RE: [Declude.JunkMail] Log Analyzer - Comments Needed
Keith,

I have a beta available and I am looking for individuals to test it out. If you are interested the beta will be made available as early as Monday. Please let me know if you are interested.

Darrell LaRock

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Johnson
Sent: Thursday, February 06, 2003 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Log Analyzer - Comments Needed

Darrell,

That is awesome. I get those same requests from our clients weekly. I appreciate your time in writing it.

Keith

-----Original Message-----
From: Darrell L. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 06, 2003 11:35 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Log Analyzer - Comments Needed

*Sorry if this is outside the realm in which the forum should be used.

Several of my customers have started asking me for reports on what Declude is blocking for their domain or a certain user. Obtaining this information was challenging manually sifting through the logs - to say the least. I then decided to write an analyzer that could accomplish what I needed. It's a good portion of the way written, and I am thinking about making it public at some point when it is completely finished. However, I was looking for features that people would like that I may not have thought of at this point.

Currently right now it can do the following:

1.) Report on Number of messages that fail each test.
2.) Comprehensive reporting on each individual test. Reports can be generated based on (to, from, domain, subjects, date, time).
3.) Report on individual domains and which messages failed which tests.
4.) Report on individual users and which messages failed which tests.
5.) It is a console application written in C# (.net). It is self contained and does not need any external databases like SQL Server or MSDE.

Things Still to be added:

1.) Ability to email the reports

Thanks
Darrell

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Where I'm At Now and Where Should I Be Going?
In my experience SPAMCOP has been very good at weeding out SPAM and we hold/block using this test alone. We do occasionally get a false positive or two, but no more or less than any of RBL's that list known open relays.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser
Sent: Friday, February 28, 2003 11:36 AM
To: Declude JunkMail
Subject: [Declude.JunkMail] Where I'm At Now and Where Should I Be Going?

Hello, All,

I am pushing hard to learn as much about Declude.JunkMail as my time allows during the trial period. I think I installed on February 11th so I'm about 17 days into the trial. I was hoping to get some feedback from the list as far as things I might have looked over and might want to consider looking into next.

Just to bring things up to speed...

I am currently testing Declude.JunkMail Beta v1.67. I have isolated 2 in-house hosts (out of the 90 we have on our IMail server) for testing purposes. For each host I did some pre-analysis to find out what an ideal hold weight would be for each. For the first host, with the domain name NEXUSTECHGROUP.COM, I came up with WEIGHT13 as my hold weight. For the second host, with the domain name PAGEROVER.COM, I came up with WEIGHT12 as my hold weight. NEXUSTECHGROUP.COM probably gets about 90% legitimate e-mail and PAGEROVER.COM probably gets about 95% (or higher) spam e-mail.

Once I set up the hold weight most spam immediately started being caught by Declude. Those who receive e-mail at those domains were very impressed. But there are still the occasional spam e-mail which make it under the threshold of the hold weight.

To further fine tune Declude.JunkMail I have done 2 things, one which was my idea (and I'm comfortable with) and another which was done to please my boss, which I don't necessarily agree with:

Fine Tuning #1: This is the one I am comfortable with...

In addition to the hold weight I also hold e-mail for a test that I created called SENDERBLOCK. SENDERBLOCK is defined in GLOBAL.CFG as SENDERBLOCK fromfile D:\iMail\declude\senderblock.txt x 0 0. This is based upon the test described in the Your own sender blacklists section of the Declude.JunkMail. Whenever a spam e-mail slips under my hold weight I add the sender's domain (provided it's an obvious spamming domain) to this list. That test has helped to filter a few more spam e-mails out of my users' inboxes.

Fine Tuning #2: This one I'm less comfortable with...

My boss noticed that a number of the spam e-mails that were still slipping in underneath the hold weight were failing the test SPAMCOP. He wanted to know how come I wasn't filtering out all e-mails that failed that test as, from his estimation, the SPAMCOP test was using a list of known spammers. I explained in detail the information I gleaned from the Declude.JunkMail web site and the SPAMCOP web site about the accuracy of the SPAMCOP test. I know that the SPAMCOP test finds mail servers which have a high incidence of spam to legitimate e-mail but that real e-mail can pass through those servers. I told him I'd rather continue to filter on spam domains (via SENDERBLOCK) and that I was trying to avoid catching any legitimate e-mail altogether. I'm trying to set the bar low enough so that a) most spam is caught, b) no legitimate e-mail is caught and then c) filtering further for actual identified spam e-mails. He thinks it's too much overhead to add each domain name whereas I think over time as I add more and more domains to the list the number of domains I have to add will go down considerably. Needless to say I gave in and just started holding for the SPAMCOP test because I really didn't feel like taking the time to turn him over to my spam blocking philosophy.

So that's basically where I'm at right now and from this I've come up with a number of questions and/or comments I am looking for feedback on. Mostly I'm looking for best practices sorts of answers from the community as a whole...

#1) Are there any other tests, which I am missing, like the SENDERBLOCK test which I might want to consider adding to my bag of tricks to continue to filter out spam e-mail which slide in under my hold weight and also fall in line with my philosophy, i.e. catching legit e-mail is a bad thing?

#2) Am I correct in my assumption that holding for SPAMCOP is a bad idea or is there so little legitimate e-mail passing through a server on the SPAMCOP list that if I am holding on that test the chance of actually catching legit e-mail is pretty low?

#3) In addition to what I've learned about Declude.JunkMail itself, I've also started using two of the 3rd-party freeware tools that have been released by Declude devotees, SpamReview and Delog. SpamReview is great and I use it every day to take a quick look at all of the e-mail that is being held by Declude.JunkMail. I haven't gotten to work with Delog as much but it seems pretty cool. Are there any other 3rd-party
RE: Re[2]: DSN:Re: Re[2]: [Declude.JunkMail] A Question of Ethics
I'll trust you on that, and apologize for the roundhouse classification. Yet in your several dozen cases where divorces were contemplated, employee terminations took place, even people who were sent back to prison and kids who have been grounded examples, clearly your tool was used as spyware. And these are the cases which you brought under discussion.

This is only in reference to a business environment. I suppose you can say that any monitoring tool or piece of software could be spyware. I know in several instances where employees were let go or suspended due to inappropriate activity were based solely on the analysis of firewall logs that record all internet activity. In our Computer Security Policy we do not specifically say that the firewall is logging everyone's internet surfing activities. However in the computer security document it is spelled out that they are using company equipment and the company reserves the right to monitor any and all activity. Would you say in this instance that the tools (firewall logging) used would be classified as spyware?

Darrell
[Declude.JunkMail] Filtering on a header
When you are attempting to filter on a header, for example this header

X-Mailer: The Bat! (v1.52f) Business

Would the following line in my filter file work

HEADERS 10 CONTAINS X-Mailer: The Bat! (v1.52f) Business

Or should I use

HEADERS 10 IS X-Mailer: The Bat! (v1.52f) Business

Is there any real difference in efficiency between IS and CONTAINS in the above example?

Darrell
RE: [Declude.JunkMail] Tuning Declude
Scott,

But I guess the obvious question is why did the SPAMHEADERS return the lookup code [c040400f]?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, February 19, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Tuning Declude

Here's an example of one a message that failed both:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c040400f].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c040400f]

In this case, the E-mail failed the BADHEADERS test because of the bogus Date: header, but failed the SPAMHEADERS test because the headers contained a lot of consecutive blank spaces (such as Hi! -qeurx).

-Scott
RE: [Declude.JunkMail] Filtering on a header
Does anyone have a list or a similar resource to peruse.

Darrell LaRock

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sheldon Koehler
Sent: Thursday, February 20, 2003 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filtering on a header

>> When you are attempting to filter on a header for example this header X-Mailer: The Bat! (v1.52f) Business

> Only the first one will work. The key here is that Declude JunkMail is looking at the *entire* headers (it isn't going through each one, line-by-line). So IS would only work if you had the entire headers in the filter.

Oooh! I seem to have missed this idea completely. Is there a list of the spamming software we can look for?

Sheldon

Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
RE: [Declude.JunkMail] Tuning Declude
Is it possible then to have the tool on the website updated to reflect the information you provided below? i.e.

BADHEADERS - Broken or missing date
SPAMHEADERS - consecutive spaces in the subject

I am sorry to beat this to death, it's just that when you use the tool it gives the perception that it failed both tests for the same reason.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, February 20, 2003 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Tuning Declude

> But I guess the obvious question is why did the SPAMHEADERS return the lookup code [c040400f]?

Because that is the code. G

That code indicates that the E-mail failed both the BADHEADERS and SPAMHEADERS tests, due to the broken Date: header and the large number of consecutive spaces in the subject. The same code is shared by both tests.

-Scott
[Declude.JunkMail] Whitelist Did not Work?
The whitelisting of postmaster@ used to work, but this time it didn't. Any thoughts.

20030202 194515 127.0.0.1 SMTPD (958D00E6) [209.94.11.105] connect 148.78.247.23 port 56646
20030202 194515 127.0.0.1 SMTPD (958D00E6) [148.78.247.23] EHLO apollo.email.starband.net
20030202 194515 127.0.0.1 SMTPD (958D00E6) [148.78.247.23] MAIL From:[EMAIL PROTECTED]
20030202 194515 127.0.0.1 SMTPD (958D00E6) [148.78.247.23] RCPT To:[EMAIL PROTECTED]
20030202 194515 127.0.0.1 SMTPD (958D00E6) [148.78.247.23] e:\imail\spool\Dbb9b958d00e6613f.SMD 3338

02/02/2003 19:45:26 Qbb9b958d00e6613f SPAMCOP:10 . Total weight = 10
02/02/2003 19:45:26 Qbb9b958d00e6613f Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?148.78.247.23). Action=WARN.
02/02/2003 19:45:26 Qbb9b958d00e6613f Msg failed WEIGHT10 (Weight of 10 reaches or exceeds the limit of 10.). Action=BOUNCE.
02/02/2003 19:45:26 Qbb9b958d00e6613f Subject: FW: UnDeliverable Mail
02/02/2003 19:45:26 Qbb9b958d00e6613f From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]

GLOBAL CONFIG

WHITELIST TO postmaster@
WHITELIST TO abuse@
RE: [Declude.JunkMail] Whitelist Did not Work?
Scott,

Any plans on changing that? If you host a mail server that has many domains you sure can burn up a bunch of whitelist addresses quickly that way.

Darrell

Darrell LaRock

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, February 03, 2003 5:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Whitelist Did not Work?

> The whitelisting of postmaster@ used to work, but this time it didn't. Any thoughts.
>
> GLOBAL CONFIG
>
> WHITELIST TO postmaster@
> WHITELIST TO abuse@

The WHITELIST TO command requires an exact match -- so you would need to enter WHITELIST TO [EMAIL PROTECTED] and WHITELIST TO [EMAIL PROTECTED].

-Scott
[Declude.JunkMail] Logging
When using MID for logging is the From: address comparable to the x-declude-sender?

01/29/2003 04:37:47 Qa0e78ee900be105a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]

Thanks
Darrell
RE: [Declude.JunkMail] Message Sniffer holding all e-mails
I have a registered version of Sniffer and for some reason for a couple hours I had the same problem. It was within several days of installing Sniffer although I had the registered version. We were never able to pin-point it to the Sniffer software, but something happened...

Do you happen to have some of the legit mail saved that Sniffer failed on. This would be helpful to the folks especially to see if it duplicates what happened to me.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Newberg
Sent: Tuesday, January 28, 2003 12:49 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Message Sniffer holding all e-mails

I installed the demo version of Message Sniffer and configured it in Declude according to the directions on the website. It is failing every e-mail received. Any ideas what could be wrong?
[Declude.JunkMail] Logfile Question
Scott,

Will declude transactions ever interleave in the log file? It appears they are always like this in the log file

MESSAGE1 FAILED THIS
MESSAGE1 FAILED THIS
MESSAGE1 FAILED THIS
MESSAGE2 FAILED THIS
MESSAGE2 FAILED THIS

Instead of this

MESSAGE1 FAILED THIS
MESSAGE1 FAILED THIS
MESSAGE2 FAILED THIS
MESSAGE1 FAILED THIS
MESSAGE2 FAILED THIS

Can you confirm if this is always the case.

Darrell
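Added example, not part of the original thread and not Darrell's analyzer or Declude's own code: a small Python parser for the Declude log line layout shown in the excerpt posted in the whitelist thread (date, time, queue ID, text). It groups entries by queue ID, so per-test and per-domain reports come out the same whether or not messages interleave. The sample log, its queue IDs and addresses, and all function names are constructed for illustration.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample: same line layout as the Declude excerpt quoted on this
# page, with made-up queue IDs and addresses. The two messages are deliberately
# interleaved, and one IMail SMTPD line (a different layout) is mixed in.
SAMPLE_LOG = """\
02/02/2003 19:45:26 Qaaaa000000000001 SPAMCOP:10 . Total weight = 10
02/02/2003 19:45:26 Qbbbb000000000002 BADHEADERS:5 . Total weight = 5
02/02/2003 19:45:26 Qaaaa000000000001 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?192.0.2.23). Action=WARN.
02/02/2003 19:45:26 Qbbbb000000000002 Msg failed BADHEADERS (Constructed reason text.). Action=WARN.
02/02/2003 19:45:26 Qaaaa000000000001 Msg failed WEIGHT10 (Weight of 10 reaches or exceeds the limit of 10.). Action=BOUNCE.
20030202 194515 127.0.0.1 SMTPD (958D00E6) [192.0.2.23] EHLO mail.example.net
02/02/2003 19:45:27 Qbbbb000000000002 Subject: Re: Total weight = 0
02/02/2003 19:45:26 Qaaaa000000000001 Subject: FW: UnDeliverable Mail
02/02/2003 19:45:26 Qaaaa000000000001 From: sender@example.net To: postmaster@example.com
02/02/2003 19:45:27 Qbbbb000000000002 From: other@example.net To: user@example.org
"""

# Every Declude line: date, time, queue ID, then free text.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
FAILED_RE = re.compile(r"^Msg failed (\S+) \((.*)\)\. Action=(\w+)\.$")
FROM_TO_RE = re.compile(r"^From: (\S+) To: (\S+)$")
TOTAL_RE = re.compile(r"Total weight = (-?\d+)\s*$")


def parse_log(text):
    """Return (messages keyed by queue ID, count of lines in another layout)."""
    messages = OrderedDict()
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # e.g. IMail SMTPD lines; count them, do not guess
            continue
        date, time, qid, rest = m.groups()
        # Keying on the queue ID is what makes interleaving harmless.
        msg = messages.setdefault(qid, {
            "first_seen": f"{date} {time}", "total_weight": None,
            "failed": [], "subject": None, "sender": None, "recipient": None,
        })
        # Subject and From are sender-controlled text. Classify by line prefix
        # first, so a subject such as "Total weight = 0" cannot overwrite a field.
        if rest.startswith("Subject: "):
            msg["subject"] = rest[len("Subject: "):]
            continue
        from_to = FROM_TO_RE.match(rest)
        if from_to:
            msg["sender"], msg["recipient"] = from_to.groups()
            continue
        failed = FAILED_RE.match(rest)
        if failed:
            msg["failed"].append((failed.group(1), failed.group(3)))
            continue
        total = TOTAL_RE.search(rest)
        if total:
            msg["total_weight"] = int(total.group(1))
    return messages, skipped


def count_failures_by_test(messages):
    """Number of messages that failed each test."""
    return Counter(test for msg in messages.values() for test, _ in msg["failed"])


def failures_for_domain(messages, domain):
    """(queue ID, subject, failed tests) for mail addressed to one domain."""
    suffix = "@" + domain.lower()
    return [
        (qid, msg["subject"], [test for test, _ in msg["failed"]])
        for qid, msg in messages.items()
        if msg["recipient"] and msg["recipient"].lower().endswith(suffix)
    ]


if __name__ == "__main__":
    msgs, skipped = parse_log(SAMPLE_LOG)
    print("lines in another layout:", skipped)
    for test, n in count_failures_by_test(msgs).most_common():
        print(f"{test}: {n}")
    for row in failures_for_domain(msgs, "example.com"):
        print(row)
```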
[Declude.JunkMail] External Test Writing
I am in the process of working on a Log analyzer for Declude that can provide me with the information I need to report on each month. I wanted to include a Spam Subject reporting feature. In any of the log files (declude or Imail) I have been unable to find any references to subject. I have since written a program that will extract the information out of a message header. Although, I haven't tied the test into declude yet. I do have some questions

1.) When writing an external test for declude is there anything I should avoid doing. Are there any best tips or practices to follow?

2.) Is there an RFC that deals specifically with how messages should be formatted? Max Line lengths, Max Header Lengths?

3.) Is there an easier way to get this information other than implementing the external test to extract the info.

Thanks
Darrell
RE: [Declude.JunkMail] External Test Writing
Scott,

Do you think it would be better to extract the info through a declude external test or bump up the logging?

Darrell

Darrell LaRock
Information Systems Analyst
Gannett Television
716-849-2272

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, January 23, 2003 11:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] External Test Writing

> 1.) When writing an external test for declude is there anything I should avoid doing. Are there any best tips or practices to follow?

You should be able to do just about anything you want in an external test. We recently added a bit more flexibility, so that you can alter or even delete the E-mail files (of course, you would need to be very careful in doing so!).

> 2.) Is there an RFC that deals specifically with how messages should be formatted? Max Line lengths, Max Header Lengths?

That would be RFC821 (see section 4.5.3). RFC822 is also useful, as well as the proposed RFC2821/RFC2822.

> 3.) Is there an easier way to get this information other than implementing the external test to extract the info.

If you are looking for the Subject: header, you should be able to get that in the log file by using LOGLEVEL MID or LOGLEVEL HIGH.

-Scott
RE: [Declude.JunkMail] Results with our configuration
John,

From your post I gathered that your log level is at least mid. Is this a normal configuration or just a one time deal to look at the mail.

Darrell

Darrell LaRock
Information Systems Analyst
Gannett Television
716-849-2272

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Thursday, January 23, 2003 1:22 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Results with our configuration

I wanted to post yesterday's results of Declude Junkmail:

We hold on a weight of 20 and delete at 40. Messages held are reviewed using Spam Review software.

There were no False Positives in the messages deleted. This was reviewed by manually going through the Declude Junkmail log for all messages deleted and looking at the subject line and sender and recipient.

3485 messages were processed by Declude Junkmail.
889 were deleted.
85 were held. Of the held, 16 were False Positives.
Total found and deleted: 958 (27.49%)

Individual tests like SPAMCHECK and NOXMAIL generate a number of false positives, but that is what the white filters and MATCH program is for. However, those tests are also responsible for the majority of the messages deleted.

Tests used: (numbers after action is weight we use)

ORDB WARN 2
OSDUL WARN 2
OSFORM WARN 2
OSLIST WARN 2
OSPROXY WARN 2
OSRELAY WARN 2
OSSMART WARN 2
OSSOFT WARN 2
OSSRC WARN 10
SPAMCOP WARN 12
DSN WARN 10
NOABUSE WARN 3
NOPOSTMASTER WARN 3
BADHEADERS WARN 5
BASE64 WARN 12
HELOBOGUS WARN 3
IPNOTINMX LOG 0 -3
MAILFROM WARN 15
PERCENT WARN 15
REVDNS WARN 2
ROUTING WARN 10
SPAMHEADERS WARN 5
ADULT1 WARN 50
JUNK WARN 30
SPAMCHECK WARN Weight
NOXSPAM1 WARN 20
NOXSPAM2 WARN 15
NOXSPAM3 WARN 15
NOXADULT1 WARN 20
NOXADULT2 WARN 15
NOXADULT3 WARN 15
REVIEWER1 ROUTETO [EMAIL PROTECTED]
WHITEFILTER1 WARN
WHITEFILTER2 WARN
WHITEFILTER3 WARN
WHITEFILTER4 WARN
GRAYFILTER1 WARN
GRAYFILTER2 WARN
GRAYFILTER3 WARN
GRAYFILTER4 WARN
MATCH WARN -40

Kami, I have not yet had time to try your lists.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
[Declude.JunkMail] Negative Weight On A Domain Name
If I was going to setup Negative Weight on certain domains instead of white listing them would I use just a standard sender blacklist with negative weight i.e.

DereaseWeight fromfile C:\IMail\Declude\badaddresses.txt x 0 5

Then inside the file I would use

@mail.southwest.com

Since the Declude sender is

X-Declude-Sender: [EMAIL PROTECTED] [12.5.136.142]

Thanks
Darrell
RE: [Declude.JunkMail] Negative Weight On A Domain Name
Just for clarification,

The first weight is the weight applied if the test is failed, and the second weight is if the test is passed.

In my case I would have @mail.southwest.com entered in the file and I want to decrease the weight of the mail if the message is from the @mail.southwest.com domain.

DecreaseWeight fromfile C:\IMail\Declude\AddressesToDecWeightOn.txt x -5 0

Is this correct?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, January 21, 2003 9:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Negative Weight On A Domain Name

> If I was going to setup Negative Weight on certain domains instead of white listing them would I use just a standard sender blacklist with negative weight i.e.
>
> DereaseWeight fromfile C:\IMail\Declude\badaddresses.txt x 0 5
>
> Then inside the file I would use
>
> @mail.southwest.com
>
> Since the Declude sender is
>
> X-Declude-Sender: [EMAIL PROTECTED] [12.5.136.142]

In this case, the only change I would make is to use -5 instead of 5 in the test definition, so that it will lower the weight:

DereaseWeight fromfile C:\IMail\Declude\badaddresses.txt x 0 -5

-Scott
RE: [Declude.JunkMail] Negative Weight On A Domain Name
Scott,

Thank you for the clarification, the end of your message was the intended behavior I was looking for.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, January 21, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Negative Weight On A Domain Name

> The first weight is the weight applied if the test is failed, and the second weight is if the test is passed.

Ah, I see what you're getting at. It gets confusing because there are two meanings of negative weight (negative meaning that the E-mail didn't fail the spam test, or negative as in a negative number added to the weight).

Assuming @mail.southwest.com is in the blacklist:

DereaseWeight fromfile C:\IMail\Declude\badaddresses.txt x 0 5

The above would cause E-mail from @mail.southwest.com to have 0 points, and mail from any other address would have 5 points. Instead, I'm guessing you would want:

DereaseWeight fromfile C:\IMail\Declude\badaddresses.txt x -5 0

With this, 5 points will be deducted from mail from @mail.southwest.com, but other mail won't be affected.

-Scott
[Declude.JunkMail] Bounce Message and the localhost variable
I have domains that are local that I host and several domains that I am a gateway for. Now when a message gets bounced for a local domain the following line works fine. It will substitute the %localhost% for the domain that the message was addressed to.

If you feel this message is in error please forward this message to postmaster@%LOCALHOST%

However, for domains I gateway for it does not substitute the correct domain in that line. It always defaults to the mail server's primary domain name instead of the domain to which the mail was addressed, which is not the desired behavior.

Any thoughts?

Darrell
RE: [Declude.JunkMail] Passing SPAM that should be bounced
Scott,

Essentially all I am doing is acting as a gateway for another domain. This way they can utilize the virus scanning and spam detection we have in place.

What I am trying to implement is called "Acting as a gateway for domains on other servers" in the manual. Now from the manual and what you indicated I need to set up per domain configuration for this domain to get around the described behavior (Declude would treat the mail as outgoing).

Now the manual says this under the "Acting as a gateway for domains on other servers" heading -

The only catch as far as Declude JunkMail is concerned is that IMail will treat the E-mail to the gateway domain as outgoing mail, since it is not stored on the IMail server. Therefore, by default, the outgoing actions in the \IMail\Declude\global.cfg file will be used. To get around this, you can set up per-domain configuration files for the gateway domains.

However, when looking at the per domain configuration it does not say anything about copying in the global config where the outgoing tests are specified. Can you explain this in a little more depth to me?

Also, since you mentioned that Declude will only scan the email once. The behavior I am seeing now is that the message intended for the remote domain is being scanned inbound. Now if I enabled outgoing scanning - would it not process that mail again because it was already scanned inbound? Would it use the information it already gathered from the first scan?

To summarize. In addition to scanning all inbound mail for my local domains, I want to filter mail for this domain that I am a gateway for.

Scott I hope this makes sense...

Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, January 14, 2003 9:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Passing SPAM that should be bounced

1.) Since the mail was already incoming and has gone through all the spam checks inbound is there any way to override the current behavior of discarding those results and actually have the message react to the incoming spam checks.

Declude JunkMail will only scan an E-mail once. E-mail can be very confusing because every E-mail handled by a mailserver is technically incoming E-mail (as in the IMail server receives it from somewhere else), whereas some of those are local deliveries and some are remote deliveries. In any case, an E-mail should only be scanned once by Declude (unless it arrives more than once).

2.) If I can't override the default behavior, can I set up per domain outgoing processing for just this domain - even though this domain does not exist on this mail server?

Yes, but not the way I think you want. You can set up per-domain settings for the *recipient* domain. But, you can't set up per-domain settings for the *sender* domain. In this case, I'm guessing you would want the per-user settings for the sender domain, which isn't possible (remember, spammers love to use the same return address as the To: address).

3.) If it is possible to set up per domain filtering for this domain even though it does not exist on this server, Should I whitelist the incoming mail so it doesn't go through all those checks? Or is Whitelisting global in regards that it applies to both incoming and outgoing mail?

The whitelisting applies to whatever type of whitelist it is. For example, WHITELIST IP 192.0.2.25 will whitelist E-mail coming from 192.0.2.25, no matter whether it is incoming or outgoing E-mail.

Please advise on what you think would be the best course of action here.

The ultimate problem seems to be that the backup mailserver isn't really a backup mailserver -- it seems to accept all E-mail, and send it out. If the backup mailserver accepts an E-mail, sends it to the primary mailserver, and then the primary mailserver sends it out to a remote location, you probably have a problem. Unless there is a good reason for this (for example, forwarding on the primary mailserver that is causing the E-mail to be sent to a remote location), you are running an open relay on the backup mailserver.

-Scott
RE: [Declude.JunkMail] Passing SPAM that should be bounced
John

Thanks for the follow-up. My confusion is in that Declude/Imail treat the domain I am gatewaying for as outgoing mail. Now with per domain settings it only references copying the $default$.JunkMail file to the per domain folder. However, the outgoing tests are defined in the global config. Once I enable the tests in the global config file it appears as if *ALL* outgoing mail will be scanned. This is what I want to avoid. The only outbound mail I want to scan is for the domain I provide the gateway services for.

Any thoughts?

Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Wednesday, January 15, 2003 10:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Passing SPAM that should be bounced

Now the manual says this under the "Acting as a gateway for domains on other servers" heading -

The only catch as far as Declude JunkMail is concerned is that IMail will treat the E-mail to the gateway domain as outgoing mail, since it is not stored on the IMail server. Therefore, by default, the outgoing actions in the \IMail\Declude\Global.cfg file will be used. To get around this, you can set up per-domain configuration files for the gateway domains.

However, when looking at the per domain configuration it does not say anything about copying in the global config where the outgoing tests are specified. Can you explain this in a little more depth to me?

Darrell, if you want the settings for that domain to be different than the test actions in the Global.cfg, you need to follow this section of the manual:

### Per-Domain Configuration

The Standard and Pro versions of Declude JunkMail allow you to have different settings for each domain that you have.

In order to do this, you first need to create a subdirectory off of the Declude directory, with the same name as the domain you wish to change. For example, to add a per-domain configuration for example.com, you would create the directory \IMail\Declude\example.com. Note that this needs to be the official domain name, not a domain alias (so if you have a domain mail.example.com with example.com as an alias, the directory should be \IMail\Declude\mail.example.com\). The exception is that if you have a user alias, the domain you use in the alias will take priority (for example, if the alias is sales that points to [EMAIL PROTECTED], you would need to use the directory example.com). It may be necessary to use two different directories, if you have user aliases pointing to domain aliases (a quirk in IMail).

The next step is to copy the $default$.JunkMail file into that directory. Then, edit that file to reflect the settings you want for that domain.

Or, to quickly disable spam control for a specific domain, you can whitelist all mail to the domain by using the WHITELIST TODOMAIN @example.com setting in the Global.cfg file.

Note that you should not delete the \IMail\Declude\$default$.JunkMail file. If that file does not exist, there will be no default settings for E-mail addressed to domains that do not have their own per-domain settings.

###

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
RE: [Declude.JunkMail] Passing SPAM that should be bounced
Scott,

Things are starting to come together slowly now :) Correct me if I am wrong. Normally outgoing mail actions are specified in the Global.Config file. However, when using per domain settings it only looks at the actions in the $default$.JunkMail file for that domain.

Thanks
Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, January 15, 2003 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Passing SPAM that should be bounced

Essentially all I am doing is acting as a gateway for another domain. This way they can utilize the virus scanning and spam detection we have in place.

Ah, I see now. I had thought that you were acting as a backup mailserver (in case they were down), rather than a gateway (to scan all their E-mail).

What I am trying to implement is called "Acting as a gateway for domains on other servers" in the manual. Now from the manual and what you indicated I need to set up per domain configuration for this domain to get around the described behavior (Declude would treat the mail as outgoing).

That is correct. So if you are a gateway for the example.com domain, then you could set up a file \IMail\Declude\example.com\$default$.JunkMail that would be used for E-mail to @example.com (instead of the outgoing actions from the global.cfg file being used).

Now the manual says this under the "Acting as a gateway for domains on other servers" heading -

The only catch as far as Declude JunkMail is concerned is that IMail will treat the E-mail to the gateway domain as outgoing mail, since it is not stored on the IMail server. Therefore, by default, the outgoing actions in the \IMail\Declude\global.cfg file will be used. To get around this, you can set up per-domain configuration files for the gateway domains.

However, when looking at the per domain configuration it does not say anything about copying in the global config where the outgoing tests are specified. Can you explain this in a little more depth to me?

It's easier to understand if you realize that the global.cfg file serves two purposes:

[1] It handles server-wide settings (such as the activation code, X- headers, etc.), and
[2] It has the actions that are used for outgoing E-mail (which is handled the same way as the \IMail\Declude\$default$.JunkMail and per-user/per-domain configuration files).

If there is a per-user or per-domain configuration file for a user, then Declude JunkMail will use it. Otherwise, Declude JunkMail will use the \Imail\Declude\global.cfg file (if the recipient is not on the local server - outgoing mail), or the \IMail\Declude\$default$.JunkMail file (if the recipient is on the local server - incoming mail).

In your case, you can copy the \IMail\Declude\$default$.JunkMail file to \IMail\Declude\example.com\$default$.JunkMail (assuming the domain that you are acting as a gateway for is example.com). If you want, you can change any settings in that file, which will be applied only on mail to the example.com domain.

Also, since you mentioned that Declude will only scan the email once. The behavior I am seeing now is that the message intended for the remote domain is being scanned inbound. Now if I enabled outgoing scanning - would it not process that mail again because it was already scanned inbound?

It will still only be processed once. When the E-mail arrives, Declude JunkMail will see that it is outgoing E-mail, and either use the actions in the \IMail\Declude\global.cfg file or the per-domain settings (the \IMail\Declude\example.com\$default$.JunkMail file). It will not be scanned as incoming E-mail (even though it is technically incoming, as in it is received by the IMail server, it is not destined to a local user, so it will be scanned as an outgoing E-mail rather than an incoming E-mail).

Would it use the information it already gathered from the first scan?

It will only get scanned once. Here's an overview of what happens:

[1] The remote mailserver connects to IMail, and gives the E-mail to IMail.
[2] IMail starts Declude, which scans the E-mail
[3] Declude hands the E-mail back to IMail, which delivers it (either to a local user, or via SMTP to a remote recipient).

So whether the E-mail is to/from a local user, to/from a remote user, and/or backup/gateway E-mail, it will just get scanned once. The only way it would get scanned more than once is if Step 1 occurred more than once, which shouldn't happen (that could happen if you forward your mail to AOL, and then have the AOL account set to forward it back to you, for example).

-Scott
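The file-selection order described in the reply above, written out as a small audit (an added example, not code from the thread or from Declude). It assumes the directory layout named in the thread; per-user files and IMail alias resolution are left out because the thread does not give their details, and the domain names and helper names are hypothetical.

```python
import tempfile
from pathlib import Path

DEFAULT_FILE = "$default$.JunkMail"   # file name as given in the thread
GLOBAL_FILE = "global.cfg"            # file name as given in the thread


def config_for(recipient, declude_dir, local_domains):
    """Return (path, kind) of the file whose actions apply to this recipient.

    Order taken from the reply above: a per-domain file wins; otherwise
    global.cfg for non-local (outgoing) recipients and the top-level
    $default$.JunkMail for local (incoming) recipients.
    Assumption: the domain is used as written, aliases are not resolved.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    per_domain = Path(declude_dir) / domain / DEFAULT_FILE
    if per_domain.is_file():
        return per_domain, "per-domain"
    if domain in local_domains:
        return Path(declude_dir) / DEFAULT_FILE, "incoming default"
    return Path(declude_dir) / GLOBAL_FILE, "outgoing"


def gateways_on_global_actions(gateway_domains, declude_dir, local_domains):
    """Gateway domains with no per-domain file: their mail is handled with the
    outgoing actions in global.cfg, which is the situation in this thread."""
    return [d for d in gateway_domains
            if config_for("postmaster@" + d, declude_dir, local_domains)[1] == "outgoing"]


def demo():
    """Build a constructed Declude directory and resolve three recipients."""
    with tempfile.TemporaryDirectory() as root:
        declude = Path(root) / "IMail" / "Declude"
        (declude / "example.com").mkdir(parents=True)
        for f in (declude / GLOBAL_FILE,
                  declude / DEFAULT_FILE,
                  declude / "example.com" / DEFAULT_FILE):
            f.write_text("# constructed placeholder\n")
        local = {"local.example"}                      # hosted on this server
        gateways = ["example.com", "gateway.example"]  # relayed to other servers
        picks = {r: config_for(r, declude, local)[1]
                 for r in ("user@local.example",
                           "user@example.com",
                           "user@gateway.example")}
        return picks, gateways_on_global_actions(gateways, declude, local)


if __name__ == "__main__":
    picks, uncovered = demo()
    for rcpt, kind in picks.items():
        print(f"{rcpt:24} -> {kind}")
    print("gateway domains without a per-domain file:", uncovered)
```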
[Declude.JunkMail] Passing SPAM that should be bounced
It appears as if Declude is allowing mail that fails spam tests that have been funneled through our backup mail server to pass.

#GLOBAL CONFIG
IPBYPASS 12.25.87.100

Here is the relevant portion of logs and configs

20030114 162019 127.0.0.1 SMTPD (6B090098) [209.94.11.105] connect 12.25.87.100 port 3044
20030114 162019 127.0.0.1 SMTPD (6B090098) [12.25.87.100] EHLO mail2.gannett-tv.com
20030114 162019 127.0.0.1 SMTPD (6B090098) [12.25.87.100] MAIL FROM:[EMAIL PROTECTED]
20030114 162019 127.0.0.1 SMTPD (6B090098) [12.25.87.100] RCPT TO:[EMAIL PROTECTED]
20030114 162020 127.0.0.1 SMTPD (6B090098) [12.25.87.100] e:\imail\spool\D7f136b090098ed15.SMD 20885

Now the Declude Logs

01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed FXBLACKLIST ( ID-20021207-000934). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed HELOBOGUS (Domain newman has no MX or A records.). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed WEIGHT10 (Weight of 12 reaches or exceeds the limit of 10.). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 R1 Message OK

Back to the Imail Logs

20030114 162025 127.0.0.1 SMTP (1724) processing e:\imail\spool\Q7f136b090098ed15.SMD
20030114 162025 127.0.0.1 SMTP (1724) Trying wusatv9.com (0)
20030114 162025 127.0.0.1 SMTP (1724) Connect wusatv9.com [209.70.145.3:25] (1)
20030114 162025 127.0.0.1 SMTP (1724) 220 aegis.wusatv9.com SMTP/smap Ready.
20030114 162025 127.0.0.1 SMTP (1724) EHLO mail1.gannett-tv.com
20030114 162025 127.0.0.1 SMTP (1724) 500 Command unrecognized
20030114 162025 127.0.0.1 SMTP (1724) HELO mail1.gannett-tv.com
20030114 162025 127.0.0.1 SMTP (1724) 250 (mail1.gannett-tv.com) pleased to meet you.
20030114 162025 127.0.0.1 SMTP (1724) MAIL FROM:[EMAIL PROTECTED]
20030114 162025 127.0.0.1 SMTP (1724) 250 [EMAIL PROTECTED]... Sender Ok
20030114 162025 127.0.0.1 SMTP (1724) RCPT To:[EMAIL PROTECTED]
20030114 162025 127.0.0.1 SMTP (1724) 250 [EMAIL PROTECTED] OK
20030114 162025 127.0.0.1 SMTP (1724) DATA
20030114 162025 127.0.0.1 SMTP (1724) 354 Enter mail, end with . on a line by itself
20030114 162026 127.0.0.1 SMTP (1724) .
20030114 162027 127.0.0.1 SMTP (1724) 250 Mail accepted
20030114 162027 127.0.0.1 SMTP (1724) rdeliver wusatv9.com [EMAIL PROTECTED] (1) [EMAIL PROTECTED] 20947
20030114 162027 127.0.0.1 SMTP (1724) QUIT
20030114 162027 127.0.0.1 SMTP (1724) 221 Closing connection
20030114 162027 127.0.0.1 SMTP (1724) finished e:\imail\spool\Q7f136b090098ed15.SMD status=1

Declude -diag

E:\imaildeclude -diag
Declude (C) Copyright 2000-2002 Computerized Horizons. All Rights Reserved.
Diagnostics ON (Declude v1.63).
Declude JunkMail: Config file found (E:\imail\Declude\global.CFG).
Declude Virus: Not installed (no E:\imail\Declude\Virus.CFG file).
Declude Hijack:Not installed (no E:\imail\Declude\Hijack.CFG file).
Declude Confirm: Not installed (no E:\imail\Declude\Confirm.CFG file).
34 spam tests defined: LOOSENSPAMHEADERS WORDFILTER BLACKLIST FXBLACKLIST IPBLACKLIST OLDEMPLOYEE ORDB OSDUL OSFORM OSLIST OSRELAY OSSMART OSSOFT OSSRC SPAMCOP MONKEYPROXIES MONKEYFORMMAIL DSBL NJABL DSN NOABUSE NOPOSTMASTER BADHEADERS HELOBOGUS MAILFROM PERCENT REVDNS ROUTING SPAMHEADERS HEUR10 SNIFFER WEIGHT10 WEIGHT5 CATCHALLMAILS
IMail reports Official Host Name as: mail1.gannett-tv.com.
IMail's SendName registry seems OK: e:\imail\Declude.exe.
Declude JunkMail Status: PRO version registered.
Declude Virus Status:NOT REGISTERED: No activation code.
Declude Hijack Status: NOT REGISTERED: No activation code.
End of diagnostics.
RE: [Declude.JunkMail] Passing SPAM that should be bounced
Scott,

A couple of questions

1.) Since the mail was already incoming and has gone through all the spam checks inbound is there any way to override the current behavior of discarding those results and actually have the message react to the incoming spam checks.

2.) If I can't override the default behavior, can I set up per domain outgoing processing for just this domain - even though this domain does not exist on this mail server?

3.) If it is possible to set up per domain filtering for this domain even though it does not exist on this server, Should I whitelist the incoming mail so it doesn't go through all those checks? Or is Whitelisting global in regards that it applies to both incoming and outgoing mail?

Please advise on what you think would be the best course of action here.

Darrell LaRock

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, January 14, 2003 5:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Passing SPAM that should be bounced

It appears as if Declude is allowing mail that fails spam tests that have been funneled through our backup mail server to pass.

That's because outgoing mail isn't normally scanned (with Declude JunkMail Pro, the outgoing actions in the \IMail\Declude\global.cfg file will be used).

Now the Declude Logs

01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed FXBLACKLIST (ID-20021207-000934). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed HELOBOGUS (Domain newman has no MX or A records.). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed WEIGHT10 (Weight of 12 reaches or exceeds the limit of 10.). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 R1 Message OK

In this case, the E-mail is outgoing E-mail, so the actions from the global.cfg file (IGNORE) are used.

-Scott
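The condition diagnosed in this thread (a message reaches a WEIGHT limit, the action is IGNORE, and IMail then relays it to a remote host) can be found by joining the two logs on the spool ID. The following is an added example, not part of the original posts: the sample lines are copied from the logs quoted in the thread, the function names are hypothetical, and the patterns assume only the line layouts visible there.

```python
import re
from collections import defaultdict

# Log lines copied from the post (addresses were already redacted by the archive).
DECLUDE_LOG = r"""
01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed FXBLACKLIST ( ID-20021207-000934). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed HELOBOGUS (Domain newman has no MX or A records.). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 Msg failed WEIGHT10 (Weight of 12 reaches or exceeds the limit of 10.). Action=IGNORE.
01/14/2003 16:20:25 Q7f136b090098ed15 R1 Message OK
"""
IMAIL_LOG = r"""
20030114 162025 127.0.0.1 SMTP (1724) processing e:\imail\spool\Q7f136b090098ed15.SMD
20030114 162025 127.0.0.1 SMTP (1724) Trying wusatv9.com (0)
20030114 162027 127.0.0.1 SMTP (1724) rdeliver wusatv9.com [EMAIL PROTECTED] (1) [EMAIL PROTECTED] 20947
20030114 162027 127.0.0.1 SMTP (1724) finished e:\imail\spool\Q7f136b090098ed15.SMD status=1
"""

# "Action=..." is optional: the Declude 1.60 lines quoted elsewhere on the page lack it.
FAILED_RE = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d Q(\w+) Msg failed (\S+) "
    r"\((.*)\)\s*\.(?: Action=(\w+)\.)?\s*$")
WEIGHT_RE = re.compile(r"Weight of (\d+) reaches or exceeds the limit of (\d+)")
IMAIL_RE = re.compile(r"^\d{8} \d{6} \S+ SMTP \((\d+)\) (\S+) (.*)$")
SPOOL_RE = re.compile(r"\\Q(\w+)\.SMD")


def parse_declude(text):
    """Return {spool_id: [(test, reason, action), ...]} for every failed test."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            spool_id, test, reason, action = m.groups()
            failures[spool_id].append((test, reason.strip(), action))
    return dict(failures)


def parse_imail_relays(text):
    """Return {spool_id: [remote domains]} from the SMTP delivery lines."""
    current = {}                 # delivery process id -> spool id being processed
    relays = defaultdict(list)
    for line in text.splitlines():
        m = IMAIL_RE.match(line.strip())
        if not m:
            continue
        pid, verb, rest = m.groups()
        if verb == "processing":
            spool = SPOOL_RE.search(rest)
            if spool:
                current[pid] = spool.group(1)
        elif verb == "rdeliver" and pid in current:
            relays[current[pid]].append(rest.split()[0])
        elif verb == "finished":
            current.pop(pid, None)
    return dict(relays)


def relayed_despite_weight(declude_text, imail_text):
    """Messages that hit a WEIGHT limit with Action=IGNORE and were relayed out."""
    relays = parse_imail_relays(imail_text)
    findings = []
    for spool_id, failed in parse_declude(declude_text).items():
        hits = []
        for test, reason, action in failed:
            w = WEIGHT_RE.search(reason)
            if test.startswith("WEIGHT") and w and action == "IGNORE":
                hits.append((int(w.group(2)), int(w.group(1))))
        if hits and spool_id in relays:
            limit, weight = max(hits)    # report the highest limit reached
            findings.append({"spool_id": spool_id, "weight": weight,
                             "limit": limit,
                             "tests": [t for t, _, _ in failed],
                             "relayed_to": relays[spool_id]})
    return findings


if __name__ == "__main__":
    for f in relayed_despite_weight(DECLUDE_LOG, IMAIL_LOG):
        print(f)
```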
[Declude.JunkMail] Sniffer Weight
I am in the process of installing Sniffer this week. After some reading I noticed this on their website.

IMPORTANT: Ebay, Yahoo groups, and other lists frequently include advertisements that may trigger matches in sniffer's rule base. While we are creating standard white-rules to mitigate the effects of this,

How has this impacted your sniffer configurations? What type of weight in relation to your weighting system do you assign?

Darrell
[Declude.JunkMail] HELOBOGUS - WHY?
I had this piece of mail fail the helobogus test. I am wondering why? Here are the message headers.

Received: from babel.avstarnews.com [12.24.201.132] by mail1.gannett-tv.com with ESMTP (SMTPD32-7.12) id A6A397880132; Wed, 08 Jan 2003 17:30:59 -0500
Received: by BABEL with Internet Mail Service (5.5.2653.19) id CRNNAKGW; Wed, 8 Jan 2003 16:29:30 -0600
Message-ID: 449249DE8813D711907B0090273F213704E08D@BABEL
From: [EMAIL PROTECTED]
To: x [EMAIL PROTECTED]
Subject: Server Remirroring Procedure
Date: Wed, 8 Jan 2003 16:29:26 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)

Darrell LaRock
RE: [Declude.JunkMail] Blacklisting based on % of bad addresses
Several people have mentioned about getting bogged down with postmaster errors to return addresses. I assume you mean that you bounce messages from Declude. Is there any reason why people shy away from using bogus address on your system so the undeliverable messages are discarded?

Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Frolick
Sent: Tuesday, December 03, 2002 12:14 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blacklisting based on % of bad addresses

Does anyone know if any of the Imail log analyzers reports number of good and bad deliveries by remote servers? I want to look at blacklisting remote addresses that send high percentage of messages to invalid addresses. These are most likely from mailing lists and therefore likely spam. I keep getting bogged down by postmaster errors to invalid return addresses, and it only keeps getting worse. I want to start tracking and blacklisting servers or originating IP's, anything, that causes these problems routinely.

Thanks,
Chuck Frolick
ArgoNet, Inc.
[Declude.JunkMail] Bounce Message
For those who have a small enough volume and bounce messages that fail your spam tests, how do you word your bounce messages? For example we use the following line

The message was rejected because it failed the following SPAM detection tests and has been marked as SPAM.

This tends to get a few replies from angry folks saying that they are not spammers. So I figure the best approach would be to explain that we are not rejecting their specific message, but messages from their server. Does anyone have some crafty wording that has been working along these lines?

Darrell
[Declude.JunkMail] Product of HOP?
Is this a product of HOP or a hiccup on spamcop's side?

11/26/2002 17:37:21 Qf79f094e00364534 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?205.188.139.134). Action=WARN.

20021126 173719 127.0.0.1 SMTPD (094E0036) [152.163.225.100] EHLO imo-r04.mx.aol.com
20021126 173719 127.0.0.1 SMTPD (094E0036) [152.163.225.100] MAIL From:[EMAIL PROTECTED]
20021126 173719 127.0.0.1 SMTPD (094E0036) [152.163.225.100] RCPT To:[EMAIL PROTECTED]
20021126 173719 127.0.0.1 SMTPD (094E0036) [152.163.225.100] e:\imail\spool\Df79f094e00364534.SMD 1510

In this instance spamcop shows the ip address as 205.188.139.134. My guess right now is that even though the mail was received from 152.163.225.100 it had to have passed through 205.188.139.134?

Thanks
Darrell
RE: Re: [Declude.JunkMail] Increase in SPAMCOP listing
I had the same thing happen to me yesterday as well. Got several complaints from AOL users.

Darrell LaRock

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Milburn
Sent: Wednesday, November 27, 2002 10:00 AM
To: [EMAIL PROTECTED]
Subject: DSN:Re: [Declude.JunkMail] Increase in SPAMCOP listing

Hi John,

I have noticed this as well. Yesterday Spamcop failed several legitimate messages from AOL users. Maybe they are not clearing out the false reports as regularly as they normally do because of the holiday week.

-Brian

On 11/27/02 6:51am you wrote...

Has any one else noticed an increase in the number of legit companies listed on SPAMCOP? I have been having to increase my white filter list.

Examples:
Ebay.com
Techrepublic.com
winntmag.com

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
[Declude.JunkMail] IPBYPASS - Not sure if this is working??
I am not 100% sure IPBYPASS is working. I am running Declude 1.60. The following email was found in the spool directory. It has no markings that it was scanned by declude. Although checking the logs it failed many tests for declude. I did not find any markings in the file listed below that it was scanned by declude?

File: Da436386800b47455.SMD

Received: from mail2.gannett-tv.com [12.25.87.100] by mail1.gannett-tv.com with ESMTP (SMTPD32-7.12) id A436386800B4; Wed, 20 Nov 2002 10:03:18 -0500
Received: from nea43.etracks.com ([209.19.106.43]) by mail2.gannett-tv.com with Microsoft SMTPSVC(5.0.2195.5329); Wed, 20 Nov 2002 10:03:23 -0500
Received: (from [EMAIL PROTECTED]) by nea43.etracks.com (1.0/1.0) id 1tbKHOG2WTzcj71hNCIdfdNveOoeaeOosOQrcz06 for [EMAIL PROTECTED]; Wed, 20 Nov 2002 06:53:35 -0800 (PST)
Date: Wed, 20 Nov 2002 06:53:35 -0800 (PST)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
From: eLuckyDay [EMAIL PROTECTED]
Subject: Your next car at your price.
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=EF990506TS01
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 20 Nov 2002 15:03:24.0080 (UTC) FILETIME=[F8F7FB00:01C290A5]

LOG FILES

Imail Log file

20021120 100318 127.0.0.1 SMTPD (386800B4) [209.94.11.105] connect 12.25.87.100 port 1297
20021120 100318 127.0.0.1 SMTPD (386800B4) [12.25.87.100] EHLO mail2.gannett-tv.com
20021120 100318 127.0.0.1 SMTPD (386800B4) [12.25.87.100] MAIL FROM:[EMAIL PROTECTED]
20021120 100318 127.0.0.1 SMTPD (386800B4) [12.25.87.100] RCPT TO:[EMAIL PROTECTED]
20021120 100318 127.0.0.1 SMTPD (386800B4) [12.25.87.100] e:\imail\spool\Da436386800b47455.SMD 6691

Declude Log File

11/20/2002 10:03:39 Qa436386800b47455 Msg failed BLACKLIST ().
11/20/2002 10:03:39 Qa436386800b47455 Msg failed FXBLACKLIST ( ID-20021118-000726).
11/20/2002 10:03:39 Qa436386800b47455 Msg failed OSSRC (http://groups.google.com/groups?q=etrackshl=enlr=ie=UTF-8scoring=d) .
11/20/2002 10:03:39 Qa436386800b47455 Msg failed HEUR10 (Heuristic spam detection level 10 [1.00]).
11/20/2002 10:03:39 Qa436386800b47455 Msg failed WEIGHT10 (Weight of 25 reaches or exceeds the limit of 10.).
11/20/2002 10:03:39 Qa436386800b47455 Msg failed WEIGHT15 (Weight of 25 reaches or exceeds the limit of 15.).
11/20/2002 10:03:39 Qa436386800b47455 Msg failed WEIGHT20 (Weight of 25 reaches or exceeds the limit of 20.).

Global Config

IPBYPASS 12.25.87.100

Any thoughts

Darrell
RE: [Declude.JunkMail] IPBYPASS - Not sure if this is working??
Scott,

What I was referring to with IPBYPASS is the 12.25.87.100 is a backup mail server that needed to be skipped. My HOP Settings are as follows

HOP 0
HOPHIGH 2

I did not find any reference in the imail logs to the Q File. There was no other references in the log files pertaining to a436386800b47455. I am almost positive that the mail wasn't delivered. However, not seeing the declude generic headers added and seeing how the email was scanned and the declude logs showing it was scanned concerned me. It led me down the trail that maybe mail being routed through the backup server was getting through somehow.

Also, the D* file no longer exists - does Imail purge D* files that do not have an associated Q file?

Darrell

Darrell LaRock
Information Systems Analyst
Gannett Television
716-849-2272

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Wednesday, November 20, 2002 10:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] IPBYPASS - Not sure if this is working??

I am not 100% sure IPBYPASS is working. I am running Declude 1.60. The following email was found in the spool directory. It has no markings that it was scanned by declude.

That's not an IPBYPASS issue. The IPBYPASS (and HOP/HOPHIGH) options let Declude JunkMail know which hop to scan (IE the computer connecting to your mailserver, the computer connecting to your backup mailserver, etc.). No matter what the settings are, you should still see the 'generic' Declude headers (such as X-Note:, X-Declude-Sender:, etc.).

File: Da436386800b47455.SMD

Was there also a Q*.SMD file for this E-mail (without one, IMail won't try to deliver the E-mail)?

LOG FILES
Imail Log file
20021120 100318 127.0.0.1 SMTPD (386800B4) [12.25.87.100] e:\imail\spool\Da436386800b47455.SMD 6691

Were there any references to a436386800b47455 in the log file after this (showing IMail trying to deliver the E-mail)?

-Scott
RE: [Declude.JunkMail] IPBYPASS - Not sure if this is working??
Scott, The logs still do not reflect that the mail was delivered. Although there are no traces of it in the spool directory. I also checked for locked files _* and did not find any. I do have a declude.gp1 and declude.gp2 but they are dated 10/16/2002. I understand there is not much to go on, is there anything I can monitor to make sure all is well. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Wednesday, November 20, 2002 11:08 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] IPBYPASS - Not sure if this is working?? What I was referring to with IPBYASS is the 12.25.87.100 is a backup mail server that needed to be skipped. My HOP Settings are as follow's HOP 0 HOPHIGH 2 Don't worry about that -- the IPBYPASS/HOP/HOPHIGH settings won't cause the behavior you saw. I did not find any reference in the imail logs to the Q File. You won't. What you need to do is look in the spool directory (where you found the D*.SMD file) for a matching Q*.SMD file. If there isn't one, then there is a problem of some sort (in this case, it would likely mean that IMail tried delivering the E-mail but could not, and could not bounce it either). There was no other references in the log files pertaining to a436386800b47455. I am almost positive that the mail wasn't delivered. Is there a file _a436386800b47455.~MD in the spool directory (which would indicate that the file is locked)? Are there any C:\Declude.gp1 or C:\Declude.gp2 files? Also, the D* file no longer exists - does Imail purge D* files that do not have an associated Q file? Ah, that's why the Q*.* file didn't exist -- IMail has delivered the E-mail. Now, you'll see the E-mail delivery in the IMail log files. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. 
RE: [Declude.JunkMail] IPBYPASS - Not sure if this is working??
It's hard to say what happened here. Are you sure that the D*.SMD file you looked at originally wasn't just an E-mail that was arriving on the server (in which case you may have opened it while Declude JunkMail was processing it, before it added its headers)?

-Scott

Scott, that very well may be the case. I was under the impression Declude processes the mail prior to it being placed in the spool directory. Is that not the case?

Darrell
RE: [Declude.JunkMail] Latest Statistics on the Kill list- Image`fx
Tom,

Is there any criteria to get listed on your list? I have noticed over the last couple of weeks that more and more sites that I would have thought would be legitimate are being listed. Here are a few for example.

w2knews.com
MONROECOUNTYGEORGIA.COM -
bellnexxia.net - isp site for network diagnostics
webmd.com
ohiobank.com - an actual bank
jcrew.com
winnetmag.com

I completely understand that it is your list and it is a use at your own risk type of list, but in order for me to effectively use it, knowing the criteria that one gets listed on it would be helpful.

Thanks
Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom
Sent: Monday, September 30, 2002 3:34 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Latest Statistics on the Kill list- Image`fx

Report ID Version 1.03b
Detailed Report for: 09/29/2002 03:18:53
Log file examined: x:\dec0929.log
Fromfile examined: x:\FROMFILE.TXT
Fromfile copied to: x:\APPS\DELOG\FROMFILE.TXT
Merge file examined: x:\KILL.TXT
Merge file copied to: x:\APPS\DELOG\DAILY.TXT
Clean action set to: 60
Save removed files: YES
Write removed with IDs: YES
Re-format the fromfile: NO
Check the fromfile for dupes: NO
Duplicates found in fromfile: 0
Total addresses in fromfile: 1332
Total addresses updated: 196
Total new addresses added: 39
Total old addresses removed: 0
Total addresses in merge file: 41
Total duplicate merge addresses: 2
Total addresses now in fromfile: 1371
Total percentage of fromfile usage: 15%
Total Unique Message Count: 2639
Total Unique Identifiers found: 196
Total failure of all Identifiers: 1551
Total Percent of ID effectiveness: 59%

List of spammers caught by the kill file:
RE: [Declude.JunkMail] SpamReview Request - Delete All
Delete All - Deletes all entries.

ctrl+a del

Delete All and Exit - Deletes all entries then exits (deleting deleted if switch is 'on')

ctrl+a del alt+f4

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Heath
Sent: Tuesday, September 24, 2002 10:19 PM
To: Tom
Subject: [Declude.JunkMail] SpamReview Request - Delete All

Ok, SpamReview mailFrom is working great for me with the proper string detect...!!!

Now for another request. Two more buttons:

Delete All - Deletes all entries.
Delete All and Exit - Deletes all entries then exits (deleting deleted if switch is 'on')

This is really what is needed. This way one may inspect select messages and manage them then delete the rest in one blow. This will save me even more time from an already great time saving program.

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com
RE: [Declude.JunkMail] Wordfilter in BASE64?
I believe from a previous posting someone mentioned Dell sends some email out encoded as Base64.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
Sent: Wednesday, September 25, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Wordfilter in BASE64?

That's what I suspected. Has anyone seen HTML Base64 segments that *weren't* spam? Are there any email clients that actually put out such a thing?

At 08:14 AM 9/25/2002, Madscientist wrote:

Declude does not decode base64, rather it simply detects html base64 segments which are highly likely to be spam.

_M

]-----Original Message-----
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
]Sent: Wednesday, September 25, 2002 8:10 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Wordfilter in BASE64?
]
]
]I just saw an email that *should* have been caught several times over with
]various BODY CONTAINS filters, but wasn't - instead, it caught BASE64.
]Does Declude decode the BASE64 body and then apply the wordfilter? Because
]it seems like it might not.
]
]___
]Scott MacLean
][EMAIL PROTECTED]
]ICQ: 9184011
]http://www.nerosoft.com

___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com
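The gap discussed in this thread, as an added example (not Declude's code and not written by anyone in the thread): a phrase match run over the body as stored misses text inside a base64-encoded HTML part, while the same match over the MIME-decoded part finds it. The two messages, the phrase list and all function names are constructed for illustration.

```python
import base64
from email import message_from_string

# Constructed samples: the same HTML body, once base64-encoded and once as 7bit.
_HTML = "<html><body><p>Claim your FREE MORTGAGE QUOTE today</p></body></html>"
_HEADERS = (
    "From: sender@example.invalid\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
)
SAMPLE_B64 = (
    _HEADERS
    + "Content-Transfer-Encoding: base64\n\n"
    + base64.encodebytes(_HTML.encode("ascii")).decode("ascii")
)
SAMPLE_PLAIN = _HEADERS + "Content-Transfer-Encoding: 7bit\n\n" + _HTML + "\n"

# Hypothetical phrase list standing in for BODY ... CONTAINS filter lines.
PHRASES = ["free mortgage quote"]


def raw_hits(raw, phrases):
    """Phrase match over the body exactly as stored, with no MIME decoding."""
    body = raw.partition("\n\n")[2].lower()
    return [p for p in phrases if p.lower() in body]


def decoded_text_parts(raw):
    """Yield (content_type, transfer_encoding, text) for every text/* part."""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and attachments
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "latin-1"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1")
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        yield part.get_content_type(), cte, text


def decoded_hits(raw, phrases):
    """Phrase match over each text part after transfer decoding."""
    found = []
    for _ctype, _cte, text in decoded_text_parts(raw):
        low = text.lower()
        for p in phrases:
            if p.lower() in low and p not in found:
                found.append(p)
    return found


def base64_html_parts(raw):
    """Count text/html parts sent base64-encoded (the pattern the BASE64 test flags)."""
    return sum(
        1
        for ctype, cte, _text in decoded_text_parts(raw)
        if ctype == "text/html" and cte == "base64"
    )


if __name__ == "__main__":
    for name, msg in (("base64", SAMPLE_B64), ("7bit", SAMPLE_PLAIN)):
        print(name, "raw:", raw_hits(msg, PHRASES),
              "decoded:", decoded_hits(msg, PHRASES),
              "b64 html parts:", base64_html_parts(msg))
```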
RE: [Declude.JunkMail] Whitelist Request
What do networksolutions and verisign fail that you whitelist them?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Frolick
Sent: Wednesday, September 18, 2002 12:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Whitelist Request

Would you mind sharing your list? Mine, sadly enough, only has 8 rules currently, all except two are for mailing I get that are false positives. My current list is:

MAILFROM 0 STARTSWITH [EMAIL PROTECTED]
MAILFROM 0 CONTAINS @declude.com
MAILFROM 0 CONTAINS @verisign.com
MAILFROM 0 CONTAINS @verisign.net
MAILFROM 0 CONTAINS @networksolutions.com
MAILFROM 0 CONTAINS aarl.org
MAILFROM 0 STARTSWITH bounce-ethnicjokes-
BODY 0 CONTAINS Beliefnet, Inc. All rights reserved.

So far the list only includes entries I have had problems in the past with, the verisign ones were whitelist entries, and I may refine them to specific mailings from them.

Chuck Frolick
ArgoNet, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Kaylor, Domain Mail Administrator
Sent: Wednesday, September 18, 2002 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Whitelist Request

That's what I did...using the address list, I give it a weight of -140, which is more than the total of ALL of my tests added together...

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Frolick
Sent: Wednesday, September 18, 2002 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Whitelist Request

I decided I will start using filter file to whitelist legitimate mailing lists from listservers that also support spammers, since they seem to be the bulk of my false positives. I am giving them all 0 weight in the list, but will give the whole test a very high negative weight. I currently only have a few examples, since I am not that aggressive yet in my weights, but I welcome any suggestions.
This should allow everyone to be much more aggressive. Maybe a version of the filter test that is a whitelist wouldn't be a bad idea. The filter tests allow for more flexibility than the standard whitelist, leaving in many cases less room for error.

Chuck Frolick
ArgoNet, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
Sent: Wednesday, September 18, 2002 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Whitelist Request

Rick,

I completely agree with you. I don't like risking corruption to the global.cfg file through an ASP/CGI script error. Our idea is to turn up the weight tests and whitelist all of our customer base. The external whitelist makes it easier to keep that update.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
Sent: Wednesday, September 18, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Whitelist Request

Hi Bob,

There are a few reasons I want/need the whitelist separate. One being that it will be easy to push a copy of the whitelist via ftp to each relevant system instead of manually or programmatically attaching to each server and editing the global.cfg. Secondly the global.cfg file is basically static information aside from the whitelist, so interfacing with it programmatically seems like wasted effort to me. I don't believe Scott intended the whitelist to be used as much as it is but unfortunately the amount of legit servers needing whitelisting is enough to make the whitelist an important feature of Declude.

The level of modification will just be adding and removing white and black list entries as well as word and phrase filter lines. We can do this via the web and email.

Have a great day!
Rick Davidson
Buckeye Internet Services
www.buckeyeweb.com
440-953-1900

----- Original Message -----
From: Robert Shubert [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 17, 2002 5:57 PM
Subject: Re: [Declude.JunkMail] Whitelist Request

Rick,

I too am planning to advance Declude administration to my users via a web application. Although I saw no reason why I couldn't programmatically change the global.cfg and other files. Could I ask your reasoning?

Also, to what level of modification do you anticipate? The numerous options that Declude allows for will make 100% remote editing quite a challenge.

Thanks for your input.

Bob

Rick Davidson wrote:

Howdy Scott,

Was wondering if you would consider creating a separate whitelist file for management purposes. Currently I have one customer with 4 Imail servers peered as a single domain across the country (US :-) I maintain master black lists and word filters on my workstation and use a batch file to FTP them to each server. Also, we are developing some web based management tools for Declude and would rather not have to programmatically access
RE: [Declude.JunkMail] OT - Listed on Spwes!
I agree SPEWS is very aggressive when it comes to blocking. SPEWS likes to block adjacent netblocks in order to get legitimate customers to pressure the ISP. To get removed from the SPEWS list it takes practically an act of God to get something removed. They say for you to post to the NANAE newsgroup, but nothing usually ever comes out of that.

The moral of this story is the only option you have is to force your ISP to issue you a new set of public IPs.

And when Scott says you need to be extremely polite that is an understatement.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, September 17, 2002 8:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT - Listed on Spwes!

I've found out that our netblock (/24 bit net carved out of a Class B net) has been listed on Spews!. Not because of our doing but because it's part of an upper block of Worldcom. The 'evidence' pages show this coming from a completely different network.

That's what SPEWS does. I haven't seen them block a Class B before, just Class Cs (where the spammer and the innocent victim each shared IPs on the same Class C).

However, it is generally agreed that the SPEWS test should not be used as a spam test -- because of their approach, they list a lot of legitimate mailservers.

Does anyone have any experience with this and/or getting removed?

I haven't heard of anyone getting removed, but I believe there is some ritual you can perform by going onto a newsgroup somewhere and being extremely polite... but that could just be a rumor.

-Scott
RE: [Declude.JunkMail] OT - Listed on Spwes!
If you are a victim of a spews adjacency - depending on the ISP they may work with you to give you a clean netblock not in SPEWS.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Tuesday, September 17, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OT - Listed on Spwes!

Well switch to a new ISP

Ha! Right... And change a whole firewall, network, mail, routing, vpn, etc. configuration just because those jerks can't exclude a subnet.

Not only that, but how are you going to know what IP addresses the new ISP will assign you until after you sign the contract, and that they are not listed?

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
RE: [Declude.JunkMail] School system needs advice
When you get back to work post your global.config file so we can see how you have it setup. I am sure a lot of people will be able to offer good advice upon seeing your config file.

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Curtis Faulkner
Sent: Tuesday, September 03, 2002 7:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] School system needs advice

Thanks to all of you for your quick help!

Darrell, I feel like a bad network admin, as I can't answer the question about our current tests right now. My boss brought this issue up with me sick at home and I currently can't get to my server or backups (I tend to make my NT's very inaccessible out of an NT security paranoia).

I've explained to management that no solution will get 100% (I'm familiar with this concept and have been trying to explain it for a month to my boss for various needs). So far on this project, he is trusting me, according to a recent e-mail, to augment the current solution or to correct the config to provide better service. Hopefully, I will continue to keep us away from the corporate-is-better mentality that quite often enters in these type of scenarios. I just want the best product for the job and feel that it will include Declude, whether it means a new config or adding Message Sniffer.

-Curtis

On 9/3/2002 5:21 PM, Darrell L. [EMAIL PROTECTED] wrote:

Does anyone have suggestions on how I can quickly tune Declude JunkMail to provide a decent-quality result? I generally like Declude (especially Virus), but a flashy corporate package tends to look good to management types and failure seems to be more accepted if it comes from a multi-million dollar corporation.

You will never be able to stop 100% of all the porn spam. You should be able to get a good percentage. However, if the mindset in place is that failure seems to be more accepted if it comes from a multi-million dollar corporation, then you are already behind the 8-ball.

What tests are you using?

Darrell
RE: [Declude.JunkMail] School system needs advice
Does anyone have suggestions on how I can quickly tune Declude JunkMail to provide a decent-quality result? I generally like Declude (especially Virus), but a flashy corporate package tends to look good to management types and failure seems to be more accepted if it comes from a multi-million dollar corporation.

You will never be able to stop 100% of all the porn spam. You should be able to get a good percentage. However, if the mindset in place is that failure seems to be more accepted if it comes from a multi-million dollar corporation, then you are already behind the 8-ball.

What tests are you using?

Darrell
RE: [Declude.JunkMail] Variables For Alerts And Bounces
When you look at the email it did not format as expected. The actual output should show the "Weight of 16 reaches or exceeds the limit of 10." on another line instead of a continuation of the previous line.

Output:
OSSRC, SPAMCOP, HELOBOGUS, SPAMHEADERS, WEIGHT10, WEIGHTA10, WEIGHTH5, WEIGHT15
Weight of 16 reaches or exceeds the limit of 10.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell L.
Sent: Monday, August 19, 2002 9:44 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Variables For Alerts And Bounces

I am testing the bounce and Alert action. I have noticed something that I am not 100% sure about and wanted to ask.

I have the following in my bounce message

TEST(S) FAILED: %TESTSFAILED% %WARNING%

Now my understanding from the docs is that the %WARNING% should display information that is displayed in the X-RBL-Warning header like

X-RBL-Warning: OSSOFT: [1] stubberfield, see http://spews.org/ask.cgi?S359
X-RBL-Warning: OSSRC: http://spamhaus.org/SBL/sbl.lasso?query=SBL3716
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.122.237.194

However instead it displays what I believe to be the %WEIGHT% variable

ACTUAL OUTPUT FROM A GENERATED BOUNCE

TEST(S) FAILED: OSSRC, SPAMCOP, HELOBOGUS, SPAMHEADERS, WEIGHT10, WEIGHTA10, WEIGHTH5, WEIGHT15 Weight of 16 reaches or exceeds the limit of 10.

Declude 1.57 beta

Darrell
[Declude.JunkMail] What Action Do you take?
I am sure most people use the weighting system. For the most part you have certain weights where you know that 99% of the mail triggering that weight is spam. Do you BOUNCE, HOLD, or DELETE?

Right now I am using HOLD, but was considering switching that to BOUNCE. There are definitely some pros and cons to both. Any thoughts?

Darrell
[Declude.JunkMail] Log Files
What is the difference between

08/01/2002 16:51:25 Q9f490135007eeff8 R1 Message OK
08/01/2002 16:51:25 Q9f490135007eeff8 L2 Message OK
08/01/2002 16:51:50 Q9f610136007e4e35 L1 Message OK

When a message is R1 L2 or L1?

Darrell
[Declude.JunkMail] WEIGHT20 Problem
I have a weight setup for WEIGHT20, but it was commented out in my default.junkmail file but the logs showed an actual message that failed this test even though it was commented out. Using Version 1.57 beta, did not see this happen with 1.55b.

$default$.junkmail

WEIGHT15 HOLD
#WEIGHT20 WARN

LOG

07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed ORDB (This mail was handled by an open relay - please visit http://ORDB.org/lookup/?host=148.81.231.152).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed OSRELAY (This entry was last confirmed open on 5/9/2002).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?148.81.231.152).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed NOABUSE (Not supporting abuse@domain).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed REVDNS (This E-mail was sent from a MUA/MTA 148.81.231.152 with no reverse DNS entry.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000120f].).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT10 (Weight of 34 reaches or exceeds the limit of 10.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT5 (Weight of 34 reaches or exceeds the limit of 5.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT15 (Weight of 34 reaches or exceeds the limit of 15.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT20 (Weight of 34 reaches or exceeds the limit of 20.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed DSBL (http://dsbl.org/listing.php?148.81.231.152).

Darrell LaRock
Information Systems Analyst
Gannett Television
716-849-2272

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
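A way to check for the situation reported in this post across a whole log, as an added example (not part of the post and not Declude's own tooling): it lists, per message, which failed tests have an active action line, which appear only on a commented-out line, and which have no line at all. It assumes the one-`TEST ACTION`-per-line layout with `#` comments shown in the excerpt; the function names are hypothetical, and the config and log lines embedded here are copied from the post.

```python
import re

# Action lines and a subset of the log lines quoted in the post above.
CONFIG = "WEIGHT15\tHOLD\n#WEIGHT20\tWARN\n"
LOG = """\
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?148.81.231.152).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed REVDNS (This E-mail was sent from a MUA/MTA 148.81.231.152 with no reverse DNS entry.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT10 (Weight of 34 reaches or exceeds the limit of 10.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT5 (Weight of 34 reaches or exceeds the limit of 5.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT15 (Weight of 34 reaches or exceeds the limit of 15.).
07/30/2002 17:41:08 Q07e600b80106bb9f Msg failed WEIGHT20 (Weight of 34 reaches or exceeds the limit of 20.).
"""

# date time, queue id, test name, free-text reason in parentheses, final period
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-f]+) Msg failed (\S+) \((.*)\)\.$"
)
WEIGHT_RE = re.compile(r"Weight of (\d+) reaches or exceeds the limit of (\d+)")


def parse_actions(config_text):
    """Return (active, commented): test name -> action for live and '#' lines."""
    active, commented = {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 2:
            continue  # free-text comment or malformed line
        # A prose comment can land in `commented` too; harmless, since the
        # table is only ever looked up by test names taken from the log.
        (commented if is_comment else active)[fields[0].upper()] = fields[1].upper()
    return active, commented


def audit(config_text, log_text):
    """Group 'Msg failed' lines by queue id and sort tests by config status."""
    active, commented = parse_actions(config_text)
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "Msg failed" line
        _when, qid, test, reason = m.groups()
        entry = report.setdefault(
            qid, {"weight": None, "acted": {}, "commented_out": [], "no_action": []}
        )
        w = WEIGHT_RE.search(reason)
        if w:
            entry["weight"] = int(w.group(1))  # total weight of the message
        if test in active:
            entry["acted"][test] = active[test]
        elif test in commented:
            entry["commented_out"].append(test)
        else:
            entry["no_action"].append(test)
    return report


if __name__ == "__main__":
    for qid, entry in audit(CONFIG, LOG).items():
        print(qid, entry)
```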
[Declude.JunkMail] Whitelist Not Working What Am I doing wrong
I add the following line to my global.cfg file

WHITELIST IP 66.54.32.*

However, messages from the 66.54.32.* subnet are not being WhiteListed. What am I doing wrong?

Darrell

Received: from [66.54.32.207] by mail1.gannett-tv.com (SMTPD32-7.11) id A3743F003C; Mon, 29 Jul 2002 16:20:04 -0400
From: KSDK Web Form - Muny Contest Entrant
To: KSDK Web Form Submission [EMAIL PROTECTED]
Subject: [POTENTIAL SPAM] Muny
Date: 29 Jul 2002 20:29:19
Importance: Normal
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: ASPXPMail Version: 1.0.0065
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7-bit
Message-Id: 200207291620296.SM00624@
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c042020e].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c042020e].
X-Spam-Tests-Failed: BADHEADERS, SPAMHEADERS, WEIGHT5
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-UIDL: 327958377
RE: [Declude.JunkMail] Whitelist Not Working What Am I doing wrong
I believe my problem was related to lack of reading the docs closely. It turns out the docs say to not put a * on the end but just leave the trailing ".", i.e.

WHITELIST IP 66.54.32.

Sorry for wasting everyone's time.

dl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell L.
Sent: Monday, July 29, 2002 4:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Whitelist Not Working What Am I doing wrong

I add the following line to my global.cfg file

WHITELIST IP 66.54.32.*

However, messages from the 66.54.32.* subnet are not being WhiteListed. What am I doing wrong?

Darrell

Received: from [66.54.32.207] by mail1.gannett-tv.com (SMTPD32-7.11) id A3743F003C; Mon, 29 Jul 2002 16:20:04 -0400
From: KSDK Web Form - Muny Contest Entrant
To: KSDK Web Form Submission [EMAIL PROTECTED]
Subject: [POTENTIAL SPAM] Muny
Date: 29 Jul 2002 20:29:19
Importance: Normal
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: ASPXPMail Version: 1.0.0065
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7-bit
Message-Id: 200207291620296.SM00624@
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c042020e].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c042020e].
X-Spam-Tests-Failed: BADHEADERS, SPAMHEADERS, WEIGHT5
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-UIDL: 327958377
RE: [Declude.JunkMail] Whitelist Not Working What Am I doing wrong
Scott,

In the new version is it even able to handle more refined subnets like 1.1.1.16/28?

Darrell

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, July 29, 2002 4:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Whitelist Not Working What Am I doing wrong

I add the following line to my global.cfg file

WHITELIST IP 66.54.32.*

However, messages from the 66.54.32.* subnet are not being WhiteListed. What am I doing wrong?

That's because Declude JunkMail doesn't understand what the * means. You can either use WHITELIST IP 66.54.32., or with the most recent version, you can use WHITELIST IP 66.54.32.0/24.

-Scott
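A lint for the mistake this thread turns on, as an added example (not Declude's code, and not from Scott or Darrell): it classifies each `WHITELIST IP` value as exact address, trailing-dot prefix, CIDR block or unsupported, and for a `*` entry proposes the two forms Scott names. It assumes the trailing-dot form is a plain string-prefix match and that a form Declude does not understand never matches; the thread does not say whether Declude accepts a /28, so the /28 case here only shows the address arithmetic and why no trailing-dot form can express it.

```python
import ipaddress
import re

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_EXACT_RE = re.compile(rf"^(?:{_OCTET}\.){{3}}{_OCTET}$")
_PREFIX_RE = re.compile(rf"^(?:{_OCTET}\.){{1,3}}$")
_WILDCARD_RE = re.compile(rf"^((?:{_OCTET}\.){{1,3}})\*(?:\.\*)*$")


def classify(value):
    """Return 'exact', 'prefix', 'cidr' or 'unsupported' for a WHITELIST IP value."""
    if "/" in value:
        try:
            ipaddress.ip_network(value, strict=True)  # rejects host bits set
            return "cidr"
        except ValueError:
            return "unsupported"
    if _EXACT_RE.match(value):
        return "exact"
    if _PREFIX_RE.match(value):
        return "prefix"
    return "unsupported"  # includes the 66.54.32.* form from the thread


def matches(value, ip):
    """Model of whether a whitelist value covers a connecting IP (see assumptions)."""
    addr = ipaddress.ip_address(ip)
    kind = classify(value)
    if kind == "cidr":
        return addr in ipaddress.ip_network(value)
    if kind == "exact":
        return addr == ipaddress.ip_address(value)
    if kind == "prefix":
        return str(addr).startswith(value)  # trailing dot stops 66.54.32 vs 66.54.320
    return False


def suggest(value):
    """For a '*' wildcard entry, return [trailing-dot form, CIDR form]; else []."""
    m = _WILDCARD_RE.match(value)
    if not m:
        return []
    prefix = m.group(1)
    n = prefix.count(".")  # number of fixed octets
    cidr = prefix + "0." * (3 - n) + "0/" + str(8 * n)
    return [prefix, cidr]


def prefix_equivalent(cidr):
    """Trailing-dot form of a CIDR block, or None when it is not octet-aligned."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        return None
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(octets) + "."


def lint_config(text):
    """Return [(value, kind, suggestions)] for every WHITELIST IP line."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].upper() == "WHITELIST" and fields[1].upper() == "IP":
            out.append((fields[2], classify(fields[2]), suggest(fields[2])))
    return out


if __name__ == "__main__":
    cfg = "WHITELIST IP 66.54.32.*\nWHITELIST IP 66.54.32.\nWHITELIST IP 66.54.32.0/24\n"
    for value, kind, fix in lint_config(cfg):
        print(value, kind, matches(value, "66.54.32.207"), fix)
```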