RE: [Declude.JunkMail] GIBBERISHSUB v1.0.4 - Filter updated
Matt, Consider adding an entry to ANTI-GIBBERISHSUB for ezmlm, a very popular mailing list manager package for qmail. Bill
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble Sent: Wednesday, October 22, 2003 8:12 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] GIBBERISHSUB v1.0.4 - Filter updated
Well, after quite a bit of work, I've finally managed to do a partial launch of my new site starting with the Declude Filters section. The first filter that I have updated and shared on the site is the GIBBERISHSUB filter which detects random strings of characters in the subject of messages. I've updated the format of the files along with the methods and exclusions whenever appropriate. The changes to this filter are mainly the format of the file itself (which has no effect on how it works). I am now using a slightly different naming convention for the ANTI files by inserting a hyphen after the prefix and I added some exclusions to the list in order to further protect from false positives. Please share your own exclusions with me and I will add them to the filter in a future release. The site can be reached by following this link: MailPure :: Filter Software :: Declude Filters http://www.mailpure.com/software/decludefilters/ I'll have at least one more filter updated before the end of this evening, and I've got some new ones to share as time permits. Matt
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam action for non-local aliases
There are a lot of these aliases, so I don't want to set up per-domain entries. Shouldn't I be able to use the outbound actions for these, since the actual recipient is a non-local user? I tried that by defining an action in GLOBAL.CFG, and sending a test email from my Lycos Mail account to an alias in Imail which forwards to a non-local address... but it didn't use the GLOBAL.CFG action. In GLOBAL.CFG I have WEIGHTFAILOUT HOLD, and below are the log entries of the test email. It failed WEIGHTFAILOUT, but the action wasn't triggered... note: I am not using SWITCHRECIPS ON
09/29/2003 10:52:24 Q47273b6614888021 Bogus IP: 0.0.0.0
09/29/2003 10:52:25 Q47273b6614888021 WORD:100 nNOLEGIT:-3 . Total weight = 97
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WORD (Message failed WORD test (11)). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAIL (Weight of 97 reaches or exceeds the limit of 15.). Action=LOG.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAILLOW (Weight of 97 reaches or exceeds the limit of 20.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAILOUT (Weight of 97 reaches or exceeds the limit of 26.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed WEIGHTFAILALL (Weight of 97 reaches or exceeds the limit of 45.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 Msg failed CATCHALLMAILS (Weight of 97 reaches or exceeds the limit of -100.). Action=IGNORE.
09/29/2003 10:52:25 Q47273b6614888021 L1 Message OK
09/29/2003 10:52:25 Q47273b6614888021 Subject: filter test
09/29/2003 10:52:25 Q47273b6614888021 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 209.202.220.85 ID:
-Original Message- From: Kevin Bilbee Sent: Sun, 28 Sep 2003 21:51:14 -0700 Subject: RE: [Declude.JunkMail] Spam action for non-local aliases
You need to set up declude to do per domain config for the nonlocal domain (pro version). Alias: [EMAIL PROTECTED] Points to [EMAIL PROTECTED] Create a domain directory for the nonlocal.com domain and place a junkmail file in that directory. Kevin Bilbee
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bill B. Sent: Sunday, September 28, 2003 1:19 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Spam action for non-local aliases
Can anyone think of a method to identify Imail aliases that forward to non-local addresses, and apply specific Declude actions for those aliases? Reason is.. we only provide spam filtering for our customer's mailboxes, but not for their alias addresses that forward to non-local accounts. And we've had a couple incidents where a customer received Spam in their non-local account, which was forwarded through our server via an alias that we host. So when they reported the spam, SpamCop saw that the spam was routed through our server and temporarily blacklisted our IP. Any clever ideas how to stop this without adding separate .junkmail files for each alias address? Thanks, Bill
[Declude.JunkMail] Spam action for non-local aliases
Can anyone think of a method to identify Imail aliases that forward to non-local addresses, and apply specific Declude actions for those aliases? Reason is.. we only provide spam filtering for our customer's mailboxes, but not for their alias addresses that forward to non-local accounts. And we've had a couple incidents where a customer received Spam in their non-local account, which was forwarded through our server via an alias that we host. So when they reported the spam, SpamCop saw that the spam was routed through our server and temporarily blacklisted our IP. Any clever ideas how to stop this without adding separate .junkmail files for each alias address? Thanks, Bill
Re: [Declude.JunkMail] Next release
Awesome Scott! Does this feature work with PREWHITELIST ON so that we can conserve some resources for Auth'd users? Thanks, Bill
-Original Message- From: R. Scott Perry Sent: Tue, 16 Sep 2003 20:05:40 -0400 Subject: Re: [Declude.JunkMail] Next release
Scott could you give us an idea of what new tests and a possible date of the next release of declude junkmail.
We do not have an ETA for the next beta release. However:
My remote users are constantly on me about the authentication issue when on a dial up. I have those users whitelisted but they do not like the side effect of receiving spam from their own email address.
We do have an interim release at http://www.declude.com/release/175i/declude.exe that includes this ability (if you are running a version of IMail that supports it, such as 8.x). A line WHITELIST AUTH in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated. -Scott
--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] SMTP Relay Limit
Dan, If you're going Unix-based, qmail and Postfix are faster and more widely used than Exim. But with all three you don't have anybody to call if things break. If you need support, I recommend SurgeMail by Netwin www.surgemail.com ...I've heard good things about the scalability of their product and in evaluating their software recently they have provided me with great customer service (though their business hours are awkward since they're in New Zealand). And they have builds for just about every OS. Bill
-Original Message- From: Dan Patnode Sent: 10 Sep 2003 16:32:26 -0700 Subject: Re: [Declude.JunkMail] SMTP Relay Limit
Any opinions on Exim?: http://www.exim.org/ Dan
On Wednesday, September 10, 2003 15:36, Matthew Bramble [EMAIL PROTECTED] wrote:
Dan Patnode wrote: Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it. Top 2 or 3 names? Thanks, Dan
What, Microsoft doesn't count? LOL! Honestly, what larger ISP isn't using Sendmail? I don't think they answer the phone, but it's free and there are 50,000 different utilities to make it do whatever you want. Ipswitch would seem to be the leading non-groupware E-mail system for Windows, followed by MDaemon and SLMail (I'm sure there are others of course and the order may be different). It's a crying shame that IMail has such a basic shortcoming. One might think that was purposeful. Matt
[Declude.JunkMail] Bogus IP
What does this line mean in the declude log: 08/22/2003 08:53:39 Q124905aa0274e442 Bogus IP: ?.?.?.? Thanks, Bill
Re: [Declude.JunkMail] New spamcop style RBL..
I just registered and turned it on, and it seems to have a lot of spam IPs listed. I'll keep an eye out for false positives. Bill
-Original Message- From: Joshua Levitsky Sent: Sun, 27 Jul 2003 10:43:24 -0400 Subject: Re: [Declude.JunkMail] New spamcop style RBL..
- Original Message - From: Smart Business Lists [EMAIL PROTECTED] To: Joshua Levitsky [EMAIL PROTECTED] Sent: Sunday, July 27, 2003 9:20 AM Subject: Re: [Declude.JunkMail] New spamcop style RBL..
Saturday, July 26, 2003 you wrote:
JL http://www.trustic.com/
JL Trustic is a new solution to the problem of unsolicited email.
It is going to be a subscription service - Companies, and individuals who receive a large amount of email will be required to pay for access to the block list.
Yes, but it depends on what large is. It was created by the guy that made Yahoo's groups before Yahoo owned them. I am willing to try it during the beta and block some mail, and hope that it has a setup like Spamcop for pricing. I actually donate to spamcop to make submissions. I would be willing to give Trustic something to help them stay in business. Not a lot... but something and right now it is free so give it a try... -Josh
Re: [Declude.JunkMail] New spamcop style RBL..
Hmm... I wonder how effectively that data could be used to generate lists of IPs to block at the firewall level. That'll be interesting to look at. Bill
-Original Message- From: Omar K. Sent: Sun, 27 Jul 2003 18:32:53 +0200 Subject: RE: [Declude.JunkMail] New spamcop style RBL..
Yes, same here, I noticed that it is tagging IP's that have not been caught by easynet or osirusoft. Another really cool thing about this service, is the stat report they send you at the end of the day, tells you what IP's they blocked for you, what IP's you gave a good positive, and other general stat.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill B. Sent: Sunday, July 27, 2003 4:50 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New spamcop style RBL..
I just registered and turned it on, and it seems to have a lot of spam IPs listed. I'll keep an eye out for false positives. Bill
-Original Message- From: Joshua Levitsky Sent: Sun, 27 Jul 2003 10:43:24 -0400 Subject: Re: [Declude.JunkMail] New spamcop style RBL..
- Original Message - From: Smart Business Lists [EMAIL PROTECTED] To: Joshua Levitsky [EMAIL PROTECTED] Sent: Sunday, July 27, 2003 9:20 AM Subject: Re: [Declude.JunkMail] New spamcop style RBL..
Saturday, July 26, 2003 you wrote:
JL http://www.trustic.com/
JL Trustic is a new solution to the problem of unsolicited email.
It is going to be a subscription service - Companies, and individuals who receive a large amount of email will be required to pay for access to the block list.
Yes, but it depends on what large is. It was created by the guy that made Yahoo's groups before Yahoo owned them. I am willing to try it during the beta and block some mail, and hope that it has a setup like Spamcop for pricing. I actually donate to spamcop to make submissions. I would be willing to give Trustic something to help them stay in business. Not a lot... but something and right now it is free so give it a try... -Josh
Re: [Declude.JunkMail] New spamcop style RBL..
I was thinking more along the lines of seeing in the report that particular IPs send us 100% spam, so then I'd manually add those IPs to our firewall rules. But I just signed up today and I haven't seen my first Trustic report yet, so I don't know what's possible yet. Bill
-Original Message- From: Joshua Levitsky Sent: Sun, 27 Jul 2003 12:13:12 -0400 Subject: Re: [Declude.JunkMail] New spamcop style RBL..
- Original Message - From: Bill B. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, July 27, 2003 11:29 AM Subject: Re: [Declude.JunkMail] New spamcop style RBL..
Hmm... I wonder how effectively that data could be used to generate lists of IPs to block at the firewall level. That'll be interesting to look at.
You should send them a message on their contact form about maybe an XML export of records.. or I guess you could do a zone xfer and then export from that data to something your firewall would know what to do with unless your firewall can use DNS records for blocking. (That would be a cool firewall feature.) -Josh
[Declude.JunkMail] AUTH emails can be flagged
Scott, I noticed that IMail 8.0 HF1 now includes the anticipated A lines in the Q*.SMD files when a user is authenticated via SMTP AUTH. The format is: [EMAIL PROTECTED] Can you incorporate this into a new test so that we can reduce the weight on emails that are sent using SMTP Authentication? Thanks, Bill
Re: [Declude.JunkMail] Tar Pitting
and send mail only at the speed that IMail can handle
I'm curious, what rate did you find Imail capable of handling before it stopped responding? Bill
-Original Message- From: [EMAIL PROTECTED] Sent: Wed, 18 Jun 2003 13:36:44 -0700 Subject: Re: [Declude.JunkMail] Tar Pitting
Alligate for example, and I am sure most other gateways should level this out for you anyway, and I don't think tarpitting would make a whole lot of difference. When we are forwarding to IMail, we set the forwarding threads fairly conservatively, and send mail only at the speed that IMail can handle it. It is spooled and sent at a constant rate. I have seen the queue get backed up during heavy periods, and then clear up when the load lightens. We crashed IMail (sent processor load to 100%) a couple of times during testing by sending it too much mail and it simply stopped responding. Tarpitting is more to discourage spammers from sending to your server (hopefully) and to reduce their output. We have seen a lot of them time out after 30 seconds. Some of these are home made spam blaster programs that are single threaded, do their own MX resolution, and can only send out messages one at a time. It really puts the hurt on them when it takes 5-10 minutes to send one message, so they tend to put timeouts in them and disconnect. Brian
On 06/18/03 1:08pm you wrote...
Rick, Makes me wonder if spammers cause traffic surges/spikes that slow our servers down and if this would also smooth those spikes down. Suppose a given sending server had 100 copies of a particular message, running only 5 sessions (speculation) at a time, could the sessions be dragged into off peak hours. If the firewall (or Alligator) could be configured to open the flood gates between midnight and 5am, the queues would be empty by the next morning. Dan
On Wednesday, June 18, 2003 12:39, Rick Davidson [EMAIL PROTECTED] wrote:
I find the idea intriguing as well but if you start to slow down connections wouldn't that just hold TCP connections open longer possibly making fewer connections available on the server? One of the methods of thwarting file sharing sites is to trickle download many files so that others cannot make connections, would this not have the same effect as tar pitting spammers? Especially since the pro spammers send the same spam run through many different servers. Just thinking out loud. Rick Davidson Buckeye Internet Inc www.buckeyeweb.com 440-953-1900 ext: 222
- Original Message - From: Dan Patnode [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 18, 2003 3:16 PM Subject: Re: [Declude.JunkMail] Tar Pitting
I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slowed down (occupying more SMTP/Declude sessions), but the burden is spread out. Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less? Has anyone tried this on a maxed out server? Dan
On Sunday, June 15, 2003 16:01, Rifat Levis [EMAIL PROTECTED] wrote:
People interested in tarpitting and Declude firewall integration can read this. I just finished the tarpitting protection for my IMAIL server. I am sending logs to the kiwi syslog server and forwarding it to SQL to analyse data. When in a 2 min period a single ip sends mail to more than 5 unknown accounts I am blocking the ip address on my netscreen firewall for 1 hour. The next step of this is to integrate Declude to the firewall. I have 3 weights: weight 10 warn, weight 15 warn, weight 20 delete. Instead of deleting weight 20 I will forward it to an account to send data to SQL, analyse it and then block it for 1 hour. NOTE : I am sure that KAMI will be interested :) Best Regards Rifat Levis
Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration
Rifat, What software are you using to do the tarpitting? Are you running it on the same server as IMail, or on a separate box? Bill
-Original Message- From: Rifat Levis Sent: Mon, 16 Jun 2003 02:01:45 +0300 Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration
People interested in tarpitting and Declude firewall integration can read this. I just finished the tarpitting protection for my IMAIL server. I am sending logs to the kiwi syslog server and forwarding it to SQL to analyse data. When in a 2 min period a single ip sends mail to more than 5 unknown accounts I am blocking the ip address on my netscreen firewall for 1 hour. The next step of this is to integrate Declude to the firewall. I have 3 weights: weight 10 warn, weight 15 warn, weight 20 delete. Instead of deleting weight 20 I will forward it to an account to send data to SQL, analyse it and then block it for 1 hour. NOTE : I am sure that KAMI will be interested :) Best Regards Rifat Levis
Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration integration integration
Cool. We've been playing around with a few methods of tarpitting. Check out TarProxy by Marty Lamb (http://www.martiansoftware.com/tarproxy/)... this tool seems to have a lot of promise. It allows you to hook into each stage of the SMTP session and apply incremental delays or drop the connection based on external tests. Wouldn't it be great if we could integrate Declude with a tool like this! Bill
-Original Message- From: Rifat Levis Sent: Mon, 16 Jun 2003 15:51:52 +0300 Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration
Hi Bill, I wrote a small VB program. -- Here are more details about the system. I am using the KIWI syslog server software to send the logs to the SQL. You can specify in IMAIL the syslog server ip address. (If you run KIWI on the same machine, you have to stop IMAIL syslog.) I have written a small Visual Basic program which scans the SQL database for ERR INVALID USER lines every 2 min. And my little program opens a telnet connection to the firewall and adds the ip address to block. Then the program removes the ip address after 1 hour. On my firewall I wrote a global policy group to deny access to port 25, so the software adds the ip address and specifies that it belongs to that group lls. I decided also to integrate DECLUDE JUNKMAIL with my firewall. For weight over 20 I will block for 1 hour. For weight over 30 I will block for 2 hours. And so on. Rifat
- Original Message - From: Bill B. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 16, 2003 3:11 PM Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration
Rifat, What software are you using to do the tarpitting? Are you running it on the same server as IMail, or on a separate box? Bill
-Original Message- From: Rifat Levis Sent: Mon, 16 Jun 2003 02:01:45 +0300 Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration
People interested in tarpitting and Declude firewall integration can read this. I just finished the tarpitting protection for my IMAIL server. I am sending logs to the kiwi syslog server and forwarding it to SQL to analyse data. When in a 2 min period a single ip sends mail to more than 5 unknown accounts I am blocking the ip address on my netscreen firewall for 1 hour. The next step of this is to integrate Declude to the firewall. I have 3 weights: weight 10 warn, weight 15 warn, weight 20 delete. Instead of deleting weight 20 I will forward it to an account to send data to SQL, analyse it and then block it for 1 hour. NOTE : I am sure that KAMI will be interested :) Best Regards Rifat Levis
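The rule described in the message above (one IP hitting more than 5 unknown accounts within 2 minutes is blocked for 1 hour, with longer blocks for higher Declude weights) can be expressed as the following detector. This is an added Python example, not the Visual Basic program from the thread; the log line layout, the `never_block` exemption list, all function names and the "one more hour per 10 points" continuation are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)    # from the thread: "in a 2 min period"
MAX_INVALID = 5                  # from the thread: "more than 5 unknown account"
BLOCK_FOR = timedelta(hours=1)   # from the thread: blocked "for 1 hour"

# Assumed layout (not IMail's real format): "<MM/DD/YYYY HH:MM:SS> <ip> ERR INVALID USER <rcpt>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) ERR INVALID USER (?P<rcpt>\S+)$"
)


def parse(line):
    """Return (timestamp, ip, recipient), or None for lines we must not act on."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # bad date or not an IP: never hand raw log text to a firewall
    return ts, ip, m["rcpt"].lower()


def plan_blocks(lines, never_block=()):
    """Scan time-ordered log lines; return [(ip, blocked_at, blocked_until), ...]."""
    exempt = [ipaddress.ip_network(n) for n in never_block]
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) pairs inside the window
    blocked_until = {}
    blocks = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, rcpt = parsed
        if any(ip in net for net in exempt):
            continue             # own gateways and forwarders are never blocked
        if blocked_until.get(ip, ts) > ts:
            continue             # block still active, nothing new to decide
        q = recent[ip]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()          # drop events older than the 2-minute window
        # Distinct recipients are counted, so retries to one mistyped address
        # from a legitimate sender do not add up to a block.
        if len({r for _, r in q}) > MAX_INVALID:
            until = ts + BLOCK_FOR
            blocked_until[ip] = until
            blocks.append((str(ip), ts, until))
            q.clear()
    return blocks


def block_hours_for_weight(weight):
    """Declude weight -> block length in hours.

    From the thread: over 20 -> 1 hour, over 30 -> 2 hours, "and so on".
    Continuing at one more hour per 10 points is an assumption.
    """
    return 0 if weight <= 20 else (weight - 11) // 10


def sample_lines():
    """Constructed log lines (documentation IP ranges), returned in time order."""
    base = datetime(2003, 6, 16, 10, 0, 0)

    def line(offset_s, ip, rcpt):
        ts = (base + timedelta(seconds=offset_s)).strftime("%m/%d/%Y %H:%M:%S")
        return f"{ts} {ip} ERR INVALID USER {rcpt}"

    # Burst: 6 different unknown recipients in 50 seconds.
    lines = [line(10 * i, "203.0.113.7", f"guess{i}@example.com") for i in range(6)]
    # Same burst shape, but from an address the operator exempts.
    lines += [line(60 + 10 * i, "192.0.2.10", f"typo{i}@example.com") for i in range(6)]
    # Slow sender: one unknown recipient every 200 seconds, never 6 in a window.
    lines += [line(200 * i, "198.51.100.9", f"old{i}@example.com") for i in range(6)]
    lines.append(line(300, "999.1.1.1", "x@example.com"))     # not a valid IP
    lines.append("06/16/2003 10:06:00 SMTPD session closed")  # unrelated line
    return sorted(lines)


if __name__ == "__main__":
    for ip, at, until in plan_blocks(sample_lines(), never_block=["192.0.2.0/24"]):
        print(f"block {ip} from {at} until {until}")
```
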
Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration integration integration integration integration integration integration
(or be run on a mail gateway that sits in front of the IMail/Declude server).

That's what TarProxy sort of does. TarProxy accepts the inbound SMTP connections and relays them to a backend SMTP host (imail's smtpd). What I'm saying would be great, is if TarProxy could call Declude-like tests during the SMTP session... before Imail gets its hands on the email. If Declude could be called as an external test by a 3rd party app, it might even be possible. Declude would just have to return a return value (ie: the weight), instead of handing off to smtp32.exe after it's done.

Bill

-Original Message-
From: Bill Landry
Sent: Mon, 16 Jun 2003 06:22:04 -0700
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

Tarpitting can't be integrated with Declude because Declude does not answer the client SMTP connection, IMail does (SMTPD). Only after IMail has received the message does it get delivered to Declude. So, any tarpitting would have to be integrated with IMail, not Declude (or be run on a mail gateway that sits in front of the IMail/Declude server).

Bill

- Original Message -
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 6:02 AM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

Cool. We've been playing around with a few methods of tarpitting. Check out TarProxy by Marty Lamb (http://www.martiansoftware.com/tarproxy/)... this tool seems to have a lot of promise. It allows you to hook into each stage of the SMTP session and apply incremental delays or drop the connection based on external tests. Wouldn't it be great if we could integrate Declude with a tool like this!

Bill

-Original Message-
From: Rifat Levis
Sent: Mon, 16 Jun 2003 15:51:52 +0300
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

Hi Bill,

I wrote a small VB program.

Here are more details about the system. I am using the KIWI syslog server software to send the logs to the SQL. You can specify the syslog server IP address in IMAIL. (If you run KIWI on the same machine, you have to stop IMAIL syslog.) I have written a small Visual Basic program which scans the SQL database for ERR INVALID USER lines every 2 min. My little program opens a telnet connection to the firewall and adds the IP address to block. Then the program removes the IP address after 1 hour. On my firewall I wrote a global policy group to deny access to port 25, so the software adds the IP address and specifies that it belongs to that group lls.

I decided also to integrate DECLUDE JUNKMAIL with my firewall.
For weight over 20 I will block for 1 hour.
For weight over 30 I will block for 2 hours.
And so on.

Rifat

- Original Message -
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 3:11 PM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

Rifat,

What software are you using to do the tarpitting? Are you running it on the same server as IMail, or on a separate box?

Bill

-Original Message-
From: Rifat Levis
Sent: Mon, 16 Jun 2003 02:01:45 +0300
Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

People interested in tarpitting and Declude firewall integration can read this.

I just finished the tarpitting protection for my IMAIL server. I am sending logs to the kiwi syslog server and forwarding them to SQL to analyse the data. When in a 2 min period a single IP sends mail to more than 5 unknown accounts, I am blocking the IP address on my netscreen firewall for 1 hour.

The next step of this is to integrate Declude with the firewall. I have 3 weights:

weight 10 warn
weight 15 warn
weight 20 delete

Instead of deleting weight 20 I will forward it to an account to send data to SQL, analyse it and then block it for 1 hour.

NOTE: I am sure that KAMI will be interested :)

Best Regards
Rifat Levis

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
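The blocking rule described in this thread (more than 5 unknown accounts from one IP inside 2 minutes, block for 1 hour, plus the weight tiers), as an added Python example; it is not Rifat's VB program and not part of any message above. The log line layout, the sample lines, the function names and the never_block exemption list are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)    # thread: "in a 2 min period"
THRESHOLD = 5                    # thread: "more than 5 unknown account"
BLOCK_FOR = timedelta(hours=1)   # thread: block "for 1 hour"
FMT = "%Y-%m-%d %H:%M:%S"

# Assumed line layout: "<date> <time> [<client ip>] ERR INVALID USER <recipient>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[([0-9a-fA-F.:]+)\] ERR INVALID USER (\S+)$"
)

# Constructed sample log (documentation addresses), not taken from a real server.
SAMPLE_LOG = """\
2003-06-16 02:00:01 [203.0.113.7] ERR INVALID USER info@example.com
2003-06-16 02:00:10 [203.0.113.7] ERR INVALID USER sales@example.com
2003-06-16 02:00:20 [203.0.113.7] ERR INVALID USER admin@example.com
2003-06-16 02:00:30 [203.0.113.7] ERR INVALID USER webmaster@example.com
2003-06-16 02:00:40 [203.0.113.7] ERR INVALID USER jobs@example.com
2003-06-16 02:00:50 [203.0.113.7] ERR INVALID USER support@example.com
2003-06-16 02:01:00 [203.0.113.7] ERR INVALID USER billing@example.com
2003-06-16 02:00:05 [198.51.100.9] ERR INVALID USER jon@example.com
2003-06-16 02:00:15 [198.51.100.9] ERR INVALID USER jon@example.com
2003-06-16 02:00:25 [198.51.100.9] ERR INVALID USER jon@example.com
2003-06-16 02:00:35 [198.51.100.9] ERR INVALID USER jon@example.com
2003-06-16 02:00:45 [198.51.100.9] ERR INVALID USER jon@example.com
2003-06-16 02:00:55 [198.51.100.9] ERR INVALID USER jon@example.com
2003-06-16 02:00:00 [192.0.2.25] ERR INVALID USER a@example.com
2003-06-16 02:01:00 [192.0.2.25] ERR INVALID USER b@example.com
2003-06-16 02:02:00 [192.0.2.25] ERR INVALID USER c@example.com
2003-06-16 02:03:00 [192.0.2.25] ERR INVALID USER d@example.com
2003-06-16 02:04:00 [192.0.2.25] ERR INVALID USER e@example.com
2003-06-16 02:05:00 [192.0.2.25] ERR INVALID USER f@example.com
"""


def parse_events(lines):
    """Yield (timestamp, ip, recipient) for each unknown-recipient rejection."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # unrelated log traffic
        try:
            ts = datetime.strptime(m.group(1), FMT)
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue                    # malformed value: never pass it to a firewall
        yield ts, ip, m.group(3).lower()


def plan_blocks(lines, never_block=()):
    """Return [(ip, block_start, block_end)] for senders over the threshold."""
    exempt = [ipaddress.ip_network(n) for n in never_block]
    recent = defaultdict(deque)         # ip -> (timestamp, recipient) inside the window
    blocked_until = {}
    blocks = []
    for ts, ip, rcpt in sorted(parse_events(lines), key=lambda e: e[0]):
        if any(ip in net for net in exempt):
            continue                    # own relays and partners are never auto-blocked
        if ts < blocked_until.get(ip, datetime.min):
            continue                    # already blocked at this point in time
        window = recent[ip]
        window.append((ts, rcpt))
        while ts - window[0][0] > WINDOW:
            window.popleft()            # drop events older than the 2-minute window
        # Count distinct accounts, so one mistyped address retried often is not a hit.
        if len({r for _, r in window}) > THRESHOLD:
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((str(ip), ts, ts + BLOCK_FOR))
            window.clear()
    return blocks


def block_hours_for_weight(weight):
    """Weight tiers stated in the thread: over 30 -> 2 hours, over 20 -> 1 hour."""
    if weight > 30:
        return 2
    if weight > 20:
        return 1
    return 0


if __name__ == "__main__":
    for ip, start, end in plan_blocks(SAMPLE_LOG.splitlines()):
        print(f"block {ip} from {start} until {end}")
```

Only 203.0.113.7 is blocked: 198.51.100.9 retries a single address and 192.0.2.25 never has more than three rejections inside any 2-minute window.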
Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration
This approach is a bit different than IMGate because it creates a dynamic tarpit, based on the spamminess of the email. The more tests it fails, the slower the connection gets...IN REAL TIME! That's the cool part. From what I understand, IMGate can only drop the connection...it cannot slow the connection down.

With TarProxy, spam tests can be run at each stage of the SMTP session, before the next stage begins. For example...

EVENT: Remote Host Connects - dnsbl tests are executed and incremental delays are applied or connection is dropped.
EVENT: Remote Host sends EHLO - HELO-based tests are executed and incremental delays are applied or connection is dropped.
EVENT: Remote Host sends MAIL FROM - Domain-based tests are executed and incremental delays are applied or connection is dropped.
EVENT: Remote Host sends RCPT TO - Recipient-based tests are executed and incremental delays are applied or connection is dropped.
EVENT: Remote Host sends DATA - Content filtering is executed and incremental delays are applied or connection is dropped.

-Original Message-
From: Smart Business Lists
Sent: Mon, 16 Jun 2003 08:42:56 -0500
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration

Bill,

Monday, June 16, 2003 you wrote:

BB That's what TarProxy sort of does. TarProxy accepts the
BB inbound SMTP connections and relays them to a backend SMTP
BB host (imail's smtpd). What I'm saying would be great, is if
BB TarProxy could call Declude-like tests during the SMTP
BB session... before Imail gets its hands on the email.

Well why not just go with IMGATE and Postfix - already does all that and much, much more.

Terry Fritts
Re: [Declude.JunkMail] How to stop this...
You can set up a filter to add a weight for that IP specifically:

HELO 10 CONTAINS 216.220.106.24

Or you could set up a filter to add a weight to any email that uses an IP as its HELO:

HELO 10 ENDSWITH 0
HELO 10 ENDSWITH 1
HELO 10 ENDSWITH 2
HELO 10 ENDSWITH 3
HELO 10 ENDSWITH 4
HELO 10 ENDSWITH 5
HELO 10 ENDSWITH 6
HELO 10 ENDSWITH 7
HELO 10 ENDSWITH 8
HELO 10 ENDSWITH 9

Bill

-Original Message-
From: David
Sent: Mon, 16 Jun 2003 22:57:22 +0300
Subject: [Declude.JunkMail] How to stop this...

Hi all,

Sorry about the subject being so generic but I was not sure how to call the following. I have been seeing the following in the headers of some email:

Received: from 216.220.106.24 [218.151.108.224] by mail.heliosfunds.com

The first IP is the IP of the mail server. I am not sure how to refer to this but is there a test in JunkMail that tests for this?

Thanks,
David
Re: [Declude.JunkMail] Spamdomains: Altavista
Altavista discontinued their free email service about 2 years ago. So if you're still seeing spam using their domain, you could probably just add a weight to any email from @altavista.com.

Bill

-Original Message-
From: Kami Razvan
Sent: Fri, 13 Jun 2003 06:58:41 -0400
Subject: [Declude.JunkMail] Spamdomains: Altavista

Hi;

Does anyone know much about Altavista for SPAMDOMAINS?

Regards,
Kami
Re: [Declude.JunkMail] Spamdomains: att.net
Here is my latest spamdomains list as well. I updated the att.net as you mentioned, however I'd list it as @att. in order to prevent false positives w/ something like @matt.com.

Bill

-Original Message-
From: Sheldon Koehler
Sent: Fri, 13 Jun 2003 09:09:51 -0700
Subject: Re: [Declude.JunkMail] Spamdomains: att.net

I started out with Bill B.'s file and have been following this list with changes. So far SPAMDOMAINS has worked like a dream. Could you post what you have so far? I was waiting for a good example file before I jumped in to using the test.

Attached is my latest version. But if you followed the list starting with Bill B.'s version it should be pretty much the same. Thanks Bill!!!

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain

sd.zip Description: Zip archive
Re: [Declude.JunkMail] Spamdomains: Altavista
No, they don't have any paid email service. They used to outsource their free mail service to critical path, but were paying too much for it with little ROI, so they just cut it out altogether. However I'd bet their corporate users still use @altavista.com, so always adding a weight may cause problems if your users receive mail from Altavista corporate. But I bet all their employees will be switching to @overture.com email accounts soon anyway, so it might not be an issue.

Bill

-Original Message-
From: Kami Razvan
Sent: Fri, 13 Jun 2003 11:51:57 -0400
Subject: RE: [Declude.JunkMail] Spamdomains: Altavista

Hi Bill:

This is good to know... Do they have any paid service or any email with Altavista is not correct? If they are not serving it then this email should not exist.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill B.
Sent: Friday, June 13, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spamdomains: Altavista

Altavista discontinued their free email service about 2 years ago. So if you're still seeing spam using their domain, you could probably just add a weight to any email from @altavista.com.

Bill

-Original Message-
From: Kami Razvan
Sent: Fri, 13 Jun 2003 06:58:41 -0400
Subject: [Declude.JunkMail] Spamdomains: Altavista

Hi;

Does anyone know much about Altavista for SPAMDOMAINS?

Regards,
Kami
Re: [Declude.JunkMail] OT stunnel
Markus, the attached two files should help you.

Bill

-Original Message-
From: Markus Gufler
Sent: Thu, 12 Jun 2003 16:41:13 +0200
Subject: [Declude.JunkMail] OT stunnel

Sorry for this OT question. Is there anyone who can provide or knows about a good installation and configuration guide for stunnel for windows? Looks like a little bit of time consuming work to read the entire man page.

Markus

TO GENERATE A .pem FILE DO THE FOLLOWING:

Start - Run mmc.exe
Under the Console Menu choose Add/Remove Snap-in.
Choose Add then Certificates (for Computer Account, Local Computer)
Under the Console Menu choose Save As and save as Certificates Manager.
Open up the Certificates Manager (it will have been placed into the administration tools on your Start Menu)
Find the certificate you want to use (Look under Personal Certificates).
Right click the certificate and choose Export.
When asked, reply Yes, export the private key.
The correct export type is the Personal Information Exchange PKCS12 format.
Enter a password twice, then the name of the file to export to.
The Certificates Manager will now export the file to disk.

Using the openssl tool we can extract both the private key and the certificate from the exported file:

openssl pkcs12 -in infile -out cert.pem -nodes

You will need to enter the password to extract the keys. This will create a file called cert.pem

stunnel.conf Description: Binary data
Re: [Declude.JunkMail] SpamIPs Test Idea
I'm not sure that I agree with this test. I use Earthlink DSL at home, and I never send out emails using my @earthlink.net address. I always use my personal or business address, neither of which are provided by Earthlink. I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the email account that their ISP provides, but they use their ISP's outgoing mail server because they are forced to due to port 25 filtering.

Bill

-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Another idea for a new test, a close cousin to the SpamDomains test:

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP. How about a test where we build a list of CIDRs for a given ISP, then match it with all the domains those IPs use. In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14 rr.com rr.net

In this case, it would match the IP, look for both RR entries, find styggen.com and fail the message.

That's a pretty neat idea. That would work well for ISPs that don't allow their customers to run a mailserver, as it would provide an easy way to catch (most) mail from spammers on their networks, while allowing the legitimate E-mail through.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] SpamIPs Test Idea
Ahh, I get it. But it would have to compare the REMOTEIP to the HELO string, not to the REVDNS. Because styggen.com in the header below indicates the HELO string sent by the remote mail server, rather than the REVDNS value.

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com

It would be difficult to maintain an accurate list of ISP CIDRs though. So what about a variation of this idea where the test would force REVDNS and HELO strings to contain a partial match. For example, an entry like this...

.rr.com .rr.net

...would require a REVDNS that contains .rr.com, to use a HELO string containing either .rr.com or .rr.net. Or perhaps the other way around.

Bill

-Original Message-
From: Dan Patnode
Sent: 08 Jun 2003 12:47:11 -0700
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said all the domains those IPs use. The intent is to ignore MAILFROM (which Spam Domains already checks) and compare only IP with RDNS.

Scott,

Would that still be effective?

Dan

On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:

I'm not sure that I agree with this test. I use Earthlink DSL at home, and I never send out emails using my @earthlink.net address. I always use my personal or business address, neither of which are provided by Earthlink. I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the email account that their ISP provides, but they use their ISP's outgoing mail server because they are forced to due to port 25 filtering.

Bill

-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea

Another idea for a new test, a close cousin to the SpamDomains test:

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP. How about a test where we build a list of CIDRs for a given ISP, then match it with all the domains those IPs use. In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14 rr.com rr.net

In this case, it would match the IP, look for both RR entries, find styggen.com and fail the message.

That's a pretty neat idea. That would work well for ISPs that don't allow their customers to run a mailserver, as it would provide an easy way to catch (most) mail from spammers on their networks, while allowing the legitimate E-mail through.

-Scott
Re: [Declude.JunkMail] cs.com - SPAMDOMAINS
That is compuserve (aol). Our logs show the legit email from that domain coming from IPs having revdns similar to this:

imo-m07.mx.aol.com

...so I'd add this entry to spamdomains:

@cs.com .aol.com

...the @ symbol will keep it from matching senders such as [EMAIL PROTECTED]

Bill

-Original Message-
From: Kami Razvan
Sent: Sun, 8 Jun 2003 16:26:43 -0400
Subject: [Declude.JunkMail] cs.com - SPAMDOMAINS

Hi;

Does anyone know what entry we should have for cs.com? Considering it is a 2 letter domain I think this can cause problem with the way spamdomain test works. We get a lot of spam with @cs.com and it would be good if we can put an entry for it.

Example header:

===
X-Mailfrom: 53lkikq5.cs.com
X-Note: Sent from: [EMAIL PROTECTED]
X-Note: Sent from Reverse DNS: u231n155.eastlink.ca ([24.222.231.155]).
X-Hello: u231n155.eastlink.ca
X-Note: Recipient(s): --DELETED--
X-Country-Chain: UNITED STATES-CANADA-UNITED STATES-destination
X-Spam-Prob: 0.988397
===

Ideas?

Regards,
Kami
Re: [Declude.JunkMail] spamdomains list
Dan,

Those will work, but only because the revdns for legit email from those domains will always match outblaze.com and will never match accountant.com and the others. I'd leave those @ symbols if I were you, because these outblaze domains use generic dictionary words. So without the @ you will run the risk of matching unintended domains such as myaccountant.com, business-in-asia.com

Bill

-Original Message-
From: Dan Patnode
Sent: 06 Jun 2003 15:33:26 -0700
Subject: Re: [Declude.JunkMail] spamdomains list

So then these also won't work:

@2die4.com outblaze.com
@accountant.com outblaze.com
@adexec.com outblaze.com
@africamail.com outblaze.com
@allergist.com outblaze.com
@alumnidirector.com outblaze.com
@archaeologist.com outblaze.com
@arcticmail.com outblaze.com
@artlover.com outblaze.com
@asia.com outblaze.com

I'll take the @'s out

Dan

On Thursday, June 5, 2003 13:33, R. Scott Perry [EMAIL PROTECTED] wrote:

@tin.it Tin.it
@tin.it Tuttopmi.it
@tin.it Flexmail.it

Scott, would you confirm?

I'm not sure this will work. The problem is that when Declude JunkMail sees the line @tin.it Tin.it, if the reverse DNS is mail.Tuttopmi.it, Declude JunkMail will fail the test (even though it matches the next line, Declude JunkMail won't know that that should cancel out a previous line that failed).

-Scott
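The matching behaviour discussed in the att.net, cs.com and spamdomains list threads above, as an added Python example; it is a simplified model written for this page, not Declude's code and not from any poster. Case-insensitive substring matching, the function names, the grouped alternative and the sample sender addresses and example.* host names are assumptions.

```python
def parse_spamdomains(text):
    """One rule per line: a sender pattern, then optional reverse-DNS aliases."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens:
            rules.append((tokens[0].lower(), [t.lower() for t in tokens[1:]]))
    return rules


def line_result(rule, mail_from, rdns):
    """None: line does not apply. True: rDNS acceptable. False: line fails."""
    pattern, aliases = rule
    if pattern not in mail_from.lower():
        return None
    # The sender's own domain (pattern without the '@') or any alias may
    # appear in the reverse DNS name of the connecting host.
    accepted = [pattern.lstrip("@")] + aliases
    return any(a in rdns.lower() for a in accepted)


def spamdomains_fails(rules, mail_from, rdns):
    """Per-line evaluation as Scott describes it: one failing line fails the
    message, and a later matching line does not cancel it."""
    return any(line_result(r, mail_from, rdns) is False for r in rules)


def grouped_fails(rules, mail_from, rdns):
    """Hypothetical alternative, for contrast only: fail when lines apply to
    the sender and none of them is satisfied."""
    results = [x for x in (line_result(r, mail_from, rdns) for r in rules)
               if x is not None]
    return bool(results) and not any(results)


# Rule sets quoted in the threads above.
CS_RULE = parse_spamdomains("@cs.com .aol.com")
TIN_RULES = parse_spamdomains("@tin.it Tin.it\n@tin.it Tuttopmi.it\n@tin.it Flexmail.it")

if __name__ == "__main__":
    # 1. Leading '@': "att." also matches a sender at matt.com, "@att." does not.
    for entry in ("att.", "@att."):
        hit = spamdomains_fails(parse_spamdomains(entry),
                                "owner@matt.com", "smtp.example.net")
        print(f"{entry!r:8} flags owner@matt.com: {hit}")

    # 2. "@cs.com .aol.com": forged cs.com sender relayed through eastlink.ca
    #    fails, the same sender domain arriving from an aol.com host passes.
    for rdns in ("u231n155.eastlink.ca", "imo-m07.mx.aol.com"):
        print(rdns, spamdomains_fails(CS_RULE, "53lkikq5@cs.com", rdns))

    # 3. Three lines for one sender domain: the first line already fails.
    print("per-line:", spamdomains_fails(TIN_RULES, "user@tin.it", "mail.Tuttopmi.it"))
    print("grouped: ", grouped_fails(TIN_RULES, "user@tin.it", "mail.Tuttopmi.it"))
```

Run against a few days of logged MAIL FROM and reverse DNS pairs before deploying a new list, a model like this shows which entries would have flagged legitimate mail.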
[Declude.JunkMail] base64 false-positive
Scott, Emails with a message body that just contains blank lines and that contains an attachment, are still failing the BASE64 test. Attached is a sample. Bill base64fail.zip Description: Zip archive
[Declude.JunkMail] updated spamdomains list
Here is my updated list that we're using based on today's discussions and further review of our log data. Let me know if anybody sees any errors or omissions. Would anybody like to expand on the Lycos domains? I know they offer free email accounts at several of their international domain names, however the RevDNS doesn't always include .lycos.

Bill

sd.zip Description: Zip archive
Re: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released
Since the archives are down, can somebody post an example of the line that goes in the GLOBAL.CFG file for the SPAMDOMAINS test, as well as suggestions for the contents of the spamdomains.txt file?

Thanks,
Bill

-Original Message-
From: Bill Landry
Sent: Thu, 29 May 2003 01:24:19 -0700
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released

Check the footer of these list messages and you will see a link to the Declude JunkMail archive site:

http://www.mail-archive.com (I notice that the site is down right now)

Then do a search on SPAMDOMAINS and DOSENDERACTIONS and you will find Scott's explanations on how to implement and use these features. Scott does not add beta features to the manual until they make it into a release version.

Bill

- Original Message -
From: Darryl Koster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 28, 2003 8:18 PM
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released

Scott,

I am confused. How do I find out about SPAMDOMAINS test? DOSENDERACTIONS etc.. I cannot find anything about any of this in the manual.

Darryl Koster
~~
Status Technologies Inc. President/Owner
Let Us Help You Get The Status You Deserve!
http://www.statustechnologies.com
P: (905) 435-0145 TF (NA) 888-909-9004 F: (905) 435-0873

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, May 28, 2003 5:06 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude JunkMail v1.69 (beta) released

We have just released Declude JunkMail v1.69 (beta). See http://www.declude.com/junkmail/manual.htm . Notable changes since the last beta include:

o COMMENTS test will now also work with any made-up tag beginning with !.
o SPAMDOMAINS test will now allow an alias (IE hotmail.com msn.com to check @hotmail.com, but allows either hotmail.com or msn.com in reverse DNS entry).
o Filters will now process 8-bit characters.
o DOSENDERACTIONS ON option to allow for actions based on the sender of the E-mail (in Declude Junkmail Pro).
o PREWHITELIST ON option to automatically bypass spam tests for E-mail from whitelisted IPs or whitelisted return address.

Other additions and fixes can be found in the release notes, at http://www.declude.com/relnotes.htm .

Anyone with an up-to-date Service Agreement is entitled to free upgrades (see http://www.declude.com/agree.htm for information on the Declude Service Agreement).

---
Quick Resource Reference:
Tech Support: [EMAIL PROTECTED]
Mailing List: Send E-mail to [EMAIL PROTECTED] with subscribe declude.junkmail your name in the body
New Releases List: Send E-mail to [EMAIL PROTECTED] with subscribe declude.releases your name in the body
Troubleshooting: See manual URL above; look at Troubleshooting section
Emergency Uninstall: See manual URL above; look at Emergency Uninstall section
Urgent Support: urgent @declude.com (for urgent/time-sensitive issues only)
Declude Addons/Tools URL: http://www.declude.com/tools
Manual: http://www.declude.com/junkmail/manual.htm
Re: [Declude.JunkMail] Spamdomains
Somebody mentioned aol.com and netscape.com a while ago, but I can't recall which format it was. Perhaps somebody else remembers...

aol.com netscape.com

AND/OR

netscape.com aol.com

Bill

-Original Message-
From: Dan Patnode
Sent: 29 May 2003 16:12:11 -0700
Subject: [Declude.JunkMail] Spamdomains

I generally avoid sounding like a cheer leader, but this test is sweet! (inside a weighting system)

The structure of the text file is a simple list of domains, like:

Ameritech.net
Amrer.net
Angelfire.com
Aol.com

When a domain FPs on a predictable variation, just tab over and put in the domain it was supposed to be. I've found these so far:

Msn.com Hotmail.com
Hotmail.com Msn.com
Sympatico.ca Bellnexxia.net
Earthlink.net Earthlink.com
Earthlink.com Earthlink.net
Mac.com Apple.com
Excite.com excitenetwork.com

Would everyone please share these as they find them?

BTW, Declude supports only 2 exceptions but I can't imagine needing 3. If a given domain needs 2 exceptions, just make 2 entries.

Dan:)
Re: [Declude.JunkMail] Spamdomains
That's correct, my mistake. It should be netscape.net

Bill

-Original Message-
From: Joshua Levitsky
Sent: Thu, 29 May 2003 22:33:21 -0400
Subject: Re: [Declude.JunkMail] Spamdomains

On Thursday, May 29, 2003, at 07:23 PM, Bill B. wrote:

Somebody mentioned aol.com and netscape.com a while ago, but I can't recall which format it was. Perhaps somebody else remembers...

aol.com netscape.com

AND/OR

netscape.com aol.com

Bill

I think you mean netscape.net no? I might be over-tired but I think netscape.com is only internal employees at Netscape... (I am [EMAIL PROTECTED] for instance. ;) )

-Josh
Re: [Declude.JunkMail] override MaxQueProc
you would still end up with no more than 10 SMTP processes most of the time (since the SMTP process would normally finish in a bit less time than Declude JunkMail).

I actually don't care about the number of SMTP processes all that much. The point of what I am trying to accomplish is limit the number of Declude processes to 10 (for example), without running the risk of having long delays due to emails entering Imail's queue. Currently, if I set MaxQueProc to 10, I run that risk. But if I could set Declude to a max of 10 processes and Imail to a max of 30, the chance of having those long queue delays occurring is minimized.

Bill

-Original Message-
From: R. Scott Perry
Sent: Sun, 06 Apr 2003 21:18:43 -0400
Subject: Re: [Declude.JunkMail] override MaxQueProc

I ran a test this afternoon, lowering MaxQueProc to 2, but it didn't behave quite as I had expected. First, all of the emails were scanned by Declude, which is good. And emails were being delayed via overflow folder as expected. BUT, some emails were left behind in Imail's spool folder after being processed by Declude. What I think may have caused this is:

1) Declude received it
2) Possibly delayed via the overflow folder
3) Declude processed it
4) Declude handed it off to smtp32.exe
5) smtp32.exe saw too many smtp32.exe processes running and did not process it; instead it stuck it in the Imail spool folder.

Does this sound like what could have occurred?

That does indeed sound like what happened.

If so, then I do still see benefit in having a config variable to allow Declude to use a different value for MaxQueProc.

I'm still not sure that it would make a noticeable difference. For example, if there was a maximum of 10 Declude processes and a maximum of 30 SMTP processes, you would still end up with no more than 10 SMTP processes most of the time (since the SMTP process would normally finish in a bit less time than Declude JunkMail).

-Scott
Re: [Declude.JunkMail] override MaxQueProc
Ok, it sounds like lowering MaxQueProc will do what I need to do then. I don't want to bypass Declude, I just want to put a bottleneck at Declude so that if Declude is too busy, the emails get moved to the overflow until Declude becomes less busy. I was just confused on how it all worked.

Thanks,
Bill

-Original Message-
From: R. Scott Perry
Sent: Fri, 04 Apr 2003 15:04:54 -0500
Subject: Re: [Declude.JunkMail] override MaxQueProc

If I lower MaxQueProc to 20, wouldn't the 21st email never reach Declude because Imail will not call declude.exe if 20 declude.exe's are already running? So then the Q* and D* files would end up sitting in the \imail\spool folder until Imail's next queue run. Or is that not the way it works?

Declude will still get them (normally, before they are moved to the spool by IMail). Otherwise, E-mail would bypass Declude during heavy loads, which normally isn't desirable.

-Scott
[Declude.JunkMail] MX pointing to localhost
Hey Scott, Got another one for you. Check out the DNS for this spammer's domain: e247.com The MX points to localhost. The MAILFROM test does not catch this yet, but probably should. Bill
-Original Message- From: R. Scott Perry Sent: Thu, 13 Mar 2003 10:34:41 -0500 Subject: Re: [Declude.JunkMail] HELO contains
We are seeing a case where the mail server will connect to itself. Check out the DNS for this spammer's domain: hotoptions.net It has no MX record, but an A record pointing to: 127.0.0.1 If an email from this domain is bounced due to a full mailbox, this will cause Imail to attempt to deliver the email to 127.0.0.1 which causes a mail loop. After 5 loops Imail kills it. Is there a Declude test we can use to block these based on the MX/A that the domain name resolves to? If not, perhaps the MAILFROM test could be modified to count this as a bad domain.
The MAILFROM test will detect this in the next release. :) -Scott
[Declude.JunkMail] whitelist file
Is this syntax correct to whitelist an entire domain in the whitelist file? @bounce.topiksolutions.com It appears to be whitelisting everything when I add this. We're running Declude v1.68i4 Thanks, Bill
Re: [Declude.JunkMail] whitelist file
What I am seeing is if I add any entry in my whitelist file in the following format, it will cause ALL emails sent to the user whose whitelist file contains this entry to be whitelisted, regardless of the sender's address. So it appears to be a bug... @example.com
-Original Message- From: Kami Razvan Sent: Fri, 21 Mar 2003 11:48:22 -0500 Subject: RE: [Declude.JunkMail] whitelist file
Hi; Yes but I suggest if you want to whitelist the entire domain then do it as: .TopikSolutions.com Or just TopikSolutions.com That will cover all variations including personal emails from their people. Regards, Kami
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill B. Sent: Friday, March 21, 2003 11:19 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] whitelist file
Is this syntax correct to whitelist an entire domain in the whitelist file? @bounce.topiksolutions.com It appears to be whitelisting everything when I add this. We're running Declude v1.68i4 Thanks, Bill
[Declude.JunkMail] HiJack - releasing emails
When HiJack releases a delayed email, does it just move it back to the spool folder to be delivered on the next queue run? Or does it deliver it immediately as soon as it releases it? Bill
Re: [Declude.JunkMail] DNS server returned server failure for
I see server failures on a bunch of obviously fake hostnames:
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for Me.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for host3.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for mailer1.
WARNING: DNS server 216.12.134.208 returned a SERVER FAILURE error for MX or A for jinge.
...Anything we can do to add a weight to these? We do also see server failures on some hostnames that do have an A record, so I see the dilemma. But it would be nice to at least add a weighting to the obvious fakes. Bill
-Original Message- From: R. Scott Perry Sent: Wed, 12 Mar 2003 09:00:14 -0500 Subject: RE: [Declude.JunkMail] DNS server returned server failure for
I have suffered from this also, so much so that I have even explored the use of SimpleDNS without success thinking that this was an external DNS problem. I was hoping that by bringing the DNS (as a DNS cache) locally to the mail server did in fact reduce the frequency of this error, unfortunately it did not solve the occurrence of this error.
Just to clarify why this is happening. When Declude JunkMail is looking up the MX or A record for a hostname (such as for the HELOBOGUS test, or checking the domain of the return address), it will record this message if the local DNS server reports a server failure message. Technically, this message indicates a problem with the local DNS server. However, it seems that the RFCs do not cover what a caching DNS server is supposed to do if it receives a server failure message from a remote DNS server. When this happens, some DNS servers will pass on the server failure message. Declude JunkMail treats the server failure as a temporary error, and makes the assumption that the E-mail is not spam. If that was changed, more spam could get caught (as a server failure almost always indicates that the DNS record doesn't exist). But, if there was a real server failure on the local DNS server (if the Internet connection went out, for example, or if there was a DDoS attack on the root servers), then all E-mail would fail the spam tests. -Scott
Re: [Declude.JunkMail] HELO contains
Scott, We are seeing a case where the mail server will connect to itself. Check out the DNS for this spammer's domain: hotoptions.net It has no MX record, but an A record pointing to: 127.0.0.1 If an email from this domain is bounced due to a full mailbox, this will cause Imail to attempt to deliver the email to 127.0.0.1 which causes a mail loop. After 5 loops Imail kills it. Is there a Declude test we can use to block these based on the MX/A that the domain name resolves to? If not, perhaps the MAILFROM test could be modified to count this as a bad domain. Bill
-Original Message- From: R. Scott Perry Sent: Wed, 12 Mar 2003 18:17:33 -0500 Subject: Re: [Declude.JunkMail] HELO contains
SOO.. My question is this.. Could I create a wordfilter rule that goes like HELO 10 CONTAINS imail.fament.com or will that shoot myself in the foot for some reason ?
That will work fine, just so long as you don't have any other mailservers that identify themselves as imail.fament.com. If your IMail server is the only one that does, the filter will work fine.
If it really is the HELO string then I don't see this as a problem since my understanding is that my mail server does NOT connect to itself and should then never send the helo imail.fament.com to itself ?!
Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop). -Scott
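The check asked for in this thread and in the "MX pointing to localhost" thread, as an added example that is not part of the original posts and is not Declude's MAILFROM code: it decides where a bounce would be delivered (MX targets, else the domain's own A record) and flags domains whose targets are loopback, unspecified, or one of the receiving server's own addresses. The zone data, the function names, the verdict labels and the `local_ips` parameter are assumptions made for the illustration.

```python
import ipaddress

# Constructed DNS answers modeled on the two cases in the threads:
# an MX that points at "localhost", and no MX with an A record of 127.0.0.1.
# The non-loopback addresses come from the RFC 5737 documentation range.
SAMPLE_ZONE = {
    "mx-to-localhost.example": {"MX": [(10, "localhost")], "A": ["192.0.2.10"]},
    "a-to-loopback.example": {"MX": [], "A": ["127.0.0.1"]},
    "healthy.example": {"MX": [(10, "mail.healthy.example")], "A": ["192.0.2.20"]},
    "mail.healthy.example": {"MX": [], "A": ["192.0.2.25"]},
    "mixed.example": {"MX": [(10, "mail.healthy.example"), (20, "localhost")], "A": []},
    "localhost": {"MX": [], "A": ["127.0.0.1"]},
}


def resolve_a(name, zone):
    """Return the A records for a host name from the pre-fetched answers."""
    return list(zone.get(name.rstrip(".").lower(), {}).get("A", []))


def delivery_addresses(domain, zone):
    """(host, ip) pairs an MTA would try for mail to `domain`.

    MX targets are used in preference order; with no MX record the
    domain's own A record is used instead (the SMTP fallback rule).
    """
    record = zone.get(domain.rstrip(".").lower(), {})
    mx = sorted(record.get("MX", []))
    hosts = [host for _pref, host in mx] if mx else [domain]
    return [(host, ip) for host in hosts for ip in resolve_a(host, zone)]


def check_sender_domain(domain, zone, local_ips=()):
    """Classify a return-address domain as 'pass', 'suspect' or 'fail'.

    'fail'    - nothing resolves, or every target loops back to this server
    'suspect' - some targets loop back, others look deliverable
    """
    targets = delivery_addresses(domain, zone)
    if not targets:
        return ("fail", "no resolvable MX or A target")

    own = {ipaddress.ip_address(ip) for ip in local_ips}
    bad = []
    for host, ip in targets:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified or addr in own:
            bad.append(f"{host} -> {ip}")

    if not bad:
        return ("pass", "")
    verdict = "fail" if len(bad) == len(targets) else "suspect"
    return (verdict, "; ".join(bad))


if __name__ == "__main__":
    for name in ("mx-to-localhost.example", "a-to-loopback.example",
                 "healthy.example", "mixed.example", "missing.example"):
        print(name, check_sender_domain(name, SAMPLE_ZONE))
```

Passing the server's own public addresses in `local_ips` also catches a domain that points at the receiving server itself, which produces the same bounce loop as 127.0.0.1.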
Re: [Declude.JunkMail] Sniffer
Ron, We use sniffer as a weighted test, giving it a weight of 12 and tagging emails as spam at 15. Some false positives do occur just like with any other spam test...However, using it as a heavily weighted test has been extremely effective for us, while keeping false positives to a minimum. I highly recommend purchasing sniffer. Bill
-Original Message- From: Ron Harris Sent: Wed, 12 Mar 2003 23:16:34 -0700 Subject: [Declude.JunkMail] Sniffer
We have been testing the evaluation copy of SortMonsters Message Sniffer and I would like some opinions from people in this forum. I am considering purchasing the product if I can set it up per domain (we use JunkMail Pro) and not spend much time sifting through e-mail to make sure it does not catch false positives. Is Message Sniffer reliable at catching only spam and not legitimate e-mail? Our eval copy of Message Sniffer has treated many legitimate e-mail as spam, particularly messages from the Declude forum, the Nanog forum and an Exchange forum. I am very interested in learning your opinions. Ron
Re: [Declude.JunkMail] spam w/ all images
I haven't tried SPAMCHK yet, but I've heard you guys talking about it on the list. Maybe I'll give it a try. Thanks
-Original Message- From: Markus Gufler Sent: Mon, 10 Mar 2003 09:40:55 +0100 Subject: RE: [Declude.JunkMail] spam w/ all images
Hi Bill, If the email contains only images and no text the images are linked to external sources (http://www.domain.com/image.g_i_f ) SPAMCHK gives a certain weight if there are external images. We've tried to filter mails containing ONLY images (after removing all HTML there should not remain any character) We've found 1 or 2 of 1. Most of the only-image-spams have a short text at the end if y_ou do not w_ant... The question is how to distinguish this spam from emails like: Hi Bill, here you can see the pictures from our family last week on xyz national park ... [pic1] [pic2] ... Markus
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill B. Sent: Sunday, March 09, 2003 6:51 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] spam w/ all images
Scott, How about adding a test for if the text/html segment of an email contains all IMG tags, with no actual text? Seems like that sort of spam is getting more prevalent lately. Bill
[Declude.JunkMail] COPYTO
I use the COPYTO action for one of my tests, however if an email is sent to multiple recipients I notice that it's adding the COPYTO recipient once for each recipient when this test fails. Any way to make it only add the COPYTO recipient once, regardless of how many original recipients there were? I realize Imail will ignore multiple copies of the same recipient in the Q* file, and it will only deliver 1 copy of the email to that recipient... But I have some custom scripts that run after Declude is called, those duplicate recipients in the Q* file are causing me a problem. Thanks, Bill
Re: [Declude.JunkMail] COPYTO
WOW, you're fast! Thanks, Bill
-Original Message- From: R. Scott Perry Sent: Thu, 06 Mar 2003 10:59:47 -0500 Subject: Re: [Declude.JunkMail] COPYTO
I use the COPYTO action for one of my tests, however if an email is sent to multiple recipients I notice that it's adding the COPYTO recipient once for each recipient when this test fails. Any way to make it only add the COPYTO recipient once, regardless of how many original recipients there were?
There is a new interim release at http://www.declude.com/release/167i/declude.exe that will ensure that the COPYTO action will not add an address if it has already been added. -Scott
[Declude.JunkMail] %NRECIPS% - doubled
Scott, It appears that the %NRECIPS% variable is always showing double its true value. I ran a bunch of tests and it looks like it is always double the true number of recipients. Any ideas why? I'm running Declude v1.67i13 Thanks, Bill
Re: [Declude.JunkMail] %NRECIPS% - doubled
Thanks, that fixed it. Bill
-Original Message- From: R. Scott Perry Sent: Wed, 05 Mar 2003 13:48:42 -0500 Subject: Re: [Declude.JunkMail] %NRECIPS% - doubled
It appears that the %NRECIPS% variable is always showing double its true value. I ran a bunch of tests and it looks like it is always double the true number of recipients. Any ideas why? I'm running Declude v1.67i13
There is a new interim release at http://www.declude.com/release/167i/declude.exe that should take care of this issue. -Scott
Re: [Declude.JunkMail] Tuning Declude
Dan, Sniffer has made a huge difference for us. We weight the test a 12 and flag emails as Spam at 15. We only ran for a couple of months without it, but I watch our logs very closely and the benefit of using Sniffer is significant. Sniffer is an entirely different type of test from Declude. It tests the content of the email for identifiable strings, phone numbers, URLs, email addresses, etc that will only be found in emails from known spammers. Most people on this list including myself highly recommend adding the Sniffer product. The Declude/Sniffer combo is a match made in heaven. Bill
-Original Message- From: Dan Geiser Sent: Fri, 14 Feb 2003 14:45:06 -0500 Subject: Re: [Declude.JunkMail] Tuning Declude
Hello, All, For most of you who use Message Sniffer: Do you find that using it along with the default tests WEIGHT10 and WEIGHT20 are sufficient for your needs? How integral of an addition to Declude.JunkMail is Message Sniffer? Does it make an earth-shattering difference in what your spam-filtering, does it just add an additional level of nuance that can't be gotten through the tests which Declude has, or is it just an entirely different type of test? What made you decide to add Message Sniffer into the mix for your Declude installation? How long did you run Declude.JunkMail without SNIFFER before putting it into play? Thanks For Your Time, Dan
- Original Message - From: Bill Newberg [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 13, 2003 7:19 PM Subject: RE: [Declude.JunkMail] Tuning Declude
What is SNIFFER? I can't find any mention of it in the Declude.JunkMail manual, http://www.declude.com/JunkMail/manual.htm. There is however a reference to it in both GLOBAL.CFG and $default$.junkmail. Is SNIFFER the same as Message Sniffer, http://www.sortmonster.com/?
They are one and the same. The test name is SNIFFER, the product name is Message Sniffer. It is a third party program used to detect spam, that can be hooked into Declude JunkMail.
I added Sniffer to Declude JunkMail recently and I am very pleased. It is a great addition to Declude. Regards, Bill Newberg This E-mail is scanned and free from viruses. www.nexustechgroup.com
[Declude.JunkMail] external tests
How does Declude handle an external test that hangs? Does Declude just keep waiting on a response from the external test?...or does it eventually timeout and continue on? Bill
Re: [Declude.JunkMail] external tests
Okay. I only had it occur twice over the past day with a new external test we built. We are gonna fix it, but I was curious how that was handled. Thanks, Bill
-Original Message- From: R. Scott Perry Sent: Fri, 07 Feb 2003 10:25:14 -0500 Subject: Re: [Declude.JunkMail] external tests
How does Declude handle an external test that hangs? Does Declude just keep waiting on a response from the external test?...or does it eventually timeout and continue on?
It will time out after an hour. If it happens rarely, this wouldn't be a problem. If there was a problem where the external test was never ending, for all E-mail that was scanned, then it could cause some mail delivery problems. -Scott
[Declude.JunkMail] displaying modified headers in bounce msg
I have several XINHEADER/XOUTHEADER lines in my GLOBAL.CFG file to provide some useful information. And I have a couple of tests that use the BOUNCE action, which insert the headers and/or full message into the bounced email using the declude variables %HEADERS% and %FULLMSG%. However, these variables insert the original unmodified headers. My question is, is there any way to insert the modified headers into the bounce email's message body so that the X- headers that declude adds are displayed? Thanks, Bill
Re: [Declude.JunkMail] displaying modified headers in bounce msg
ok, thanks. It would be nice, but it's definitely not a priority. Bill
-Original Message- From: R. Scott Perry Sent: Fri, 07 Feb 2003 18:35:09 -0500 Subject: Re: [Declude.JunkMail] displaying modified headers in bounce msg
My question is, is there any way to insert the modified headers into the bounce email's message body so that the X- headers that declude adds are displayed?
No, there isn't. It's been added to the suggestion database, but it may require having the proper order in the global.cfg file (to make sure that all warning headers get added before the BOUNCE action is processed). -Scott
Re: [Declude.JunkMail] NRECIPS variable
Is there a way I can get access to the real number of recipients even if it is over 100 (without parsing the Q*.SMD file)? Perhaps a new variable %NTOTALRECIPS% ?
-Original Message- From: R. Scott Perry Sent: Thu, 06 Feb 2003 08:11:50 -0500 Subject: Re: [Declude.JunkMail] NRECIPS variable
I have a custom external test that gets passed the %NRECIPS% variable. The test is never seeing a value for NRECIPS greater than 99. Is there something in the Declude code limiting this value to 99?
In some places in Declude JunkMail there is a limit of 100 recipients, which is the recommended maximum number of recipients per E-mail per RFC821. -Scott
[Declude.JunkMail] NRECIPS variable
I have a custom external test that gets passed the %NRECIPS% variable. The test is never seeing a value for NRECIPS greater than 99. Is there something in the Declude code limiting this value to 99? Bill
Re: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released
COMMENTS comments 5 x 10 0 where the 5 means that 5 such comments have to be encountered
This means 5 OR MORE comments have to be encountered right? Not exactly 5? Bill
-Original Message- From: R. Scott Perry Sent: Mon, 03 Feb 2003 19:05:41 -0500 Subject: RE: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released
Does the comments test require non-whitespace before/after the comments in order to trigger? So that most legit messages will not trigger it?
Yes. So the most common types of comments, such as:
<!-- This is a comment at the beginning of a line -->
or:
alert( Hello, World ); <!-- This says hello to the world -->
will not count. The test is defined in the global.cfg file as follows:
COMMENTS comments 5 x 10 0
where the 5 means that 5 such comments have to be encountered (the 10 is the weight that will be added for E-mail that fails the test). Alternatively, you can use:
COMMENTS comments weight x 10 0
In this case, the weight of the E-mail will be increased by the number of anti-filtering comments that are found (plus the base weight of the test). So if there are 3 in there, the weight will be increased by 13 (10 for failing the test, and 1 for each anti-filtering comment found). If there are 40 such comments, a total of 50 would be added to the weight of the E-mail. -Scott
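The two COMMENTS configurations described in the message above, worked through as an added example that is not part of the original post and is not Declude's code. It assumes that a comment counts only when a non-whitespace character touches it on both sides, and that the threshold form fires at the given count or more (the question asked at the top of the message); the function names and the sample body are constructed for the illustration.

```python
import re

# One HTML comment, ending at the first "-->" (DOTALL lets it span lines).
COMMENT = re.compile(r"<!--(?:(?!-->).)*-->", re.DOTALL)

# Constructed sample: the first two comments are the ordinary kinds quoted
# in the thread (start of line, preceded by a space); the last line hides
# three comments inside words.
SAMPLE_BODY = (
    "<!-- This is a comment at the beginning of a line -->\n"
    'alert( "Hello, World" ); <!-- This says hello to the world -->\n'
    "Lo<!--k3j-->w pri<!--q9-->ces, act n<!--zz-->ow\n"
)


def count_embedded_comments(html):
    """Count comments with non-whitespace directly before AND after them.

    Assumption: this adjacency rule is how "non-whitespace before/after"
    in the thread is interpreted here.
    """
    count = 0
    for match in COMMENT.finditer(html):
        before = html[match.start() - 1] if match.start() > 0 else " "
        after = html[match.end()] if match.end() < len(html) else " "
        if not before.isspace() and not after.isspace():
            count += 1
    return count


def parse_comments_line(line):
    """Split a global.cfg COMMENTS line into (mode, base_weight).

    Field layout follows the two lines shown in the thread:
    COMMENTS comments <threshold|weight> x <weight> <negative weight>
    """
    name, test_type, mode, _unused, weight, _neg_weight = line.split()
    if name != "COMMENTS" or test_type != "comments":
        raise ValueError(f"not a COMMENTS test line: {line!r}")
    return mode, int(weight)


def score(html, config_line):
    """Weight the COMMENTS test would add to this message body."""
    mode, base_weight = parse_comments_line(config_line)
    found = count_embedded_comments(html)
    if mode == "weight":
        # Base weight for failing, plus 1 per embedded comment.
        return base_weight + found if found > 0 else 0
    # Threshold form; "at least N" is an assumption, see the lead-in.
    return base_weight if found >= int(mode) else 0


if __name__ == "__main__":
    for cfg in ("COMMENTS comments 5 x 10 0", "COMMENTS comments weight x 10 0"):
        print(cfg, "->", score(SAMPLE_BODY, cfg))
```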
[Declude.JunkMail] COPYTO action on an Outgoing test
Is anybody using the COPYTO action for an Outgoing test (requires Declude Pro)? I can't seem to get it to work. It always copies the email to a blank recipient. I've got this line in the global.cfg file...
SOMETEST COPYTO [EMAIL PROTECTED]
...but the sender of the email where this outgoing test fails always receives a bounce email saying...
Invalid final delivery userid: @localhost
Running Declude in debug mode shows that it is being copied to a blank address...
Msg failed SOMETEST. Action=COPYTO. Copying spam to . AlterRecip( 3, [EMAIL PROTECTED], ); AlterRecip: Loading queuefile Copying E-mail to . Altering queuefile.
Re: [Declude.JunkMail] COPYTO action on an Outgoing test
Here it is, and I actually sent a bunch of debug information on this problem to [EMAIL PROTECTED] on Sunday morning...
Diagnostics ON (Declude v1.66i11).
Declude JunkMail: Config file found (d:\imail\Declude\global.CFG).
Declude Virus: Config file found (d:\imail\Declude\Virus.CFG).
Declude Hijack:Config file found (d:\imail\Declude\Hijack.CFG).
Declude Confirm: Not installed (no d:\imail\Declude\Confirm.CFG file).
42 spam tests defined: LIST KILL WORD COUNTRY DSBL MONKEYFORMMAIL MONKEYPROXIES ORDB OSDUL OSFORM OSLIST OSPROXY OSRELAY OSSMART OSSOFT OSSRC NJABL NJABLDUL NJABLSOURCES NJABLMULTI NJABLFORMMAIL NJABLPROXIES SPAMCOP WIREHUBDNSBL DSN NOABUSE NOPOSTMASTER BADHEADERS HELOBOGUS MAILFROM REVDNS ROUTING SPAMHEADERS BASE64 IPMX HABEAS DNA WEIGHTFAIL WEIGHTFAILOUT WEIGHTFAILALL PERCENT BULKOUT
IMail reports Official Host Name as: mail01.excedent.us.
IMail's SendName registry seems OK: d:\imail\Declude.exe.
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Pro Version Registered.
Declude Hijack Status: Registered.
End of diagnostics.
-Original Message- From: R. Scott Perry Sent: Mon, 27 Jan 2003 12:50:32 -0500 Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test
Is anybody using the COPYTO action for an Outgoing test (requires Declude Pro)? I can't seem to get it to work. It always copies the email to a blank recipient. I've got this line in the global.cfg file...
Which version of Declude JunkMail are you running (\IMail\Declude -diag from a command prompt will show you)? -Scott
Re: [Declude.JunkMail] COPYTO action on an Outgoing test
Sure thing. I just resent it, but this time to [EMAIL PROTECTED]
-Original Message- From: R. Scott Perry Sent: Mon, 27 Jan 2003 13:41:42 -0500 Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test
Here it is, and I actually sent a bunch of debug information on this problem to [EMAIL PROTECTED] on Sunday morning...
Could you re-send that information? We don't have a record of it here, and it could be very useful in solving the problem. -Scott
Re: [Declude.JunkMail] COPYTO action on an Outgoing test
Hey Scott, let me know if you have received that email now or not, because I noticed the email was getting held by declude because the debug file contained lots of words that set off our filters. But I added a whitelist rule, so it should have gotten to you now. But let me know if not.

Thanks,
Bill

-Original Message-
From: Bill B.
Sent: Mon, 27 Jan 2003 13:48:00 EST
Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test

Sure thing. I just resent it, but this time to [EMAIL PROTECTED]

-Original Message-
From: R. Scott Perry
Sent: Mon, 27 Jan 2003 13:41:42 -0500
Subject: Re: [Declude.JunkMail] COPYTO action on an Outgoing test

Here it is, and I actually sent a bunch of debug information on this problem to [EMAIL PROTECTED] on Sunday morning...

Could you re-send that information? We don't have a record of it here, and it could be very useful in solving the problem.

-Scott
Re: Re[2]: [Declude.JunkMail] OT: Dictionary Attacks
I use those same settings. But in addition, you can configure BlackICE to auto-block the too many smtp errors event (dictionary attack) by editing your issuelist.csv file. Look for this line:

2001015,SMTP too many errors,0,agg,-1,7,,Spam,The SMTP

And change the agg to IP|RST:

2001015,SMTP too many errors,0,IP|RST,-1,7,,Spam,The SMTP

This will tell BlackICE to auto-block the offending IP Address for 24 hours. Don't expect the people at ISS to support this though. They urged me not to edit that file when I asked. But it does work.

Bill

-Original Message-
From: Roger Heath
Sent: Thu, 23 Jan 2003 16:50:21 -0600
Subject: Re[2]: [Declude.JunkMail] OT: Dictionary Attacks

Reply to: Don Schreiner
Re: [Declude.JunkMail] OT: Dictionary Attacks on Thursday 11:51:25 AM

From an earlier msg:

Our servers are very stable with this firewall. It does not autoblock these but you can manually block them. I noticed that they do not show up in the log any more, so it appears to work fine. I know you can set it to autoblock select events by editing the blackice.ini, for example:

http.urllimit.count=60
http.urllimit.interval=50

will temporarily block too many URL requests, like web site copying... These are the settings to block dictionary attacks. It detects too many errors brought on by many failed logins...

[Settings]
smtp.error.count=10 ;total errors within
smtp.error.interval=120 ;this amount of time(sec)then blocked

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com

- Copy of Original Message(s): -

Bill,

Also running BI as of a few weeks ago and tinkering with firewal.ini. Would you mind sharing the .ini changes you made. You can e-mail me off list. Thanks.

Sincerely,
Don Schreiner
CompBiz, Inc.
www.compbiz.net
407-322-8654
800-408-3688

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
Sent: Thursday, January 23, 2003 12:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks

We started running BlackICE last month and it has been working nice for us. It requires a few config changes to get it to auto-block IPs that send you dictionary attacks, but it is definitely a good solution.

Bill

-Original Message-
From: R. Scott Perry
Sent: Thu, 23 Jan 2003 10:58:09 -0500
Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks

It seems this morning that we have several dictionary attacks happening on one of our Imail servers. Is there an easy way to stop the person doing this? I have looked through the log files and cannot easily spot the person(s) doing this. Is there software that will prevent people from performing Dictionary Attacks in the future? The POP3 and Declude processes are using like 50-09% of the CPU. Let me know if there is anything I can do...

Are you sure that it is a dictionary attack? If the POP3 process has higher usage than normal, then E-mails are being sent to your users (which would mean that it either isn't a dictionary attack, or a hybrid attack where they send spam as part of the dictionary attack).

You might want to check the archives of the IMail Forum for ideas on how to stop a dictionary attack. Some tricks are using a nobody alias (which I believe you are), or using a product like BlackIce Server to stop it. Unfortunately, Declude can't stop these, because it doesn't have access to the TCP/IP connection (which is where it would need to be stopped).

-Scott
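The rule behind the smtp.error.count / smtp.error.interval settings quoted above, as an added example that is not part of the original messages and is not BlackICE code: a sliding-window counter run over a constructed SMTP log. The log line format, the choice to count only 5xx replies, and blocking on reaching (rather than exceeding) the count are assumptions of this sketch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds quoted in the thread.
SMTP_ERROR_COUNT = 10                  # smtp.error.count
SMTP_ERROR_INTERVAL = 120              # smtp.error.interval, in seconds
BLOCK_DURATION = timedelta(hours=24)   # "auto-block the offending IP Address for 24 hours"


def parse_line(line):
    """Parse one constructed log line: '<date> <time> <ip> <smtp-code> <text>'."""
    date, clock, ip, code, _text = line.split(" ", 4)
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), ip, int(code)


def detect_blocks(lines):
    """Return [(ip, blocked_at, blocked_until)] for a time-ordered SMTP log."""
    recent_errors = defaultdict(deque)   # ip -> timestamps of recent error replies
    blocked_until = {}
    blocks = []
    for line in lines:
        ts, ip, code = parse_line(line)
        if ts < blocked_until.get(ip, datetime.min):
            continue                     # still blocked: traffic would never reach the server
        if code < 500:
            continue                     # assumption: only 5xx replies count as errors
        window = recent_errors[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > SMTP_ERROR_INTERVAL:
            window.popleft()             # forget errors older than the interval
        if len(window) >= SMTP_ERROR_COUNT:
            blocked_until[ip] = ts + BLOCK_DURATION
            blocks.append((ip, ts, blocked_until[ip]))
            window.clear()
    return blocks


def constructed_log():
    """Build sample log lines (constructed, documentation IP ranges)."""
    start = datetime(2003, 1, 23, 10, 58, 0)
    events = []
    # Rapid recipient guessing: 12 rejected recipients, 5 seconds apart.
    for i in range(12):
        events.append((start + timedelta(seconds=5 * i), "192.0.2.10", 550, "unknown user"))
    # Slow sender: 10 errors, 60 seconds apart, never 10 inside one 120 s window.
    for i in range(10):
        events.append((start + timedelta(seconds=60 * i), "203.0.113.5", 550, "unknown user"))
    # Ordinary client: one mistyped recipient, then a successful delivery.
    events.append((start + timedelta(seconds=7), "198.51.100.7", 550, "unknown user"))
    events.append((start + timedelta(seconds=9), "198.51.100.7", 250, "ok"))
    events.sort(key=lambda e: e[0])
    return [f"{ts:%Y-%m-%d %H:%M:%S} {ip} {code} {text}" for ts, ip, code, text in events]


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, at, until in detect_blocks(SAMPLE_LOG):
        print(f"block {ip} at {at} until {until}")
```

The slow sender is never blocked, which shows the trade-off in these two settings: a source that spreads its attempts out stays under a count-per-interval threshold.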
Re: [Declude.JunkMail] OT: Dictionary Attacks
We started running BlackICE last month and it has been working nice for us. It requires a few config changes to get it to auto-block IPs that send you dictionary attacks, but it is definitely a good solution.

Bill

-Original Message-
From: R. Scott Perry
Sent: Thu, 23 Jan 2003 10:58:09 -0500
Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks

It seems this morning that we have several dictionary attacks happening on one of our Imail servers. Is there an easy way to stop the person doing this? I have looked through the log files and cannot easily spot the person(s) doing this. Is there software that will prevent people from performing Dictionary Attacks in the future? The POP3 and Declude processes are using like 50-09% of the CPU. Let me know if there is anything I can do...

Are you sure that it is a dictionary attack? If the POP3 process has higher usage than normal, then E-mails are being sent to your users (which would mean that it either isn't a dictionary attack, or a hybrid attack where they send spam as part of the dictionary attack).

You might want to check the archives of the IMail Forum for ideas on how to stop a dictionary attack. Some tricks are using a nobody alias (which I believe you are), or using a product like BlackIce Server to stop it. Unfortunately, Declude can't stop these, because it doesn't have access to the TCP/IP connection (which is where it would need to be stopped).

-Scott
Re: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released
Two ideas that come to mind for handling the action are:

1) Use the strongest action defined in the user's .junkmail file
2) Or, set the action in the line that points to the BLACKLISTFILE. ie:

BLACKLISTFILE HOLD D:\IMail\Declude\domain\user\blacklist.txt

-Original Message-
From: R. Scott Perry
Sent: Mon, 20 Jan 2003 08:46:08 -0500
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released

Is there (or will there be) a similar BLACKLISTFILE feature?

The trick here is that you need more than just the BLACKLISTFILE option, as you would also need to determine how to handle E-mail in the blacklist (the action and/or weight). However, it is something that we would like to add.

-Scott
Re: [Declude.JunkMail] Return address IP
How about this...

MAILFROM 0 ENDSWITH 0
MAILFROM 0 ENDSWITH 1
MAILFROM 0 ENDSWITH 2
...etc

-Original Message-
From: Bill Landry
Sent: Sun, 19 Jan 2003 13:15:57 -0800
Subject: RE: [Declude.JunkMail] Return address IP

The only way I can think of to currently block an e-mail address with an IP after the @ symbol would be something like:

MAILFROM 0 CONTAINS @1
MAILFROM 0 CONTAINS @2

However, this would also flag e-mail addresses like:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

I don't see how, with the current implementation of the filter file, that you could check just the extension of the e-mail address (i.e., .net, .com, .org, etc.). Maybe Scott would consider that as a future feature add. :)

Maybe:

MAILEXTBOGUS extinvalid x x 5 0

Where the e-mail address extension contains anything but valid/approved letter combinations. Or, maybe the MAILFROM (global.cfg) test could include the extension testing, if it is not already doing this.

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Sunday, January 19, 2003 12:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Return address IP

Scott..

Thanks.. I guess this still leaves the other variation up for attack..

[EMAIL PROTECTED]

We have seen this also.. When they are sending email with userID and IP. I guess one way to decipher this is if the last characters after the last period are not letters. Can that be a filter?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, January 19, 2003 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Return address IP

Is it a viable solution to filter the header for: From:

No -- a spammer would probably send an E-mail with a return address (MAIL FROM) of , but have a header like From: Youwill berich [EMAIL PROTECTED]. You could filter with something like:

MAILFROM 2 CONTAINS

-Scott
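The three string rules proposed in this thread, compared against a structural check of the sender domain, as an added example that is not part of the original messages and is not Declude code. The sample addresses are constructed, the rules are modelled as plain Python string tests (how Declude evaluates CONTAINS and ENDSWITH internally is not shown on the page), and the CONTAINS rule is extended to all ten digits.

```python
import ipaddress
import string


def contains_at_digit(addr):
    """CONTAINS idea: '@' directly followed by a digit anywhere in the address."""
    return any("@" + d in addr for d in string.digits)


def endswith_digit(addr):
    """ENDSWITH idea: the address ends in one of 0-9."""
    return addr.endswith(tuple(string.digits))


def last_label_not_letters(addr):
    """Kami's idea: the characters after the last period are not all letters."""
    return not addr.rpartition(".")[2].isalpha()


def domain_is_ip(addr):
    """Structural check: the part after the last '@' parses as an IP address."""
    domain = addr.rpartition("@")[2]
    if domain.startswith("[") and domain.endswith("]"):
        domain = domain[1:-1]                  # bracketed address literal
        if domain.lower().startswith("ipv6:"):
            domain = domain[5:]
    try:
        ipaddress.ip_address(domain)
    except ValueError:
        return False
    return True


RULES = {
    "contains_at_digit": contains_at_digit,
    "endswith_digit": endswith_digit,
    "last_label_not_letters": last_label_not_letters,
    "domain_is_ip": domain_is_ip,
}

# Constructed envelope senders: address -> True if the domain really is an IP.
SAMPLES = {
    "promo@192.0.2.44": True,
    "promo@[192.0.2.44]": True,        # bracketed literal form
    "alice@1stbank.example": False,    # legitimate domain that starts with a digit
    "bob@mail2.example.net": False,
    "carol@example.com": False,
}


def compare(samples=SAMPLES):
    """Return {rule: {"false_pos": [...], "false_neg": [...]}} over the samples."""
    report = {}
    for name, rule in RULES.items():
        fp = [a for a, is_ip in samples.items() if rule(a) and not is_ip]
        fn = [a for a, is_ip in samples.items() if not rule(a) and is_ip]
        report[name] = {"false_pos": fp, "false_neg": fn}
    return report


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

On these samples the CONTAINS rule flags a digit-leading domain, both CONTAINS and ENDSWITH miss the bracketed literal, and the "last characters are not letters" test matches the structural check.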
Re: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released
Is there (or will there be) a similar BLACKLISTFILE feature?

Bill

-Original Message-
From: R. Scott Perry
Sent: Fri, 17 Jan 2003 15:24:34 -0500
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released

Just to ask the obvious but to be sure... Now the whitelist is a different file- just like fromfile?

WHITELIST WHITELISTFILE D:\IMail\Declude\Whitelist.txt x 0 0

Is this the format?

Sorry, I should have specified. The per-user/per-domain whitelisting works by adding a line in the format

WHITELISTFILE D:\IMail\Declude\Whitelist.txt

to one of the per-user or per-domain configuration files (any of the *.JunkMail files). This will point to a text file, that currently can have one E-mail address or partial E-mail address per line, such as:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
@example.org
...

-Scott
[Declude.JunkMail] all_list.dat
Should we be downloading an updated copy of all_list.dat periodically? If so, how often and from where?

Thanks,
Bill
Re: [Declude.JunkMail] Message Sniffer Confidence
We weight sniffer as a 12 and block at 15. This works very well for us.

Bill

-Original Message-
From: Trent M. Davenport
Sent: Fri, 8 Nov 2002 10:24:28 -0800
Subject: [Declude.JunkMail] Message Sniffer Confidence

So, after seeing the last 2 months that message sniffer is around 90% accurate, what confidence has everyone put in it? We offer our clients 2 levels of SPAM blocking. Regular (using a WEIGHT20) and Aggressive (using a WEIGHT10). Because we're an ISP, we have to be really careful about deleting legitimate email. We purchased Message Sniffer and implemented it and it is catching a bunch of messages, but the default weight is 7. With the percentage as high as it is, I'd like to give it a 17 so that if a message fails it plus 1 other test, it'll fail the regular test. Need I be that cautious? Just looking for feedback from other users of Sniffer.

Trent

---
Trent M. Davenport - Systems Administrator
Northern Television Systems Ltd - WHTV
203-4103 4th Avenue, Whitehorse, YT Y1A 1H6
(867) 393-2225 X204, (867) 393-2224 FAX
www.whtvcable.com ( [EMAIL PROTECTED] )
[Declude.JunkMail] multiple return codes
How does the new feature for handling multiple return codes in ip4r tests work? Does this mean we can combine the following into a single test?

OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
OSLIST ip4r relays.osirusoft.com 127.0.0.7 5 0
OSPROXY ip4r relays.osirusoft.com 127.0.0.9 7 0
OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
OSSMART ip4r relays.osirusoft.com 127.0.0.5 5 0
OSSOFT ip4r relays.osirusoft.com 127.0.0.6 5 0
OSSRC ip4r relays.osirusoft.com 127.0.0.4 4 0

...is this currently 8 separate queries to relays.osirusoft.com?
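How one DNS blocklist lookup can feed all eight test lines above, as an added example that is not part of the original message and is not Declude code: the sending IP is reversed and looked up once per zone, and every 127.0.0.x address in the answer is matched against the test definitions. Whether Declude v1.62 itself issues one query per zone is not stated in the thread; treating the fifth column as the weight added on a match, the stub resolver, and the zone data are assumptions of this sketch.

```python
from collections import defaultdict

# The eight test definitions from the message above.
TEST_DEFS = """\
OSDUL ip4r relays.osirusoft.com 127.0.0.3 5 0
OSFORM ip4r relays.osirusoft.com 127.0.0.8 5 0
OSLIST ip4r relays.osirusoft.com 127.0.0.7 5 0
OSPROXY ip4r relays.osirusoft.com 127.0.0.9 7 0
OSRELAY ip4r relays.osirusoft.com 127.0.0.2 5 0
OSSMART ip4r relays.osirusoft.com 127.0.0.5 5 0
OSSOFT ip4r relays.osirusoft.com 127.0.0.6 5 0
OSSRC ip4r relays.osirusoft.com 127.0.0.4 4 0
"""


def parse_tests(text):
    """Parse 'NAME ip4r ZONE RETURNCODE WEIGHT X' lines into dicts."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "ip4r":
            continue                      # skip blank or non-ip4r lines
        name, _kind, zone, code, weight, _last = fields
        tests.append({"name": name, "zone": zone, "code": code, "weight": int(weight)})
    return tests


def ip4r_name(ip, zone):
    """Build the lookup name: octets reversed, then the blocklist zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def evaluate(ip, tests, resolve):
    """Run all tests against ip using one lookup per distinct zone.

    resolve(name) must return the list of A records for name, or [] if the
    name does not exist (the IP is not listed).
    """
    by_zone = defaultdict(list)
    for test in tests:
        by_zone[test["zone"]].append(test)
    failed, queries = [], 0
    for zone, zone_tests in by_zone.items():
        answers = set(resolve(ip4r_name(ip, zone)))
        queries += 1
        failed.extend(t for t in zone_tests if t["code"] in answers)
    return {
        "failed": [t["name"] for t in failed],
        "weight": sum(t["weight"] for t in failed),
        "queries": queries,
    }


# Constructed zone contents: one listed IP that carries two return codes.
CONSTRUCTED_ZONE = {
    "44.2.0.192.relays.osirusoft.com": ["127.0.0.2", "127.0.0.9"],
}


def stub_resolver(name):
    """Offline stand-in for a DNS A-record lookup."""
    return CONSTRUCTED_ZONE.get(name, [])


if __name__ == "__main__":
    tests = parse_tests(TEST_DEFS)
    print(evaluate("192.0.2.44", tests, stub_resolver))
    print(evaluate("198.51.100.7", tests, stub_resolver))
```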
Re: [Declude.JunkMail] move to different user
WEIGHT20 ROUTETO junkmail@%LOCALHOST%

Bill

-Original Message-
From: Robert Shubert
Sent: Tue, 05 Nov 2002 12:10:14 -0500
Subject: [Declude.JunkMail] move to different user

Is there a way to have declude change the destination address of the email when it's marked as spam? I have several users at a domain: [EMAIL PROTECTED] and [EMAIL PROTECTED] The administrator of the domain wants spam to be just sent into [EMAIL PROTECTED] for all the users of the domain. I didn't see that I could do a processing rule in IMail that would move mail between users. Can I have declude do this for me?

Robert Shubert
Tronics
Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released
With regards to this new feature:

o External tests can now have variables in their definitions.

Does that mean we can define an external test like this in order to pass parameters to the test?:

DOMBLACKLIST external nonzero D:\domblacklist.exe %LOCALHOST% %MAILFROM% 100 0

-Original Message-
From: R. Scott Perry
Sent: Mon, 04 Nov 2002 14:16:28 -0500
Subject: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released

We have just released Declude v1.62 (beta). See http://www.declude.com/junkmail/manual.htm . Changes include:

o Will now handle multiple return codes in ip4r tests.
o Will now record the action for each test that fails.
o Changes handling of invalid [?.?.?.?].
o External tests can now have variables in their definitions.
o Adds a failsafe for invalid CIDR ranges in IP blacklists.
o Adds COUNTRY (of remote mailserver) and COUNTRIES (of any mailservers in chain) to filter.
o Adds %COUNTRYCHAIN% variable.
o Adds ipnotinmx test, which catches E-mail sent from an IP not in the MX records of sending domain.
o HABEAS whitelist type, for whitelisting E-mails with Habeas headers (WHITELIST HABEAS).
o New habeas test type, to allow for negative weighting of E-mails with Habeas headers.
Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released
What I am looking into writing based on that new feature is per-domain and possibly even per-user blacklist/whitelists. Being able to pass variables to external tests almost makes this possible, but I think there might be a problem for inbound emails that have multiple recipients. With multiple recipients the external test wouldn't be able to determine which blacklist/whitelist to use. So I have two questions...

1) Do you see it being possible to code something like this using an external test?
2) If not (or even if so), is per-domain and per-user blacklists and whitelists something that is soon to be added to Declude anyway?

Bill

-Original Message-
From: R. Scott Perry
Sent: Tue, 05 Nov 2002 13:17:14 -0500
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released

With regards to this new feature:

o External tests can now have variables in their definitions.

Does that mean we can define an external test like this in order to pass parameters to the test?:

DOMBLACKLIST external nonzero D:\domblacklist.exe %LOCALHOST% %MAILFROM% 100 0

That is correct.

-Scott
Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released
The part I'm not quite sure how to handle is knowing which domain's blacklist file to use in my exe when there are multiple recipients. For example, if I were to set up my test like this...

DOMBLACKLIST external nonzero D:\domblacklist.exe %LOCALHOST% %MAILFROM% 100 0

...what would the value of %LOCALHOST% be if the inbound email were sent to two users on different local domains on our server?

Bill

-Original Message-
From: Smart Business Lists
Sent: Tue, 5 Nov 2002 12:58:55 -0600
Subject: Re: [Declude.JunkMail] Declude JunkMail v1.62 (beta) released

Bill,

Tuesday, November 5, 2002 you wrote:

1) Do you see it being possible to code something like this using an external test?

The external test works great. I just wrote one in perl and I am very pleased. I'm doing very little right now but it is an excellent concept. The only real problem I had was that I was using a hold action based on weight and I was trying to make my external test routeto. But hold has priority and was activated first. At Scott's suggestion I had my external test return a large negative weight and it is working very nicely now. So in general the external test is very capable but whether you can do what you intend specifically or not is another issue.

Terry Fritts
Re: Re[2]: [Declude.JunkMail] Declude log test analyzer
Which version of sawmill are you using? I just tried their current beta (6.4b5) and it crashed hard while processing Imail logs and didn't even recognize the Declude log format.

Bill

-Original Message-
From: sbsi lists
Sent: Mon, 28 Oct 2002 16:30:30 -0600
Subject: Re[2]: [Declude.JunkMail] Declude log test analyzer

Hi Dan,

I can also recommend Sawmill... you can configure fairly sophisticated filters to slice and dice the logs (and logs of many different formats). The support folks there were willing to help me get a filter set up and it looks like a worthy product to support. http://www.sawmill.net

I'd second that -- have used it to read some Imail logs when testing it and he seems to do a really nice job on getting any changes in there that you'd like and/or that make sense. And, it's very affordable ...

-jason
Re: [Declude.JunkMail] Declude log test analyzer
I was playing with their latest Beta this morning and it didn't seem to recognize the Declude logs...but maybe it just did not recognize LOGLEVEL MID. I'll play around with it some more.

Bill

-Original Message-
From: R. Scott Perry
Sent: Tue, 29 Oct 2002 10:14:24 -0500
Subject: RE: [Declude.JunkMail] Declude log test analyzer

I'd stay with their current, and you'll either have to build your own filter for Declude logs or ask them to build it for you, they will for registered users without a charge, and if it is a common log format add it to their permanent list. The different levels of info used in the various Declude log levels might throw it a bit, I'm not sure.

Their latest beta version now includes support for Declude log files (see http://www.sawmill.net/formats/Declude.html ).

-Scott
Re: [Declude.JunkMail] client Question
That's correct...It reads it each time a message is received. We plan to work on a similar tool using ASP here in the next month or two.

Bill

-Original Message-
From: grb
Sent: Thu, 24 Oct 2002 19:54:47 -0500
Subject: Re: [Declude.JunkMail] client Question

Hey Rich,

Not sure I understand you correctly, are you offering a system in which a client can adjust their weighting on their own? If so, do you have an example of this feature of your service? This sounds great.

After reading this, you got me thinking, I could write a Cold Fusion application that could create weighting through an Access DB and client based admin system... has someone already done this...if not, I may be able to come up with something for those running Cold Fusion. for those that run CF, my email is [EMAIL PROTECTED] if ya'll want to discuss this.

If I understand declude correctly, if a change is made to the default or global file within a given directory, we do not have to restart the smtp service with Imail or restart the smtp service under the services control panel, correct? Declude pulls these files each time and would read any change that is made on the fly, correct?

thanks
gb

The previous Spam filtering we were doing didn't give the customer the option of setting their own filters. Many now leave things at the default for the server, others have refined their filters to their liking. Still others don't have any idea what the filters do, and what they don't understand is a bad thing.
Re: [Declude.JunkMail] Recommendation: Symbol Wildcard forFilters
While we are on this topic... Has anybody had experience with a decent content filtering application? Not exactly spam content filters, but more along the lines of policy-based filters...where a corporation could establish policies for what types of content to allow their employees to send and receive. These apps usually describe themselves as "prevents confidential data loss, safeguards your organization from embarrassment and costly lawsuits". I would imagine that an application such as this could be integrated with Declude as an external test. Any ideas?

Bill

-Original Message-
From: R. Scott Perry
Sent: Wed, 23 Oct 2002 08:22:33 -0400
Subject: Re: [Declude.JunkMail] Recommendation: Symbol Wildcard forFilters

That's something that a number of people have requested, but has two drawbacks: It requires lots of programming time to create, and lots of CPU time.

Hmmm... Not to be a pest, but I'm wondering if this wouldn't actually IMPROVE performance?

The problem is that it requires going through the E-mail one character at a time and running a test against each of the filters. Each of those tests is much more involved than a string match (which most of the time just requires comparing 2 bytes). If all that is being added is a single character that is used to replace a single character, it wouldn't be so bad. But once you go a step beyond that -- a single character representing punctuation but not letters, for example, or *, or regexp expressions, it can get much more complex quickly.

RULE free~ finds free free! free. free? etc. but not freedom or freeze -- all in one pass. It covers STARTSWITH, CONTAINS, IS and ENDSWITH in one shot.

RULE ~sex finds sex sexy sexiest sexaholic sex!!! etc. but not Essex or unisex -- all in one pass. Again, operators STARTSWITH, CONTAINS, IS and ENDSWITH are all covered. One rule.

True -- it would likely save CPU time over having multiple filter entries. Again, this is something that we are looking into, but we just haven't made any final decisions about.

-Scott
[Declude.JunkMail] hijack webmail
Is Declude HiJack able to protect against webmail users sending too much mail also?...or does it just protect SMTP? Bill
Re: [Declude.JunkMail] hijack web mail
That's what I figured. Thanks

Bill

-Original Message-
From: John Tolmachoff
Sent: Fri, 11 Oct 2002 06:30:04 -0700
Subject: RE: [Declude.JunkMail] hijack web mail

I think the point is that someone in Web mail is not going to be sending out hundreds and thousands of spam. Just too hard and time consuming to sit there and add in all those addresses. I do not think Hijack will track web mail users, as it goes by the IP address in the SMTP incoming envelope.

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.JunkMail] Per User - Alias Account
We're doing that very thing...it works well.

Bill

-Original Message-
From: Trent M. Davenport
Sent: Wed, 2 Oct 2002 14:32:55 -0700
Subject: RE: [Declude.JunkMail] Per User - Alias Account

I'll try that and let you know how it goes.

Trent

---
Trent M. Davenport - Systems Administrator
Northern Television Systems Ltd - WHTV
203-4103 4th Avenue, Whitehorse, YT Y1A 1H6
(867) 393-2225 X204, (867) 393-2224 FAX
www.whtvcable.com ([EMAIL PROTECTED])

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: October 2, 2002 2:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Per User - Alias Account

What if you created a mailbox instead of an alias on the first virtual domain that only forwarded and did not store? Would JunkMail process before Imail forwarded?

Good idea -- Declude JunkMail would scan based on the name of the mailbox, before the E-mail was forwarded.

-Scott
[Declude.JunkMail] fromfile problem
I use the fromfile test that was suggested by Tom on this list, which adds a weighting for many common items in Spam addresses such as these below:

@ANONYMOUS @ANONYMOUS
.ANONYMOUS .ANONYMOUS
ANONYMOUS. ANONYMOUS.
ANONYMOUS@ ANONYMOUS@
-ANONYMOUS -ANONYMOUS
ANONYMOUS- ANONYMOUS-
@BOUNCE @BOUNCE
.BOUNCE .BOUNCE
BOUNCE. BOUNCE.
BOUNCE@ BOUNCE@
-BOUNCE -BOUNCE
BOUNCE- BOUNCE-

I use several combinations like this, but I am noticing that the ones which end with the @ symbol are not working. Any ideas why? Here is an example of one it missed from the logs...

09/27/2002 00:12:29 Qdaac06290108404a BADHEADERS:5 SNIFFER:12 . Total weight = 17
09/27/2002 00:12:29 Qdaac06290108404a Msg failed BADHEADERS (This E-mail was sent from a broken mail client [801e].).
09/27/2002 00:12:29 Qdaac06290108404a Msg failed SNIFFER (Message failed SNIFFER: 12.).
09/27/2002 00:12:29 Qdaac06290108404a Msg failed WEIGHTFAIL (Weight of 17 reaches or exceeds the limit of 15.).
09/27/2002 00:12:29 Qdaac06290108404a Subject: Double Your Earnings Power...
09/27/2002 00:12:29 Qdaac06290108404a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]

...other than that problem, this test has made a great addition by just adding a small weighting for addresses that contain these patterns.

Thanks,
Bill
Re: [Declude.JunkMail] fromfile problem
Oh...actually I do remember that being discussed a while back. Thanks Scott.

Bill

-Original Message-
From: R. Scott Perry
Sent: Fri, 27 Sep 2002 09:46:28 -0400
Subject: Re: [Declude.JunkMail] fromfile problem

@ANONYMOUS @ANONYMOUS
ANONYMOUS@ ANONYMOUS@

I use several combinations like this, but I am noticing that the ones which end with the @ symbol are not working. Any ideas why?

The @ forces Declude JunkMail to use an exact match (that started with v1.58, so that [EMAIL PROTECTED] wouldn't catch [EMAIL PROTECTED], for example). So ANONYMOUS@ would only match an E-mail address that was just ANONYMOUS@. There is currently no way to specify just a username.

-Scott
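The matching rule described in this reply, modelled as an added example (not Declude's code and not from either poster) so a fromfile can be audited for entries that can never fire. The function names, the case-insensitive comparison, the treatment of leading-@ entries as substring tests and the sample addresses are assumptions.

```python
# Added illustration: a model of the rule described in the reply above,
# not Declude JunkMail's implementation.

# Constructed fromfile: patterns from the thread, each followed by its label.
SAMPLE_FROMFILE = """\
@ANONYMOUS  @ANONYMOUS
.ANONYMOUS  .ANONYMOUS
ANONYMOUS.  ANONYMOUS.
ANONYMOUS@  ANONYMOUS@
-BOUNCE     -BOUNCE
BOUNCE@     BOUNCE@
"""


def parse_fromfile(text):
    """Return the pattern (first column) of every non-blank line."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def is_exact_entry(pattern):
    """True when the entry has text before an '@'.

    Per the reply, such an entry is compared against the whole address.
    Assumption: an entry that starts with '@' stays a substring test, which
    fits the report that only the trailing-'@' entries stopped matching.
    """
    return pattern.find("@") > 0


def entry_matches(pattern, address):
    """Apply one fromfile entry to one envelope sender address."""
    p, a = pattern.lower(), address.lower()  # case-insensitive: assumption
    if is_exact_entry(p):
        return a == p
    return p in a


def hits(patterns, address):
    """All entries that match the given sender address."""
    return [p for p in patterns if entry_matches(p, address)]


def unreachable_entries(patterns):
    """Exact-match entries with nothing after the '@'.

    A real envelope sender always carries a domain after the '@', so an
    exact comparison against 'ANONYMOUS@' can never succeed.
    """
    dead = []
    for p in patterns:
        if is_exact_entry(p):
            _local, _, domain = p.partition("@")
            if not domain:
                dead.append(p)
    return dead


if __name__ == "__main__":
    entries = parse_fromfile(SAMPLE_FROMFILE)
    # Constructed sender addresses (reserved example domains).
    for sender in ("anonymous@mail.example", "promo@anonymous.example"):
        print(sender, "->", hits(entries, sender))
    print("never match:", unreachable_entries(entries))
```
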
Re: [Declude.JunkMail] Whitelisting one address
Instead of whitelisting, you could use a wordfilter to add a negative weighting like this:

MAILFROM -50 ENDSWITH .mil

Bill

-Original Message-
From: Mike Goetz
Sent: Fri, 27 Sep 2002 09:50:25 -0400
Subject: [Declude.JunkMail] Whitelisting one address

In my bounce messages I entered a little note saying if you feel this message has been bounced in error, please contact [EMAIL PROTECTED]. But those people who fail the open relay tests will not be able to get mail through to that address. Is there a way with the standard version of Declude to make mail go to that address regardless of its intent; spam or valid?

Also, another question. We get a lot of government mail that is being trapped. Usually they're addresses like [EMAIL PROTECTED]. What I did was WHITELIST FROM @.mil to let all mail from .mil to come through unchallenged. But they're still getting trapped. Did I not whitelist the domain correctly?

Thanks!
[Declude.JunkMail] HOPHIGH
How effective is scanning at multiple Hops? I'm not setting HOPHIGH right now...but I'm curious if the people who are using it are seeing its benefits, or if it is causing them any problems. And what is the recommended HOPHIGH setting (assuming HOP is set to 0)? Bill
Re: [Declude.JunkMail] HOPHIGH
Thanks guys...sounds like I should have been using this setting earlier. I'll start it out at 1 like Dan suggested and bump after watching it for a while.

Bill

-Original Message-
From: Dan Patnode
Sent: 26 Sep 2002 13:02:47 -0700
Subject: Re: [Declude.JunkMail] HOPHIGH

Bill,

Mine is set to 2 (for a total of 3). I started at 0, then 1 and found that spam still got around my filters that would have been caught at 2. I changed it to 2 4+ months ago and haven't looked back. Your mileage may vary. I haven't seen a need to set it at 3.

Dan

On Thursday, September 26, 2002 11:19, Bill B [EMAIL PROTECTED] wrote:

How effective is scanning at multiple Hops? I'm not setting HOPHIGH right now...but I'm curious if the people who are using it are seeing its benefits, or if it is causing them any problems. And what is the recommended HOPHIGH setting (assuming HOP is set to 0)?

Bill
[Declude.JunkMail] MAILFROM failing on user@domain@host
Scott,

Mail from one of our users continuously fails the MAILFROM test, but I'm not sure that it should be failing. The only funny thing this message has is the mail server hostname appended to the end of the address, but I thought that was valid. Can you have a look? Below are the message headers from the D*.SMD file and the contents of the Q*.SMD file, as well as the lines from the smtp logs...

D*.SMD:
Received: from weabsunprd12.weac.com [64.236.243.243] by mail01.excedent.us with ESMTP (SMTPD32-7.13) id AE73D740042; Thu, 26 Sep 2002 16:30:43 -0400
Received: from weabsundev02.weac.com (weabsundev02.weac.com [205.173.141.23]) by weabsunprd12.weac.com (8.10.2+Sun/8.8.8) with ESMTP id g8QKUgR09321 for [EMAIL PROTECTED]; Thu, 26 Sep 2002 13:30:43 -0700 (PDT)
Received: from innoventJeff ([168.161.184.242]) by weabsundev02.weac.com (8.8.8+Sun/8.8.8) with ESMTP id NAA03413 for [EMAIL PROTECTED]; Thu, 26 Sep 2002 13:30:42 -0700 (PDT)
From: Jeff Mericle [EMAIL PROTECTED]
To: Keith Mericle [EMAIL PROTECTED]
Date: Thu, 26 Sep 2002 13:30:49 -0700
MIME-Version: 1.0
Subject: Re: FW: Canceled: Actuate Enterprise Conference Call
Reply-to: [EMAIL PROTECTED]
Message-ID: 3D930C09.14872.30003FEC@localhost
Priority: normal
In-reply-to: [EMAIL PROTECTED]
X-mailer: Pegasus Mail for Windows (v4.01)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
X-Note: Sent from [EMAIL PROTECTED]@mx.digical.com - h-64-236-243-243.twi.com ([64.236.243.243]).
X-Note: Scanned for SPAM by Excedent
X-Note: HELOBOGUS, MAILFROM (14)

Q*.SMD:
Qd:\imail\spool\D6e730d74004282ea.SMD Hmail01.excedent.us Wd:\imail\mail01_excedent_com E0, S[EMAIL PROTECTED]@mx.digical.com NRCPT To:[EMAIL PROTECTED] R[EMAIL PROTECTED]

SMTP LOG:
20020926 163043 127.0.0.1 SMTPD (0D740042) [64.236.243.243] EHLO weabsunprd12.weac.com
20020926 163044 127.0.0.1 SMTPD (0D740042) [64.236.243.243] MAIL From:[EMAIL PROTECTED]@mx.digical.com
Re: [Declude.JunkMail] hijack question
here it is...

09/20/2002 12:18:34 Q4a5a438800aa39c6 [EMAIL PROTECTED] is not local [0] 0.
09/20/2002 12:18:34 Q4a5a438800aa39c6 Outgoing from 128.242.197.219: Sent over 80 E-mails within 30 minutes; quarantining to hold2.
09/20/2002 12:18:34 Q4a5a438800aa39c6 Outgoing from 128.242.197.219: SPAM: HOLDING

-Original Message-
From: R. Scott Perry
Sent: Tue, 24 Sep 2002 11:29:32 -0400
Subject: Re: [Declude.JunkMail] hijack question

It was originally sent to [EMAIL PROTECTED] which is not a domain on our Imail server. This domain is on a Verio server. But this guy has Mail Forwarded set up for this account to forward to [EMAIL PROTECTED], which is a domain on our Imail server. So it was forwarded from the Verio server to our server, and then that is the first time our server saw it and when Declude HiJack saw it as Outgoing instead of Incoming.

You should have lines in the hi.log file that say something like [EMAIL PROTECTED] is not local [0] 0 -- what do those lines say?

-Scott
Re: [Declude.JunkMail] hijack question
What's even weirder is he's got his other account still forwarding to an account on our server, but Declude HiJack is now logging these forwarded messages as Incoming...

09/24/2002 09:31:27 Q692f009d009eea55 Incoming from 128.242.197.219: OK.

...the only difference is on the 20th we were running Imail 7.10 with Declude 1.60, and now we're running Imail 7.13 with Declude 1.61. Could it have been a problem with the older version of either of those?

Bill

-Original Message-
From: Bill B .
Sent: Tue, 24 Sep 2002 12:18:04 EDT
Subject: Re: [Declude.JunkMail] hijack question

here it is...

09/20/2002 12:18:34 Q4a5a438800aa39c6 [EMAIL PROTECTED] is not local [0] 0.
09/20/2002 12:18:34 Q4a5a438800aa39c6 Outgoing from 128.242.197.219: Sent over 80 E-mails within 30 minutes; quarantining to hold2.
09/20/2002 12:18:34 Q4a5a438800aa39c6 Outgoing from 128.242.197.219: SPAM: HOLDING

-Original Message-
From: R. Scott Perry
Sent: Tue, 24 Sep 2002 11:29:32 -0400
Subject: Re: [Declude.JunkMail] hijack question

It was originally sent to [EMAIL PROTECTED] which is not a domain on our Imail server. This domain is on a Verio server. But this guy has Mail Forwarded set up for this account to forward to [EMAIL PROTECTED], which is a domain on our Imail server. So it was forwarded from the Verio server to our server, and then that is the first time our server saw it and when Declude HiJack saw it as Outgoing instead of Incoming.

You should have lines in the hi.log file that say something like [EMAIL PROTECTED] is not local [0] 0 -- what do those lines say?

-Scott
Re: [Declude.JunkMail] hijack question
It is the official hostname for a virtual domain. It is not a domain alias.

-Original Message-
From: R. Scott Perry
Sent: Tue, 24 Sep 2002 12:53:26 -0400
Subject: Re: [Declude.JunkMail] hijack question

09/20/2002 12:18:34 Q4a5a438800aa39c6 [EMAIL PROTECTED] is not local [0] 0.

Where does whittier.net appear in the IMail settings? Does it appear as an official domain name, or a domain alias? Or does it appear somewhere else? That message should only occur if IMail does not recognize whittier.net as a local domain.

-Scott
[Declude.JunkMail] hijack question
One of our clients got locked out by HiJack (hold2), but it appears to be because of inbound mail, not outgoing mail. This client has an email account at another provider which forwards to an account on our server. He had a few hundred emails from an automated program sent to his other account in a short amount of time...and these were all automatically forwarded to his account on our server. But hijack apparently saw these inbound forwarded messages as outgoing even though they were being delivered to a local mailbox...and it began holding all mail that came from that other mail server's IP Address. It shouldn't do this should it? I can send you an example of the held mail along with the log entries if you'd like.

Thanks,
Bill
Re: [Declude.JunkMail] Common items in Spam addresses
Tom,

Here's another one that I've been using for a while in addition to the ones you list:

-SENTTO SENTTO1
SENTTO- SENTTO2
@SENTTO SENTTO3
SENTTO@ SENTTO4
.SENTTO SENTTO5
SENTTO. SENTTO6

...and today I saw a www- come through which I am considering adding.

Bill

-Original Message-
From: Tom
Sent: Tue, 17 Sep 2002 18:35:10 -0400
Subject: [Declude.JunkMail] Common items in Spam addresses

I have compiled yet another list of items commonly found in spam and mass marketing addresses. You can use this list of words at your own risk. I suggest you use it with a weight value and not something drastic like delete. Some of these words may also be commonly used for list services so make sure your weight value does not exceed your limit causing yahoo and bounce to be deleted. It should take more than 2 tests to fail in some cases. However, you are in control so make the best of it.

Good Luck,
Tom
Image`fx -

@BOUNCE BOUNCE1
.BOUNCE BOUNCE2
BOUNCE. BOUNCE3
BOUNCE@ BOUNCE4
-BOUNCE BOUNCE5
BOUNCE- BOUNCE6
-GENERIC GENERIC1
GENERIC- GENERIC2
.GENERIC GENERIC3
GENERIC. GENERIC4
@GENERIC GENERIC5
GENERIC@ GENERIC6
-RETURN RETURN1
RETURN- RETURN2
@RETURN RETURN3
RETURN@ RETURN4
.RETURN RETURN5
RETURN. RETURN6
@OPT-IN OPT-IN1
.OPT-IN OPT-IN2
OPT-IN. OPT-IN3
OPT-IN@ OPT-IN4
@OPT-OUT OPT-OUT1
.OPT-OUT OPT-OUT2
OPT-OUT. OPT-OUT3
OPT-OUT@ OPT-OUT4
@PROXY PROXY1
.PROXY PROXY2
PROXY. PROXY3
PROXY@ PROXY4
-PROXY PROXY5
PROXY- PROXY6
@SPECIALS SPECIAL1
.SPECIALS SPECIAL2
SPECIALS. SPECIAL3
SPECIALS@ SPECIAL4
-SPECIALS SPECIAL5
SPECIALS- SPECIAL6
www. WWW1
@www WWW2
Re: [Declude.JunkMail] dictionary attacks
Thanks Terry Scott, I think I'll give BlackICE a try. I will let you all know what I think about it. Anything that does application-level SMTP firewalling should work. I wish there was a simpler product that I could just run to listen to port 25, filter out the bad stuff, and pipe the good stuff to Imail through an alternate SMTP port.

Bill

-Original Message-
From: Smart Business Lists
Sent: Tue, 17 Sep 2002 08:47:46 -0500
Subject: Re: [Declude.JunkMail] dictionary attacks

Bill,

Monday, September 16, 2002 you wrote:

BB I have seen talk on the Imail Forum about people attempting to
BB script something to combat Dictionary Attacks by blocking IPs that
BB send over too many RCPT TO commands that result in ERR invalid
BB user.

I wrote such a program that is currently in use on my servers. It tails the IMAIL log file and checks for SMTPD ERR lines with invalid user, etc, and records each entry with the associated IP. Once a trigger count has been exceeded the program adds the IP to the SMTPD32.ACC file and toggles the service. Certain IP's have to be excluded however such as any backup mail servers, client servers, internal networks, and so on. It is actually thrilling to watch a client blacklist themselves though. It is amazing to me that someone can generate so many errors trying to hit the same wrong e-mail address.

There are a number of significant problems with this approach not the least of which is the secondary servers. The attack on the primary stops of course when the service is stopped but most attackers simply move to one of the secondaries and soon the secondary is sending the same RCPT TO commands. So you have to do something different at the secondary and you cannot block it for obvious reasons. At the secondary itself even if it is running IMAIL you cannot use the same program to stop this attack on the primary because the attack is of course going in the opposite direction. So you have to make some modifications. And we have very few attacks that the attacker does not switch to one of the secondary servers.

In addition the log file is apparently not flushed on each write by IMAIL so it is not really possible to stop every attack at just the trigger point. The most that have gotten by my program is about 15 and that does seem close enough to me. There are problems also with different IMAIL log file systems, different domains to be included and excluded, IP ranges that should be included and excluded, and a number of other issues as well as a variety of reporting and management options. Eventually the acc file should be listed, sorted by ip, and then recreated so that the ip's are added in proper net blocks as I'm convinced that improves efficiency dramatically.

BB Or is there anything out there that is already written and
BB available?

I did not find anything and it took me a while to get my program running. I'm running a modified program on the secondary that allows me to control there as well but that does not work of course in the case of a non IMAIL secondary. I am about 90% complete with converting the program to a service, adding a config file for options, and so on. But haven't decided whether I'll complete it or not - and that's just for my own use. In my opinion to make it distributable to a general population would require considerable additional expenditure of resources for an end result that is at best tenuous and subject to sudden incompatibility. Also, I can imagine feature requests and maintenance being formidable issues. I think this really should be done by IMAIL inside the smtp dialogue but even then I am unclear on what to do with the secondary servers except white list them of course.

BB I have also seen talk about running BlackICE
BB (http://www.netice.com/) to automatically block IPs that cause too
BB many SMTP Errors. Does anybody have an opinion on if this is the
BB best solution right now?

Roger Heath reported that he had enjoyed good success with this approach using the Black Ice Server version. I tried repeatedly over probably a dozen or more e-mail messages to get a demo of the server version but ISS, the owner of BlackICE, insisted that I had to use a much more expensive product. As far as I could find there was no demo product available for the BlackICE server product. I finally gave up the battle so I never tested the approach. I guess the best thing to do would be to pay the $300 for the server product and see if it works the way you want. If not then you're just out $300. There again though I think you'd have to white list the secondary servers. You might want to consider doing what I did initially when I began investigating this whole issue: You can find a
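The log-watching approach described in this message, as an added example that is not the poster's program: count "invalid user" errors per connecting IP inside a time window, leave excluded networks such as secondary mail servers unblocked but reported, and merge the offenders into net blocks. The wording of the ERR line, the 10-minute window, the function names and the sample addresses are assumptions; the line layout follows the SMTPD log lines quoted elsewhere on this page.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout follows the SMTPD log lines quoted on this page; the wording after
# "ERR" is an assumption, since the page shows no error line.
ERR_LINE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) \S+ SMTPD \(\w+\) "
    r"\[(?P<ip>[0-9.]+)\] ERR .*invalid user",
    re.IGNORECASE,
)


def _err(hhmmss, ip, user):
    """Build one constructed error line (documentation address ranges only)."""
    return (f"20020916 {hhmmss} 127.0.0.1 SMTPD (0A1B0001) [{ip}] "
            f"ERR {user}@example.test invalid user")


# Constructed sample log, sorted by timestamp like a real log file.
SAMPLE_LOG = sorted(
    ["20020916 101459 127.0.0.1 SMTPD (0A1B0001) [192.0.2.10] EHLO host.example.test"]
    + [_err(f"1015{s:02d}", "192.0.2.10", f"a{s}") for s in range(0, 50, 10)]
    + [_err(f"1016{s:02d}", "192.0.2.11", f"b{s}") for s in range(0, 50, 10)]
    # Secondary MX relaying the same attack: must be reported, not blocked.
    + [_err(f"1017{s:02d}", "203.0.113.5", f"c{s}") for s in range(0, 60, 10)]
    # A client with two typos, and a host with one error per hour.
    + [_err(f"1018{s:02d}", "198.51.100.7", f"typo{s}") for s in (0, 30)]
    + [_err(f"{h:02d}0000", "198.51.100.9", f"slow{h}") for h in range(11, 16)]
)


def parse_invalid_user(line):
    """Return (timestamp, ip) for an 'invalid user' error line, else None."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # impossible date or malformed address: skip the line
        return None
    return ts, ip


def find_offenders(lines, trigger=5, window=timedelta(minutes=10), exclude=()):
    """Return (to_block, excluded_offenders) as sets of IP addresses.

    An IP is an offender once it has `trigger` errors within `window`.
    Offenders inside an excluded network are returned separately so the
    operator still sees that a secondary is passing the attack along.
    """
    excluded_nets = [ipaddress.ip_network(n) for n in exclude]
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    to_block, excluded_offenders = set(), set()
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed is None:
            continue
        ts, ip = parsed
        seen = recent[ip]
        seen.append(ts)
        while seen and ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= trigger:
            if any(ip in net for net in excluded_nets):
                excluded_offenders.add(ip)
            else:
                to_block.add(ip)
    return to_block, excluded_offenders


def as_net_blocks(ips):
    """Sort the addresses and merge adjacent ones into exact CIDR blocks."""
    nets = [ipaddress.ip_network(str(ip)) for ip in ips]
    return list(ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    block, skipped = find_offenders(SAMPLE_LOG, exclude=["203.0.113.0/29"])
    print("block:", [str(n) for n in as_net_blocks(block)])
    print("excluded but noisy:", sorted(str(ip) for ip in skipped))
```

The result is returned rather than written to SMTPD32.ACC, whose format the page does not show.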
[Declude.JunkMail] delivery receipts
Will an action of HOLD keep IMail from attempting to send a delivery receipt for an email? We are having a problem with delivery receipts that are addressed to invalid senders filling up our mail queues. So I'm hoping that by putting an action of HOLD on the MAILFROM test this will help reduce the queue size. Thanks, Bill
Re: FW: [Declude.JunkMail] delivery receipts
John, the MAILFROM test I am using is not a fromfile test that uses an external file. It's the name given to the envfrom test, the built-in Declude test which tests for a valid domain in the Sender's address. I ran a few tests a bit ago by sending myself some emails using invalid Sender addresses. And applying a HOLD action to this test does seem to stop Imail from sending the delivery receipt.

Bill

-Original Message-
From: John Tolmachoff
Sent: Wed, 4 Sep 2002 07:49:56 -0700
Subject: FW: [Declude.JunkMail] delivery receipts

OK, I will help to test. My thought: Bill, put this address in the MAILFROM file; [EMAIL PROTECTED] Send me an address to send to. I will send an e-mail to that address through [EMAIL PROTECTED] with requesting return receipts and delivery confirmation and we can see what happens.

John Tolmachoff
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
Sent: Wednesday, September 04, 2002 6:49 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] delivery receipts

Will an action of HOLD keep IMail from attempting to send a delivery receipt for an email? We are having a problem with delivery receipts that are addressed to invalid senders filling up our mail queues. So I'm hoping that by putting an action of HOLD on the MAILFROM test this will help reduce the queue size.

Thanks,
Bill
Re: [Declude.JunkMail] aliases mail forwarding
Here is where I was getting confused... If you use the MAILBOX action, for example:

CATCHALLMAILS MAILBOX spam

...when you use this action on an email address that has Mail Forwarding turned on, it will still forward the message even though Declude attempts to drop it into the sub-mailbox. I guess that's an IMail thing. Turning on declude debugging shows that it does in fact attempt to put it into the sub-mailbox...

08/29/2002 08:36:55 Q15660575013a39d5 Using [incoming] CFG file d:\imail\Declude\excedentmail.com\wboebel.junkmail.
08/29/2002 08:36:55 Q15660575013a39d5 ...X.
08/29/2002 08:36:55 Q15660575013a39d5 Test #27 [CATCHALLMAILS weight=0] triggered; action = 10 []
08/29/2002 08:36:55 Q15660575013a39d5 Msg failed CATCHALLMAILS ().
08/29/2002 08:36:55 Q15660575013a39d5 Moving spam to [EMAIL PROTECTED]'s mailbox spam.
08/29/2002 08:36:55 Q15660575013a39d5 AlterRecip( 1, [EMAIL PROTECTED], spam);
08/29/2002 08:36:55 Q15660575013a39d5 AlterRecip: Loading queuefile
08/29/2002 08:36:55 Q15660575013a39d5 AlterRecip: Changing mailbox to spam. Altering queuefile.
08/29/2002 08:36:55 Q15660575013a39d5 Subject: test 3
08/29/2002 08:36:55 Q15660575013a39d5 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
08/29/2002 08:36:55 Q15660575013a39d5 Looping...
08/29/2002 08:36:55 Q15660575013a39d5 Done Looping
08/29/2002 08:36:55 Q15660575013a39d5 AlterRecip( 5, (null), (null));
08/29/2002 08:36:55 Q15660575013a39d5 AlterRecip: Saving queuefile
08/29/2002 08:36:55 Q15660575013a39d5 X-Note: Sent from [EMAIL PROTECTED] - f7.law4.hotmail.com ([216.33.149.7]).
08/29/2002 08:36:55 Q15660575013a39d5 AlterMessage
08/29/2002 08:36:55 Q15660575013a39d5 Set process priority back to 32.
08/29/2002 08:36:55 Q15660575013a39d5 Adding warning
08/29/2002 08:36:55 Q15660575013a39d5 Final action=0.
08/29/2002 08:36:55 Q15660575013a39d5 d:\imail\spool\Q15660575013a39d5.SMD
08/29/2002 08:36:55 Q15660575013a39d5 Unlocked d:\imail\spool\Q15660575013a39d5.SMD.
08/29/2002 08:36:55 Q15660575013a39d5 Passing to SMTP3: d:\imail\smtp32.exe d:\imail\spool\Q15660575013a39d5.SMD.
08/29/2002 08:36:55 Q15660575013a39d5 Total Time: 312ms

-Original Message-
From: R. Scott Perry
Sent: Thu, 29 Aug 2002 08:17:47 -0400
Subject: Re: [Declude.JunkMail] aliases mail forwarding

Yep, I was careful about that. Since I put different text into the warning for the CATCHALLEMAIL test in each $default$.junkmail I was able to reliably tell which configuration was being used for each email. I was very confused up until then, so using the CATCHALLEMAIL test was very handy and a good general debugging idea.

In that case, I would suggest using the debug mode, which should help clear this up. To use the debug mode, you can change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, send an E-mail through like you were before, and then switch back to LOGLEVEL LOW. You can then E-mail me the \IMail\spool\dec.log file (as an attachment), and I can take a look at it to see what is happening.

-Scott
Re: [Declude.JunkMail] aliases mail forwarding
Scott or whomever,

Can you think of any way based on this, to force IMail to retain the message in the sub-mailbox instead of forwarding it? I don't see a way, but I figured I'd ask.

Thanks

-Original Message-
From: Bill B .
Sent: Thu, 29 Aug 2002 8:59:39 EDT
Subject: Re: [Declude.JunkMail] aliases mail forwarding

Here is where I was getting confused... If you use the MAILBOX action, for example:

CATCHALLMAILS MAILBOX spam

...when you use this action on an email address that has Mail Forwarding turned on, it will still forward the message even though Declude attempts to drop it into the sub-mailbox. I guess that's an IMail thing. Turning on Declude debugging shows that it does in fact attempt to put it into the sub-mailbox...
Re: [Declude.JunkMail] aliases mail forwarding
Awesome, that worked. Thanks Tom.

Bill

-Original Message-
From: Tom Baker | Netsmith Inc
Sent: Thu, 29 Aug 2002 11:42:31 -0500
Subject: RE: [Declude.JunkMail] aliases mail forwarding

Easy, instead of mail forwarding use auto-responders but, don't have a response
Which the web-messaging won't let you SETUP, but you can view

The actual way is via the filenames in the user folder

mail forwarding creates a file called
D:\imail\domain.com\users\Forward.ima (which contains the destination address)

Instead, use PER MAILBOX forwarding
D:\imail\domain.com\users\main.fwd

Unless there is a 'spam.fwd' the SPAM mailbox will be retained, while all 'main' mail will be forwarded.

(rename forward.ima to main.fwd)

-Tom

-Original Message-
From: Bill B. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 10:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] aliases mail forwarding

Scott or whomever,

Can you think of any way based on this, to force IMail to retain the message in the sub-mailbox instead of forwarding it? I don't see a way, but I figured I'd ask.

Thanks
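The file names Tom describes above can be turned into an audit that finds accounts where mail moved to the spam sub-mailbox would still leave the server. This is an added example, not code from the thread or from IMail: it assumes one folder per account under the `users` directory, takes the file names (`Forward.ima`, `main.fwd`, `spam.fwd`) from Tom's message, and uses hypothetical function names and a constructed sample tree.

```python
import tempfile
from pathlib import Path


def classify_account(user_dir, spam_mailbox="spam"):
    """Classify one account folder by the forwarding files named in the thread."""
    # Windows file names are case-insensitive, so compare in lower case.
    names = {p.name.lower() for p in Path(user_dir).iterdir() if p.is_file()}
    if "forward.ima" in names:
        # Account-wide forwarding: per the thread, mail that Declude moved
        # to the sub-mailbox is still forwarded.
        return "account-forward"
    if f"{spam_mailbox}.fwd" in names:
        return "spam-forwarded"      # the spam mailbox itself has a forward
    if "main.fwd" in names:
        return "main-only-forward"   # main forwarded, spam mailbox retained
    return "no-forward"


def audit(users_root, spam_mailbox="spam"):
    """Map account name -> classification for every folder under users_root."""
    root = Path(users_root)
    return {d.name: classify_account(d, spam_mailbox)
            for d in sorted(root.iterdir()) if d.is_dir()}


def build_sample_tree(root):
    """Constructed sample layout (assumption: one folder per account)."""
    layout = {"alice": ["Forward.ima"], "bob": ["main.fwd"],
              "carol": ["main.fwd", "spam.fwd"], "dave": []}
    for user, files in layout.items():
        folder = Path(root) / user
        folder.mkdir(parents=True)
        for name in files:
            (folder / name).write_text("dest@example.invalid\n")  # constructed address
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for account, status in audit(build_sample_tree(tmp)).items():
            print(f"{account:8} {status}")
```

Accounts reported as `account-forward` are the ones the rename in Tom's message applies to; `spam-forwarded` accounts send the spam mailbox off the server as well.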
Re: [Declude.JunkMail] Address Book Only in Declude?
Ya, that is an issue. We are currently working on a solution that will do two things...

1) run clean up code each time the user logs out of webmail, which trims the size of the spam mailbox if it is greater than a certain size.
2) an automated script that checks for spam mailboxes that have exceeded a certain size, since not all users use webmail.

We don't use Imail's webmail, we have custom code running on a bunch of Linux boxes which allows us to do things like #1 more easily.

Bill

-Original Message-
From: Charles Frolick
Sent: Thu, 29 Aug 2002 11:21:30 -0500
Subject: RE: [Declude.JunkMail] Address Book Only in Declude?

I do have one question, how do you manage the size of the spam folder when they use that option? I would love to use the MAILBOX action, but have no way of cleaning out the spam folder without affecting the other folders, including inbox, as well. We currently do not use aging as a restriction for those who use webmail exclusively, we opted for size limits instead.

Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom Baker | Netsmith Inc
Sent: Thursday, August 29, 2002 11:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Address Book Only in Declude?

Ok, I will stop posting on this thread after this. For a working-example on how I have achieved this with imail and cold fusion I have setup a test account.

Login = [EMAIL PROTECTED]
Pass = declude
Manager: http://users.bsc.net/
WebMail: http://mail.bsc.net/

From the manager you can *import* an Outlook Express address book, Or build your own, you can adjust the filter levels, and block individual users. These features just manage the rules.ima, which you can watch by going to the web-mail Interface and clicking Change Processing Rules

Anyone on this list is welcome to upload dummy address books and play with this account. I just wanted to demonstrate to others how I have creatively achieved this with IMAIL 6 / Cold Fusion.

* note: I built this interface before I became aware of the power of WEIGHT, changing the filter-definitions to work with weights instead of individual headers is on my to-do list, so if anyone actually does look at this please don't flame me on how I could improve that. I am already aware :)

-Original Message-
From: Tom Baker|Netsmith Inc [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 10:44 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Address Book Only in Declude?

Excuse the typo everyone, I meant to put a not (!) in that long string

H!~THIS...

-Original Message-
From: Tom Baker|Netsmith Inc [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Address Book Only in Declude?

Oh, for an address book only You must also add one last entry at the bottom of rules.ima

H~THISWILLNEVERMATCHBECAUSEITSAREALLYLONGBOGUSSSTRING:NUL

That will force anything not matched in the above of rules.ima to be deleted

Ex:
--rules.ima--
H~[EMAIL PROTECTED]:main
F~declude.com:main
F~[EMAIL PROTECTED]:main
H~THISWILLNEVERMATCHBECAUSEITSAREALLYLONGBOGUSSSTRING:NUL
--/rules.ima--

Anything that does not match the first 3 lines will be deleted

-Original Message-
From: Tom Baker|Netsmith Inc [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 10:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Address Book Only in Declude?

Yes, this is how I already accomplished this for my users. I have a cold fusion interface which verified login/password, then manages their rules.ima

Anyone they want to allow it writes at the top of the rules.ima...
F~[EMAIL PROTECTED]:MAIN

Any junk-mail they want to block it sends to SPAM folder
H~X-RBL-WARNING:SPAM

The problem with authorization is that IMAIL passwords are stored in registry, so you have to make your script verify their password via POP3, or use the IMAIL/REG password Decryption routine that I wrote.

Could easily be replicated in .asp as well

-Original Message-
From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Address Book Only in Declude?

Not to be sarcastic, but wouldn't that be done in a rules.ima file that is configurable by the user?

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Heath
Sent: Thursday, August 29, 2002 7:32 AM
To: R. Scott Perry
Subject: [Declude.JunkMail] Address Book Only in Declude?

I just got the following request from one of my users:

R How do I arrange to receive only emails from members of my address book?

In my opinion this could be the biggest feature added to Declude at this time. Here's how I'd like it to work: Declude looks at a text