> http://www.declude.com/junkmail/manual.htm .  Notable changes since the
> last beta include:
>
> o COMMENTS test will now also work with any made-up tag beginning with
> " o SPAMDOMAINS test will now allow an alias (IE "hotmail.com msn.com" to
> check @hotmail.com,
>but allows either hotmail.com or msn.com in reverse DNS entry).
> o Filters will now process 8-bit characters.
> o DOSENDERACTIONS ON option to allow for actions based on the sender of
> the E-mail (in Declude Junkmail Pro).
> o PREWHITELIST ON option to automatically bypass spam tests for E-mail
> from whitelisted IPs or whitelisted return address.
>
> Other additions and fixes can be found in the release notes, at
> http://www.declude.com/relnotes.htm . Anyone with an up-to-date Service
> Agreement is entitled to free upgrades (see
> http://www.declude.com/agree.htm for information on the Declude Service
> Agreement).
>
> ---
>
> Quick Resource Reference:
>
> Tech Support:  [EMAIL PROTECTED]
> Mailing List: Send E-mail to [EMAIL PROTECTED] with "subscribe
> declude.junkmail your name" in the body
> New Releases List: Send E-mail to [EMAIL PROTECTED] with "subscribe
> declude.releases your name" in the body
> Troubleshooting: See manual URL above; look at "Troubleshooting" section
> Emergency Uninstall:  See manual URL above; look at "Emergency Uninstall"
> section
> Urgent Support: urgent @declude.com (for urgent/time-sensitive issues
> only)
> Declude Addons/Tools URL: http://www.declude.com/tools
> Manual: http://www.declude.com/junkmail/manual.htm
>


Re: [Declude.JunkMail] Wish list reminder... :-)

2003-05-29 Thread Bill B.
Will this work with the AUTOWHITELIST feature?

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Wed, 28 May 2003 15:26:19 -0400
Subject: Re: [Declude.JunkMail] Wish list reminder...  :-)



>Scott, I'm just wondering what your thoughts are on these proposed changes?

We are doing some thinking on ways to improve performance.  Although we 
have very few reports of performance issues with Declude JunkMail, we like 
our software to be as efficient as possible.

v1.70 will have a "PREWHITELIST" configuration option, that when set to ON, 
will allow certain whitelisting to bypass the spam scanning.  It will work 
with "WHITELIST FROM" and "WHITELIST IP", so any E-mail addresses, domains, 
or IPs that are whitelisted can automatically bypass the spam tests.


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.



Re: [Declude.JunkMail] override MaxQueProc

2003-04-06 Thread Bill B.
> you would still end up with no more than 10 SMTP processes 
> most of the time (since the SMTP process would normally finish in a bit 
> less time than Declude JunkMail).

I actually don't care about the number of SMTP processes all that much.  The point of 
what I am trying to accomplish is limit the number of Declude processes to 10 (for 
example), without running the risk of having long delays due to emails entering 
Imail's queue.

Currently, if I set MaxQueProc to 10, I run that risk.

But if I could set Declude to a max of 10 processes and Imail to a max of 30, the 
chance of having those long queue delays occurring is minimized.

Bill



-Original Message-
From: "R. Scott Perry"
Sent: Sun, 06 Apr 2003 21:18:43 -0400
Subject: Re: [Declude.JunkMail] override MaxQueProc



>I ran a test this afternoon, lowering MaxQueProc to 2, but it didn't 
>behave quite as I had expected.  First, all of the emails were scanned by 
>Declude, which is good.  And emails were being delayed via overflow folder 
>as expected.  BUT, some emails were left behind in Imail's spool folder 
>after being processed by Declude.
>
>What I think may have caused this is:
>1) Declude received it
>2) Possibly delayed via the overflow folder
>3) Declude processed it
>4) Declude handed it off to smtp32.exe
>5) smtp32.exe saw too many smtp32.exe processes running and did not 
>process it; instead it stuck it in the Imail spool folder.
>
>Does this sound like what could have occurred?

That does indeed sound like what happened.

>If so, then I do still see benefit in having a config variable to allow 
>Declude to use a different value for MaxQueProc.

I'm still not sure that it would make a noticeable difference.  For 
example, if there was a maximum of 10 Declude processes and a maximum of 30 
SMTP processes, you would still end up with no more than 10 SMTP processes 
most of the time (since the SMTP process would normally finish in a bit 
less time than Declude JunkMail).
  -Scott



Re: [Declude.JunkMail] override MaxQueProc

2003-04-04 Thread Bill B.
Ok, it sounds like lowering MaxQueProc will do what I need to do then.  I don't want 
to bypass Declude, I just want to put a bottleneck at Declude so that if Declude is 
too busy, the emails get moved to the overflow until Declude becomes less busy.  I was 
just confused on how it all worked.

Thanks,
Bill



-Original Message-
From: "R. Scott Perry"
Sent: Fri, 04 Apr 2003 15:04:54 -0500
Subject: Re: [Declude.JunkMail] override MaxQueProc



>If I lower MaxQueProc to 20, wouldn't the 21st email never reach Declude 
>because Imail will not call declude.exe if 20 declude.exe's are already 
>running?  So then the Q* and D* files would end up sitting in the 
>\imail\spool folder until Imail's next queue run.
>
>Or is that not the way it works?

Declude will still get them (normally, before they are moved to the spool 
by IMail).  Otherwise, E-mail would bypass Declude during heavy loads, 
which normally isn't desirable.
-Scott



Re: [Declude.JunkMail] override MaxQueProc

2003-04-04 Thread Bill B.
If I lower MaxQueProc to 20, wouldn't the 21st email never reach Declude because Imail 
will not call declude.exe if 20 declude.exe's are already running?  So then the Q* and 
D* files would end up sitting in the \imail\spool folder until Imail's next queue run.

Or is that not the way it works?


-Original Message-
From: "R. Scott Perry"
Sent: Fri, 04 Apr 2003 14:38:21 -0500
Subject: Re: [Declude.JunkMail] override MaxQueProc



>I like the fact that email in the overflow directory hasn't been scanned 
>yet.  What I'm trying to do is minimize CPU spikes.  If you average out 
>our CPU utilization it is around 20-30%, but frequently we'll spike to 
>100% for a bit when there are a lot of emails being processed by 
>Declude.  So I want to put a limit on the number of emails that can be 
>scanned by Declude at any given moment.
>
>But I do not want to lower Imail's registry setting because I do not want 
>to end up with a lot of delayed emails due to Imail's queue 
>architecture.  It seems that the logical way to accomplish this is to keep 
>MaxQueProc at 30 and have a separate limit used by Declude.

The problem here is that both Declude and the SMTP processes go hand-in-hand.

If you keep the MaxQueProc setting at 30, but there was also a way to tell 
Declude to wait until 20 processes were being used, then when the 21st 
E-mail arrived, Declude would just move it to the overflow directory, so 
you would end up with virtually the same results as if the MaxQueProc 
setting were at 20.

I think the problem is that you're trying to reduce the rate that E-mail is 
scanned, while still delivering it at the original rate.
   -Scott



Re: [Declude.JunkMail] override MaxQueProc

2003-04-04 Thread Bill B.
I like the fact that email in the overflow directory hasn't been scanned yet.  What 
I'm trying to do is minimize CPU spikes.  If you average out our CPU utilization it is 
around 20-30%, but frequently we'll spike to 100% for a bit when there are a lot of 
emails being processed by Declude.  So I want to put a limit on the number of emails 
that can be scanned by Declude at any given moment.

But I do not want to lower Imail's registry setting because I do not want to end up 
with a lot of delayed emails due to Imail's queue architecture.  It seems that the 
logical way to accomplish this is to keep MaxQueProc at 30 and have a separate limit 
used by Declude.

I think this would be a valuable feature to add into Declude, unless I am missing 
something.  If you agree, can you add it to the feature request list?

Thanks,
Bill


-Original Message-
From: "R. Scott Perry"
Sent: Fri, 04 Apr 2003 14:03:06 -0500
Subject: Re: [Declude.JunkMail] override MaxQueProc



>Is there a GLOBAL.CFG setting that will tell Declude to override the value 
>set in IMail's MaxQueProc registry?
>
>What I'd like to do is keep IMail's MaxQueProc registry key set to 30, so 
>that Declude is almost always called by Imail, but I'd like to lower the 
>value that Declude uses to determine whether it should send the email to 
>smtp32.exe or if it should stick it into the "overflow" queue.
>
>Can this be done?

Unfortunately, this can't be done.

Note that Declude checks the number of processes before it scans the 
E-mail, so E-mail that is in the overflow directory hasn't been scanned by 
Declude yet.
-Scott



[Declude.JunkMail] override MaxQueProc

2003-04-04 Thread Bill B.
Is there a GLOBAL.CFG setting that will tell Declude to override the value set in 
IMail's MaxQueProc registry?

What I'd like to do is keep IMail's MaxQueProc registry key set to 30, so that Declude 
is almost always called by Imail, but I'd like to lower the value that Declude uses to 
determine whether it should send the email to smtp32.exe or if it should stick it into 
the "overflow" queue.

Can this be done?

Bill



[Declude.JunkMail] MX pointing to "localhost"

2003-03-23 Thread Bill B.
Hey Scott,

Got another one for you.  Check out the DNS for this spammer's domain:  e247.com

The MX points to "localhost".  The MAILFROM test does not catch this yet, but probably 
should.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Thu, 13 Mar 2003 10:34:41 -0500
Subject: Re: [Declude.JunkMail] HELO contains



>We are seeing a case where the mail server will connect to itself.  Check 
>out the DNS for this spammer's domain:  hotoptions.net
>
>It has no MX record, but an A record pointing to: 127.0.0.1
>
>If an email from this domain is bounced due to a full mailbox, this will 
>cause Imail to attempt to deliver the email to 127.0.0.1 which causes a 
>mail loop.  After 5 loops Imail kills it.
>
>Is there a Declude test we can use to block these based on the MX/A that 
>the domain name resolves to?
>
>If not, perhaps the MAILFROM test could be modified to count this as a bad 
>domain.

The MAILFROM test will detect this in the next release.  :)
-Scott



Re: [Declude.JunkMail] whitelist file

2003-03-21 Thread Bill B.
What I am seeing is if I add any entry in my whitelist file in the following format, 
it will cause ALL emails sent to the user whose whitelist file contains this entry to 
be whitelisted, regardless of the sender's address.  So it appears to be a bug...

@example.com



-Original Message-
From: "Kami Razvan"
Sent: Fri, 21 Mar 2003 11:48:22 -0500
Subject: RE: [Declude.JunkMail] whitelist file


Hi;

Yes but I suggest if you want to whitelist the entire domain then do it as:

.TopikSolutions.com

Or just TopikSolutions.com

That will cover all variations including personal emails from their people.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill B.
Sent: Friday, March 21, 2003 11:19 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] whitelist file


Is this syntax correct to whitelist an entire domain in the whitelist file?

@bounce.topiksolutions.com

It appears to be whitelisting everything when I add this.  We're running
Declude v1.68i4

Thanks,
Bill



[Declude.JunkMail] whitelist file

2003-03-21 Thread Bill B.
Is this syntax correct to whitelist an entire domain in the whitelist file?

@bounce.topiksolutions.com

It appears to be whitelisting everything when I add this.  We're running Declude 
v1.68i4

Thanks,
Bill



[Declude.JunkMail] HiJack - releasing emails

2003-03-13 Thread Bill B.
When HiJack releases a delayed email, does it just move it back to the spool folder to 
be delivered on the next queue run?  Or does it deliver it immediately as soon as it 
releases it?

Bill




Re: [Declude.JunkMail] Sniffer

2003-03-12 Thread Bill B.
Ron,

We use sniffer as a weighted test, giving it a weight of 12 and tagging emails as spam 
at 15.  Some false positives do occur just like with any other spam test...However, 
using it as a heavily weighted test has been extremely effective for us, while keeping 
false positives to a minimum.

I highly recommend purchasing sniffer.

Bill


-Original Message-
From: "Ron Harris"
Sent: Wed, 12 Mar 2003 23:16:34 -0700
Subject: [Declude.JunkMail] Sniffer


We have been testing the evaluation copy of SortMonster's Message Sniffer and
I would like some opinions from people in this forum.

I am considering purchasing the product if I can set it up per domain (we
use JunkMail Pro) and not spend much time sifting through e-mail to make
sure it does not catch false positives.

Is Message Sniffer reliable at catching only spam and not legitimate e-mail?
Our eval copy of Message Sniffer has treated many legitimate e-mail as spam,
particularly messages from the Declude forum, the Nanog forum and an
Exchange forum.

I am very interested in learning your opinions.

Ron



Re: [Declude.JunkMail] HELO contains

2003-03-12 Thread Bill B.
Scott,

We are seeing a case where the mail server will connect to itself.  Check out the DNS 
for this spammer's domain:  hotoptions.net

It has no MX record, but an A record pointing to: 127.0.0.1

If an email from this domain is bounced due to a full mailbox, this will cause Imail 
to attempt to deliver the email to 127.0.0.1 which causes a mail loop.  After 5 loops 
Imail kills it.

Is there a Declude test we can use to block these based on the MX/A that the domain 
name resolves to?

If not, perhaps the MAILFROM test could be modified to count this as a bad domain.

Bill



-Original Message-
From: "R. Scott Perry"
Sent: Wed, 12 Mar 2003 18:17:33 -0500
Subject: Re: [Declude.JunkMail] HELO contains



>SOO..  My question is this.. Could I create a wordfilter rule that
>goes like
>HELO 10 CONTAINS imail.fament.com
>or will that shoot myself in the foot for some reason ?

That will work fine, just so long as you don't have any other mailservers 
that identify themselves as "imail.fament.com".  If your IMail server is 
the only one that does, the filter will work fine.

>If it really is the HELO string then I don't see this as a problem
>since my understanding is that my mail server do NOT connect to itself
>and should then never send the helo imail.fament.com to itself ?!

Correct.  There might be odd cases where the IMail server would connect to 
itself, but if that happens, you've got another problem on your hands (as 
it would cause a mail loop).
 -Scott

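The check requested in the "HELO contains" and "MX pointing to localhost" posts (a return-address domain whose MX is "localhost", or that has no MX and an A record of 127.0.0.1), as an added example. It is not Declude's MAILFROM code; the function names, the list of address ranges and the sample records (constructed, already-resolved DNS data) are assumptions.

```python
import ipaddress

# Names that always mean "this machine", whatever DNS says.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Ranges no Internet sender's mail exchanger should resolve to.
# Assumed policy for an Internet-facing server; trim it for internal relays.
NON_DELIVERABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::/128", "::1/128",
)]


def bad_address(addr):
    """True if addr is loopback, unspecified, private or link-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable record data is not deliverable either
    return any(ip in net for net in NON_DELIVERABLE)


def check_return_domain(mx_records, a_records):
    """Classify the DNS of a return-address domain.

    mx_records: {mx_hostname: [addresses it resolves to]}, already looked up
    a_records:  [addresses] of the domain itself (used only when no MX exists)
    Returns (verdict, reason) with verdict "ok" or "bad".
    """
    if mx_records:
        problems = []
        for host, addrs in sorted(mx_records.items()):
            name = host.rstrip(".").lower()
            if name in LOCAL_NAMES:
                problems.append("MX %s is a local name" % name)
            elif all(bad_address(a) for a in addrs):
                problems.append("MX %s has no deliverable address" % name)
            else:
                # One usable exchanger is enough: a bounce can leave the box.
                return ("ok", "MX %s is deliverable" % name)
        return ("bad", "; ".join(problems))
    # No MX: SMTP falls back to the domain's own A record, which is how a
    # bounce ends up being delivered to 127.0.0.1 and looping.
    if not a_records:
        return ("bad", "no MX and no A record")
    if all(bad_address(a) for a in a_records):
        return ("bad", "no MX; A record points to " + ", ".join(a_records))
    return ("ok", "no MX; A record is deliverable")


# Constructed sample data: (MX records, A records) per sender domain.
SAMPLES = {
    "mx-localhost.example": ({"localhost": ["127.0.0.1"]}, []),
    "a-loopback.example": ({}, ["127.0.0.1"]),
    "legit.example": ({"mail.legit.example": ["192.0.2.25"]}, ["192.0.2.10"]),
    "mixed.example": ({"localhost": ["127.0.0.1"],
                       "mx2.mixed.example": ["192.0.2.26"]}, []),
}


def scan(samples):
    """Run the check over a {domain: (mx_records, a_records)} mapping."""
    return {dom: check_return_domain(mx, a) for dom, (mx, a) in samples.items()}


if __name__ == "__main__":
    for domain, (verdict, reason) in scan(SAMPLES).items():
        print("%-22s %-3s %s" % (domain, verdict, reason))
```

A domain is only marked bad when no exchanger is usable, so a stray "localhost" MX next to a working one does not fail the sender.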


Re: [Declude.JunkMail] DNS server returned server failure for

2003-03-12 Thread Bill B.
I see "server failures" on a bunch of obviously fake hostnames:

WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for Me.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for host3.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for mailer1.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for jinge.

...Anything we can do to add a weight to these?  We do also see server failures on 
some hostnames that do have an A record, so I see the dilemma.  But it would be nice to 
at least add a weighting to the obvious fakes.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Wed, 12 Mar 2003 09:00:14 -0500
Subject: RE: [Declude.JunkMail] DNS server returned server failure for



>I have suffered from this also, so much so that I have even explored the use
>of SimpleDNS without success thinking that this was a external DNS problem.
>I was hoping that by bringing the DNS (as a DNS cache) locally to the mail
>server did in fact reduce the frequency of this error, unfortunately it did
>not solve the occurrence of this error.

Just to clarify why this is happening.

When Declude JunkMail is looking up the MX or A record for a hostname (such 
as for the HELOBOGUS test, or checking the domain of the return address), 
it will record this message if the local DNS server reports a "server 
failure" message.  Technically, this message indicates a problem with the 
local DNS server.

However, it seems that the RFCs do not cover what a caching DNS server is 
supposed to do if it receives a "server failure" message from a remote DNS 
server.  When this happens, some DNS servers will pass on the "server 
failure" message.

Declude JunkMail treats the "server failure" as a temporary error, and 
makes the assumption that the E-mail is not spam.  If that was changed, 
more spam could get caught (as a server failure almost always indicates 
that the DNS record doesn't exist).  But, if there was a real server 
failure on the local DNS server (if the Internet connection went out, for 
example, or if there was a DDoS attack on the root servers), then all 
E-mail would fail the spam tests.
-Scott

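One way to weight only the "obvious fakes" while still treating a server failure on a real-looking name as temporary, as an added example that is not Declude code. It parses the warning format quoted in the post and judges each name on syntax alone, so the result does not depend on the failing DNS server; the weight value, the function names and the last log line are assumptions constructed for illustration.

```python
import re

# Warning format as quoted in the post; the dot that ends the line is
# stripped from the captured hostname.
WARNING_RE = re.compile(
    r"WARNING: DNS server (\S+) returned a SERVER FAILURE error "
    r"for MX or A for (\S+)")

FAKE_NAME_WEIGHT = 4  # hypothetical weight, not a Declude default

# First four lines are the ones from the post; the last one is constructed.
SAMPLE_LOG = """\
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for Me.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for host3.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for mailer1.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for jinge.
WARNING: DNS server 192.0.2.53 returned a SERVER FAILURE error for MX or A for mail.example.net.
"""


def parse_servfail_warnings(log_text):
    """Return [(dns_server, hostname)] for every SERVER FAILURE warning."""
    hits = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2).rstrip(".")))
    return hits


def is_obvious_fake(hostname):
    """True when the name cannot be a public hostname, judged on syntax only."""
    labels = hostname.split(".")
    if len(labels) < 2:
        return True          # "Me", "host3": not fully qualified
    if any(label == "" for label in labels):
        return True          # empty label, e.g. "mail..example"
    return labels[-1].isdigit()  # bare IP address; no TLD is all digits


def servfail_weight(hostname):
    """Weight for a name whose lookup ended in a server failure.

    A syntactically impossible name is weighted regardless of the DNS result.
    A plausible name keeps weight 0: the failure may be the local resolver's,
    and weighting it would fail all mail during an outage.
    """
    return FAKE_NAME_WEIGHT if is_obvious_fake(hostname) else 0


def score_warnings(log_text):
    """Map each hostname seen in the warnings to the weight it would get."""
    return {name: servfail_weight(name)
            for _server, name in parse_servfail_warnings(log_text)}


if __name__ == "__main__":
    for name, weight in score_warnings(SAMPLE_LOG).items():
        print("%-20s weight %d" % (name, weight))
```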


Re: [Declude.JunkMail] spam w/ all images

2003-03-10 Thread Bill B.
I haven't tried SPAMCHK yet, but I've heard you guys talking about it on the list.  
Maybe I'll give it a try.

Thanks

-Original Message-
From: "Markus Gufler"
Sent: Mon, 10 Mar 2003 09:40:55 +0100
Subject: RE: [Declude.JunkMail] spam w/ all images


Hi Bill,

If the email contains only images and no text, the images are linked to
external sources (http://www.domain.com/image.g_i_f). SPAMCHK gives a
certain weight if there are external images.

We've tried to filter mails containing ONLY images (after removing all
HTML there should not remain any character)
We've found 1 or 2 of 1. Most of the "only-image-spams" have a short
text at the end "if y_ou do not w_ant..."

The question is how to distinguish this spam from emails like:
"Hi Bill, here you can see the pictures from our family last week on xyz
national park ... [pic1] [pic2] ..."

Markus



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill B.
> Sent: Sunday, March 09, 2003 6:51 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] spam w/ all images
> 
> 
> Scott,
> 
> How about adding a test for if the text/html segment of an 
> email contains all  tags, with no actual text?  Seems 
> like that sort of spam is getting more prevalent lately.
> 
> Bill
> 
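The image-only test discussed in this thread, as an added example that is neither SPAMCHK nor Declude code. It strips the HTML, counts the visible characters that remain and counts externally linked images, with a small text allowance because, as the reply notes, most such spam carries a short line of text. The allowance of 40 characters, the treatment of cid: images as attachments and the sample messages (constructed) are assumptions.

```python
from html.parser import HTMLParser


class _BodyScan(HTMLParser):
    """Collects visible text and counts images in one text/html part."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text = []
        self.external = 0   # <img> fetched from a remote server
        self.attached = 0   # <img> using cid: or any non-http source
        self._hidden = 0    # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "img":
            src = (dict(attrs).get("src") or "").strip().lower()
            if src.startswith(("http://", "https://")):
                self.external += 1
            else:
                self.attached += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text.append(data)


def image_profile(html, max_text_chars=40):
    """Return counts for one HTML body plus an image_only verdict.

    image_only is True when at least one image is linked externally and the
    visible text (whitespace removed) is no longer than max_text_chars.
    max_text_chars=0 is the strict "no character remains" variant.
    """
    scan = _BodyScan()
    scan.feed(html)
    scan.close()
    visible = len("".join("".join(scan.text).split()))
    return {
        "visible_chars": visible,
        "external_images": scan.external,
        "attached_images": scan.attached,
        "image_only": scan.external > 0 and visible <= max_text_chars,
    }


# Constructed samples.
SPAM_HTML = (
    '<html><body><a href="http://offers.example.com/">'
    '<img src="http://img.example.com/offer.gif"></a><br>'
    '<font size=1>if you do not want more mail click here</font>'
    '</body></html>'
)
FAMILY_HTML = (
    '<p>Hi Bill, here you can see the pictures from our family last week</p>'
    '<img src="cid:pic1"><img src="cid:pic2">'
)

if __name__ == "__main__":
    for label, body in (("spam", SPAM_HTML), ("family", FAMILY_HTML)):
        print(label, image_profile(body))
```

The strict variant misses the spam sample because of its closing line of text, which matches the low hit rate reported in the reply.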


[Declude.JunkMail] spam w/ all images

2003-03-08 Thread Bill B.
Scott,

How about adding a test for if the text/html segment of an email contains all  
tags, with no actual text?  Seems like that sort of spam is getting more prevalent 
lately.

Bill



Re: [Declude.JunkMail] COPYTO

2003-03-06 Thread Bill B.
WOW, you're fast!  Thanks,

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Thu, 06 Mar 2003 10:59:47 -0500
Subject: Re: [Declude.JunkMail] COPYTO



>I use the COPYTO action for one of my tests, however if an email is sent 
>to multiple recipients I notice that it's adding the COPYTO recipient once 
>for each recipient when this test fails.
>
>Any way to make it only add the COPYTO recipient once, regardless of how 
>many original recipients there were?

There is a new interim release at 
http://www.declude.com/release/167i/declude.exe that will ensure that the 
COPYTO action will not add an address if it has already been added.
-Scott



[Declude.JunkMail] COPYTO

2003-03-06 Thread Bill B.
I use the COPYTO action for one of my tests, however if an email is sent to multiple 
recipients I notice that it's adding the COPYTO recipient once for each recipient when 
this test fails.

Any way to make it only add the COPYTO recipient once, regardless of how many original 
recipients there were?

I realize Imail will ignore multiple copies of the same recipient in the Q* file, and 
it will only deliver 1 copy of the email to that recipient...  But I have some custom 
scripts that run after Declude is called, those duplicate recipients in the Q* file are 
causing me a problem.

Thanks,
Bill



Re: [Declude.JunkMail] %NRECIPS% - doubled

2003-03-05 Thread Bill B.
Thanks, that fixed it.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Wed, 05 Mar 2003 13:48:42 -0500
Subject: Re: [Declude.JunkMail] %NRECIPS% - doubled



>It appears that the %NRECIPS% variable is always showing double its true 
>value.  I ran a bunch of tests and it looks like it is always double the 
>true number of recipients.  Any ideas why?
>
>I'm running Declude v1.67i13

There is a new interim release at 
http://www.declude.com/release/167i/declude.exe that should take care of 
this issue.
-Scott



[Declude.JunkMail] %NRECIPS% - doubled

2003-03-05 Thread Bill B.
Scott,

It appears that the %NRECIPS% variable is always showing double its true value.  I ran 
a bunch of tests and it looks like it is always double the true number of recipients.  
Any ideas why?

I'm running Declude v1.67i13

Thanks,
Bill



Re: [Declude.JunkMail] Tuning Declude

2003-02-14 Thread Bill B.
Dan,

Sniffer has made a huge difference for us.  We weight the test at 12 and flag emails as 
Spam at 15.  We only ran for a couple of months without it, but I watch our logs very 
closely and the benefit of using Sniffer is significant.

Sniffer is an entirely different type of test from Declude.  It tests the content of 
the email for identifiable strings, phone numbers, URLs, email addresses, etc that 
will only be found in emails from known spammers.

Most people on this list including myself highly recommend adding the Sniffer product. 
 The Declude/Sniffer combo is a match made in heaven.

Bill


-Original Message-
From: "Dan Geiser"
Sent: Fri, 14 Feb 2003 14:45:06 -0500
Subject: Re: [Declude.JunkMail] Tuning Declude


Hello, All,
For most of you who use Message Sniffer:

Do you find that using it along with the default tests WEIGHT10 and WEIGHT20
are sufficient for your needs?

How integral of an addition to Declude.JunkMail is Message Sniffer?  Does it
make an earth-shattering difference in what your spam-filtering, does it
just add an additional level of nuance that can't be gotten through the
tests which Declude has, or is it just an entirely different type of test?

What made you decide to add Message Sniffer into the mix for your Declude
installation?  How long did you run Declude.JunkMail without SNIFFER before
putting it into play?

Thanks For Your Time,
Dan

- Original Message -
From: "Bill Newberg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 13, 2003 7:19 PM
Subject: RE: [Declude.JunkMail] Tuning Declude


> >>What is SNIFFER?  I can't find any mention of it in the
> > >Declude.JunkMail manual,
> > http://www.declude.com/JunkMail/manual.htm.
> > >There is however a reference to it in both GLOBAL.CFG and
> > >$default$.junkmail.  Is SNIFFER the same as Message Sniffer,
> > >http://www.sortmonster.com/?
> >
> > They are one and the same.  The test name is SNIFFER, the
> > product name is
> > Message Sniffer.  It is a third party program used to detect
> > spam, that can
> > be hooked into Declude JunkMail.
>
> I added Sniffer to Declude JunkMail recently and I am very pleased. It is a
> great addition to Declude.
>
> Regards,
>
> Bill Newberg


This E-mail is scanned and free from viruses. www.nexustechgroup.com




Re: [Declude.JunkMail] displaying modified headers in bounce msg

2003-02-07 Thread Bill B.
ok, thanks.  It would be nice, but it's definitely not a priority.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Fri, 07 Feb 2003 18:35:09 -0500
Subject: Re: [Declude.JunkMail] displaying modified headers in bounce
 msg



>My question is, is there any way to insert the modified headers into the 
>bounce email's message body so that the X- headers that declude adds are 
>displayed?

No, there isn't.  It's been added to the suggestion database, but it may 
require having the proper order in the global.cfg file (to make sure that 
all warning headers get added before the BOUNCE action is processed).
-Scott




[Declude.JunkMail] displaying modified headers in bounce msg

2003-02-07 Thread Bill B.
I have several XINHEADER/XOUTHEADER lines in my GLOBAL.CFG file to provide some useful 
information.  And I have a couple of tests that use the BOUNCE action, which insert 
the headers and/or full message into the bounced email using the declude variables 
%HEADERS% and %FULLMSG%.  However, these variables insert the original unmodified 
headers.

My question is, is there any way to insert the modified headers into the bounce 
email's message body so that the X- headers that declude adds are displayed?

Thanks,
Bill






Re: [Declude.JunkMail] external tests

2003-02-07 Thread Bill B.
Okay.  I only had it occur twice over the past day with a new external test we built.  
We are gonna fix it, but I was curious how that was handled.  Thanks,

Bill

-Original Message-
From: "R. Scott Perry"
Sent: Fri, 07 Feb 2003 10:25:14 -0500
Subject: Re: [Declude.JunkMail] external tests



>How does Declude handle an external test that hangs?  Does Declude just 
>keep waiting on a response from the external test?...or does it eventually 
>timeout and continue on?

It will time out after an hour.

If it happens rarely, this wouldn't be a problem.  If there was a problem 
where the external test was never ending, for all E-mail that was scanned, 
then it could cause some mail delivery problems.
   -Scott




[Declude.JunkMail] external tests

2003-02-07 Thread Bill B.
How does Declude handle an external test that hangs?  Does Declude just keep waiting 
on a response from the external test?...or does it eventually timeout and continue on?

Bill




Re: [Declude.JunkMail] NRECIPS variable

2003-02-06 Thread Bill B.
Awesome!  Thanks Scott.


-Original Message-
From: "R. Scott Perry"
Sent: Thu, 06 Feb 2003 10:14:30 -0500
Subject: Re: [Declude.JunkMail] NRECIPS variable



>Is there a way I can get access to the real number of recipients even if 
>it is over 100 (without parsing the Q*.SMD file)?
>Perhaps a new variable %NTOTALRECIPS% ?

In the next release, %NRECIPS% will reflect the actual number of 
recipients, without the limit of 100 being imposed.
 -Scott




Re: [Declude.JunkMail] NRECIPS variable

2003-02-06 Thread Bill B.
Is there a way I can get access to the real number of recipients even if it is over 
100 (without parsing the Q*.SMD file)?
Perhaps a new variable %NTOTALRECIPS% ?



-Original Message-
From: "R. Scott Perry"
Sent: Thu, 06 Feb 2003 08:11:50 -0500
Subject: Re: [Declude.JunkMail] NRECIPS variable



>I have a custom external test that gets passed the %NRECIPS% 
>variable.  The test is never seeing a value for NRECIPS greater than 
>99.  Is there something in the Declude code limiting this value to 99?

In some places in Declude JunkMail there is a limit of 100 recipients, 
which is the recommended maximum number of recipients per E-mail per RFC821.
 -Scott




[Declude.JunkMail] NRECIPS variable

2003-02-05 Thread Bill B.
I have a custom external test that gets passed the %NRECIPS% variable.  The test is 
never seeing a value for NRECIPS greater than 99.  Is there something in the Declude 
code limiting this value to 99?

Bill





Re: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released

2003-02-04 Thread Bill B.
> COMMENTS  comments  5  x  10  0
> where the "5" means that 5 such comments have to be encountered

This means 5 OR MORE comments have to be encountered right?  Not exactly 5?

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Mon, 03 Feb 2003 19:05:41 -0500
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released



>Does the "comments" test require non-whitespace before&after the comments in
>order to trigger?
>So that most legit messages will not trigger it?

Yes.

So the most common types of comments, such as:

 

or:

 alert( "Hello, World" );   

will not count.

The test is defined in the global.cfg file as follows:

 COMMENTS  comments  5  x  10  0

where the "5" means that 5 such comments have to be encountered (the 10 is 
the weight that will be added for E-mail that fails the 
test).  Alternatively, you can use:

 COMMENTS  comments  weight  x  10  0

In this case, the weight of the E-mail will be increased by the number of 
anti-filtering comments that are found (plus the base weight of the 
test).  So if there are 3 in there, the weight will be increased by 13 (10 
for failing the test, and 1 for each anti-filtering comment found).  If 
there are 40 such comments, a total of 50 would be added to the weight of 
the E-mail.
   -Scott

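The two forms of the COMMENTS line described above, applied to a message body, as an added example that is not Declude's implementation. It assumes that a comment counts only when text characters touch it on both sides (so comments next to whitespace or directly inside a tag pair are ignored), that a run of adjacent comments counts once, that the numeric form triggers at that many comments or more, and that the weight form triggers from the first comment; the function names and sample HTML are constructed.

```python
import re

# One HTML comment; the tempered dot keeps a match from running past "-->".
_COMMENT = r"<!--(?:(?!-->).)*-->"

# A run of comments with a text character directly before and after it,
# as in "Che<!--qz1-->ap". "<" and ">" are treated as markup, not text.
ANTI_FILTER_RE = re.compile(
    r"(?<=[^\s>])(?:" + _COMMENT + r")+(?=[^\s<])", re.S)


def count_anti_filter_comments(html):
    """Number of comment runs that split visible text."""
    return len(ANTI_FILTER_RE.findall(html))


def parse_comments_line(line):
    """Split a 'COMMENTS comments <5|weight> x <weight> 0' line.

    Returns (mode, weight): mode is the third field ("5" or "weight"),
    weight the fifth. The other fields are not interpreted here.
    """
    fields = line.split()
    if len(fields) != 6 or fields[0].upper() != "COMMENTS":
        raise ValueError("not a COMMENTS test line: %r" % line)
    return fields[2].lower(), int(fields[4])


def comments_weight(config_line, html):
    """Weight the COMMENTS test would add for this body."""
    mode, weight = parse_comments_line(config_line)
    found = count_anti_filter_comments(html)
    if mode == "weight":
        # Base weight plus 1 per comment: 3 comments -> 13, 40 -> 50.
        return weight + found if found else 0
    # Numeric form: all or nothing once the count is reached (assumed >=).
    return weight if found >= int(mode) else 0


# Constructed sample: four text-splitting comments, one layout comment and
# one script comment that must not count.
SAMPLE_HTML = (
    'Che<!--qz1-->ap me<!-- k -->ds, lo<!--a--><!--b-->w pri<!--x-->ces\n'
    '<!-- layout table -->\n'
    '<script><!-- alert("Hello, World"); --></script>\n'
)

THRESHOLD_LINE = "COMMENTS  comments  5  x  10  0"
WEIGHT_LINE = "COMMENTS  comments  weight  x  10  0"

if __name__ == "__main__":
    print("comments found:", count_anti_filter_comments(SAMPLE_HTML))
    print("threshold form:", comments_weight(THRESHOLD_LINE, SAMPLE_HTML))
    print("weight form:   ", comments_weight(WEIGHT_LINE, SAMPLE_HTML))
```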



Re: [Declude.JunkMail] COPYTO action on an Outgoing test

2003-01-27 Thread Bill B.
Cool that fixed it.  Thanks, as always, for the fast response.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Mon, 27 Jan 2003 15:08:59 -0500
Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test



>Hey Scott, let me know if you have received that email now or not, because 
>I noticed the email was getting held by declude because the debug file 
>contained lots of words that set off our filters.  But I added a whitelist 
>rule, so it should have gotten to you now.  But let me know if not.

This is an issue with Declude JunkMail, and has been fixed in the latest 
interim release (http://www.declude.com/release/166i/declude.exe).
-Scott




Re: [Declude.JunkMail] COPYTO action on an Outgoing test

2003-01-27 Thread Bill B.
Hey Scott, let me know if you have received that email now or not, because I noticed 
the email was getting held by declude because the debug file contained lots of words 
that set off our filters.  But I added a whitelist rule, so it should have gotten to 
you now.  But let me know if not.

Thanks,
Bill


-Original Message-
From: "Bill B."
Sent: Mon, 27 Jan 2003 13:48:00 EST
Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test


Sure thing.  I just resent it, but this time to "[EMAIL PROTECTED]"


-Original Message-
From: "R. Scott Perry"
Sent: Mon, 27 Jan 2003 13:41:42 -0500
Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test



>Here it is, and I actually sent a bunch of debug information on this 
>problem to [EMAIL PROTECTED] on Sunday morning...

Could you re-send that information?  We don't have a record of it here, and 
it could be very useful in solving the problem.
 -Scott




Re: [Declude.JunkMail] COPYTO action on an Outgoing test

2003-01-27 Thread Bill B.
Sure thing.  I just resent it, but this time to "[EMAIL PROTECTED]"


-Original Message-
From: "R. Scott Perry"
Sent: Mon, 27 Jan 2003 13:41:42 -0500
Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test



>Here it is, and I actually sent a bunch of debug information on this 
>problem to [EMAIL PROTECTED] on Sunday morning...

Could you re-send that information?  We don't have a record of it here, and 
it could be very useful in solving the problem.
 -Scott




Re: [Declude.JunkMail] COPYTO action on an Outgoing test

2003-01-27 Thread Bill B.
Here it is, and I actually sent a bunch of debug information on this problem to 
[EMAIL PROTECTED] on Sunday morning...

Diagnostics ON (Declude v1.66i11).

Declude JunkMail:  Config file found (d:\imail\Declude\global.CFG).
Declude Virus: Config file found (d:\imail\Declude\Virus.CFG).
Declude Hijack:Config file found (d:\imail\Declude\Hijack.CFG).
Declude Confirm:   Not installed (no d:\imail\Declude\Confirm.CFG file).

42 spam tests defined: LIST KILL WORD COUNTRY DSBL MONKEYFORMMAIL
MONKEYPROXIES ORDB OSDUL OSFORM OSLIST OSPROXY OSRELAY OSSMART OSSOFT OSSRC 
NJABL NJABLDUL NJABLSOURCES NJABLMULTI NJABLFORMMAIL NJABLPROXIES SPAMCOP
WIREHUBDNSBL DSN NOABUSE NOPOSTMASTER BADHEADERS HELOBOGUS MAILFROM REVDNS
ROUTING SPAMHEADERS BASE64 IPMX HABEAS DNA WEIGHTFAIL WEIGHTFAILOUT
WEIGHTFAILALL PERCENT BULKOUT

IMail reports Official Host Name as: "mail01.excedent.us".
IMail's SendName registry seems OK:  "d:\imail\Declude.exe".

Declude JunkMail Status: PRO version registered.
Declude Virus Status:Pro Version Registered.
Declude Hijack Status:   Registered.

End of diagnostics.


-Original Message-
From: "R. Scott Perry"
Sent: Mon, 27 Jan 2003 12:50:32 -0500
Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test



>Is anybody using the COPYTO action for an Outgoing test (requires Declude 
>Pro)?  I can't seem to get it to work.  It always copies the email to a 
>blank recipient.  I've got this line in the global.cfg file...

Which version of Declude JunkMail are you running ("\IMail\Declude -diag" 
from a command prompt will show you)?
-Scott




[Declude.JunkMail] COPYTO action on an Outgoing test

2003-01-27 Thread Bill B.
Is anybody using the COPYTO action for an Outgoing test (requires Declude Pro)?  I 
can't seem to get it to work.  It always copies the email to a blank recipient.  I've 
got this line in the global.cfg file...

SOMETEST  COPYTO  [EMAIL PROTECTED]

...but the sender of the email where this outgoing test fails always receives a bounce 
email saying...

Invalid final delivery userid: @localhost

Running Declude in debug mode shows that it is being copied to a blank address...

Msg failed SOMETEST. Action=COPYTO.
Copying spam to .
AlterRecip( 3, [EMAIL PROTECTED], );
AlterRecip: Loading queuefile
Copying E-mail to .  Altering queuefile.





Re: Re[2]: [Declude.JunkMail] OT: Dictionary Attacks

2003-01-24 Thread Bill B.
I use those same settings.  But in addition, you can configure BlackICE to auto-block 
the "too many smtp errors" event (dictionary attack) by editing your issuelist.csv 
file.

Look for this line:
2001015,SMTP too many errors,0,agg,-1,7,,Spam,The SMTP

And change the "agg" to "IP|RST":
2001015,SMTP too many errors,0,IP|RST,-1,7,,Spam,The SMTP

This will tell BlackICE to auto-block the offending IP Address for 24 hours.  Don't 
expect the people at ISS to support this though.  They urged me not to edit that file 
when I asked.  But it does work.

Bill


-Original Message-
From: Roger Heath
Sent: Thu, 23 Jan 2003 16:50:21 -0600
Subject: Re[2]: [Declude.JunkMail] OT: Dictionary Attacks


Reply to: Don Schreiner
  Re: [Declude.JunkMail] OT: Dictionary Attacks on Thursday 11:51:25 AM

From an earlier msg:

Our servers are very stable with this firewall. It does not
autoblock these but you can manually block them. I noticed that
they do not show up in the log any more, so it appears to work
fine. I know you can set it to autoblock select events by editing
the blackice.ini, for example:

http.urllimit.count=60
http.urllimit.interval=50

will temporarily block too many URL requests, like web site
copying... These are the settings to block dictionary attacks. It
detects too many errors brought on by many failed logins...

[Settings]
smtp.error.count=10   ;total errors within
smtp.error.interval=120   ;this amount of time(sec)then blocked

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


- Copy of Original Message(s): -

D> Bill,

D> Also running BI as of few weeks ago and tinkering with firewal.ini.
D> Would you mind sharing the .ini changes you made. You can e-mail me off
D> list. Thanks.

D> Sincerely,

D> Don Schreiner
D> CompBiz, Inc.
D> www.compbiz.net
D> 407-322-8654
D> 800-408-3688

D> -Original Message-
D> From: [EMAIL PROTECTED]
D> [mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
D> Sent: Thursday, January 23, 2003 12:16 PM
D> To: [EMAIL PROTECTED]
D> Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks


D> We started running BlackICE last month and it has been working nice for
D> us.  It requires a few config changes to get it to auto-block IPs that
D> send you dictionary attacks, but it is definitely a good solution.

D> Bill


D> -Original Message-
D> From: "R. Scott Perry"
D> Sent: Thu, 23 Jan 2003 10:58:09 -0500
D> Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks



>>It seems this morning that we have several dictionary attacks happening
>>on one of Imail servers. Is there an easy way to stop the person doing 
>>this? I have looked through the log files and cannot easily spot the 
>>person(s) doing this.
>>
>>Is there software that will prevent people from performing Dictionary 
>>Attacks in the future?
>>
>>The POP3 and Declude processes are using like 50-09% of the CPU.
>>
>>Let me know if there is anything I can do...

D> Are you sure that it is a dictionary attack?  If the POP3 process has 
D> higher usage than normal, then E-mails are being sent to your users
D> (which 
D> would mean that it either isn't a dictionary attack, or a hybrid attack 
D> where they send spam as part of the dictionary attack).

D> You might want to check the archives of the IMail Forum for ideas on how
D> to 
D> stop a dictionary attack.  Some tricks are using a "nobody" alias (which
D> I 
D> believe you are), or using a product like BlackIce Server to stop it.

D> Unfortunately, Declude can't stop these, because it doesn't have access
D> to 
D> the TCP/IP connection (which is where it would need to be stopped).
D>   -Scott

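The thresholds quoted in this message (smtp.error.count=10 within smtp.error.interval=120 seconds, then a 24-hour block) amount to a per-IP sliding-window counter. The Python sketch below is an added illustration, not BlackICE or Declude code; the log line format, the sample addresses, the choice to count every 4xx/5xx reply as an error, and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the blackice.ini lines quoted in the thread.
ERROR_COUNT = 10                          # smtp.error.count
ERROR_INTERVAL = timedelta(seconds=120)   # smtp.error.interval
BLOCK_FOR = timedelta(hours=24)           # block duration given for IP|RST

# Constructed log format (an assumption, not IMail's real log format):
#   2003-01-23 10:00:05 192.0.2.77 RCPT <user1@example.org> 550
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) <([^>]*)> (\d{3})$"
)


def parse_line(line):
    """Return (timestamp, ip, reply_code), or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), int(m.group(5))


def find_blocks(lines, count=ERROR_COUNT, interval=ERROR_INTERVAL,
                block_for=BLOCK_FOR):
    """Scan time-ordered log lines; return {ip: (blocked_at, blocked_until)}."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent error replies
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, code = parsed
        if ip in blocked and ts < blocked[ip][1]:
            continue              # still inside an active block
        if code < 400:
            continue              # assumption: only 4xx/5xx replies are errors
        window = recent[ip]
        window.append(ts)
        # Drop errors that have aged out of the interval.
        while window and ts - window[0] > interval:
            window.popleft()
        if len(window) >= count:
            blocked[ip] = (ts, ts + block_for)
            window.clear()
    return blocked


def sample_log():
    """Constructed sample: one noisy source and one ordinary sender."""
    start = datetime(2003, 1, 23, 10, 0, 0)
    lines = []
    for i in range(12):           # 12 rejected recipients, 5 seconds apart
        ts = start + timedelta(seconds=5 * i)
        lines.append(
            f"{ts:%Y-%m-%d %H:%M:%S} 192.0.2.77 RCPT <user{i}@example.org> 550")
    for i in range(4):            # 4 rejections spread over 45 minutes
        ts = start + timedelta(minutes=15 * i)
        lines.append(
            f"{ts:%Y-%m-%d %H:%M:%S} 198.51.100.5 RCPT <typo{i}@example.org> 550")
    lines.append("2003-01-23 10:00:30 198.51.100.5 RCPT <bill@example.org> 250")
    return sorted(lines)          # timestamp prefix sorts chronologically


if __name__ == "__main__":
    for ip, (since, until) in find_blocks(sample_log()).items():
        print(f"block {ip} from {since} until {until}")
```

The sender with four rejections spread across 45 minutes never reaches ten errors inside one 120-second window, so only the burst source is blocked.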

Re: [Declude.JunkMail] OT: Dictionary Attacks

2003-01-23 Thread Bill B.
We started running BlackICE last month and it has been working nice for us.  It 
requires a few config changes to get it to auto-block IPs that send you dictionary 
attacks, but it is definitely a good solution.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Thu, 23 Jan 2003 10:58:09 -0500
Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks



>It seems this morning that we have several dictionary attacks happening on
>one of Imail servers. Is there an easy way to stop the person doing this? I have
>looked through the log files and cannot easily spot the person(s) doing
>this.
>
>Is there software that will prevent people from performing Dictionary
>Attacks in the future?
>
>The POP3 and Declude processes are using like 50-09% of the CPU.
>
>Let me know if there is anything I can do...

Are you sure that it is a dictionary attack?  If the POP3 process has 
higher usage than normal, then E-mails are being sent to your users (which 
would mean that it either isn't a dictionary attack, or a hybrid attack 
where they send spam as part of the dictionary attack).

You might want to check the archives of the IMail Forum for ideas on how to 
stop a dictionary attack.  Some tricks are using a "nobody" alias (which I 
believe you are), or using a product like BlackIce Server to stop it.

Unfortunately, Declude can't stop these, because it doesn't have access to 
the TCP/IP connection (which is where it would need to be stopped).
  -Scott




Re: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released

2003-01-20 Thread Bill B.
Two ideas that come to mind for handling the action are:

1) Use the strongest action defined in the user's .junkmail file

2) Or, set the action in the line that points to the BLACKLISTFILE.  ie:

BLACKLISTFILE  HOLD  D:\IMail\Declude\domain\user\blacklist.txt


-Original Message-
From: "R. Scott Perry"
Sent: Mon, 20 Jan 2003 08:46:08 -0500
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released



>Is there (or will there be) a similar "BLACKLISTFILE" feature?

The trick here is that you need more than just the BLACKLISTFILE option, as 
you would also need to determine how to handle E-mail in the blacklist (the 
action and/or weight).  However, it is something that we would like to add.
   -Scott




Re: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released

2003-01-19 Thread Bill B.
Is there (or will there be) a similar "BLACKLISTFILE" feature?

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Fri, 17 Jan 2003 15:24:34 -0500
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released



>Just to ask the obvious but to be sure...
>
>Now the whitelist is a different file- just like fromfile?
>
>WHITELIST   WHITELISTFILE   D:\IMail\Declude\Whitelist.txt  x
>0   0
>
>Is this the format?

Sorry, I should have specified.

The per-user/per-domain whitelisting works by adding a line in the format 
"WHITELISTFILE  D:\IMail\Declude\Whitelist.txt" to one of the per-user or 
per-domain configuration files (any of the *.JunkMail files).  This will 
point to a text file, that currently can have one E-mail address or partial 
E-mail address per line, such as:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
@example.org
...


 -Scott




Re: [Declude.JunkMail] Return address

2003-01-19 Thread Bill B.
How about this...

MAILFROM 0 ENDSWITH 0
MAILFROM 0 ENDSWITH 1
MAILFROM 0 ENDSWITH 2
...etc



-Original Message-
From: "Bill Landry"
Sent: Sun, 19 Jan 2003 13:15:57 -0800
Subject: RE: [Declude.JunkMail] Return address 


The only way I can think of to currently block an e-mail address with an IP
after the @ symbol would be something like:

MAILFROM  0  CONTAINS  @1
MAILFROM  0  CONTAINS  @2

However, this would also flag e-mail addresses like:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

I don't see how, with the current implementation of the filter file, that
you could check just the extension of the e-mail address (i.e., .net, .com,
.org, etc.).  Maybe Scott would consider that as a future feature add. :)
Maybe:

MAILEXTBOGUS  extinvalid  x  x  5  0

Where the e-mail address extension contains anything but valid/approved
letter combinations.  Or, maybe the MAILFROM (global.cfg) test could include
the extension testing, if it is not already doing this.

Bill

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Sunday, January 19, 2003 12:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Return address 


Scott.. Thanks..

I guess this still leaves the other variation up for attack..

[EMAIL PROTECTED]

We have seen this also.. When they are sending email with userID and IP.

I guess one way to decipher this is if the last characters after the last
period are not letters.

Can that be a filter?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, January 19, 2003 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Return address 



>Is it a viable solution to filter the header for:
>
>From: <>

No -- a spammer would probably send an E-mail with a return address ("MAIL 
FROM") of "<>", but have a header like "From: Youwill berich 
<[EMAIL PROTECTED]>".

You could filter with something like:

 MAILFROM  2  CONTAINS  <>

 -Scott

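The three heuristics raised in this thread (CONTAINS "@" plus a digit, "the characters after the last period are not letters", and ENDSWITH a digit) can be compared side by side against a strict parse of the domain part. This is an added Python sketch, not Declude filter syntax; the sample addresses and function names are constructed, and the bracketed form user@[192.0.2.10] is included as an extra case because it ends in "]" rather than a digit.

```python
import ipaddress
import re


def domain_of(mailfrom):
    """Return the text after the last '@' of an envelope sender, without <>."""
    addr = mailfrom.strip().strip("<>")
    return addr.rpartition("@")[2]


def contains_at_digit(mailfrom):
    """Equivalent of ten lines 'MAILFROM 0 CONTAINS @0' ... '@9'."""
    return re.search(r"@\d", mailfrom) is not None


def ends_with_digit(mailfrom):
    """Equivalent of ten lines 'MAILFROM 0 ENDSWITH 0' ... 'ENDSWITH 9'."""
    return mailfrom.strip().strip("<>")[-1:].isdigit()


def last_label_not_letters(mailfrom):
    """Heuristic from the thread: text after the last period is not all letters."""
    label = domain_of(mailfrom).rstrip(".").rpartition(".")[2]
    return bool(label) and not (label.isascii() and label.isalpha())


def is_ip_literal(mailfrom):
    """Strict check: the domain is a bare IP address or a bracketed address literal."""
    d = domain_of(mailfrom)
    if d.startswith("[") and d.endswith("]"):
        d = d[1:-1]
        if d.lower().startswith("ipv6:"):
            d = d[5:]
    try:
        ipaddress.ip_address(d)
        return True
    except ValueError:
        return False


# Constructed sample senders (documentation address ranges and example domains).
SAMPLES = [
    "spammer@192.0.2.10",            # bare IP after the @
    "spammer@[192.0.2.10]",          # bracketed address literal
    "sales@3com.example",            # ordinary domain that starts with a digit
    "user@example.org",              # ordinary domain
    "list-owner@mail2.example.net",  # digit inside a host label
]


def compare(samples=SAMPLES):
    """Map each address to (contains_at_digit, ends_with_digit,
    last_label_not_letters, is_ip_literal)."""
    return {
        s: (contains_at_digit(s), ends_with_digit(s),
            last_label_not_letters(s), is_ip_literal(s))
        for s in samples
    }


if __name__ == "__main__":
    print(f"{'address':32} @digit  endsdigit  lastlabel  literal")
    for addr, flags in compare().items():
        print(f"{addr:32} " + "  ".join(f"{str(f):9}" for f in flags))
```

On these samples the "@" plus digit rule flags sales@3com.example, which is the false positive described in the thread, while the ENDSWITH rule avoids it but does not match the bracketed literal.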



[Declude.JunkMail] all_list.dat

2002-12-31 Thread Bill B.
Should we be downloading an updated copy of all_list.dat periodically?  If
so, how often and from where?

Thanks,
Bill





[Declude.JunkMail] Interesting anti-spam concept

2002-12-06 Thread Bill B.
I don't know if it would actually work, but this is an interesting
concept...
http://www.newscientist.com/news/news.jsp?id=ns3152

Bill




Re: [Declude.JunkMail] Message Sniffer Confidence

2002-11-08 Thread Bill B
We weight sniffer as a 12 and block at 15.  This works very well for us.

Bill


-Original Message-
From: "Trent M. Davenport"
Sent: Fri, 8 Nov 2002 10:24:28 -0800
Subject: [Declude.JunkMail] Message Sniffer Confidence


So, after seeing the last 2 months that message sniffer is around 90%
accurate, what confidence has everyone put in it?  We offer our clients 2
levels of SPAM blocking.  Regular (using a WEIGHT20) and Aggressive (using a
WEIGHT10).  Because we're an ISP, we have to be really careful about
deleting legitimate email.

We purchased Message Sniffer and implemented it and it is catching a bunch
of messages, but the default weight is 7.  With the percentage as high as it
is, I'd like to give it a 17 so that if a message fails it plus 1 other
test, it'll fail the regular test.  Need I be that cautious?

Just looking for feedback from other users of Sniffer.

Trent
---
Trent M. Davenport - Systems Administrator
Northern Television Systems Ltd - WHTV
203-4103 4th Avenue, Whitehorse, YT Y1A 1H6
(867) 393-2225 X204, (867) 393-2224 FAX
www.whtvcable.com ( [EMAIL PROTECTED] )





Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released

2002-11-05 Thread Bill B
The part I'm not quite sure how to handle is knowing which domain's blacklist file to 
use in my exe when there are multiple recipients.  For example, if I were to set up my 
test like this...

DOMBLACKLIST external nonzero "D:\domblacklist.exe %LOCALHOST% %MAILFROM%" 100 0

...what would the value of %LOCALHOST% be if the inbound email were sent to two users 
on different local domains on our server?

Bill


-Original Message-
From: Smart Business Lists
Sent: Tue, 5 Nov 2002 12:58:55 -0600
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released


Bill,

Tuesday, November 5, 2002 you wrote:
BB> 1) Do you see it being possible to code something like this using
BB> an external test?

The external test works great.  I just wrote one in perl and I am very
pleased.  I'm doing very little right now but it is an excellent
concept.

The only real problem I had was that I was using a hold action based
on weight and I was trying to make my external test routeto.  But hold
has priority and was activated first.  At Scott's suggestion I had my
external test return a large negative weight and it is working very
nicely now.

So in general the external test is very capable but whether you can do
what you intend specifically or not is another issue.


Terry Fritts




Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released

2002-11-05 Thread Bill B
What I am looking into writing based on that new feature is per-domain and possibly 
even per-user blacklist/whitelists.  Being able to pass variables to external tests 
almost makes this possible, but I think there might be a problem for inbound emails 
that have multiple recipients.  With multiple recipients the external test wouldn't be 
able to determine which blacklist/whitelist to use.

So I have two questions...

1) Do you see it being possible to code something like this using an external test?

2) If not (or even if so), is per-domain and per-user blacklists and whitelists 
something that is soon to be added to Declude anyway?

Bill



-Original Message-
From: "R. Scott Perry"
Sent: Tue, 05 Nov 2002 13:17:14 -0500
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released



>With regards to this new feature:
>o External tests can now have variables in their definitions.
>
>Does that mean we can define an external test like this in order to pass 
>parameters to the test?:
>
>DOMBLACKLIST external nonzero "D:\domblacklist.exe %LOCALHOST% %MAILFROM%" 
>100 0

That is correct.
 -Scott




Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released

2002-11-05 Thread Bill B
With regards to this new feature:
   o External tests can now have variables in their definitions.

Does that mean we can define an external test like this in order to pass parameters to 
the test?:

DOMBLACKLIST external nonzero "D:\domblacklist.exe %LOCALHOST% %MAILFROM%" 100 0



-Original Message-
From: "R. Scott Perry"
Sent: Mon, 04 Nov 2002 14:16:28 -0500
Subject: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released


We have just released Declude v1.62 (beta).  See 
http://www.declude.com/junkmail/manual.htm .  Changes include:

   o Will now handle multiple return codes in ip4r tests.
   o Will now record the action for each test that fails.
   o Changes handling of invalid "[?.?.?.?]".
   o External tests can now have variables in their definitions.
   o Adds a failsafe for invalid CIDR ranges in IP blacklists.
   o Adds COUNTRY (of remote mailserver) and COUNTRIES (of any mailservers 
in chain) to filter.
   o Adds %COUNTRYCHAIN% variable.
   o Adds "ipnotinmx" test, which catches E-mail sent from an IP not in the 
MX records of sending domain.
   o HABEAS whitelist type, for whitelisting E-mails with Habeas headers 
("WHITELIST HABEAS").
   o New "habeas" test type, to allow for negative weighting of E-mails 
with Habeas headers.




Re: [Declude.JunkMail] move to different user

2002-11-05 Thread Bill B

WEIGHT20 ROUTETO junkmail@%LOCALHOST%


Bill



-Original Message-
From: Robert Shubert
Sent: Tue, 05 Nov 2002 12:10:14 -0500
Subject: [Declude.JunkMail] move to different user


Is there a way to have declude change the destination address of the
email when it's marked as spam?

I have several users at a domain: [EMAIL PROTECTED] and [EMAIL PROTECTED]

The administrator of the domain wants spam to be just sent into
[EMAIL PROTECTED] for all the users of the domain. I didn't see that I
could do a processing rule in IMail that would move mail between users.
Can I have declude do this for me?

Robert Shubert
Tronics



[Declude.JunkMail] multiple return codes

2002-11-05 Thread Bill B
How does the new feature for handling multiple return codes in ip4r tests work?  Does 
this mean we can combine the following into a single test?

OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
OSLIST ip4r relays.osirusoft.com 127.0.0.7 5 0
OSPROXY ip4r relays.osirusoft.com 127.0.0.9 7 0
OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
OSSMART ip4r relays.osirusoft.com 127.0.0.5 5 0
OSSOFT ip4r relays.osirusoft.com 127.0.0.6 5 0
OSSRC ip4r relays.osirusoft.com 127.0.0.4 4 0

...is this currently 8 separate queries to "relays.osirusoft.com"?


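How a single DNSBL answer can carry several return codes, using the eight relays.osirusoft.com definitions from the message above. This is an added Python sketch, not Declude's implementation, and it does not say how many queries Declude itself sends; the resolver is a constructed stub so the block runs offline, and the sample IP and its listing are made up.

```python
import ipaddress

ZONE = "relays.osirusoft.com"

# (test name, return code, weight) copied from the eight ip4r lines in the message.
TESTS = [
    ("OSDUL",   "127.0.0.3", 5),
    ("OSFORM",  "127.0.0.8", 5),
    ("OSLIST",  "127.0.0.7", 5),
    ("OSPROXY", "127.0.0.9", 7),
    ("OSRELAY", "127.0.0.2", 5),
    ("OSSMART", "127.0.0.5", 5),
    ("OSSOFT",  "127.0.0.6", 5),
    ("OSSRC",   "127.0.0.4", 4),
]


def query_name(ip, zone=ZONE):
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class StubResolver:
    """Offline stand-in for a DNS client (constructed for this example).

    `records` maps a query name to the A records the zone would return;
    a name that is absent behaves like NXDOMAIN (not listed).
    """

    def __init__(self, records):
        self.records = records
        self.queries = []          # every name looked up, for counting

    def lookup_a(self, name):
        self.queries.append(name)
        return set(self.records.get(name, ()))


def evaluate(ip, resolver, tests=TESTS):
    """One lookup; every test whose return code is in the answer set fails."""
    answers = resolver.lookup_a(query_name(ip))
    failed = [(name, weight) for name, code, weight in tests if code in answers]
    return failed, sum(weight for _, weight in failed)


def evaluate_per_test(ip, resolver, tests=TESTS):
    """Same verdict, but one lookup per test definition, for comparison."""
    failed = []
    for name, code, weight in tests:
        if code in resolver.lookup_a(query_name(ip)):
            failed.append((name, weight))
    return failed, sum(weight for _, weight in failed)


# Constructed zone data: one address listed with two return codes.
SAMPLE_ZONE = {
    query_name("192.0.2.10"): ["127.0.0.2", "127.0.0.9"],
}

if __name__ == "__main__":
    once, each = StubResolver(SAMPLE_ZONE), StubResolver(SAMPLE_ZONE)
    print(evaluate("192.0.2.10", once), "lookups:", len(once.queries))
    print(evaluate_per_test("192.0.2.10", each), "lookups:", len(each.queries))
```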



Re: [Declude.JunkMail] Declude log test analyzer

2002-10-29 Thread Bill B
I was playing with their latest Beta this morning and it didn't seem to recognize the 
Declude logs...but maybe it just did not recognize LOGLEVEL MID.  I'll play around 
with it some more.

Bill


-Original Message-
From: "R. Scott Perry"
Sent: Tue, 29 Oct 2002 10:14:24 -0500
Subject: RE: [Declude.JunkMail] Declude log test analyzer



>I'd stay with their current, and you'll either have to build your own filter
>for Declude logs or ask them to build it for you, they will for registered
>users without a charge, and if it is a common log format add it to their
>permanent list. The different levels of info used in the various Declude log
>levels might throw it a bit, I'm not sure.

Their latest beta version now includes support for Declude log files (see 
http://www.sawmill.net/formats/Declude.html ).
 -Scott




Re: Re[2]: [Declude.JunkMail] Declude log test analyzer

2002-10-29 Thread Bill B
Which version of sawmill are you using?  I just tried their current beta (6.4b5) and 
it crashed hard while processing Imail logs and didn't even recognize the Declude log 
format.

Bill


-Original Message-
From: sbsi lists
Sent: Mon, 28 Oct 2002 16:30:30 -0600
Subject: Re[2]: [Declude.JunkMail] Declude log test analyzer


Hi Dan,

DC> I can also recommend Sawmill...you can configure fairly
DC> sophisticated filters to slice and dice the logs (and logs of many
DC> different formats). The support folks there were willing to help
DC> me get a filter set up and it looks like a worthy product to
DC> support.

http://www.sawmill.net

I'd second that -- have used it to read some Imail logs when testing
it and he seems to do a really nice job on getting any changes in
there that you'd like and/or that make sense.

And, it's very affordable ...

-jason





Re: [Declude.JunkMail] client Question

2002-10-24 Thread Bill B
That's correct...It reads it each time a message is received.  We plan to work on a 
similar tool using ASP here in the next month or two.

Bill


-Original Message-
From: grb
Sent: Thu, 24 Oct 2002 19:54:47 -0500
Subject: Re: [Declude.JunkMail] client Question


Hey Rich,

Not sure I understand you correctly, are you offering a system in which a client can 
adjust their weighting on their own? If so, do you have an example of this feature of 
your service? This sounds great.

After reading this, you got me thinking, I could write a Cold Fusion application that 
could create weighting through a Access DB and client based admin system...has 
someone already done this...if not, I may be able to come up with something for those 
running Cold Fusion.

for those that run CF, my email is [EMAIL PROTECTED] if ya'll want to discuss 
this.

If I understand declude correctly, if a change is made to the default or global file 
within a given directory, we do not have to restart the smtp service with Imail or 
restart the smtp service under the services control panel, correct? Declude pulls 
these files each time and would read any change that is made on the fly, correct?

thanks 

gb

>The previous Spam filtering we were doing didn't give the customer the option of 
>setting their own filters.  Many now leave things at the default for the server, 
>others have refined their filters to their liking.  Still others don't have any idea 
>what the filters do, and what they don't understand is a bad thing.




Re: [Declude.JunkMail] Recommendation: Symbol Wildcard for Filters

2002-10-23 Thread Bill B
While we are on this topic...

Has anybody had experience with a decent content filtering application?  Not exactly 
spam content filters, but more along the lines of policy-based filters...where a 
corporation could establish policies for what types of content to allow their 
employees to send & receive.

These apps usually describe themselves as "prevents confidential data loss", 
"safeguards your organization from embarrassment & costly lawsuits".

I would imagine that an application such as this could be integrated with Declude as 
an external test.  Any ideas?

Bill



-Original Message-
From: "R. Scott Perry"
Sent: Wed, 23 Oct 2002 08:22:33 -0400
Subject: Re: [Declude.JunkMail] Recommendation: Symbol Wildcard for Filters



> > That's something that a number of people have requested, but has two
> > drawbacks: It requires lots of programming time to create, and lots of CPU
> > time.
>
>Hmmm...  Not to be a pest, but I'm wondering if this wouldn't actually
>IMPROVE performance?

The problem is that it requires going through the E-mail one character at a 
time and running a test against each of the filters.  Each of those tests 
is much more involved than a string match (which most of the time just 
requires comparing 2 bytes).

If all that is being added is a single character that is used to replace a 
single character, it wouldn't be so bad.  But once you go a step beyond 
that -- a single character representing punctuation but not letters, for 
example, or "*", or regexp expressions, it can get much more complex quickly.

>RULE "free~" finds "free" "free!" "free." "free?" etc. but not "freedom"
>or "freeze" -- all in one pass.  It covers STARTSWITH, CONTAINS, IS and
>ENDSWITH in one shot.
>
>RULE "~sex" finds "sex" "sexy" "sexiest" "sexaholic" "sex!!!" etc. but
>not "Essex" or "unisex" -- all in one pass.  Again, operators
>STARTSWITH, CONTAINS, IS and ENDSWITH are all covered.  One rule.

True -- it would likely save CPU time over having multiple filter entries.

Again, this is something that we are looking into, but we just haven't made 
any final decisions about.
   -Scott
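
The "~" rules proposed in the quoted suggestion above, worked through as an added Python example (not Declude code; the thread says the feature was only being considered). Assumptions: "~" is read as "no letter on this side of the match", and the names compile_rule, matches, spared and score, the weights and the sample subject line are made up for illustration.

```python
import re

# Assumption: '~' means "no letter here"; digits, punctuation, whitespace
# and the edge of the text all satisfy it.
LETTERS = "A-Za-z"


def compile_rule(pattern):
    """Turn a proposed '~' rule such as 'free~' or '~sex' into a regex."""
    lead = pattern.startswith("~")
    trail = len(pattern) > 1 and pattern.endswith("~")
    start = 1 if lead else 0
    end = len(pattern) - 1 if trail else len(pattern)
    core = pattern[start:end]
    if not core or "~" in core:
        # The thread only shows '~' at the start or the end of a rule.
        raise ValueError(f"unsupported rule: {pattern!r}")
    before = f"(?<![{LETTERS}])" if lead else ""
    after = f"(?![{LETTERS}])" if trail else ""
    # One compiled pattern is searched in a single pass over the text.
    return re.compile(before + re.escape(core) + after, re.IGNORECASE)


def matches(pattern, text):
    """True if the '~' rule matches anywhere in the text."""
    return compile_rule(pattern).search(text) is not None


def spared(pattern, words):
    """Words a plain CONTAINS on the same string would hit but the rule skips."""
    core = pattern.strip("~").lower()
    return [w for w in words if core in w.lower() and not matches(pattern, w)]


def score(text, rules):
    """Sum the weights of all matching rules; rules is [(weight, pattern)]."""
    return sum(weight for weight, pattern in rules if matches(pattern, text))


# Word lists taken from the quoted suggestion.
FREE_WORDS = ["free", "free!", "free.", "free?", "freedom", "freeze"]
SEX_WORDS = ["sex", "sexy", "sexiest", "sexaholic", "sex!!!", "Essex", "unisex"]
RULES = [(5, "free~"), (5, "~sex")]  # weights are made-up values

if __name__ == "__main__":
    print(spared("free~", FREE_WORDS))
    print(spared("~sex", SEX_WORDS))
    # Constructed subject line: only "FREE!" satisfies a rule.
    print(score("FREE! Essex county freedom rally", RULES))
```

A rule without a leading "~" still behaves like CONTAINS on that side, so "free~" also matches "carefree!".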




Re: [Declude.JunkMail] off topic : Imail Headers

2002-10-16 Thread Bill B

I stuck these in our GLOBAL.CFG file to provide that information on each inbound and 
outbound email...

XINHEADER   X-Note: Sent from %MAILFROM% - %REVDNS% ([%REMOTEIP%]).
XOUTHEADER  X-Note: Sent from %MAILFROM% - %REVDNS% ([%REMOTEIP%]).


Bill



-Original Message-
From: "Emiel Berlo, van"
Sent: Tue, 15 Oct 2002 23:08:47 +0200
Subject: [Declude.JunkMail] off topic : Imail Headers


Hello you all,

I know it is a little off topic,

But the following question is going through my head for a few days and I
couldn't find much (= very little) about it.

Is there a way to change the imail internet headers ?
The headers imail puts in every sent email.

e.g. I would like to add the ip address of the sender on the webmail to
be able to track down who sent it. (like hotmail also puts an
X-something-IP-address field)

Any help would be great,

Emiel.



Re: [Declude.JunkMail] hijack & web mail

2002-10-11 Thread Bill B

That's what I figured.  Thanks

Bill


-Original Message-
From: "John Tolmachoff"
Sent: Fri, 11 Oct 2002 06:30:04 -0700
Subject: RE: [Declude.JunkMail] hijack & web mail


I think the point is that someone in Web mail is not going to be sending out
hundreds and thousands of spam. Just too hard and time consuming to sit
there and add in all those addresses.

I do not think Hijack will track web mail users, as it goes by the IP
address in the SMTP incoming envelope.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






[Declude.JunkMail] hijack & webmail

2002-10-11 Thread Bill B

Is Declude HiJack able to protect against webmail users sending too much mail 
also?...or does it just protect SMTP?

Bill





Re: [Declude.JunkMail] Per User - Alias Account

2002-10-02 Thread Bill B

We're doing that very thing...it works well.

Bill


-Original Message-
From: "Trent M. Davenport"
Sent: Wed, 2 Oct 2002 14:32:55 -0700
Subject: RE: [Declude.JunkMail] Per User - Alias Account


I'll try that and let you know how it goes.

Trent
---
Trent M. Davenport - Systems Administrator
Northern Television Systems Ltd - WHTV
203-4103 4th Avenue, Whitehorse, YT Y1A 1H6
(867) 393-2225 X204, (867) 393-2224 FAX
www.whtvcable.com ([EMAIL PROTECTED])



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: October 2, 2002 2:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Per User - Alias Account



>What if you created a mailbox instead of an alias on the first virtual
>domain that only forwarded and did not store?  Would JunkMail process before
>Imail forwarded?

Good idea -- Declude JunkMail would scan based on the name of the mailbox,
before the E-mail was forwarded.
  -Scott




[Declude.JunkMail] another HiJack question

2002-09-27 Thread Bill B

With Declude HiJack, if we restart the Declude Console, what happens to the IP 
Addresses that are currently locked out?  Does HiJack know to continue to block those 
IPs that still have mail held in "hold2"?

I know that if you remove the mail from hold2 and restart Declude Console, the IP is 
no longer blocked...but my question is about what happens if we leave their mail in 
hold2 when we restart.

Thanks,
Bill





Re: [Declude.JunkMail] Whitelisting one address

2002-09-27 Thread Bill B

Instead of whitelisting, you could use a wordfilter to add a negative weighting like 
this:

MAILFROM  -50  ENDSWITH  .mil

Bill


-Original Message-
From: "Mike Goetz"
Sent: Fri, 27 Sep 2002 09:50:25 -0400
Subject: [Declude.JunkMail] Whitelisting one address


In my bounce messages I entered a little note saying “if you feel this
message has been bounced in error, please contact [EMAIL PROTECTED]”.
But those people who fail the open relay tests will not be able to get
mail through to that address.  Is there a way with the standard version of
Declude to make mail go to that address regardless of its intent; spam or
valid?

Also, another question.  We get a lot of government mail that is being
trapped.  Usually they’re addresses like [EMAIL PROTECTED].  What I did
was WHITELIST FROM @.mil to let all mail from .mil to come through
unchallenged.  But they’re still getting trapped.  Did I not whitelist the
domain correctly?

Thanks!





Re: [Declude.JunkMail] fromfile problem

2002-09-27 Thread Bill B

Oh...actually I do remember that being discussed a while back.  Thanks Scott.

Bill



-Original Message-
From: "R. Scott Perry"
Sent: Fri, 27 Sep 2002 09:46:28 -0400
Subject: Re: [Declude.JunkMail] fromfile problem



>@ANONYMOUS  @ANONYMOUS
>ANONYMOUS@  ANONYMOUS@
>
>I use several combinations like this, but I am noticing that the ones 
>which end with the "@" symbol are not working.  Any ideas why?

The "@" forces Declude JunkMail to use an exact match (that started with 
v1.58, so that "[EMAIL PROTECTED]" wouldn't catch "[EMAIL PROTECTED]", for 
example).  So "ANONYMOUS@" would only match an E-mail address that was just 
"ANONYMOUS@".  There is currently no way to specify just a username.
-Scott




[Declude.JunkMail] fromfile problem

2002-09-27 Thread Bill B

I use the "fromfile" test that was suggested by Tom on this list, which adds a 
weighting for many common items in Spam addresses such as these below:

@ANONYMOUS  @ANONYMOUS
.ANONYMOUS  .ANONYMOUS
ANONYMOUS.  ANONYMOUS.
ANONYMOUS@  ANONYMOUS@
-ANONYMOUS  -ANONYMOUS
ANONYMOUS-  ANONYMOUS-
@BOUNCE @BOUNCE
.BOUNCE .BOUNCE
BOUNCE. BOUNCE.
BOUNCE@ BOUNCE@
-BOUNCE -BOUNCE
BOUNCE- BOUNCE-

I use several combinations like this, but I am noticing that the ones which end with 
the "@" symbol are not working.  Any ideas why?

Here is an example of one it missed from the logs...

09/27/2002 00:12:29 Qdaac06290108404a BADHEADERS:5 SNIFFER:12 .  Total weight = 17
09/27/2002 00:12:29 Qdaac06290108404a Msg failed BADHEADERS (This E-mail was sent from a broken mail client [801e].).
09/27/2002 00:12:29 Qdaac06290108404a Msg failed SNIFFER (Message failed SNIFFER: 12.).
09/27/2002 00:12:29 Qdaac06290108404a Msg failed WEIGHTFAIL (Weight of 17 reaches or exceeds the limit of 15.).
09/27/2002 00:12:29 Qdaac06290108404a Subject: Double Your Earnings Power...
09/27/2002 00:12:29 Qdaac06290108404a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]


...other than that problem, this test has made a great addition by just adding a small 
weighting for addresses that contain these patterns.

Thanks,
Bill
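
A parser for log entries in the shape quoted in the post above, as an added Python example (not part of the original message and not a Declude or Sawmill tool). The line format is assumed from that excerpt alone; the placeholder addresses, the second message and the function names are constructed.

```python
import re
from collections import Counter

# Constructed sample: message 1 follows the excerpt in the post (two entries
# left wrapped the way the mail client wrapped them); message 2 is made up
# so that its weights do not add up to the logged total.
SAMPLE_LOG = """\
09/27/2002 00:12:29 Qdaac06290108404a BADHEADERS:5 SNIFFER:12 .  Total weight = 17
09/27/2002 00:12:29 Qdaac06290108404a Msg failed BADHEADERS (This E-mail was sent from
a broken mail client [801e].).
09/27/2002 00:12:29 Qdaac06290108404a Msg failed SNIFFER (Message failed SNIFFER: 12.).
09/27/2002 00:12:29 Qdaac06290108404a Msg failed WEIGHTFAIL (Weight of 17 reaches or
exceeds the limit of 15.).
09/27/2002 00:12:29 Qdaac06290108404a Subject: Double Your Earnings Power...
09/27/2002 00:14:03 Qconstructed000001 FROMFILE:3 HELOBOGUS:4 .  Total weight = 9
"""

ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (Q\S+) (.*)$")
WEIGHTS = re.compile(r"^((?:\S+:-?\d+ )+)\.\s+Total weight = (-?\d+)$")
FAILED = re.compile(r"^Msg failed (\S+) \((.*)\)\.$")
LIMIT = re.compile(r"reaches or exceeds the limit of (-?\d+)")


def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the last one."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line.rstrip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries


def parse(text):
    """Return {spool id: record} for a Declude JunkMail log excerpt."""
    records = {}
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue  # not a log entry in the assumed format
        rec = records.setdefault(
            m.group(1), {"weights": {}, "total": None, "failed": [], "limit": None})
        rest = m.group(2)
        if w := WEIGHTS.match(rest):
            for pair in w.group(1).split():
                name, _, value = pair.rpartition(":")
                rec["weights"][name] = int(value)
            rec["total"] = int(w.group(2))
        elif f := FAILED.match(rest):
            rec["failed"].append(f.group(1))
            if lim := LIMIT.search(f.group(2)):
                rec["limit"] = int(lim.group(1))
    return records


def mismatched(records):
    """Spool ids whose per-test weights do not sum to the logged total."""
    return [qid for qid, r in records.items()
            if r["total"] is not None and sum(r["weights"].values()) != r["total"]]


def hits_per_test(records):
    """Number of messages each test added weight to."""
    return Counter(name for r in records.values() for name in r["weights"])
```

Grouping by spool id shows at a glance which tests pushed a message over the limit, and that no weight from the "fromfile" test was logged for the message in question.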





[Declude.JunkMail] MAILFROM failing on "user@domain@host"

2002-09-26 Thread Bill B

Scott,

Mail from one of our users continuously fails the MAILFROM test, but I'm not sure that 
it should be failing.  The only funny thing this message has is the mail server 
hostname appended to the end of the address, but I thought that was valid.

Can you have a look?  Below are the message headers from the D*.SMD file and the 
contents of the Q*.SMD file, as well as the lines from the smtp logs...


D*.SMD:

Received: from weabsunprd12.weac.com [64.236.243.243] by mail01.excedent.us with ESMTP
  (SMTPD32-7.13) id AE73D740042; Thu, 26 Sep 2002 16:30:43 -0400
Received: from weabsundev02.weac.com (weabsundev02.weac.com [205.173.141.23])
  by weabsunprd12.weac.com (8.10.2+Sun/8.8.8) with ESMTP id g8QKUgR09321
  for <[EMAIL PROTECTED]>; Thu, 26 Sep 2002 13:30:43 -0700 (PDT)
Received: from innoventJeff ([168.161.184.242])
  by weabsundev02.weac.com (8.8.8+Sun/8.8.8) with ESMTP id NAA03413
  for <[EMAIL PROTECTED]>; Thu, 26 Sep 2002 13:30:42 -0700 (PDT)
From: "Jeff Mericle" <[EMAIL PROTECTED]>
To: "Keith Mericle" <[EMAIL PROTECTED]>
Date: Thu, 26 Sep 2002 13:30:49 -0700
MIME-Version: 1.0
Subject: Re: FW: Canceled: Actuate Enterprise Conference Call
Reply-to: [EMAIL PROTECTED]
Message-ID: <3D930C09.14872.30003FEC@localhost>
Priority: normal
In-reply-to: <[EMAIL PROTECTED]>
X-mailer: Pegasus Mail for Windows (v4.01)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
X-Note: Sent from [EMAIL PROTECTED]@mx.digical.com - h-64-236-243-243.twi.com ([64.236.243.243]).
X-Note: Scanned for SPAM by Excedent
X-Note: HELOBOGUS, MAILFROM (14)


Q*.SMD:

Qd:\imail\spool\D6e730d74004282ea.SMD
Hmail01.excedent.us
Wd:\imail\mail01_excedent_com
E0,
S<[EMAIL PROTECTED]@mx.digical.com>
NRCPT To:<[EMAIL PROTECTED]>
R<[EMAIL PROTECTED]>


SMTP LOG:

20020926 163043 127.0.0.1   SMTPD (0D740042) [64.236.243.243] EHLO weabsunprd12.weac.com
20020926 163044 127.0.0.1   SMTPD (0D740042) [64.236.243.243] MAIL From:<[EMAIL PROTECTED]@mx.digical.com>







