[Declude.JunkMail] Auto Sales Spam
Has anyone come up with a filter to deal with the rash of new car sales spam that has recently gotten bad? There doesn't seem to be much to filter on from a content standpoint. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] No one at Declude?
Was anyone able to download the all_list.dat file from the interim directory that David posted? Everything else downloaded for me except that file.
-Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 8:37 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Filters yes all_list.dat working on that.
-Original Message- From: John Dobbin [mailto:jo...@penpublishing.com] Sent: Thursday, April 18, 2013 9:14 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? David - with your support extended to the community, will you be able to offer maintenance of the all_list.dat as well as the filters?
-Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 1:02 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Not that I can think of, the real advantage is it shuts off all internal validations, AVG which has already stopped, SNF and CT which will stop anytime soon.
-Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 1:43 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Thanks David, So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs. the Bypass key?
-Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 1:09 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? If internal SNF is still ON then it can conflict with external Message Sniffer by grabbing the port which SNF uses. By using our fix will ensure internal SNF is turned OFF. If using the bypass key has everything OFF then that is fine too.
-Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:46 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? So - is there any advantage of using the hosts file trick (to invalidate the license server IP address) http://mailsbestfriend.com/declude-fix vs. using the special bypass license code? Does one enable more functions than the other?
-Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 12:31 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Yes Internal Sniffer is no longer a valid option. Need to switch to external.
-Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:06 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Uh - but with that code, the internal SNF is turned off? So one has to configure Sniffer as an external test with a separate Sniffer license code?
-Original Message- From: Stephan Chayer [mailto:scha...@intrasoft.net] Sent: Wednesday, April 17, 2013 5:37 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0
-Original Message- From: SM Admin [mailto:imailad...@bcwebhost.net] Sent: April 17, 2013 2:43 To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Apparently I was too quick on the draw as this line has since been added to the diag file: 04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY Did someone say something about new keys?
-Original Message- From: SM Admin Sent: Tuesday, April 16, 2013 10:25 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that? So then I restarted the Declude service and now the diag file only shows this: Declude 4.12.02 Diagnostics Compilation Platform: SmarterMail Copyright (c) 2000-2013 Declude, Inc. Host Name mail1.bcwebhost.net Declude Key redacted So I have no idea what's going on. Anyone?
-Original Message- From: Brian Baker Sent: Tuesday, April 16, 2013 7:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else?
- Original Message - From: Todd Richards to...@nnepa.com To: Declude.JunkMail@declude.com Sent: Monday, April 15, 2013 9:34 AM Subject: RE: [Declude.JunkMail] No one at Declude? What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude... Todd
[Declude.JunkMail] Sample global.cfg ?
Is there a current sample global.cfg available? I haven't looked through mine in awhile and I may have some outdated RBLs, etc. Would like to see the current sample just to get an idea of what may have changed.
RE: [Declude.JunkMail] No one at Declude?
Hi Darin, I don't have stats but in manual checks it seems to be about 50% of my spam.
stepvalve.net Creation date: 16 Apr 2013 16:13:00 Expiration date: 16 Apr 2014 08:13:00
kunstkennis.com Updated Date: 17-apr-2013 Creation Date: 16-apr-2013
shoputc.com Creation date: 16 Apr 2013 19:24:13 Expiration date: 16 Apr 2014 19:24:00
What ticks me off is a lot of it is registered with ENOM which is where I buy my domains.
From: Darin Cox [mailto:dc...@4cweb.com] Sent: Wednesday, April 17, 2013 1:34 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Hi Dave, Maybe we are looking at different cross-sections of the spam problem, but on our systems we see a lot from spammy domains that are not brand new. Darin.
From: Dave Beckstrom mailto:db...@atving.com Sent: Wednesday, April 17, 2013 2:22 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Darin, The new domain test would work on a majority of spam. Here is one from the saffron extract spams that are being sent. Just got this one this morning. Received: from mail3.llorynlouise.com [173.237.33.77] by [Querying whois.enom.com] [whois.enom.com] Updated Date: 17-apr-2013 Creation Date: 16-apr-2013
From: Darin Cox [mailto:dc...@4cweb.com] Sent: Wednesday, April 17, 2013 1:14 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? FYI... I spot-checked some of the domains involved in what we were seeing. Many were two or three years old, so the new domain test would not work on them. On the report, there are log parsers that will do that for you, including Grep and Sawmill. We don't use those, but import our logs into SQL Server for processing and reporting. Darin.
From: Dave Beckstrom mailto:db...@atving.com Sent: Wednesday, April 17, 2013 1:37 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? I put in a request to Darrell at Invariant to see if he could update URIExtract to produce a report of IPs on top of the domain report that it currently produces. What I've been doing is if I receive one spam from say 69.22.136.43 and another spam from 69.22.136.48 then I firewall 69.22.136.0/24. I'd like to see a report of IPs extracted from emails and a count of how many emails were found from a given IP -- reports taken from the INVURIBL log files, that is. I've not heard back from Darrell. I don't have any other tool at my disposal for extracting those IPs. What we really need, is something that would do a whois query and for any domain registered within say the last 24 hours then declude could hold or delete the email. The majority of spam seems to be from spammers who registered a domain using fake credit card and by the time the registrar figures out they didn't get paid then the spammer is on to the next domain.
From: Darin Cox [mailto:dc...@4cweb.com] Sent: Wednesday, April 17, 2013 12:23 PM To: Declude.JunkMail@declude.com Subject: [SPAM]- Score (19)Re: [Declude.JunkMail] No one at Declude? Not many IPs in that range in use yet according to SenderBase, but those that are are very bad. We've been seeing a lot of spam traffic where SenderBase didn't have any measurements on the IP yet that we were seeing, but had a number of others in the same subnet... all bad. Darin.
From: Katie La Salle-Lowery mailto:ka...@centric.net Sent: Wednesday, April 17, 2013 1:06 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Here are the headers of an example I received.
Received: from pop.mountainmusicmeltdown.com [207.223.191.101] by mail.centric.net with ESMTP (SMTPD-11.01) id 1950001a04b74c7d; Wed, 17 Apr 2013 08:57:09 -0600
From: credit line increase barbara_watk...@mountainmusicmeltdown.com
To: ka...@centric.net
Subject: Magnificent News! TransUnion Gave You a Credit Increase
Date: Wed, 17 Apr 2013 10:50:56 -0400
Message-ID: 34770215301099823782438a696834a88ab99428fd8da700613@pop.mountainmusicmeltdown.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-MessageSniffer-Identifier: C:\IMail\spool\proc\work\D1950001a04b74c7d.smd
X-GBUdb-Analysis: 0, 207.223.191.101, Ugly c=0.279065 p=1 Source Truncate
X-MessageSniffer-Scan-Result: 20
X-MessageSniffer-Rules: 20-0-0--1-f
X-RBL-Warning: SUBCHARS-55: Subject with at least 55 characters found.
X-Declude-Sender: barbara_watk...@mountainmusicmeltdown.com [207.223.191.101]
X-Declude-Spoolname: D1950001a04b74c7d.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Centric Internet Services using Declude 4.12.01 for spam. http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [8] at 08:57:23 on 17 Apr 2013
X-Declude-Fail: SORBS-DUL [5], SORBS [4], SPFPASS [-1], SUBCHARS-55 [1]
X-Country-Chain: X-RCPT
RE: [Declude.JunkMail] Thank you for your email. I will be out of the office from 4/15/2013 until 4/19/2013. Dur
Everyone better add a filter to delete messages with Dan's name until he gets back. Can you say vicious circle?
-Original Message- From: Daniel Slentz [mailto:dsle...@oasisol.com] Sent: Saturday, April 13, 2013 3:19 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Thank you for your email. I will be out of the office from 4/15/2013 until 4/19/2013. Dur Thank you for your email. I will be out of the office from 4/15/2013 until 4/19/2013. During that time I will have limited access to email but will respond upon my return. If you require an immediate response, please contact ad...@oasisol.com. Have a great day Dan Slentz Network Engineer Oasis Online 775-423-6277
RE: [Declude.JunkMail] No one at Declude?
Someone should start up a new discussion list that everyone can join before this one goes away. It would be good to have a place to continue collaboration.
[Declude.JunkMail] Joe Jobs
Hi All, This isn't specifically a Declude question but I thought I'd ask anyway as it's still of interest to the group, I think. I have one domain that is being referenced in a Joe Job. Essentially, a spammer sends out thousands of emails using various compromised computers. In the FROM field, they put randomaddr...@mydomain.com. My server gets all the backscatter email from the victims' servers. This has been going on for better than 6 months. My server can handle the volume. The real problem is my customer gets nasty emails from people who think they spammed them and they don't realize it had nothing to do with our server or my customer. I've not been able to figure out a way to stop the spammers from using my domain in their FROM addresses. Essentially, I was trying to figure out if through SPF records or other means I could do something that would make referencing my domain ineffective for them. That didn't seem to help. Also, since they don't send through my server, there is little I can do. Have any of you had to deal with this situation? Any clever ideas? Thanks, Dave
[Declude.JunkMail] Whitelist emails with attachments?
Is there a way in declude to either whitelist or set a filter giving credit (negative weight), when an email sent to a specific user/domain has an attachment attached to it?
RE: [Declude.JunkMail] Dealing with Joe Jobs?
Hi Darin, Thanks for the reply. The mail server seems to handle the bounces okay as we don't have a catchall address set up. The smtp server connects, gets a no such user here response and disconnects. No mail is actually delivered. At least that is my interpretation (from the log files) as to what's happening. I suspect this has been going on for months with the one domain.
-Original Message- From: Darin Cox [mailto:dc...@4cweb.com] Sent: Wednesday, December 07, 2011 12:54 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Dealing with Joe Jobs? Hi Dave, We see this occasionally, and SPF does help a little, but SPF is often not enforced, so it's more valuable for self-addressed spam than anything else... and many senders violate their own SPF policy. Deleting your MX doesn't help since the bounces are coming from all over, not from the spammer. We have occasionally put in additional filtering rules for the domain in question to look for keywords such as Undeliverable and hold hits for review, but most of the time our regular filtering does a good enough job that the customer doesn't get most of the bounces. Usually the joe-job lasts for 1-2 weeks and then it's over. Hope this helps, Darin.
- Original Message - From: Dave Beckstrom db...@atving.com To: Declude.JunkMail@declude.com Sent: Tuesday, December 06, 2011 7:12 PM Subject: [Declude.JunkMail] Dealing with Joe Jobs? Hi All, This isn't a Declude topic but is relevant to dealing with a sort of spam issue. I hope nobody minds discussing this. I would appreciate hearing any advice you might have to offer. I have a customer whose domain is being used for Joe Jobs. Someone is randomizing email addresses for this domain and presumably sending out millions of emails. My mail server is dealing with the backscatter. I'm getting probably close to 50 - 100 server connections a minute. My smtp log shows the following type of entries (sanitized for posting here):
17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] rsp: 250-PERSEUS Hello [216.127.80.40] 250-SIZE 62914560 250-AUTH LOGIN CRAM-MD5 250 OK
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:
17:23:51 [216.127.80.40][30884] rsp: 250 OK Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:whiplash...@mycustomersdomain.com
17:23:51 [216.127.80.40][30884] rsp: 550 whiplash...@mycustomersdomain.com No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK
I had my SPF records set incorrectly and it was instructing other mail servers to accept email even if not from my mail server. I changed the SPF record a few days ago to instruct them to REJECT. I don't know if that change will eventually cause the spammer to move on to another domain or not. I actually deleted the customer's MX and A record for 2 days (over the weekend) to see if that might cause the spammer to find another domain. They aren't sending through my mail server, but I thought perhaps if their spam target recipient's server checked for a valid mx and found none that they would reject the spam. The theory being if the bulk of the spammer's email was rejected they might move on to another domain. Unfortunately, as soon as I added the MX and A record back then the backscatter started again. How do you guys deal with these? Just let it run its course? Thanks, Dave
[Declude.JunkMail] Dealing with Joe Jobs?
Hi All, This isn't a Declude topic but is relevant to dealing with a sort of spam issue. I hope nobody minds discussing this. I would appreciate hearing any advice you might have to offer. I have a customer whose domain is being used for Joe Jobs. Someone is randomizing email addresses for this domain and presumably sending out millions of emails. My mail server is dealing with the backscatter. I'm getting probably close to 50 - 100 server connections a minute. My smtp log shows the following type of entries (sanitized for posting here):
17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] rsp: 250-PERSEUS Hello [216.127.80.40] 250-SIZE 62914560 250-AUTH LOGIN CRAM-MD5 250 OK
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:
17:23:51 [216.127.80.40][30884] rsp: 250 OK Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:whiplash...@mycustomersdomain.com
17:23:51 [216.127.80.40][30884] rsp: 550 whiplash...@mycustomersdomain.com No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK
I had my SPF records set incorrectly and it was instructing other mail servers to accept email even if not from my mail server. I changed the SPF record a few days ago to instruct them to REJECT. I don't know if that change will eventually cause the spammer to move on to another domain or not. I actually deleted the customer's MX and A record for 2 days (over the weekend) to see if that might cause the spammer to find another domain. They aren't sending through my mail server, but I thought perhaps if their spam target recipient's server checked for a valid mx and found none that they would reject the spam. The theory being if the bulk of the spammer's email was rejected they might move on to another domain. Unfortunately, as soon as I added the MX and A record back then the backscatter started again. How do you guys deal with these? Just let it run its course? Thanks, Dave
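Added example (not part of the original post and not Declude or mail-server code): a Python sketch that measures the backscatter described above by reading an SMTP log in the layout of the posted excerpt and counting transactions where a null-sender message is refused with 550. The sample log, addresses and function names are constructed for illustration; an empty MAIL FROM, with or without angle brackets, is treated as the null sender that bounces use.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the excerpt in the post
# (time, [peer IP][session id], then "cmd:" or "rsp:"). Two sessions interleave.
SAMPLE_LOG = """\
17:23:50 [192.0.2.10][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [192.0.2.10][30884] cmd: EHLO mx1.example.net
17:23:51 [192.0.2.10][30884] rsp: 250-MAILHOST Hello [192.0.2.10] 250 OK
17:23:51 [198.51.100.7][30885] cmd: MAIL FROM:<alice@example.org>
17:23:51 [192.0.2.10][30884] cmd: MAIL FROM:<>
17:23:51 [192.0.2.10][30884] rsp: 250 OK <> Sender ok
17:23:51 [198.51.100.7][30885] rsp: 250 OK <alice@example.org> Sender ok
17:23:51 [192.0.2.10][30884] cmd: RCPT TO:<randomabc@customer.example>
17:23:51 [198.51.100.7][30885] cmd: RCPT TO:<sales@customer.example>
17:23:51 [192.0.2.10][30884] rsp: 550 <randomabc@customer.example> No such user here
17:23:51 [198.51.100.7][30885] rsp: 250 OK <sales@customer.example> Recipient ok
17:23:52 [203.0.113.5][30886] cmd: MAIL FROM:<>
17:23:52 [203.0.113.5][30886] rsp: 250 OK <> Sender ok
17:23:52 [203.0.113.5][30886] cmd: RCPT TO:<qwxz@customer.example>
17:23:52 [203.0.113.5][30886] rsp: 550 <qwxz@customer.example> No such user here
17:23:52 [203.0.113.5][30886] cmd: RSET
17:23:52 [203.0.113.5][30886] rsp: 250 OK
17:23:53 [203.0.113.5][30886] cmd: MAIL FROM:<bob@example.org>
17:23:53 [203.0.113.5][30886] rsp: 250 OK <bob@example.org> Sender ok
17:23:53 [203.0.113.5][30886] cmd: RCPT TO:<typo@customer.example>
17:23:53 [203.0.113.5][30886] rsp: 550 <typo@customer.example> No such user here
17:24:02 [192.0.2.10][30890] cmd: MAIL FROM:<>
17:24:02 [192.0.2.10][30890] rsp: 250 OK <> Sender ok
17:24:02 [192.0.2.10][30890] cmd: RCPT TO:<zz91@customer.example>
17:24:02 [192.0.2.10][30890] rsp: 550 <zz91@customer.example> No such user here
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) \[([^\]]+)\]\[(\d+)\] (cmd|rsp): (.*)$")


def _address(arg):
    """Mailbox from a MAIL FROM / RCPT TO argument; '' means the null sender."""
    arg = arg.strip()
    if arg.startswith("<"):
        end = arg.find(">")
        return arg[1:end] if end != -1 else arg[1:]
    return arg.split()[0] if arg else ""


def find_backscatter(log_text):
    """Return (time, peer_ip, recipient) for each null-sender RCPT refused with 550."""
    sessions = {}   # (ip, session id) -> state of the current mail transaction
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "connected at" and other non cmd/rsp lines
        when, ip, sid, kind, text = m.groups()
        state = sessions.setdefault((ip, sid), {"null_sender": False, "rcpt": None})
        if kind == "cmd":
            upper = text.upper()
            state["rcpt"] = None  # a new command ends the wait for a RCPT reply
            if upper.startswith("MAIL FROM:"):
                state["null_sender"] = _address(text[10:]) == ""
            elif upper.startswith("RCPT TO:"):
                state["rcpt"] = _address(text[8:])
            elif upper.startswith(("RSET", "EHLO", "HELO")):
                state["null_sender"] = False  # transaction reset
        elif text.startswith("550") and state["rcpt"] and state["null_sender"]:
            events.append((when, ip, state["rcpt"]))
            state["rcpt"] = None
    return events


def summarize(events):
    """Counts per minute, per sending server and per targeted domain."""
    return {
        "per_minute": dict(Counter(when[:5] for when, _, _ in events)),
        "per_source": dict(Counter(ip for _, ip, _ in events)),
        "per_domain": dict(Counter(r.rsplit("@", 1)[-1].lower() for _, _, r in events)),
    }


if __name__ == "__main__":
    found = find_backscatter(SAMPLE_LOG)
    for event in found:
        print(*event)
    print(summarize(found))
```

The per-minute and per-domain counts show whether the volume is rising or tapering for the affected domain; the rejected bounce to typo@customer.example is not counted because it carries a real sender address.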
RE: [Declude.JunkMail] RE: email being delivered with blank body. What happened to body?
I get the same behavior with smartermail. I also run into (frequently) situations where it strips off attachments and people complain they don't receive their files. I have also seen where spam will skate right on past filters that should have triggered. I suspect there is some very specific series of events that causes the above weird things to happen.
From: Richard Lyon [mailto:rl...@piolaxusa.com] Sent: Monday, April 04, 2011 7:53 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] RE: email being delivered with blank body. What happened to body? I've seen it with lotus notes delivering to an Outlook client. The emails show fine in imails web mail. I've never found a fix. It's related to Lotus Notes replies - not the original email.
-Original Message- From: Rick Davidson rdavid...@nat.com Sent 4/4/2011 8:33:10 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] RE: email being delivered with blank body. What happened to body? Look for these messages in your log files WARNING: EOF in multipart processing I had that problem when I upgraded to Interceptor 3.4.10.48 back in Feb, I had to roll back to the previous version I was running which is 3.4.42 I have yet to hear back on that one, if anyone has a fix I'd like to hear it -- Rick
From: Harry Vanderzand [mailto:ha...@intown.net] Sent: Monday, April 04, 2011 5:54 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] email being delivered with blank body. What happened to body? This is occurring to one of my domains. No others that I can figure. I see no pattern as to why the mail gets delivered but the body is missing. Any help is sure appreciated. I run imail with an Alligate front end. And of course Declude. Thank you in advance for your assistance. Thank you Harry Vanderzand Intown internet Erbsville Internet 740 Erbsville Road Waterloo, ON, N2J3Z4
[Declude.JunkMail] ISIPP SuretyMail Accredited email - spammer?
Just received a spam with these headers:
X-IADB-IP: 65.98.250.238
X-IADB-IP-REVERSE: 238.250.98.65
X-IADB-URL: http://www.isipp.com/iadb.php
Received: from AGENT-01.ED.SAC ([10.10.0.24])
X-Mailer: EDM
List-Unsubscribe: http://go.edirect1.com/l/a/eri/zl/852h/4t/ed9h/exclude.htm
Went to http://www.isipp.com/iadb.php and they are claiming they are like Habeas or Bonded Sender. Anyone know if these guys are scammers? I'm considering holding anything with their headers.
RE: [Declude.JunkMail] Idea for new Declude add-on
I installed autowhite. This product is not ready to be on the market and certainly should not be something someone pays good money to purchase. It has promise, but it's not ready yet. It's advertised as working with Smartermail. To use it in a smartermail environment, you have to go into the registry on the server and enter a number of IMAIL registry keys. None of these required keys are currently documented in the installation docs. John said he is planning on updating the installation documentation. The main problem, however, is that there needs to be a registry key manually created for each smartermail email domain. These keys get created under an IMAIL parent key. So if you have a control panel, and resellers create new email domains, the autowhite registry key for that new email domain won't exist. Autowhite won't process for that domain. You would have to modify your control panel to create the registry key or manually create the keys. Autowhite also has a log option. But it won't log without a syslog daemon on the server. Autowhite needs to have an option to log to a text file -- I wouldn't install anything to support a utility being able to log.
-Original Message- From: Kamran Razvan [mailto:kami.l...@clickandpledge.com] Sent: Thursday, February 17, 2011 9:01 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Idea for new Declude add-on Thanks Dave, Just to show you how it works:
[AUTOWHITE.1] external1 M:\autowhite\autowhite.exe /LICENSE CODE /R5 /L1 %MAILFROM% %REALRECIPS% -500
[AUTOWHITE.2] external2 M:\autoWhite\autowhite.exe /LICENSE CODE /R5 /L1 %MAILFROM% %REALRECIPS% -100 0
In here if someone is sent an email to a person then the program tracks how many times that email has been emailed to. Next time when the person emails us the program looks at the sender's counter and we add -50 for 1 hit and -100 for 2 hits and more. Effectively if I email someone twice they are whitelisted. Kami
-Original Message- From: David Barker [mailto:dbar...@declude.com] Sent: Thursday, February 17, 2011 9:48 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Idea for new Declude add-on The author is John Tolmachoff of http://www.eservicesforyou.com/products/autowhite.html
-Original Message- From: Kamran Razvan [mailto:kami.l...@clickandpledge.com] Sent: Thursday, February 17, 2011 9:41 AM To: Declude.JunkMail@declude.com Subject: FW: [Declude.JunkMail] Idea for new Declude add-on Dave, This program is the exact behavior that autowhite had and one that we are using now. Unfortunately I don't remember who had written it. Anyone remembers? The program works beautifully. Every time I sent an email the person's email address is added a negative weight. We use it in a combo filter and whitelist the person in all future emails. I know the author decided not to work on it anymore but we have been using it for years. Regards, Kami
-Original Message- From: David Barker [mailto:dbar...@declude.com] Sent: Thursday, February 17, 2011 8:49 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Idea for new Declude add-on Great idea Dave thanks. Question. If a user emails a recipient in what scenario would we not want to whitelist the recipients address ?
-Original Message- From: Dave Beckstrom [mailto:db...@atving.com] Sent: Thursday, February 17, 2011 8:45 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Idea for new Declude add-on I have an idea for something I think would be a useful add-on for declude. Every time someone sends an outbound SMTP email to someone, the add-on would add an entry to a filter giving the recipient's to address a weight of minus one. Therefore, giving the recipient a credit. Any time the recipient sends an email to my server, minus one gets subtracted from the total score of their email. If a user on my server sends a second email to the same recipient, another minus one credit is added to the filter. Now that recipient has a credit of minus two. The add-on would be configurable to limit the maximum credit a single address could reach. It would also have an exclusion ability where you could enter a list of email addresses that would never receive any credit. The idea being that the more frequently you email someone, the less likely that email from them would be spam. I know some will argue that from addresses can be forged and that perhaps it's not a good idea to give credit based on a from address. But it's not very often at all I ever receive a spam that came from a friend's forged from address. I think something along the lines of this type of system could be useful.
RE: [Declude.JunkMail] Idea for new Declude add-on
Sanford, I'm not complaining. I'm saying that there is an opportunity for someone to write the utility I suggested. I'd write it except the languages I code wouldn't be a good choice for something like this.
-Original Message- From: Sanford Whiteman [mailto:sa...@cypressintegrated.com] Sent: Friday, February 18, 2011 12:00 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Idea for new Declude add-on This product is not ready to be on the market and certainly should not be something someone pays good money to purchase. It has promise, but it's not ready yet. Your complaints have to do principally with SmarterMail -- certainly when the product was published and supported I don't recall anything about SmarterMail being advertised. That's an after-the-fact hack, but I don't know what that has to do with on the market. Autowhite also has a log option. But it won't log without a syslog daemon on the server. IMail had a syslog daemon built-in. That's obviously why it was built to use that functionality. Autowhite needs to have an option to log to a text file -- I wouldn't install anything to support a utility being able to log. Do your firewalls log to text files on the device, then? Sounds like a lot of FUD over a dead product which actually did exactly what it was supposed to do, and with more flexibility than most command-line add-ons. I for one *wish* that everything logged to syslog. I don't want a text file on the local box being written to on every e-mail. SMTP is disk I/O bound already. -- S.
RE: [Declude.JunkMail] Idea for new Declude add-on
Hi John, I apologize. At the time I posted that, I didn't realize that autowhite is no longer being developed. It is what it is...which is a 3rd party utility that sounds like it works well with imail. Until a day or so ago...I didn't recall autowhite or that we had ever purchased it. Looked at the docs and saw it was supposed to work with smartermail... So I decided to give it a try. It was only after starting down that road, that I discovered the documentation was incomplete and the way it has to be implemented in a smartermail environment isn't very friendly or practical (in my opinion). So I stand by what I said that I would not recommend someone purchase autowhite -- but need to qualify that by saying unless you use imail. Even so..the tone of my email was overly harsh. I apologize for that, too.

From: John T [mailto:johnl...@eservicesforyou.com]
Sent: Friday, February 18, 2011 1:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Idea for new Declude add-on

Dave, it is sad to see you take a discussion we were having via email and turn it into an unwarranted attack on a product that has been in use as designed since 2003 and has been working great in its intended and designed use.

QUOTE: This product is not ready to be on the market and certainly should not be something someone pays good money to purchase. It has promise, but it's not ready yet.

Your purchase was in 2003. BEFORE a version of Declude was created to work with Smartermail.

John T
eServices For You

-Original Message-
From: Dave Beckstrom db...@atving.com
Sent 2/18/2011 9:46:15 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

I installed autowhite. This product is not ready to be on the market and certainly should not be something someone pays good money to purchase. It has promise, but it's not ready yet. It's advertised as working with Smartermail.
To use it in a smartermail environment, you have to go into the registry on the server and enter a number of IMAIL registry keys. None of these required keys are currently documented in the installation docs. John said he is planning on updating the installation documentation.

The main problem, however, is that there needs to be a registry key manually created for each smartermail email domain. These keys get created under an IMAIL parent key. So if you have a control panel, and resellers create new email domains, the autowhite registry key for that new email domain won't exist. Autowhite won't process for that domain. You would have to modify your control panel to create the registry key or manually create the keys.

Autowhite also has a log option. But it won't log without a syslog daemon on the server. Autowhite needs to have an option to log to a text file -- I wouldn't install anything to support a utility being able to log.

-Original Message-
From: Kamran Razvan [mailto:kami.l...@clickandpledge.com]
Sent: Thursday, February 17, 2011 9:01 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Thanks Dave, Just to show you how it works:

[AUTOWHITE.1] external1 M:\autowhite\autowhite.exe /LICENSE CODE /R5 /L1 %MAILFROM% %REALRECIPS% -500
[AUTOWHITE.2] external2 M:\autoWhite\autowhite.exe /LICENSE CODE /R5 /L1 %MAILFROM% %REALRECIPS% -100 0

In here if someone is sent an email to a person then the program tracks how many times that email has been emailed to. Next time when the person emails us the program looks at the sender's counter and we add -50 for 1 hit and -100 for 2 hits and more. Effectively if I email someone twice they are whitelisted.
Kami

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 9:48 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

The author is John Tolmachoff of http://www.eservicesforyou.com/products/autowhite.html

-Original Message-
From: Kamran Razvan [mailto:kami.l...@clickandpledge.com]
Sent: Thursday, February 17, 2011 9:41 AM
To: Declude.JunkMail@declude.com
Subject: FW: [Declude.JunkMail] Idea for new Declude add-on

Dave, This program is the exact behavior that autowhite had and one that we are using now. Unfortunately I don't remember who had written it. Anyone remembers? The program works beautifully. Every time I sent an email the person's email address is added a negative weight. We use it in a combo filter and whitelist the person in all future emails. I know the author decided not to work on it anymore but we have been using it for years.

Regards, Kami

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 8:49 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Great idea
[Declude.JunkMail] Idea for new Declude add-on
I have an idea for something I think would be a useful add-on for declude. Every time someone sends an outbound SMTP email to someone, the add-on would add an entry to a filter giving the recipient's to address a weight of minus one. Therefore, giving the recipient a credit. Any time the recipient sends an email to my server, minus one gets subtracted from the total score of their email. If a user on my server sends a second email to the same recipient, another minus one credit is added to the filter. Now that recipient has a credit of minus two.

The add-on would be configurable to limit the maximum credit a single address could reach. It would also have an exclusion ability where you could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely that email from them would be spam. I know some will argue that from addresses can be forged and that perhaps it's not a good idea to give credit based on a from address. But it's not very often at all I ever receive a spam that came from a friend's forged from address. I think something along the lines of this type of system could be useful.
RE: [Declude.JunkMail] Idea for new Declude add-on
I couldn't think of any specific instances where you would not want to whitelist a recipient's address. Obviously nobody should be emailing a spammer. I was trying to cover the bases for those instances that exist but can't be foreseen yet.

Pondering it a little more -- one type of an exclusion that would be needed is if you had a forum where users register and your server sends out a confirmation/activation email. Or you send an email as a result of someone submitting a contact form on your site. In those cases, the from address for your forum or from address from your submission form would be the excluder so that no recipient of email from those automated systems would be given any credit.

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 7:49 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Great idea Dave thanks. Question. If a user emails a recipient in what scenario would we not want to whitelist the recipients address ?

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 8:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Idea for new Declude add-on

I have an idea for something I think would be a useful add-on for declude. Every time someone sends an outbound SMTP email to someone, the add-on would add an entry to a filter giving the recipient's to address a weight of minus one. Therefore, giving the recipient a credit. Any time the recipient sends an email to my server, minus one gets subtracted from the total score of their email. If a user on my server sends a second email to the same recipient, another minus one credit is added to the filter. Now that recipient has a credit of minus two. The add-on would be configurable to limit the maximum credit a single address could reach.
It would also have an exclusion ability where you could enter a list of email addresses that would never receive any credit. The idea being that the more frequently you email someone, the less likely that email from them would be spam. I know some will argue that from addresses can be forged and that perhaps it's not a good idea to give credit based on a from address. But it's not very often at all I ever receive a spam that came from a friend's forged from address. I think something along the lines of this type of system could be useful.
[Declude.JunkMail] Blocking on no REV DNS?
Years ago it was recommended not to block mail on a missing reverse DNS because many legitimate mail servers were mis-configured. We know services like AOL block on missing DNS. Just wondering, do you block on missing REV DNS? If not, do you at least add weight? I'm getting to the point where if a mail server doesn't have a reverse DNS then I'm thinking the heck with them
RE: [Declude.JunkMail] Blocking on no REV DNS?
Headers from a typical email with missing reverse DNS:

Received: from UnknownHost [208.94.247.117] by xx
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 208.94.247.117 with no reverse DNS entry.

What is the best way to filter on no reverse DNS?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, February 14, 2011 10:49 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blocking on no REV DNS?

I suppose it depends on your clients. I host mostly small to medium business sites, bounce on reverse DNS at my gateway and only get a question once or twice a year, where I assist some clueless Email Admin about contacting his ISP to set up the proper reverse DNS. I explain to them that we are in line with AOL, Hotmail, Google and others that have policies against missing Reverse DNS to show that he may have FOUND the problem by trying to email US, but that in fact, his emails to most places on the Internet are being silently deleted, held or flagged as SPAM - without giving him a warning as WE do.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Monday, February 14, 2011 9:22 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking on no REV DNS?

Years ago it was recommended not to block mail on a missing reverse DNS because many legitimate mail servers were mis-configured. We know services like AOL block on missing DNS. Just wondering, do you block on missing REV DNS? If not, do you at least add weight? I'm getting to the point where if a mail server doesn't have a reverse DNS then I'm thinking the heck with them
[Declude.JunkMail] Filter for this?
Anyone put together a filter for this?

a href=http://en.marriedcomb.com/LsyRi_xEczPyAVLP-6RXIfBHyQKlpLloCVCdRiUQj80C BkFIRsplDbsWp-UntnvcapomnOB34oekSnZlNAVa7SoEUKZSJf38K79Yq79zOT6qBNCTYzL5B1Gh PqJ5DauCbtWAubdB8kPQoicfAlkPQyyuRB1333A1YAWUvJhpVPksIVa9IVTj5SmfPzJBU23BtNGm LCRUhh-f7TYUkYiSFW1IMFkxyEq98JftNph7Um4mcdzmcpYAh62VI94SDrIhDY8g2Zo-QorZUUZW rwG41Sj6iKchOqqfHLTYKLmL7s5oJBjZ7EZSuBU7CFX8LvTo0pB6qyyUQ4mp35lBXcOsZ1zHmnGL Bl_htJf1VGFa4gsO7P6mFVZB3QNk3TPUYWaoBR5AtFjxfs3mv11TZ60J6w

Getting dozens of these a day coming through.
RE: [Declude.JunkMail] Filter for this?
Andrew, I'm running invURIBL. It gave a weight of 10:

X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/14/2011 3:50:50 PM
X-invURIBL-Weight: 10
X-invURIBL-Range: HIGH

That only brought it up to 15 and my hold weight is 20. My declude is a number of years old. I don't believe I have the zero day. My problem is I have so little time to work with Declude. By the time the spam gets bad enough that I can't put up with it and need to tweak my filters again, I've forgotten so much it's like starting over.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck, Andrew
Sent: Monday, February 14, 2011 5:30 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filter for this?

Dave, the target IP address is a really old spammer block according to SpamHaus:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79159
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL79123

Do you have a URL scanner? It should have picked off this one sample. Besides the Zero Day component of Declude, there's a de facto add-on that's used by the denizens of this list, but I forget what it's called. FWIW, no, I'm not seeing this particular domain or destination IP in the last 45 days.

Andrew.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Monday, February 14, 2011 2:07 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Filter for this?

Anyone put together a filter for this?

a href=http://en.marriedcomb.com/LsyRi_xEczPyAVLP-6RXIfBHyQKlpLloCVCdRiUQ j80C BkFIRsplDbsWp-UntnvcapomnOB34oekSnZlNAVa7SoEUKZSJf38K79Yq79zOT6qBNCTYzL5 B1Gh PqJ5DauCbtWAubdB8kPQoicfAlkPQyyuRB1333A1YAWUvJhpVPksIVa9IVTj5SmfPzJBU23B tNGm LCRUhh-f7TYUkYiSFW1IMFkxyEq98JftNph7Um4mcdzmcpYAh62VI94SDrIhDY8g2Zo-QorZ UUZW rwG41Sj6iKchOqqfHLTYKLmL7s5oJBjZ7EZSuBU7CFX8LvTo0pB6qyyUQ4mp35lBXcOsZ1zH mnGL Bl_htJf1VGFa4gsO7P6mFVZB3QNk3TPUYWaoBR5AtFjxfs3mv11TZ60J6w

Getting dozens of these a day coming through.
[Declude.JunkMail] Good filter?
There is a pervasive spammer whose uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Good filter?
Here is another one:

gseo35.pennyonello.info/132694139742636427312a49fad18963925fb

I've deleted all the previous and hopefully won't get any more after implementing the filter David sent. I would still like to be able to block URIs by the DNS server or Registrar used. There may be some legitimate domains registered through domainsite.com but I've not seen any.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be talking about the same guy.. Thanks

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Good filter?
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be talking about the same guy.. Thanks

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Good filter?
Would checking for the DOT, followed by one or more characters, at the end of the long string serve to eliminate the false positives?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, October 18, 2010 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Does the source have a space or different character after the end of the string ? we could look for a space. or a or

(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[]))

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Hi David, I think it will FP though - Here is an example:

http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif

with some tweaking I think it could be very effective though

We have been wacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs.

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: David Barker dbar...@declude.com
Sent: Monday, October 18, 2010 10:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Provided the prefix to these is either www or http:// the regex will trigger on these

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be talking about the same guy.. Thanks

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
[Declude.JunkMail] Server AV Scanner
Hi Everyone, I sold off the lion's share of my web business 3 years. I still host a few sites for some people who have been with me for a really long time. But I don't have the revenue I once did and hence can't afford to renew Declude (I'm running an older version) or buy any software.

I used to use F-prot (command line version) to virus scan email at the server via Declude. They no longer offer the signature files for that version of F-prot. I haven't found anything in my searches so I thought I'd ask here -- is there a free antivirus scanner available that will run on 2003 server and which I could tie into Declude?

Thanks, Dave
[Declude.JunkMail] Regex to block this?
I'm getting hit by one spammer who manages to get through most of my filters. His spam consistently uses the format of:

a href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;
img src=http://gcc128.blinksroads.com/images/157286c08.jpg;

How would I write a regex that would look for .com/ followed by a string of garbage with no .htm or other web extension on the end?
RE: [Declude.JunkMail] Regex to block this?
Thanks. David's regex worked well. I'll give the fine tuning a try. Also, all of this spammer's domains are in DNS servers ns1.domainsite.com - ns4.domainsite.com.

I might fine tune it a bit. I've only seen length 37 and 38 characters after the tld It is only lower case hex codes so you can exclude (g-z) I've seen lots of .info and a few .nets as additional tld. Very active spammer here

(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?

I'm getting hit by one spammer who manages to get through most of my filters. His spam consistently uses the format of:

a href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;
img src=http://gcc128.blinksroads.com/images/157286c08.jpg;

How would I write a regex that would look for .com/ followed by a string of garbage with no .htm or other web extension on the end?
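The patterns posted in this thread and in the October 2010 "Good filter?" thread, run over the sample links quoted there, as an added example that is not part of any list member's post. The `suspicious_links` helper, its single-path-segment rule and the `static.example.com` sample are assumptions of this example, and the October pattern is used without its trailing group, which is garbled in the archive.

```python
import re

# Patterns as posted on the list. The October one is used here without its
# trailing group, which is garbled in the archive (assumption of this example).
JULY_PATTERN = re.compile(r"(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})")
OCTOBER_PATTERN = re.compile(r"(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})")

# Hypothetical tightened rule (not from the thread): pull out each link, then
# flag it only when the whole path is one lower-case hex token. That covers
# the two false-positive shapes raised on the list: a hex directory followed
# by more path, and a hex name followed by a dot and an extension.
URL = re.compile(r"""(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s"'<>]*)?""", re.I)
HEX_TOKEN = re.compile(r"[a-f0-9]{30,40}")  # lower-case only, as observed in the thread
WATCHED_TLDS = {"com", "info", "net"}


def suspicious_links(body):
    """Return host/token for every link whose path is exactly one hex token."""
    hits = []
    for match in URL.finditer(body):
        host = match.group(1).lower()
        # Drop any query string or fragment before looking at the path.
        path = re.split(r"[?#]", match.group(2) or "")[0]
        segments = [s for s in path.split("/") if s]
        if host.rsplit(".", 1)[-1] not in WATCHED_TLDS:
            continue
        if len(segments) == 1 and HEX_TOKEN.fullmatch(segments[0]):
            hits.append(host + "/" + segments[0])
    return hits


# Sample inputs. The URLs of the first three come from the posts; the HTML
# wrapping and the fourth sample are constructed for this example.
SAMPLES = {
    "spam_html": (
        '<a href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5">'
        '<img src="http://gcc128.blinksroads.com/images/157286c08.jpg"></a>'
    ),
    # Scheme-less, as it would appear in a plain-text body.
    "spam_text": "gseo35.pennyonello.info/132694139742636427312a49fad18963925fb",
    # The legitimate image URL given on the list as a likely false positive.
    "legit_nested": (
        "http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386"
        "/2010-06/02b120ed17cc24cd3567fd4396424914.gif"
    ),
    # Constructed: a hash-named static asset with a file extension.
    "legit_asset": '<a href="http://static.example.com/0123456789abcdef0123456789abcdef01234567.css">',
}


def compare(samples=SAMPLES):
    """Map sample name -> (July pattern hit, October pattern hit, tightened rule hit)."""
    return {
        name: (
            bool(JULY_PATTERN.search(text)),
            bool(OCTOBER_PATTERN.search(text)),
            bool(suspicious_links(text)),
        )
        for name, text in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':<14}{'july':<8}{'october':<10}{'tightened'}")
    for name, (july, october, tight) in compare().items():
        print(f"{name:<14}{str(july):<8}{str(october):<10}{tight}")
```

Neither posted pattern anchors the end of the hex run, so each also matches a hash-named file or directory on a legitimate site, and both miss the scheme-less plain-text link.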
[Declude.JunkMail] Blocking domains by DNS server?
There is a pervasive spammer out there, where the common denominator in the jerk's spam is the fact that all of the domains in the body of the email are served by DNS servers NS1.domainsite.com - NS4.domainsite.com. I want to block all email where a link in the body is resolved by one of those DNS servers. I haven't looked at my invURIBL config for some time, but isn't that one of the things that it can do? If so, how do I set that up? Otherwise, is there another way to achieve the above?
[Declude.JunkMail] PowerMTA
I'm seeing a lot of spam with this in the headers: PowerMTA(TM) v3.0c2 Is powerMTA mainly a spam tool or do legitimate mailers use it too? Just trying to decide if I can add some weight if that header exists. Also of late I'm seeing a lot of spam containing ssl in part of the domain name: Return-Path: nore...@realnightlywork.com Wed Jan 13 15:03:22 2010 Received: from ssl.realnightlywork.com [173.45.68.45] by Anyone adding weight if the domain contains ssl?
[Declude.JunkMail] Testing Spamcop blocked?
Does the spamblock IP4R always return blocked if an IP is found or can it return something less severe than blocked? Just wondering if there is a way to hold on blocked and warn on a less severe hit.
[Declude.JunkMail] 3rd party tool to call registrar/whois lookup?
Much of the spam we receive contains embedded links for, or from, domains registered within the last 2 - 3 weeks. Is there a 3rd party utility that could be called from Declude which would check the domain registration date and either block or add weight to any domain registered within the last 30 (or a user specified range) days?
[Declude.JunkMail] Senderbase
I would like to use senderbase with Declude. Does anyone happen to know if there is a way to extract the entire list of IPs with a POOR reputation from senderbase? I know that it can be done via export but it seems to be limited to certain IP ranges at a time. Does senderbase have any kind of an API or XML feed?
[Declude.JunkMail] Spam Score?
Something is happening with our spam score that I don't quite understand. If you look below at the (sanitized) email headers you'll see that the CBL test scored 6 and spamheaders scored 3 and yet the final score for this email was Spam Score: [1] Shouldn't the score have been 9? On another note, if the CBL ip4rl test shows blocked what is the best way to hold this email? I assume that I would just up the weighting from 6 to my hold level? Do you guys hold email based only on an rbl response of blocked or do you require additional tests to fail? If a few folks would like to post their ip4r tests from the global.cfg I think that would be really helpful to a lot of people. I know that my global.cfg is a good number of years old and the ip4r tests are not tests that I've updated in a long time. Seeing what others are using would help me identify if I have tests I'm not using but should be using and vice versa. Thanks, Dave Return-Path: yourautopolicyvxw...@bestlevelterm.com Thu Feb 19 03:29:48 2009 Received: from server1.taxhelpis.com [65.60.20.131] ..com with SMTP; Thu, 19 Feb 2009 03:29:48 -0600 Reply-To: yourautopolicyvxw...@bestlevelterm.com In-Reply-To: 20090219033057.ggnppl...@mx2.bestlevelterm.com.1329 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=_=_extPart_000_0097_a3d0dac.a3d0dac Content-class: urn:content-classes:message Return-path: yourautopolicyvxw...@bestlevelterm.com Subject:Vehicle Warranty - 60% OFF Dealers Price Date: Thu, 19 Feb 2009 03:30:57 -0600 Message-Id: 20090219033057.ggnppl...@mx2.bestlevelterm.com Thread-Topic: RE: This email can save your life From: Continued Auto Coveragecontinuedautocover...@bestlevelterm.com To: x Importance: Normal X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/19/2009 3:29:58 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131; X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000100e]. 
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-Declude-Sender: yourautopolicyvxw...@bestlevelterm.com [65.60.20.131] X-Declude-RefID: X-Note: X-Note: Spam Score: [1] X-Note: Scan Time: 03:30:01 on 19 Feb 2009 X-Note: Spool File: 369855951432.eml X-Note: Server Name: mx2.bestlevelterm.com X-Note: SMTP Sender: yourautopolicyvxw...@bestlevelterm.com X-Note: Reverse DNS IP: server1.taxhelpis.com [65.60.20.131] X-Note: Recipient(s): X-Note: Country Chain: [ARIN Unlisted]-destination X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0] X-Note:
RE: [Declude.JunkMail] Spam Score?
David, Here is the test: CBL IP4R cbl.abuseat.org 127.0.0.2 6 0 According to these headers: X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131; X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0] Wasn't the test triggered and a score of 6 should have been added to the total score? -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: 2009-02-19 08:37 To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Spam Score? Dave, The last column of a test is the value added or subtracted if the test is NOT triggered. IF a test is NOT triggered it will not show up in the header. The most common that are used like this are: IPNOTINMX NOLEGITCONTENT FROMNOMATCH David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Thursday, February 19, 2009 9:33 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Score? Something is happening with our spam score that I don't quite understand. If you look below at the (sanitized) email headers you'll see that the CBL test scored 6 and spamheaders scored 3 and yet the final score for this email was Spam Score: [1] Shouldn't the score have been 9? On another note, if the CBL ip4rl test shows blocked what is the best way to hold this email? I assume that I would just up the weighting from 6 to my hold level? Do you guys hold email based only on an rbl response of blocked or do you require additional tests to fail? If a few folks would like to post their ip4r tests from the global.cfg I think that would be really helpful to a lot of people. I know that my global.cfg is a good number of years old and the ip4r tests are not tests that I've updated in a long time. 
Seeing what others are using would help me identify if I have tests I'm not using but should be using and vice versa. Thanks, Dave Return-Path: yourautopolicyvxw...@bestlevelterm.com Thu Feb 19 03:29:48 2009 Received: from server1.taxhelpis.com [65.60.20.131] ..com with SMTP; Thu, 19 Feb 2009 03:29:48 -0600 Reply-To: yourautopolicyvxw...@bestlevelterm.com In-Reply-To: 20090219033057.ggnppl...@mx2.bestlevelterm.com.1329 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=_=_extPart_000_0097_a3d0dac.a3d0dac Content-class: urn:content-classes:message Return-path: yourautopolicyvxw...@bestlevelterm.com Subject:Vehicle Warranty - 60% OFF Dealers Price Date: Thu, 19 Feb 2009 03:30:57 -0600 Message-Id: 20090219033057.ggnppl...@mx2.bestlevelterm.com Thread-Topic: RE: This email can save your life From: Continued Auto Coveragecontinuedautocover...@bestlevelterm.com To: x Importance: Normal X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/19/2009 3:29:58 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131; X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000100e]. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-Declude-Sender: yourautopolicyvxw...@bestlevelterm.com [65.60.20.131] X-Declude-RefID: X-Note: X-Note: Spam Score: [1] X-Note: Scan Time: 03:30:01 on 19 Feb 2009 X-Note: Spool File: 369855951432.eml X-Note: Server Name: mx2.bestlevelterm.com X-Note: SMTP Sender: yourautopolicyvxw...@bestlevelterm.com X-Note: Reverse DNS IP: server1.taxhelpis.com [65.60.20.131] X-Note: Recipient(s): X-Note: Country Chain: [ARIN Unlisted]-destination X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0] X-Note:
RE: [Declude.JunkMail] Spam Score?
David, Never mind. I found in the logs where those tests you mentioned are giving the email a credit (negative weight) and thus the total weight is adjusted accordingly. I have IPNOTINMX and NOLEGITCONTENT set up under HIDETESTS which explains why the confusion on the total score. BTW -- I would still like to see some people post their ip4r tests to the list. I have a hunch I'm missing some valuable tests in my list. Thanks, Dave -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: 2009-02-19 08:56 To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Spam Score? David, Here is the test: CBL IP4R cbl.abuseat.org 127.0.0.2 6 0 According to these headers: X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131; X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0] Wasn't the test triggered and a score of 6 should have been added to the total score? -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: 2009-02-19 08:37 To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Spam Score? Dave, The last column of a test is the value added or subtracted if the test is NOT triggered. IF a test is NOT triggered it will not show up in the header. The most common that are used like this are: IPNOTINMX NOLEGITCONTENT FROMNOMATCH David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Thursday, February 19, 2009 9:33 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Score? Something is happening with our spam score that I don't quite understand. 
If you look below at the (sanitized) email headers you'll see that the CBL test scored 6 and spamheaders scored 3 and yet the final score for this email was Spam Score: [1] Shouldn't the score have been 9? On another note, if the CBL ip4rl test shows blocked what is the best way to hold this email? I assume that I would just up the weighting from 6 to my hold level? Do you guys hold email based only on an rbl response of blocked or do you require additional tests to fail? If a few folks would like to post their ip4r tests from the global.cfg I think that would be really helpful to a lot of people. I know that my global.cfg is a good number of years old and the ip4r tests are not tests that I've updated in a long time. Seeing what others are using would help me identify if I have tests I'm not using but should be using and vice versa. Thanks, Dave Return-Path: yourautopolicyvxw...@bestlevelterm.com Thu Feb 19 03:29:48 2009 Received: from server1.taxhelpis.com [65.60.20.131] ..com with SMTP; Thu, 19 Feb 2009 03:29:48 -0600 Reply-To: yourautopolicyvxw...@bestlevelterm.com In-Reply-To: 20090219033057.ggnppl...@mx2.bestlevelterm.com.1329 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=_=_extPart_000_0097_a3d0dac.a3d0dac Content-class: urn:content-classes:message Return-path: yourautopolicyvxw...@bestlevelterm.com Subject:Vehicle Warranty - 60% OFF Dealers Price Date: Thu, 19 Feb 2009 03:30:57 -0600 Message-Id: 20090219033057.ggnppl...@mx2.bestlevelterm.com Thread-Topic: RE: This email can save your life From: Continued Auto Coveragecontinuedautocover...@bestlevelterm.com To: x Importance: Normal X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 2/19/2009 3:29:58 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: CBL: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.60.20.131; X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000100e]. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. 
X-Declude-Sender: yourautopolicyvxw...@bestlevelterm.com [65.60.20.131] X-Declude-RefID: X-Note: X-Note: Spam Score: [1] X-Note: Scan Time: 03:30:01 on 19 Feb 2009 X-Note: Spool File: 369855951432.eml X-Note: Server Name: mx2.bestlevelterm.com X-Note: SMTP Sender: yourautopolicyvxw...@bestlevelterm.com X-Note: Reverse DNS IP: server1.taxhelpis.com [65.60.20.131] X-Note: Recipient(s): X-Note: Country Chain: [ARIN Unlisted]-destination X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0] X-Note:
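The arithmetic behind this thread, as an added example that is not part of the original posts: it reconciles the `Spam Score` header with the `Failed Weights` header and then models the two-weight test definition David Barker describes. The two header lines are copied from the quoted message; the weights for IPNOTINMX and NOLEGITCONTENT and the zero not-triggered weights are constructed for illustration, since the thread does not give them.

```python
import re
from dataclasses import dataclass

# The two header lines quoted in the thread.
HEADERS = """\
X-Note: Spam Score: [1]
X-Note: Failed Weights: CBL [6], SPAMHEADERS [3], SPFPASS [0]
"""


@dataclass(frozen=True)
class WeightedTest:
    name: str
    hit: int   # weight added when the test triggers
    miss: int  # last column: weight added when the test does NOT trigger


# CBL comes from the posted definition (6 when triggered, 0 otherwise).
# SPAMHEADERS and SPFPASS hit weights come from the Failed Weights header.
# The IPNOTINMX / NOLEGITCONTENT credits are constructed values.
TESTS = [
    WeightedTest("CBL", 6, 0),
    WeightedTest("SPAMHEADERS", 3, 0),
    WeightedTest("SPFPASS", 0, 0),
    WeightedTest("IPNOTINMX", 0, -3),
    WeightedTest("NOLEGITCONTENT", 0, -5),
]


def parse_headers(text):
    """Return (final_score, {test_name: weight}) from Declude X-Note lines."""
    score = int(re.search(r"Spam Score: \[(-?\d+)\]", text).group(1))
    listed_line = re.search(r"Failed Weights: (.*)", text).group(1)
    listed = {name: int(weight)
              for name, weight in re.findall(r"(\w+) \[(-?\d+)\]", listed_line)}
    return score, listed


def unexplained_weight(text):
    """Weight contributed by tests that do not appear in the headers."""
    score, listed = parse_headers(text)
    return score - sum(listed.values())


def score_message(tests, triggered, hidden=()):
    """Total every test, but list only triggered tests that are not hidden."""
    total, shown = 0, {}
    for test in tests:
        fired = test.name in triggered
        weight = test.hit if fired else test.miss
        total += weight
        if fired and test.name not in hidden:
            shown[test.name] = weight
    return total, shown


if __name__ == "__main__":
    print("unexplained weight:", unexplained_weight(HEADERS))
    print(score_message(TESTS, {"CBL", "SPAMHEADERS", "SPFPASS"},
                        hidden={"IPNOTINMX", "NOLEGITCONTENT"}))
```

A non-zero result from `unexplained_weight` is the cue to look in the Declude log for tests that are hidden or that carry a not-triggered weight.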
[Declude.JunkMail] Regex
Trying to filter on: Asseenon Oprah As seen on Oprah As seen on 60 minutes Asseenon 60 minutes As seen on 60-minutes This regex matches on, for example, asseen on 60 minutes but does not match on asseenon 60 minutes What did I do wrong? Is there a better way to code this? ANYWHERE 3 PCRE (?i:as.{0,2}seen.{0,2}.on.{0,2}(?:oprah|60.minutes))
RE: [Declude.JunkMail] Regex
David, Thanks. For the life of me I did not see that extra period. -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: 2009-02-18 12:39 To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Regex I would say you have it pretty much down. If I did it I would have this (?i:as.{0,2}seen.{0,2}on.{0,2}(?:oprah|60.{0,2}minutes)) You have an extra . between seen and on David B -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Wednesday, February 18, 2009 1:28 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Regex Trying to filter on: Asseenon Oprah As seen on Oprah As seen on 60 minutes Asseenon 60 minutes As seen on 60-minutes This regex matches on, for example, asseen on 60 minutes but does not match on asseenon 60 minutes What did I do wrong? Is there a better way to code this? ANYWHERE 3 PCRE (?i:as.{0,2}seen.{0,2}.on.{0,2}(?:oprah|60.minutes))
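The effect of the extra period, measured rather than eyeballed. This is an added example, not part of the original posts: it runs both patterns from the thread over the five target phrases (plus the one the poster says already matched) and reports how many characters each pattern tolerates between two adjacent words. Python's `re` stands in for PCRE, and the function names are this example's own.

```python
import re

# Both patterns exactly as posted in the thread.
ORIGINAL = re.compile(r"(?i:as.{0,2}seen.{0,2}.on.{0,2}(?:oprah|60.minutes))")
SUGGESTED = re.compile(
    r"(?i:as.{0,2}seen.{0,2}on.{0,2}(?:oprah|60.{0,2}minutes))")

# The five phrases the poster wants to catch, plus the one reported to match.
PHRASES = [
    "Asseenon Oprah",
    "As seen on Oprah",
    "As seen on 60 minutes",
    "Asseenon 60 minutes",
    "As seen on 60-minutes",
    "asseen on 60 minutes",
]


def results():
    """Map each phrase to (original_matches, suggested_matches)."""
    return {p: (ORIGINAL.search(p) is not None,
                SUGGESTED.search(p) is not None) for p in PHRASES}


def accepted_gaps(pattern, before, after, max_gap=4):
    """Return the numbers of spaces between `before` and `after` that still
    let `pattern` match, probing 0..max_gap."""
    return [n for n in range(max_gap + 1)
            if pattern.search(before + " " * n + after)]


if __name__ == "__main__":
    for phrase, (orig, fixed) in results().items():
        print(f"{phrase:24} original={orig!s:5} suggested={fixed}")
    # 'seen.{0,2}.on' needs 1-3 characters before 'on'; 'seen.{0,2}on' needs 0-2.
    print(accepted_gaps(ORIGINAL, "as seen", "on oprah"))
    print(accepted_gaps(SUGGESTED, "as seen", "on oprah"))
    # The suggested pattern also relaxes '60.minutes' to '60.{0,2}minutes'.
    print(accepted_gaps(ORIGINAL, "as seen on 60", "minutes"))
    print(accepted_gaps(SUGGESTED, "as seen on 60", "minutes"))
```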
RE: [Declude.JunkMail] Mailfrom Processing
What filter will trigger on the words John Cummuta when the from address is formatted like: From: John Cummuta startover-4676...@allstockdirect.com Neither the mailfrom or headers filters are triggering on this.
RE: [Declude.JunkMail] Mailfrom Processing
David, I don't have an X-Declude-Sender configured. I'll add that. Okay, so I already have Headers contains John Cummuta or something along those lines set up. How would the regular expression be any different? Is it more effective because of the wild card? -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: 2009-02-09 16:03 To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Mailfrom Processing This may not be the actual sender, the actual sender is what is found in the envelope or q*.smd (IM) or *.eml (SM) and found in the X-Declude-Sender line. If you need a filter the best way would be to use the regular expressions such as: HEADERS 0 PCRE (?im:From:.*John Cummuta) David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, February 09, 2009 4:53 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Mailfrom Processing What filter will trigger on the words John Cummuta when the from address is formatted like: From: John Cummuta startover-4676...@allstockdirect.com Neither the mailfrom or headers filters are triggering on this.
RE: [Declude.JunkMail] Mailfrom Processing
Here is a snippet of an email header for an email received: Return-Path: i...@clockpleas.com Mon Feb 02 16:35:28 2009 Received: from mail.clockpleas.com [64.235.54.175] by xxx.xxx.com with SMTP; Mon, 2 Feb 2009 16:35:28 -0600 From: J. Cummuta i...@clockpleas.com To: x...@xxx.com Subject: Even your house is paid off MIME-Version: 1.0 Content-Type: text/html; charset=us-ascii; Content-Transfer-Encoding: 8bit The actual email address is always changing. However, J. Cummuta in the FROM address seems pretty consistent. If MAILFROM won't catch these, shouldn't the HEADERS test catch these? -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: 2009-01-05 15:25 To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Mailfrom Processing Declude looks at the MAILFROM in the envelope (*.hdr or q*.smd) and matches just on the email address. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, January 05, 2009 4:18 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Mailfrom Processing I have a question about the MAILFROM processing. Does this look at the display name too or just at the actual email address? I was trying to block the Loud N Clear ads by referencing the display name because it seemed to be pretty consistent while the email address itself didn't change. I set up the following and it didn't appear to work: MAILFROM 0 contains loudandclear Is the only way to filter on the display name in the from address to use the HEADERS filter? Thanks, Dave
[Declude.JunkMail] Mailfrom Processing
I have a question about the MAILFROM processing. Does this look at the display name too or just at the actual email address? I was trying to block the Loud N Clear ads by referencing the display name because it seemed to be pretty consistent while the email address itself didn't change. I set up the following and it didn't appear to work: MAILFROM 0 contains loudandclear Is the only way to filter on the display name in the from address to use the HEADERS filter? Thanks, Dave
[Declude.JunkMail] BadHeaders?
Hi Everyone, We have an application that generates email using Cold Fusion. The application sends email to me. The email never goes outside of our servers. Declude is flagging the email as having BadHeaders: X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8004000e]. I don't have a clear understanding of what BadHeaders evaluates. I realize I can whitelist the email but what I really want to do is figure out how to fix how Cold Fusion formats the email so that it does not trigger the BadHeaders test. We do send email via other applications to outside users and so fixing this problem will help insure delivery to those people, too. Thanks, Dave
RE: [Declude.JunkMail] BadHeaders?
David, Thank you for the explanation. I actually wrote the code that generates the Message-ID. Do you happen to have a link to documentation that would show the proper format for the Message-ID? Thanks, Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, April 30, 2008 11:55 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] BadHeaders? The E-mail failed the BADHEADERS test. This means the email failed with a violation of the RFC. This specific code indicates an incorrect Message-ID: in the header. David B -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Wednesday, April 30, 2008 12:36 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] BadHeaders? Hi Everyone, We have an application that generates email using Cold Fusion. The application sends email to me. The email never goes outside of our servers. Declude is flagging the email as having BadHeaders: X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8004000e]. I don't have a clear understanding of what BadHeaders evaluates. I realize I can whitelist the email but what I really want to do is figure out how to fix how Cold Fusion formats the email so that it does not trigger the BadHeaders test. We do send email via other applications to outside users and so fixing this problem will help insure delivery to those people, too. Thanks, Dave
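On the Message-ID format asked about above: RFC 5322 section 3.6.4 defines it as `<id-left@id-right>`, where the left side is a dot-atom and the right side is a dot-atom or a bracketed literal. The checker below is an added example, not part of the original posts and not Declude's code; what the BADHEADERS test checks internally is not stated in the thread, so this validates against the RFC grammar only, and all sample values are constructed.

```python
import re
from email.utils import make_msgid

# RFC 5322 atext: printable ASCII except specials, space and controls.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = re.compile(rf"{ATEXT}+(?:\.{ATEXT}+)*")
# no-fold-literal: "[" *dtext "]" with dtext = %d33-90 / %d94-126
NO_FOLD_LITERAL = re.compile(r"\[[\x21-\x5a\x5e-\x7e]*\]")


def check_message_id(value):
    """Return a list of problems with a Message-ID value; [] means it
    conforms to the RFC 5322 msg-id grammar (obsolete forms not accepted)."""
    problems = []
    bracketed = len(value) >= 2 and value[0] == "<" and value[-1] == ">"
    if not bracketed:
        problems.append("not enclosed in angle brackets")
    inner = value[1:-1] if bracketed else value
    if any(ch.isspace() for ch in inner):
        problems.append("contains whitespace")
    if inner.count("@") != 1:
        problems.append("needs exactly one '@'")
        return problems
    left, right = inner.split("@")
    if not DOT_ATOM.fullmatch(left):
        problems.append("left side is not a dot-atom")
    if not (DOT_ATOM.fullmatch(right) or NO_FOLD_LITERAL.fullmatch(right)):
        problems.append("right side is not a dot-atom or [literal]")
    return problems


# Constructed samples of the kind an application might generate.
SAMPLES = [
    "<20080430123600.1234.abc@mail.example.com>",  # well-formed
    "20080430123600.1234@mail.example.com",        # no angle brackets
    "<20080430 123600@mail.example.com>",          # embedded space
    "<order-5512>",                                # no '@' and no domain
    "<a..b@mail.example.com>",                     # empty label between dots
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_message_id(sample) or "ok")
    # The standard library builds a conforming value for comparison.
    generated = make_msgid(domain="mail.example.com")
    print(generated, "->", check_message_id(generated) or "ok")
```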
[Declude.JunkMail] INVURIBL WEIGHT?
Hi everyone, I would appreciate hearing some opinions. How heavy are you weighing INVURIBL? Would half of the hold weight be too much weight? Would you hold on INVURIBL alone? Thanks, Dave
[Declude.JunkMail] No Reverse DNS pointer?
Hi Everyone, I have two questions: 1) If a mail server is configured without a reverse DNS pointer, is that enough to prevent email from reaching AOL, Yahoo, Hotmail, etc? 2) Do you block email coming from mail servers with no reverse DNS? Thanks, Dave
RE: [Declude.JunkMail] Filters not triggering - David Barker
Hi David, The filter is not triggering. That IS the issue I am reporting! I provided log snippets showing that the filter does run, but is not triggering. This is the problem I'm requesting help with. Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, April 08, 2008 9:11 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker The expression I gave you does match on (discount. Coupon) in 85% discount. Coupon #zH5d If it is not triggering you may have a different issue. As for the subject you are describing I use the following: SUBJECT 7 PCRE (?i:\d\d%.{0,10} discount.{0,10}#[a-z]{3,5}) BODY 5 PCRE (?i:google.{3,10}pagead/iclk) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Monday, April 07, 2008 8:58 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker David, I implemented your regular expression in the filter and a spam skated right through (filter did not trigger) with the following subject line: 85% discount. Coupon #zH5d Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, April 07, 2008 2:14 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Filters not triggering Spaces before the phrase are not used as the line is normalized. Also the regular CONTAINS is not case sensitive. It would be better to use SUBJECT 0 PCRE (?i:(discount|off).{0,2}Co(upon|de)) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Monday, April 07, 2008 2:42 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Filters not triggering Hi Everyone. I have a filter set up to delete an email if the subject line contains the keyword in the filter. For some odd reason, the filter is not triggering and it really has me baffled. 
I could use some suggestions on this one. The filter is called: Filter_Subject_delete.txt Here are the relevant lines from the filter: SUBJECT 0 contains discount. Code SUBJECT 0 contains discount.Code SUBJECT 0 contains discount. coupon SUBJECT 0 contains discount. Coupon SUBJECT 0 contains discount.coupon SUBJECT 0 contains discount.Coupon SUBJECT 0 contains off .code As you can see, I added some filter lines to test to see if I was running into an issue with the filter not triggering due to case sensitivity. I didn't think the filters were case sensitive, but in trying to debug this problem I checked to see if that was an issue or not. My junkmail config has the following specifying to delete the spam: Filter_Subject_Delete DELETE Here are the headers from the spam that was not deleted: Return-Path: [EMAIL PROTECTED] Mon Apr 07 08:49:57 2008 Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com with SMTP; Mon, 7 Apr 2008 08:49:57 -0500 Message-ID: [EMAIL PROTECTED] From: brit luc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk Date: Mon, 07 Apr 2008 12:34:28 + MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C898BA.05CF202E X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.88.75.224; X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. 
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 59, weight 3) X-Declude-RefID: X-Note: X-Note: Spam Score: [11] X-Note: Scan Time: 08:50:19 on 07 Apr 2008 X-Note: Spool File: 35052863.eml X-Note: Server Name: 224samana75.codetel.net.do X-Note: SMTP Sender: [EMAIL PROTECTED] X-Note: Reverse DNS IP: 224samana75.codetel.net.do [200.88.75.224] X-Note: Recipient(s): [EMAIL PROTECTED] X-Note: Country Chain: DOMINICAN REPUBLIC-destination X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3], WEIGHT10 [10] X-Note: Where it says my.server.com and my.address.com is where I edited info I didn't want posted to the list. Here is the Declude log entries from when the email was scanned: 04/07/2008 08:50:03.527 35052863.eml
RE: [Declude.JunkMail] Filters not triggering - David Barker
Hi David,

Let's hold off for a bit. I just discovered that when I added the filter you provided that it did not actually save the edit. I'm working remotely on the server and I'm guessing the save command never made it to the server. Before I cry wolf I need to make sure it wasn't a stupid user error. :)

Thanks,
Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, April 08, 2008 10:48 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker

Dave,

Do you have a ticket number? If so, email me so I can follow up on the ticket for you - this needs to be addressed with support, not on the lists.

Thanks
David B

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, April 08, 2008 11:32 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker

Hi David,

The filter is not triggering. That IS the issue I am reporting! I provided log snippets showing that the filter does run, but is not triggering. This is the problem I'm requesting help with.

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, April 08, 2008 9:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker

The expression I gave you does match on (discount. Coupon) in

85% discount. Coupon #zH5d

If it is not triggering you may have a different issue.

As for the subject you are describing I use the following:

SUBJECT 7 PCRE (?i:\d\d%.{0,10} discount.{0,10}#[a-z]{3,5})
BODY5 PCRE (?i:google.{3,10}pagead/iclk)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Monday, April 07, 2008 8:58 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filters not triggering - David Barker

David,

I implemented your regular expression in the filter and a spam skated right through (filter did not trigger) with the following subject line:

85% discount. Coupon #zH5d

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, April 07, 2008 2:14 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filters not triggering

Spaces before the phrase are not used as the line is normalized. Also the regular CONTAINS is not case sensitive. It would be better to use

SUBJECT 0 PCRE(?i:(discount|off).{0,2}Co(upon|de))

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Monday, April 07, 2008 2:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Filters not triggering

Hi Everyone.

I have a filter set up to delete an email if the subject line contains the keyword in the filter. For some odd reason, the filter is not triggering and it really has me baffled. I could use some suggestions on this one.

The filter is called: Filter_Subject_delete.txt

Here are the relevant lines from the filter:

SUBJECT 0 containsdiscount. Code
SUBJECT 0 containsdiscount.Code
SUBJECT 0 containsdiscount. coupon
SUBJECT 0 contains discount. Coupon
SUBJECT 0 containsdiscount.coupon
SUBJECT 0 containsdiscount.Coupon
SUBJECT 0 containsoff .code

As you can see, I added some filter lines to test to see if I was running into an issue with the filter not triggering due to case sensitivity.
I didn't think the filters were case sensitive, but in trying to debug this problem I checked to see if that was an issue or not. My junkmail config has the following specifying to delete the spam: Filter_Subject_Delete DELETE Here are the headers from the spam that was not deleted: Return-Path: [EMAIL PROTECTED] Mon Apr 07 08:49:57 2008 Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com with SMTP; Mon, 7 Apr 2008 08:49:57 -0500 Message-ID: [EMAIL PROTECTED] From: brit luc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk Date: Mon, 07 Apr 2008 12:34:28 + MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C898BA.05CF202E X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4
[Declude.JunkMail] Filters not triggering
Hi Everyone. I have a filter set up to delete an email if the subject line contains the keyword in the filter. For some odd reason, the filter is not triggering and it really has me baffled. I could use some suggestions on this one. The filter is called: Filter_Subject_delete.txt Here are the relevant lines from the filter: SUBJECT 0 containsdiscount. Code SUBJECT 0 containsdiscount.Code SUBJECT 0 containsdiscount. coupon SUBJECT 0 contains discount. Coupon SUBJECT 0 containsdiscount.coupon SUBJECT 0 containsdiscount.Coupon SUBJECT 0 containsoff .code As you can see, I added some filter lines to test to see if I was running into an issue with the filter not triggering due to case sensitivity. I didn't think the filters were case sensitive, but in trying to debug this problem I checked to see if that was an issue or not. My junkmail config has the following specifying to delete the spam: Filter_Subject_Delete DELETE Here are the headers from the spam that was not deleted: Return-Path: [EMAIL PROTECTED] Mon Apr 07 08:49:57 2008 Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com with SMTP; Mon, 7 Apr 2008 08:49:57 -0500 Message-ID: [EMAIL PROTECTED] From: brit luc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk Date: Mon, 07 Apr 2008 12:34:28 + MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C898BA.05CF202E X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.88.75.224; X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. 
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 59, weight 3) X-Declude-RefID: X-Note: X-Note: Spam Score: [11] X-Note: Scan Time: 08:50:19 on 07 Apr 2008 X-Note: Spool File: 35052863.eml X-Note: Server Name: 224samana75.codetel.net.do X-Note: SMTP Sender: [EMAIL PROTECTED] X-Note: Reverse DNS IP: 224samana75.codetel.net.do [200.88.75.224] X-Note: Recipient(s): [EMAIL PROTECTED] X-Note: Country Chain: DOMINICAN REPUBLIC-destination X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3], WEIGHT10 [10] X-Note: Where it says my.server.com and my.address.com is where I edited info I didn't want posted to the list. Here is the Declude log entries from when the email was scanned: 04/07/2008 08:50:03.527 35052863.eml CFG: Bypassing IP 127.0.0.1. 04/07/2008 08:50:03.527 35052863.eml CFG: Set hop to 0. 04/07/2008 08:50:03.527 35052863.eml STOPPROCESSINGONFIRSTDELETE: Set to ON 04/07/2008 08:50:10.746 35052863 Last line of headers checking for Recived: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 04/07/2008 08:50:10.746 35052863 About to run spam tests 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start 04/07/2008 08:50:18.980 35052863 DeHTML End: 495:367 ratio=0.425754 04/07/2008 08:50:19.011 35052863 Doing filter file D:\Apps\smartermail\Declude\CustomFilters\Filter_Subject_Delete.txt. 04/07/2008 08:50:19.011 35052863 Filter Filter_Subject_Delete: Not skipping E-mail due to current weight of 11. 04/07/2008 08:50:19.011 35052863 SPAMCOP:7 SPFUNKNOWN:1 Filter_Country:3 . Total weight = 11. I edited some of the log text, but the above is the relevant stuff. We're running declude 4.3.46 on Smartermail 3. Any ideas on why that filter is not triggering? Thanks, Dave --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. 
The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filters not triggering
Hi Darrell,

Yes, there are spaces and/or tabs between the contains and the data that I want to filter on. I was under the understanding that those were ignored?

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, April 07, 2008 2:42 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Filters not triggering

Dave,

I noticed with the relevant lines from the filter posted below some of the lines were indented more than the one line. Is it possible you have extraneous whitespaces between contains and the text you want to filter on?

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Dave Beckstrom wrote:

Hi Everyone.

I have a filter set up to delete an email if the subject line contains the keyword in the filter. For some odd reason, the filter is not triggering and it really has me baffled. I could use some suggestions on this one.

The filter is called: Filter_Subject_delete.txt

Here are the relevant lines from the filter:

SUBJECT 0 containsdiscount. Code
SUBJECT 0 containsdiscount.Code
SUBJECT 0 containsdiscount. coupon
SUBJECT 0 contains discount. Coupon
SUBJECT 0 containsdiscount.coupon
SUBJECT 0 containsdiscount.Coupon
SUBJECT 0 containsoff .code

As you can see, I added some filter lines to test to see if I was running into an issue with the filter not triggering due to case sensitivity. I didn't think the filters were case sensitive, but in trying to debug this problem I checked to see if that was an issue or not.
My junkmail config has the following specifying to delete the spam: Filter_Subject_Delete DELETE Here are the headers from the spam that was not deleted: Return-Path: [EMAIL PROTECTED] Mon Apr 07 08:49:57 2008 Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com with SMTP; Mon, 7 Apr 2008 08:49:57 -0500 Message-ID: [EMAIL PROTECTED] From: brit luc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk Date: Mon, 07 Apr 2008 12:34:28 + MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C898BA.05CF202E X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.88.75.224; X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 59, weight 3) X-Declude-RefID: X-Note: X-Note: Spam Score: [11] X-Note: Scan Time: 08:50:19 on 07 Apr 2008 X-Note: Spool File: 35052863.eml X-Note: Server Name: 224samana75.codetel.net.do X-Note: SMTP Sender: [EMAIL PROTECTED] X-Note: Reverse DNS IP: 224samana75.codetel.net.do [200.88.75.224] X-Note: Recipient(s): [EMAIL PROTECTED] X-Note: Country Chain: DOMINICAN REPUBLIC-destination X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3], WEIGHT10 [10] X-Note: Where it says my.server.com and my.address.com is where I edited info I didn't want posted to the list. Here is the Declude log entries from when the email was scanned: 04/07/2008 08:50:03.527 35052863.eml CFG: Bypassing IP 127.0.0.1. 04/07/2008 08:50:03.527 35052863.eml CFG: Set hop to 0. 
04/07/2008 08:50:03.527 35052863.eml STOPPROCESSINGONFIRSTDELETE: Set to ON 04/07/2008 08:50:10.746 35052863 Last line of headers checking for Recived: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 04/07/2008 08:50:10.746 35052863 About to run spam tests 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start 04/07/2008 08:50:18.980 35052863 DeHTML End: 495:367 ratio=0.425754 04/07/2008 08:50:19.011 35052863 Doing filter file D:\Apps\smartermail\Declude\CustomFilters\Filter_Subject_Delete.txt. 04/07/2008 08:50:19.011 35052863 Filter Filter_Subject_Delete: Not skipping E-mail due to current weight of 11. 04/07/2008 08:50:19.011 35052863 SPAMCOP:7 SPFUNKNOWN:1 Filter_Country:3 . Total weight = 11. I edited some of the log text, but the above is the relevant stuff. We're running declude 4.3.46 on Smartermail 3. Any ideas on why that filter
RE: [Declude.JunkMail] Filters not triggering
Darrell,

Thanks. I removed all spaces and now have only tabs. We'll see if that does the trick! I also implemented David's suggestion for using the regular expression. I like elegant solutions!

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, April 07, 2008 3:40 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Filters not triggering

Dave,

From my experience I have had a number of problems with spaces that would cause my filter files not to trigger. I have since stopped using spaces and started using tabs like below and it has stopped any of the issues I had in the past.

SUBJECT<tab>0<tab>CONTAINS<tab>coupon<crlf>

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Dave Beckstrom wrote:

Hi Darrell,

Yes, there are spaces and/or tabs between the contains and the data that I want to filter on. I was under the understanding that those were ignored?

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, April 07, 2008 2:42 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Filters not triggering

Dave,

I noticed with the relevant lines from the filter posted below some of the lines were indented more than the one line. Is it possible you have extraneous whitespaces between contains and the text you want to filter on?

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Dave Beckstrom wrote:

Hi Everyone.

I have a filter set up to delete an email if the subject line contains the keyword in the filter. For some odd reason, the filter is not triggering and it really has me baffled.
I could use some suggestions on this one. The filter is called: Filter_Subject_delete.txt Here are the relevant lines from the filter: SUBJECT 0 containsdiscount. Code SUBJECT 0 containsdiscount.Code SUBJECT 0 containsdiscount. coupon SUBJECT 0 contains discount. Coupon SUBJECT 0 containsdiscount.coupon SUBJECT 0 containsdiscount.Coupon SUBJECT 0 containsoff .code As you can see, I added some filter lines to test to see if I was running into an issue with the filter not triggering due to case sensitivity. I didn't think the filters were case sensitive, but in trying to debug this problem I checked to see if that was an issue or not. My junkmail config has the following specifying to delete the spam: Filter_Subject_Delete DELETE Here are the headers from the spam that was not deleted: Return-Path: [EMAIL PROTECTED] Mon Apr 07 08:49:57 2008 Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com with SMTP; Mon, 7 Apr 2008 08:49:57 -0500 Message-ID: [EMAIL PROTECTED] From: brit luc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk Date: Mon, 07 Apr 2008 12:34:28 + MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C898BA.05CF202E X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.88.75.224; X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. 
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 59, weight 3) X-Declude-RefID: X-Note: X-Note: Spam Score: [11] X-Note: Scan Time: 08:50:19 on 07 Apr 2008 X-Note: Spool File: 35052863.eml X-Note: Server Name: 224samana75.codetel.net.do X-Note: SMTP Sender: [EMAIL PROTECTED] X-Note: Reverse DNS IP: 224samana75.codetel.net.do [200.88.75.224] X-Note: Recipient(s): [EMAIL PROTECTED] X-Note: Country Chain: DOMINICAN REPUBLIC-destination X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3], WEIGHT10 [10] X-Note: Where it says my.server.com and my.address.com is where I edited info I didn't want posted to the list. Here is the Declude log entries from when the email was scanned: 04/07/2008 08:50:03.527 35052863.eml CFG
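An offline check for the two points raised in this thread (David Barker's PCRE lines and Darrell's tab-only delimiter advice), as an added example that is not code from the posters or from Declude. The field parsing and the `lint`/`evaluate` helpers are assumptions made for illustration, Python's `re` stands in for PCRE, and the last two subjects are constructed.

```python
import re

# Filter lines built from the patterns posted in the thread. Lines 1-2 are
# tab-delimited; line 3 is space-delimited on purpose (constructed) so the
# delimiter lint has something to report.
FILTER_LINES = [
    "\t".join(["SUBJECT", "0", "PCRE", r"(?i:(discount|off).{0,2}Co(upon|de))"]),
    "\t".join(["SUBJECT", "7", "PCRE", r"(?i:\d\d%.{0,10} discount.{0,10}#[a-z]{3,5})"]),
    "SUBJECT 0 CONTAINS    discount. Coupon",
]

SUBJECTS = [
    "85% discount. Coupon #zH5d",      # quoted in the thread
    "81% discount. Coupon #2IJk",      # quoted in the thread
    "50% discount. Coupon #abcd",      # constructed: letters-only coupon code
    "Turn off code signing warnings",  # constructed: legitimate mail
]


def parse_rule(line):
    """Split one filter line into FIELD, WEIGHT, OP, PATTERN and lint it.

    Assumption: four fields per line. This is not Declude's own parser.
    """
    text = line.rstrip("\r\n")
    warnings = []
    parts = text.split("\t")
    if len(parts) != 4:
        # Not cleanly tab-delimited: fall back to generic whitespace
        # splitting so the rule can still be evaluated, but flag the line.
        parts = text.split(None, 3)
        warnings.append("fields are not separated by single tabs")
    if len(parts) != 4:
        raise ValueError("expected FIELD WEIGHT OP PATTERN: %r" % line)
    field, weight, op, pattern = parts
    if pattern != pattern.strip():
        warnings.append("pattern has leading or trailing whitespace")
    return {"field": field.upper(), "weight": int(weight), "op": op.upper(),
            "pattern": pattern.strip(), "warnings": warnings}


def rule_matches(rule, subject):
    """Apply one parsed rule to a subject line."""
    if rule["op"] == "CONTAINS":
        # Per the thread, the regular CONTAINS test is not case sensitive.
        return rule["pattern"].lower() in subject.lower()
    if rule["op"] == "PCRE":
        return re.search(rule["pattern"], subject) is not None
    raise ValueError("unsupported operator: %s" % rule["op"])


def evaluate(lines, subjects):
    """Return {subject: [1-based numbers of the filter lines that fire]}."""
    rules = [parse_rule(line) for line in lines]
    return {s: [n for n, r in enumerate(rules, 1) if rule_matches(r, s)]
            for s in subjects}


def lint(lines):
    """Return {1-based line number: warnings} for lines with delimiter issues."""
    found = {}
    for n, line in enumerate(lines, 1):
        warnings = parse_rule(line)["warnings"]
        if warnings:
            found[n] = warnings
    return found


if __name__ == "__main__":
    for subject, fired in evaluate(FILTER_LINES, SUBJECTS).items():
        print("%-34s fires lines %s" % (subject, fired))
    print("lint:", lint(FILTER_LINES))
```

As the patterns appear on this page, the weight-7 line needs three to five letters straight after `#`, so it fires only on the constructed letters-only code, and the weight-0 pattern also fires on the constructed legitimate subject, which matters when the filter's action is DELETE.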
RE: [Declude.JunkMail] OT: Yahoo Blocking Email
Hi Matt, Thanks. That was the form I submitted several weeks ago. It didn't get me anywhere. It sure is frustrating! Dave _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, February 25, 2008 11:27 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email That's not the correct page, that page is primarily for bulk E-mail senders so that they can keep their lists clean. Use this page instead. At the bottom is a link to the form that starts the process: http://help.yahoo.com/l/us/yahoo/mail/postmaster/basics-55.html I would guess that it is going to be the Yahoo! Mail Unblock Request Form. This is the same form that I filled out previously for a client. Matt Robert Grosshandler wrote: http://help.yahoo.com/l/us/yahoo/mail/postmaster/ Third bullet down. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Thursday, February 21, 2008 12:59 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email Rob, We are using domain keys and reverse DNS as well as SPF records. Do you have a link to where I would request the whitelisting? Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Thursday, February 21, 2008 12:21 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email More. Yahoo has whitelisting, and really cares about reverse DNS pointers and Domain Keys. You might want to resubmit, they were fast for us way back when. Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, February 21, 2008 12:01 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email And as a further best practice to what Matt is advising, I'll mention that ideally you want to send all outbound mail from an IP that is different from your inbound gateways. 
And that your outbound bulk mail would be separate from both. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, February 21, 2008 9:41 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email I did this once about a year and a half ago for a client and they responded fairly quickly, but the full process took about a month before they whitelisted it. If you are bulk mailing from your hosted mail server, you need to stop. Never send bulk E-mail from a hosted mail server, and it is also good to use a different domain for bulk mailing. I'm not saying that is the case here, but bulk mailing can trip Yahoo. In the mean time, you might want to see if you can just switch your IP address to see if that will work. Matt Dave Beckstrom wrote: Hi All, Has anyone figured out how to stop Yahoo from blocking email? They've blocked all email from our servers for about 3 weeks. I've submitted their forms but it hasn't done any good. Dave
[Declude.JunkMail] OT: Yahoo Blocking Email
Hi All, Has anyone figured out how to stop Yahoo from blocking email? They've blocked all email from our servers for about 3 weeks. I've submitted their forms but it hasn't done any good. Dave
RE: [Declude.JunkMail] OT: Yahoo Blocking Email
Rob, We are using domain keys and reverse DNS as well as SPF records. Do you have a link to where I would request the whitelisting? Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Thursday, February 21, 2008 12:21 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email More. Yahoo has whitelisting, and really cares about reverse DNS pointers and Domain Keys. You might want to resubmit, they were fast for us way back when. Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, February 21, 2008 12:01 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] OT: Yahoo Blocking Email And as a further best practice to what Matt is advising, I'll mention that ideally you want to send all outbound mail from an IP that is different from your inbound gateways. And that your outbound bulk mail would be separate from both. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, February 21, 2008 9:41 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] OT: Yahoo Blocking Email I did this once about a year and a half ago for a client and they responded fairly quickly, but the full process took about a month before they whitelisted it. If you are bulk mailing from your hosted mail server, you need to stop. Never send bulk E-mail from a hosted mail server, and it is also good to use a different domain for bulk mailing. I'm not saying that is the case here, but bulk mailing can trip Yahoo. In the mean time, you might want to see if you can just switch your IP address to see if that will work. Matt Dave Beckstrom wrote: Hi All, Has anyone figured out how to stop Yahoo from blocking email? They've blocked all email from our servers for about 3 weeks. I've submitted their forms but it hasn't done any good. 
Dave
RE: [Declude.JunkMail] Blackice Server Settings
Wow, I posted those instructions a long time ago. I didn't know so many people ended up running blackice! I have no plans to replace blackice until a server upgrade means it won't run any more. Hopefully that won't be for several years.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.)
Sent: Friday, January 04, 2008 12:59 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Blackice Server Settings

ISS no longer supports blackice and it is no longer in production, what are users replacing it with?

Howard Smith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Wednesday, September 27, 2006 5:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is!

Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on MY COMPUTER then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services.

Next, you can install Blackice. When you install Blackice server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install blackice you can go into the GUI and go to the firewall tab and under protection level you can select

trusting: allow all inbound traffic

Blackice should run without causing you any trouble so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail. Also, you can always stop the Blackice service if you hit a problem. Blackice does its thing by watching traffic across the network card. If you stop Blackice then it's effectively as if Blackice isn't installed on the server. When the service is stopped Blackice is gone and all is back as it was before.

Attached is the issuelist.csv file which comes with Blackice server. Blackice uses this file as a database of different types of attacks. Line 227 had to be modified to indicate an action of IP|RST. The IP|RST tells Blackice to block the IP of the attacker as the action to take. Ignore the comments to the far right of line 227. The comments say to block the attacker if they attempt to send email to 10 non-existent email addresses within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All you need to change in this file is to add IP|RST to line 227. The attached file already has the change. It is from the most current version of Blackice so if you just bought Blackice you can move the attached file into the Blackice directory and you're good to go.

Next, in the Blackice GUI you'll want to go to the firewall tab and put a checkmark in front of

Enable Auto Blocking

The GUI updates the firewall.ini file to tell Blackice that auto-blocking is enabled. The line in my firewall.ini is the following:

auto-blocking = enabled, 2000, BIgui

Next, go to the blackice.ini file and manually edit it to add the following 4 lines:

smtp.error.count=6
smtp.error.interval=30
pam.smtp.error.count=6
pam.error.interval=30

The above settings in blackice.ini tell Blackice that if it detects an attempt to send to 6 non-existent email addresses within 30 seconds then it should activate the Email_Error action in line 227 of issuelist.csv. We set the action to be IP|RST (in issuelist.csv) which specifies that the IP should be blocked. So if the QTY/Timeframe is met, the IP is blocked.

The block of the IP will automatically go away after a specified time. This is good because an IP is never permanently blocked forever. I believe the IP is removed from the blocklist after 24 hours. I have to find where you specify the length of time that the IP should remain blocked. I'll post that when I find it.

Also, on those 4 config lines above you can obviously choose how aggressive you want to be at blocking email harvesting by setting a different error.count and error.interval. I figured 6 attempts at bad addresses in 30 seconds was most certainly someone trying to guess email addresses on our servers.

Another thing that you will want to do is go
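The count-within-interval rule described in this post (6 bad recipients in 30 seconds, then a temporary block), modelled as an added example so a threshold can be tried against log data before it is deployed. This is not Blackice code: the log format, the use of SMTP reply code 550 as the "non-existent address" signal and the 24-hour expiry are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

ERROR_COUNT = 6            # smtp.error.count from the post
ERROR_INTERVAL = 30        # smtp.error.interval from the post, in seconds
BLOCK_SECONDS = 24 * 3600  # assumption: the post only says "I believe ... 24 hours"

# Constructed sample, one event per line: "<seconds> <client-ip> <reply-code>".
# The addresses come from the documentation ranges.
SAMPLE_LOG = [
    "0 192.0.2.10 550", "0 198.51.100.7 550", "2 203.0.113.5 250",
    "4 192.0.2.10 550", "8 192.0.2.10 550", "10 198.51.100.7 550",
    "12 192.0.2.10 550", "16 192.0.2.10 550", "20 192.0.2.10 550",
    "20 198.51.100.7 550", "24 192.0.2.10 550", "28 192.0.2.10 550",
    "35 198.51.100.7 550", "50 198.51.100.7 550", "65 198.51.100.7 550",
    "66 203.0.113.5 550",
]


def parse_event(line):
    """Parse one constructed log line into (timestamp, ip, reply_code)."""
    ts, ip, code = line.split()
    return float(ts), ip, int(code)


def detect_harvesting(lines, count=ERROR_COUNT, interval=ERROR_INTERVAL,
                      block_seconds=BLOCK_SECONDS):
    """Return (blocks, dropped).

    blocks  -- list of (ip, time the block started), in the order they fired
    dropped -- number of events ignored because their source was blocked
    """
    recent = defaultdict(deque)  # ip -> times of recent unknown-recipient errors
    blocked_until = {}           # ip -> time at which the block expires
    blocks = []
    dropped = 0
    for line in lines:
        ts, ip, code = parse_event(line)
        if blocked_until.get(ip, 0) > ts:
            dropped += 1         # traffic from a blocked source never reaches SMTP
            continue
        if code != 550:
            continue             # only rejected recipients count toward the rule
        window = recent[ip]
        window.append(ts)
        # Keep only the errors that fall inside the sliding interval.
        while ts - window[0] > interval:
            window.popleft()
        if len(window) >= count:
            blocked_until[ip] = ts + block_seconds
            blocks.append((ip, ts))
            window.clear()       # start counting afresh once the block expires
    return blocks, dropped


if __name__ == "__main__":
    print(detect_harvesting(SAMPLE_LOG))
    print(detect_harvesting(SAMPLE_LOG, count=3))
```

With the posted settings only the burst from 192.0.2.10 is blocked. Lowering the count to 3 also blocks the slower sender at 198.51.100.7, which shows how the two values trade sensitivity against blocking hosts that simply have a few stale addresses.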
RE: [Declude.JunkMail] Interesting Spam
I used www.betterwhois.com and the whois service at www.netsol.com and neither showed the domains had been registered. Guess I'll have to try your site. Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, September 06, 2007 6:41 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Interesting Spam Well, the easy part is answering your question about the domains. Each of the payload domains was registered today, so whatever service you're using to look up the registrations is probably using a database at least a day behind. I use (for example) this site to my satisfaction: http://whois.domaintools.com/sdsdm.com Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Thursday, September 06, 2007 3:07 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Interesting Spam We're getting a rash of spam that doesn't score high enough to be blocked. In the past I've looked up the domain owner of the site listed in the spam and been able to identify sometimes dozens of domains owned by the spammer, then I've put that list into a filter and blocked the domains before they were all used in new spam sent to us. I did a whois on some of the domains and they all show as available and unregistered. Yet when I go to the domain, it does take me to the spammers site. How can these domains be functional and show as available to be registered at the same time? Below is a paste of one of the spams. I added 3 additional domains that have appeared in this same asshole's spam so that you can see the pattern of domains he is using. How do I block these? 
Dave X-Note: X-Note: Spam Score: [18] X-Note: Scan Time: 16:47:18 on 06 Sep 2007 X-Note: Spool File: 35111367.eml X-Note: Server Name: dsl88-233-31730.ttnet.net.tr X-Note: SMTP Sender: [EMAIL PROTECTED] X-Note: Reverse DNS IP: dsl88-233-31730.ttnet.net.tr [88.233.123.242] X-Note: Country Chain: TURKEY-destination X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5], SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14] X-Note: -Original Message- From: Tam Genois [mailto:[EMAIL PROTECTED] Sent: Thursday, September 06, 2007 1:15 PM Subject: [SPAM]- Score (12)tuile How it is going Genois Do you want to have an average to small penis all of your life? No, you don't dae Hays http://soltepec.com/ http://selenan.com/ http://www.seriia.com/ http://www.sdsdm.com/
RE: [Declude.JunkMail] Interesting Spam
Found out that invURIBL wasn't working correctly on my server. It was finding the wrong IP address for the DNS server. Once I fixed that, all of those spams suddenly ceased from being delivered to our inboxes! *grin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, September 06, 2007 6:58 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Interesting Spam

I use a command line tool from www.whoisview.com that works well for both domains and IP blocks. Occasionally I run into a domain that doesn't resolve, but when that happens I also have trouble from registrar sites like netsol and godaddy. www.freewho.com generally works well, though.

Darin.

----- Original Message -----
From: Colbeck, Andrew [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, September 06, 2007 7:40 PM
Subject: RE: [Declude.JunkMail] Interesting Spam

Well, the easy part is answering your question about the domains. Each of the payload domains was registered today, so whatever service you're using to look up the registrations is probably using a database at least a day behind. I use (for example) this site to my satisfaction: http://whois.domaintools.com/sdsdm.com

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, September 06, 2007 3:07 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting Spam

We're getting a rash of spam that doesn't score high enough to be blocked. In the past I've looked up the domain owner of the site listed in the spam and been able to identify sometimes dozens of domains owned by the spammer, then I've put that list into a filter and blocked the domains before they were all used in new spam sent to us.

I did a whois on some of the domains and they all show as available and unregistered. Yet when I go to the domain, it does take me to the spammer's site. How can these domains be functional and show as available to be registered at the same time?

Below is a paste of one of the spams. I added 3 additional domains that have appeared in this same asshole's spam so that you can see the pattern of domains he is using. How do I block these?

Dave

X-Note:
X-Note: Spam Score: [18]
X-Note: Scan Time: 16:47:18 on 06 Sep 2007
X-Note: Spool File: 35111367.eml
X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: dsl88-233-31730.ttnet.net.tr [88.233.123.242]
X-Note: Country Chain: TURKEY-destination
X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5], SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
X-Note:

-----Original Message-----
From: Tam Genois [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 06, 2007 1:15 PM
Subject: [SPAM]- Score (12)tuile

How it is going Genois Do you want to have an average to small penis all of your life? No, you don't dae Hays

http://soltepec.com/
http://selenan.com/
http://www.seriia.com/
http://www.sdsdm.com/
[Declude.JunkMail] Interesting Spam
We're getting a rash of spam that doesn't score high enough to be blocked. In the past I've looked up the domain owner of the site listed in the spam and been able to identify sometimes dozens of domains owned by the spammer, then I've put that list into a filter and blocked the domains before they were all used in new spam sent to us.

I did a whois on some of the domains and they all show as available and unregistered. Yet when I go to the domain, it does take me to the spammer's site. How can these domains be functional and show as available to be registered at the same time?

Below is a paste of one of the spams. I added 3 additional domains that have appeared in this same asshole's spam so that you can see the pattern of domains he is using. How do I block these?

Dave

X-Note:
X-Note: Spam Score: [18]
X-Note: Scan Time: 16:47:18 on 06 Sep 2007
X-Note: Spool File: 35111367.eml
X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: dsl88-233-31730.ttnet.net.tr [88.233.123.242]
X-Note: Country Chain: TURKEY-destination
X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5], SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
X-Note:

-----Original Message-----
From: Tam Genois [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 06, 2007 1:15 PM
Subject: [SPAM]- Score (12)tuile

How it is going Genois Do you want to have an average to small penis all of your life? No, you don't dae Hays

http://soltepec.com/
http://selenan.com/
http://www.seriia.com/
http://www.sdsdm.com/
RE: [Declude.JunkMail] New PDF worm?
I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
RE: [Declude.JunkMail] New PDF worm?
David, I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
RE: [Declude.JunkMail] New PDF worm?
Thanks. I'll give it a try.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David, I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
RE: [Declude.JunkMail] New PDF worm?
It didn't work.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David. We'll (ok, I'll) give it a whirl!

Todd

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David, I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
RE: [Declude.JunkMail] New PDF worm?
No, didn't trigger at all.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 9:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Did it trigger at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 9:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

It didn't work.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Tuesday, August 07, 2007 6:39 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Thanks David. We'll (ok, I'll) give it a whirl!

Todd

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Ok this should hold it over till I can look at it some more tomorrow.

David

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 6:45 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

This is not an easy one I will see what I can get done before I leave today.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 5:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

David, I just sent you a bunch of samples. If you can update the filter before you knock off for the day I'd appreciate it. We've probably had 50 of them get through already today.

Thanks,
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, August 07, 2007 4:03 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

From reports today looks like the filter needs to be updated. Can you send me some examples as attachments.

David B

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, August 07, 2007 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

I installed the filter below and we've had about 50 PDFs that came through today. Does the filter need to be revised or is there some other method I should be looking into using?

Thanks!
Dave

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, July 02, 2007 12:35 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

Create a filter eg FILTER-PDF.txt and use the following lines. Adjust your weights accordingly. Also ensure you are running Declude 4.3.46

BODY 3 PCRE (JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo)
BODY 5 PCRE (-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)+(?:\r\n){1,}-+[0-9]+\r\n(?:[a-zA-Z\-]+: [^\r]+\r\n)*Content-Type: application/pdf;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katie LaSalle-Lowery
Sent: Monday, July 02, 2007 1:28 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New PDF worm?

We've been suffering .pdf spam getting through the filter. What settings are you using that's identifying these as spam? We're seeing an overall increase in spam getting through the filter the last few weeks...

Thanks,
Katie

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, June 27, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] New PDF worm?

I'm getting gobs of PDF's snagged in my antispam filter, they're not triggering any AV yet, anyone else seeing this?

SJ.Stanaitis - Network Administrator
Decorative Product Source, Inc.
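What the BODY 3 PCRE rule quoted in this thread matches, as an added Python example (not code from the list or from Declude): the literal is the base64 form of one specific PDF header, so an attachment with different leading bytes encodes differently, while a check on the decoded attachment does not depend on the exact header. The sample messages are constructed, and treating the rule as a literal search over the raw, still-encoded body is an assumption.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Base64 literal copied from the thread's "BODY 3 PCRE (...)" rule.
RULE_SIGNATURE = "JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCjIgMCBvYmo"


def decode_signature(sig=RULE_SIGNATURE):
    """Return the bytes the base64 literal stands for (padding restored)."""
    return base64.b64decode(sig + "=" * (-len(sig) % 4))


def build_message(attachment, filename, subtype="pdf"):
    """Build a constructed test message carrying one base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application",
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


def raw_signature_hit(raw):
    """Assumed rule behaviour: literal search over the encoded message."""
    return RULE_SIGNATURE.encode("ascii") in raw


def decoded_pdf_parts(raw):
    """Decode each leaf MIME part; list the ones whose content is a PDF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Readers accept the "%PDF-" marker near the start of the file,
        # so search the first 1 KiB instead of requiring offset 0.
        if b"%PDF-" in payload[:1024]:
            found.append(part.get_filename() or "(unnamed)")
    return found


def check_message(raw):
    """Compare the encoded-literal rule with the decoded-content check."""
    return {"raw_signature": raw_signature_hit(raw),
            "pdf_parts": decoded_pdf_parts(raw)}


# Constructed samples (not taken from real spam).
SAME_HEADER = build_message(
    decode_signature() + b"\n<<\n>>\nendobj\n%%EOF\n", "a.pdf")
OTHER_HEADER = build_message(
    b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n", "b.pdf")
GENERIC_TYPE = build_message(
    b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n", "c.bin",
    subtype="octet-stream")

if __name__ == "__main__":
    print("rule literal decodes to:", decode_signature())
    for name, raw in (("same header", SAME_HEADER),
                      ("other header", OTHER_HEADER),
                      ("generic content type", GENERIC_TYPE)):
        print(name, check_message(raw))
```

The third sample is declared as application/octet-stream, which a rule keyed to the `Content-Type: application/pdf;` header (the BODY 5 line) would not see either; the decoded check still reports it.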
RE: [Declude.JunkMail] Spam Increase?
Sorry guys...I've not been able to stay on top of discussions here for a few weeks and I'm sure I missed discussion about how you're catching the PDF spam. Does someone have a filter they are using for PDF spam that they could post for me?

Thanks,
Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, August 03, 2007 10:25 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Increase?

I think we started seeing it last Saturday... pretty constant since then. Fortunately it's almost entirely being caught so our customers are not seeing it.

Darin.

----- Original Message -----
From: John T (lists) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Friday, August 03, 2007 6:19 PM
Subject: RE: [Declude.JunkMail] Spam Increase?

I actually saw it ramping up since last weekend and every day there has been a change or 2 in the spam to keep it from being caught.

John T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Friday, August 03, 2007 2:35 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Spam Increase?

Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox.

Todd
[Declude.JunkMail] OT: Yahoo Email Problems
Sorry about the off-topic post. This is the only email server software related list that I am on.

I tried to send a couple of emails to a Yahoo group and received this message back:

Reason: Remote host said: 451 qq unable to read configuration (#4.3.0)

Is that a problem with Yahoo or are they blocking email from me? It looks to me like a problem with Yahoo, but I thought I'd run it by you to see what you thought.

Thanks,
Dave
RE: [Declude.JunkMail] Image spam
I'm confused. I understood that if you host multiple email domains on a mail server that you're considered a hosting company and can't purchase commtouch? At least I vaguely recall something to that effect. I checked Declude's site and I don't see commtouch listed on there anywhere (it used to be) other than under technology partners. Obviously, I'm missing something. So what is the scoop?

I need an image spam solution. I followed this discussion, but I didn't see much talk about what people are actually using that currently works well for them. I would most appreciate it if you would share your method for dealing with image spam. We have one particular spam that comes through multiple times every day. It's getting tiring. There aren't enough other things wrong with the message to block it.

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kelly Scotto
Sent: Wednesday, February 21, 2007 1:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Thank you I will check these out.

Kelly

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to exact-match recurrent patterns across similar but not-identical messages. However in the case of images, the minute the spammer makes even the smallest changes to an image, the image-encoded data appears completely different. Commtouch identified this trend in the earliest days of image-based spam, and made the necessary enhancements to its detection engine in order to defend against this new threat with a sophisticated protection shield. Commtouch invested significant resources into developing a method for decoding the images and then sampling them using the proven RPD approach. The result is a significantly improved spam detection rate, while maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the MSRBL-Images.hdb file, which has additional signatures (MD5 sigs) created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contain images, increasing the weight sufficiently on spam messages to reach the spam threshold.

#EXCEPTIONS
BODY END NOTCONTAINS cid:
BODY END NOTCONTAINS Content-Type: image/
#IMAGES
BODY 3 CONTAINS src=3Dcid:
BODY 3 CONTAINS src=cid:
BODY 3 CONTAINS src='cid:
BODY 3 CONTAINS img src=cid:
BODY 3 CONTAINS img src=3Dcid:
BODY 3 CONTAINS /cid:
#IMAGE TYPES
BODY 2 CONTAINS Content-Type: image/gif;
BODY 2 CONTAINS Content-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE external nonzero [path]\Declude\VSIMAGE\imgspamagent.exe -check 40

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kelly Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam

Has there been a declude filter created for blocking or identifying image spam? If so can somebody post it for me to try.

Thank You,
Kelly
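Methods 2 and 3 in the reply above behave very differently once an image is altered. The Python below is an added example, not code from the post, Declude, ClamAV or MSRBL: it hashes each image part into ClamAV's `MD5:size:name` .hdb form and, separately, applies a structural check modelled on FILTER-CID. The sample message, the signature name and every function name are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# After MIME decoding, the filter's "src=3Dcid:" (quoted-printable) and
# "src=cid:" variants both appear as src=cid: in the HTML body.
CID_REF = re.compile(r"""src\s*=\s*["']?cid:""", re.IGNORECASE)

# Constructed stand-in for a spam image, and a copy with one byte changed.
SAMPLE_GIF = b"GIF89a" + bytes(range(64))
MUTATED_GIF = SAMPLE_GIF[:-1] + b"\x00"


def build_message(image_bytes):
    """Constructed sample: an HTML mail whose content is one inline image."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("see image")
    msg.add_alternative('<html><body><img src="cid:img1"></body></html>',
                        subtype="html")
    msg.get_payload()[1].add_related(image_bytes, maintype="image",
                                     subtype="gif", cid="<img1>")
    return msg.as_bytes()


def image_parts(raw):
    """Return the decoded bytes of every image/* part in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [part.get_payload(decode=True) for part in msg.walk()
            if part.get_content_maintype() == "image"]


def hdb_line(data, name):
    """Format one ClamAV .hdb entry: MD5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(lines):
    """Parse .hdb lines into {(md5, size): name}, skipping malformed lines."""
    db = {}
    for line in lines:
        fields = line.strip().split(":", 2)
        if len(fields) == 3 and fields[1].isdigit():
            db[(fields[0].lower(), int(fields[1]))] = fields[2]
    return db


def scan(raw, db):
    """Exact-match scan (method 2): names of signatures hit by image parts."""
    hits = []
    for data in image_parts(raw):
        key = (hashlib.md5(data).hexdigest(), len(data))
        if key in db:
            hits.append(db[key])
    return hits


def references_inline_image(raw):
    """Structural check (method 3): HTML references cid: and an image exists."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_image = has_cid_ref = False
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_type() == "text/html":
            has_cid_ref = has_cid_ref or bool(CID_REF.search(part.get_content()))
    return has_image and has_cid_ref


if __name__ == "__main__":
    db = load_hdb([hdb_line(SAMPLE_GIF, "Constructed.Image.Spam")])
    for label, img in (("original", SAMPLE_GIF), ("mutated", MUTATED_GIF)):
        raw = build_message(img)
        print(label, scan(raw, db), references_inline_image(raw))
```

The exact-hash lookup misses the one-byte variant while the structural check still fires, which is why the filter only adds weight: legitimate mail with inline images matches it too.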
RE: [Declude.JunkMail] Need help - mail server sending out stock reports email - process found ssm
Our black ice display has been showing: [Suspicious Activity] This signature detects PE/COFF executable files that have been packed using the UPX tool. While the presence of a UPX packed executable does not in itself represent an attack, it can be considered an anomaly. The UPX tool is commonly used to pack trojans and malware, while it is somewhat uncommon for the tool to be used to distribute legitimate We started seeing hundreds of these being caught by blackice server, starting about a week ago. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.) Sent: Wednesday, February 07, 2007 6:14 PM To: declude.junkmail@declude.com Cc: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Need help - mail server sending out stock reports email - process found ssm Hello All Justin Moose , hit it on the nail it was an worm process ssm , for info it bypass imail completely thus it was nor in any logs , so declude could not help . We do not know how it got there, but it show up on 1/28/7 then when dormant until 2/5/7 . Please explain how blackice will help and has anyone ever used winshark by advances inc . Howard Smith N.O.R.A.D. Inc. P.O. Box 680116 Miami, Florida 33168 www.norad.com http://www.norad.com/ [EMAIL PROTECTED] Office - (305) NETWORK (638-9675) Sales - (786) 206-0045 Fax 1 - (305) 359-5144 Confidentiality Notice: This email message, including any Attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact [EMAIL PROTECTED] by email and destroy all copies of the original message. 
_ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Moose Sent: Wednesday, February 07, 2007 6:11 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Need hep - mail server sending out stock reports email I called Howard on this, but for everyone else's info, if you are seeing this, look for ssm.exe to be a running process. I found this on an Imail server that I administer for another company this morning. The file was showing processing time in the task manager and showed up on the Services list at Security Systems Manager, but the file had a modified date of 2/5/07 and no updated had been done on that server for over a week. Stopping this service stopped the junk messages from going out. Neither F-prot or Symantec showed this file as a virus; however I did submit it to Symantec for analysis. Justin Moose Information Technology Manager Sioux Valley Energy DID: (605) 256-1644 Fax: (605) 256-1690 Toll Free: (800) 234 1960 _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.) Sent: Wednesday, February 07, 2007 4:24 PM To: declude.junkmail@declude.com Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [Declude.JunkMail] Need hep - mail server sending out stock reports email Running imail 8.15,sniffer and declude - starting on 2/6/7 my mail server start sending out the stock reports email , even when I stop the imail smtp process , nothing is in the Imail logs indicating problems . I have ran full scans with frprot and Symantec . Need help please , I have already made the spamcop blacklist Howard Smith N.O.R.A.D. Inc. P.O. Box 680116 Miami, Florida 33168 www.norad.com http://www.norad.com/ [EMAIL PROTECTED] Office - (305) NETWORK (638-9675) Sales - (786) 206-0045 Fax 1 - (305) 359-5144 Confidentiality Notice: This email message, including any Attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. 
RE: [Declude.JunkMail] SmarterMail 4.0 is released
SmarterTools just released the next major version of SmarterMail. It has been rewritten in ASP.NET 2.0 from which they claim across the board performance improvements. Major new features include greylisting and built-in ClamAV, as well as better features for use as a gateway. For a list of new features see http://www.smartertools.com/Products/SmarterMail/WhyUpgrade.aspx

The release notes say nothing about implementing enhancement requests to the list server. You may recall we discussed the problem here regarding AOL stripping off contact information for people who report email to AOL as spam. Every message sent to my listserv discussion list results in TOS violations from AOL. I cannot identify who reported the email as spam and remove them from the listserv. Then AOL blocks us from sending any email to anyone on AOL for about 24 hours. What a great position for a business to be in, eh? I spoke (again) to Grady, the smartermail product manager, about this issue about 6 months ago. To say that I am frustrated and disappointed, that no mention is made anywhere in the version release notes of changes made to the listserv, is an understatement. I have been talking to them about this issue for well over 2 years. I'm rather pissed off.
[Declude.JunkMail] Image Spam
Sniffer tags some of the image spam we receive but much of it doesn't score high enough for a hold weight. Is Declude or anyone else working on anything new that will be more effective at catching image spam? We're not eligible for Interceptor because we host email for some other companies. What options are available?
[Declude.JunkMail] OT: Yahoo delivery problems
Hi Everyone,

This isn't a Declude question but with all of the expertise here I knew someone could help. Please forgive the off-topic message. I'm receiving a bunch of delivery failures today for Yahoo. The message is:

Failed Recipient: [EMAIL PROTECTED]
Reason: Remote host said: 451 Message temporarily deferred - [190]

I searched google and I searched Yahoo's site to see if I could find an explanation of this message -- no joy. I didn't know if it meant they are blocking our IP or if Yahoo was having problems. It sounded to me like they are blocking us. I could not find anything on Yahoo's site about who to contact, what the message means -- nothing. Can someone shed some light on what may be going on?

Thanks,
Dave
RE: [Declude.JunkMail] OT: Yahoo delivery problems
Thank you all who replied to my inquiry about the Yahoo delivery problems! Good to know I'm not on a blacklist. This was the first we've encountered problems with yahoo so we must have just hit it at a time they were having problems.

Thanks again,
Dave
RE: [Declude.JunkMail] RE: Declude's To-Do List
David, You also need to add a new whitelist tag (whitelistunique?) that only whitelists the TO recipient if it's the only recipient for the email. This bit about whitelisting all recipients if one is whitelisted is a problem. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, October 25, 2006 1:24 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] RE: Declude's To-Do List With reference to X-Declude-RefID: it is part of the *Zerohour test doesn't operate as other tests issue. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Wednesday, October 25, 2006 2:14 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] RE: Declude's To-Do List Hi, Thanks for posting! Openness is a great confidence builder! Seeing that problems are at least being recognized goes a long way to giving me some small flicker of hope that things at Declude might turn around yet. Now your corporate management has to prove themselves by demonstrating that they are finally serious about fulfilling the service contracts we purchased by not allowing crucial problems to remain open for yet another year. They cannot keep holding out their hands each year, if the money is not spent on the intended purpose. Fixing the Auto-Whitelist with a simple MDAC SQL query against the Imail 2006 Workgroupshare database is no rocket science. It might take a day - but not a year. PS: This is a minor issue and probably doesn't deserve to be on your list - but I never got a reply on how to suppress the empty and unwanted X-Declude-RefID: header. 
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Wednesday, October 25, 2006 10:36 AM
To: declude.junkmail@declude.com
Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned

Here is a preliminary list, not all have been verified and several are currently being worked on: (Note these do not include Declude adds for new functionality) Email me if you are aware of a known issue that is not on this list.

*Line Terminator Problem
*Auto whitelist Imail 2006
*Reported Memory Leaks Decludeproc crash on zero pointers
*Zerohour test doesn't operate as other tests
*Zip vulnerability
*Attach function bug (forward as attachment)
*When there is a MIME header mismatch Declude assumes it is an executable
*Incorrectly filtering Object Data Vulnerability for MSOffice generated emails
*Attached web pages seen as .com files
*Yahoo CAL emails have header problems which cause improper blocking
*Encoded attachments not correctly detected - long base64
*Prewhitelist is not skipping custom filters
*Whitelisting messages in lower Log levels
*SmarterMail order of Domains listed in xml for aliases

David Barker
Director of Product Development
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Monday, October 23, 2006 10:35 AM
To: declude.junkmail@declude.com
Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned

Thanks, David. We appreciate your efforts.

Darin.
- Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 10:26 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned I will see what I can do to bring together a list of known issues. Just give me some time (days) and I will get it posted. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 10:19 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Thanks, David. We appreciate your input. Is it feasible to post a list of known issues and/or issues being worked? I realize that's a lot of disclosure, and would probably increase call volume significantly, but I also know that would make me feel much more comfortable of someday being able to exercise our two-year-old unused SA, and upgrade to 4.x. Thanks again, Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 10:00 AM Subject: RE:
RE: [Declude.JunkMail] Whitelisting flaw in Declude?
A new tag (whitelistunique) which only would whitelist if the email had a single recipient would solve the problem and be much safer.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, October 19, 2006 11:45 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

Yeah, what Matt said. Message splitting before junkmail filtering would be punishing for CPU time and somewhat more for disk time; message splitting for the sake of whitelisting (or alternate actions) after junkmail filtering would be an incremental cost. And message splitting before junkmail filtering on a system that has a wildcard email address would be lethal for that system.

Andrew.

p.s. In my corporate network, we email each other a lot, and we see that Exchange single instance storage of a message only saves us 20% of the disk space. And that includes single storage of a message in my Sent Items as well as in my neighbour's Inbox and the next guy's Deleted Items.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, October 18, 2006 8:20 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

I have some stats here that suggest otherwise. We only have 5% more recipients than messages that make it through our gateway, and we only return permanent errors presently for mail bombing related activities. This however is a dedicated gateway and not a hosted mail server, so stats from a hosted mail server would see a slightly higher rate since most multiple-recipient E-mails are internal to a server. If you are splitting on a gateway and not splitting internal E-mail, you should see no increase beyond my numbers. It's a doable solution if one has the need.

Matt

Jay Sudowski - Handy Networks LLC wrote:

Also, realize that on servers processing a large volume of messages per day, the additional IO necessary to create duplicate messages and header files for each specific recipient would be a death sentence...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Wednesday, October 18, 2006 9:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

To create a duplicate message for each recipient is not a trivial issue. This is a function of the mail server not Declude.

David Barker
Director of Product Development
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: Tuesday, October 17, 2006 5:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

Declude has always functioned like this. What declude could do in this case is to duplicate the message for each recipient and write a new header file to each recipient. Not a big issue. Deliver to the one that whitelists and run the spam checks for the others.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Tuesday, October 17, 2006 12:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

It's actually more of an issue of how the mail server handles the message. In the case of multiple recipients, since there is only one message file addressed to multiple recipients in the headers, it's either deliver or not deliver unless you rewrite the headers to modify the recipient list. I think I'd rather not have the spam filtering system alter that. Add to the header, yes. Alter the recipients, no.

Also, I have not come across a situation where I wanted to let a message go through to one recipient and not to others, except in the situation of lists which is a whole other topic.

Darin.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, October 17, 2006 3:11 PM
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

I would call that a flaw, then, in how Declude processes the whitelist. I have a listserver email address for which I do not want email spam checked. This is because I don't want messages going out to the list that say SPAM in the subject line. Because nobody who is not a member on the list can post to the list, there is no problem whitelisting the TO address for mail sent to the list server email address.

However, spammers will send an email to a dozen of our mail addresses (12 recipients) one of which is the whitelisted TO address for the listserver. Because of the way Declude processes the whitelist, that means that the other 11 recipients receive the spam even though mail to them is not whitelisted.

That is a bad design on Declude's part, wouldn't you agree? Anyone else feel that this needs to be rectified?

-Original Message-
From
[Declude.JunkMail] OT: Stupid Spammer Humor
Received a paypal phishing scheme spam this morning. Note the url: www.chainmailstore.com/scamerchantsrow/phpSecurePages/www.paypal.com/cgi-bin /us/cmd/webscr-cmd=_login/index.php I got a kick out of the scamerchantsrow in the url. Scammer
RE: [Declude.JunkMail] Whitelisting flaw in Declude? - David Barker
David, I agree. But I do think the whitelisting needs to be changed. I think you should add a WhitelistUnique tag. EG: WhitelistUnique TO: [EMAIL PROTECTED] The way the tag would function is that the email would only be treated as whitelisted if [EMAIL PROTECTED] was the only address in the TO field and if the carbon copy field is also blank. This insures that spammers can't stack multiple email addresses in the TO or CC fields, one address of which is whitelisted, thus forcing the email to pass through Declude to ALL RECIPIENTS rather than just to the whitelisted recipient. Besides the listserver problem I described, I can see some places wanting to whitelist email to [EMAIL PROTECTED] or [EMAIL PROTECTED] Spammers who have figured out this gaping hole in Declude could easily force all email to a site to be whitelisted by simply sending email to [EMAIL PROTECTED] and tagging a dozen other addresses onto the TO field. Not good. Is my suggestion something that you can implement? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, October 18, 2006 8:30 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? To create a duplicate message for each recipient is not a trivial issue. This is a function of the mail server not Declude. David Barker Director of Product Development Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Tuesday, October 17, 2006 5:08 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? Delcude has always functioned like this. What declude could do in this case is to duplicate the message for each recipient and write a new header file to each recipient. Not a big issue. Deliver to the one that whitelists and run the spam checks for the others. 
Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Tuesday, October 17, 2006 12:37 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude? It's actually more of an issue of how the mail server handles the message. In the case of multiple recipients, since there is only one message file addressed to multiple recipients in the headers, it's either deliver or not deliver unless you rewrite the headers to modify the recipient list. I think I'd rather not have the spam filtering system alter that. Add to the header, yes. Alter the recipients, no. Also, I have not come across a situation where I wanted to let a message go through to one recipient and not to others, except in the situation of lists which is a whole other topic. Darin. - Original Message - From: Dave Beckstrom [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, October 17, 2006 3:11 PM Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? I would call that a flaw, then, in how Declude processes the whitelist. I have a listserver email address for which I do not want email spam checked. This is because I don't want messages going out to the list that say SPAM in the subject line. Because nobody who is not a member on the list can post to the list, there is no problem whitelisting the TO address for mail sent to the list server email address. However, spammers will send an email to a dozen of our mail addresses (12 recipients) one of which is the whitelised TO address for the listserver. Because of the way Declude processes the whitelist, that means that the other 11 recipient receive the spam even though mail to them is not whitelisted. That is a bad design on Declude's part, wouldn't you agree? Anyone else feel that this needs to be rectified? 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, October 17, 2006 11:25 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude? If one user is whitelisted they all will be whitelisted for that email. There are some things you can do to prevent this like BYPASSWHITELIST test. Darre;; - --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Dave Beckstrom [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, October 17, 2006 11:18 AM Subject: [Declude.JunkMail] Whitelisting flaw
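The three behaviours discussed in this thread (whitelist the whole message if any recipient is listed, the proposed WhitelistUnique tag, and per-recipient splitting) can be compared on the 12-recipient case from the original complaint. The Python below is an added example, not part of any post and not Declude code; the policy names, function names and example.org addresses are hypothetical, and it assumes the filter sees the envelope recipient list.

```python
from enum import Enum

BYPASS = "bypass"   # delivered without spam checks
FILTER = "filter"   # goes through the normal spam tests


class Policy(Enum):
    ANY = "any"         # behaviour described in the thread: one listed recipient whitelists all
    UNIQUE = "unique"   # proposed WhitelistUnique: only a sole, listed recipient is whitelisted
    SPLIT = "split"     # per-recipient handling: each recipient judged on its own


def normalize(addr):
    """Compare addresses case-insensitively and without angle brackets."""
    return addr.strip().strip("<>").lower()


def plan_delivery(envelope_rcpts, whitelist, policy):
    """Return {recipient: BYPASS | FILTER} for one message.

    envelope_rcpts is the recipient list the server will deliver to (an
    assumption of this sketch); it, not the To/Cc header text, decides who
    actually receives the message.
    """
    # De-duplicate while keeping order, so a repeated address counts once.
    rcpts = list(dict.fromkeys(normalize(r) for r in envelope_rcpts if r.strip()))
    listed = {normalize(a) for a in whitelist}
    any_listed = any(r in listed for r in rcpts)

    if policy is Policy.ANY:
        verdict = BYPASS if any_listed else FILTER
        return {r: verdict for r in rcpts}
    if policy is Policy.UNIQUE:
        # With several recipients the whitelist entry is ignored entirely,
        # so the listed address is filtered along with the rest.
        verdict = BYPASS if (len(rcpts) == 1 and any_listed) else FILTER
        return {r: verdict for r in rcpts}
    if policy is Policy.SPLIT:
        return {r: (BYPASS if r in listed else FILTER) for r in rcpts}
    raise ValueError(f"unknown policy: {policy!r}")


def unfiltered(plan):
    """Recipients who would receive the message without any spam checks."""
    return sorted(r for r, verdict in plan.items() if verdict == BYPASS)


# Constructed sample: one whitelisted list address plus 11 ordinary mailboxes.
LIST_ADDR = "list@example.org"
OTHERS = [f"user{i}@example.org" for i in range(1, 12)]
STACKED = [LIST_ADDR] + OTHERS
WHITELIST = {LIST_ADDR}

if __name__ == "__main__":
    for policy in Policy:
        plan = plan_delivery(STACKED, WHITELIST, policy)
        print(f"{policy.value:6} -> {len(unfiltered(plan))} of {len(plan)} unfiltered")
```

Only the split policy needs a separate copy of the message per verdict, which is the server-side cost the replies in the thread argue about.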
RE: [Declude.JunkMail] Whitelisting flaw in Declude? - David Barker
Darin, We don't whitelist those addresses at all. But I could see other companies wanting to do so. This idea that if one address is whitelisted, then they all are, is not a good situation. It is good in that some folks might want Declude to process that way, in which case the current whitelist will work for them. Its not good from the standpoint that there is no alternative mechanism. If Declude has access to all of the envelope information, they should easily be able to add a new tag that only whitelists an address if it's the only address in the envelope. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Wednesday, October 18, 2006 11:15 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude? - David Barker Hi Dave, A comment on the whitelist to required monitoring addresses... We don't whitelist email to abuse@ or postmaster@ addresses. Instead we have a user-specific Declude config that allows mail through to those addresses. So, we configure Declude to use this separate config for all postmaster and abuse addresses for all domains. That way we don't have a need to whitelist to these addresses, and we have fine-grained control over what we let through to them. Darin. - Original Message - From: Dave Beckstrom [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Wednesday, October 18, 2006 12:06 PM Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? - David Barker David, I agree. But I do think the whitelisting needs to be changed. I think you should add a WhitelistUnique tag. EG: WhitelistUnique TO: [EMAIL PROTECTED] The way the tag would function is that the email would only be treated as whitelisted if [EMAIL PROTECTED] was the only address in the TO field and if the carbon copy field is also blank. 
This insures that spammers can't stack multiple email addresses in the TO or CC fields, one address of which is whitelisted, thus forcing the email to pass through Declude to ALL RECIPIENTS rather than just to the whitelisted recipient. Besides the listserver problem I described, I can see some places wanting to whitelist email to [EMAIL PROTECTED] or [EMAIL PROTECTED] Spammers who have figured out this gaping hole in Declude could easily force all email to a site to be whitelisted by simply sending email to [EMAIL PROTECTED] and tagging a dozen other addresses onto the TO field. Not good. Is my suggestion something that you can implement? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, October 18, 2006 8:30 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? To create a duplicate message for each recipient is not a trivial issue. This is a function of the mail server not Declude. David Barker Director of Product Development Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Tuesday, October 17, 2006 5:08 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? Delcude has always functioned like this. What declude could do in this case is to duplicate the message for each recipient and write a new header file to each recipient. Not a big issue. Deliver to the one that whitelists and run the spam checks for the others. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Tuesday, October 17, 2006 12:37 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude? It's actually more of an issue of how the mail server handles the message. 
In the case of multiple recipients, since there is only one message file addressed to multiple recipients in the headers, it's either deliver or not deliver unless you rewrite the headers to modify the recipient list. I think I'd rather not have the spam filtering system alter that. Add to the header, yes. Alter the recipients, no. Also, I have not come across a situation where I wanted to let a message go through to one recipient and not to others, except in the situation of lists which is a whole other topic. Darin. - Original Message - From: Dave Beckstrom [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, October 17, 2006 3:11 PM Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude? I would call that a flaw, then, in how Declude processes the whitelist. I have a listserver email address for which I do not want email spam checked. This is because I don't want
[Declude.JunkMail] Whitelisting flaw in Declude?
If an email is received that is addressed to multiple recipients, one of whom is whitelisted, does Declude treat the email as whitelisted for all recipients?
RE: [Declude.JunkMail] Whitelisting flaw in Declude?
I would call that a flaw, then, in how Declude processes the whitelist. I have a listserver email address for which I do not want email spam checked. This is because I don't want messages going out to the list that say SPAM in the subject line. Because nobody who is not a member on the list can post to the list, there is no problem whitelisting the TO address for mail sent to the list server email address.

However, spammers will send an email to a dozen of our mail addresses (12 recipients) one of which is the whitelisted TO address for the listserver. Because of the way Declude processes the whitelist, that means that the other 11 recipients receive the spam even though mail to them is not whitelisted.

That is a bad design on Declude's part, wouldn't you agree? Anyone else feel that this needs to be rectified?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, October 17, 2006 11:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

If one user is whitelisted they all will be whitelisted for that email. There are some things you can do to prevent this like BYPASSWHITELIST test.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, October 17, 2006 11:18 AM
Subject: [Declude.JunkMail] Whitelisting flaw in Declude?

If an email is received that is addressed to multiple recipients, one of whom is whitelisted, does Declude treat the email as whitelisted for all recipients?
RE: [Declude.JunkMail] Whitelisting flaw in Declude?
Hi Darin,

Thanks for the great explanation. You always offer good feedback. Thanks to everyone else who replied, too.

Which is the lesser of two evils -- Whitelist email to all recipients even though only one recipient is in the whitelist; or ignore the whitelist request entirely if the email has multiple recipients and only one of whom is in the whitelist?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Tuesday, October 17, 2006 2:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

It's actually more of an issue of how the mail server handles the message. In the case of multiple recipients, since there is only one message file addressed to multiple recipients in the headers, it's either deliver or not deliver unless you rewrite the headers to modify the recipient list. I think I'd rather not have the spam filtering system alter that. Add to the header, yes. Alter the recipients, no.

Also, I have not come across a situation where I wanted to let a message go through to one recipient and not to others, except in the situation of lists which is a whole other topic.

Darin.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, October 17, 2006 3:11 PM
Subject: RE: [Declude.JunkMail] Whitelisting flaw in Declude?

I would call that a flaw, then, in how Declude processes the whitelist.

I have a listserver email address for which I do not want email spam checked. This is because I don't want messages going out to the list that say SPAM in the subject line. Because nobody who is not a member on the list can post to the list, there is no problem whitelisting the TO address for mail sent to the list server email address.

However, spammers will send an email to a dozen of our mail addresses (12 recipients) one of which is the whitelisted TO address for the listserver. Because of the way Declude processes the whitelist, that means that the other 11 recipients receive the spam even though mail to them is not whitelisted.

That is a bad design on Declude's part, wouldn't you agree? Anyone else feel that this needs to be rectified?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, October 17, 2006 11:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting flaw in Declude?

If one user is whitelisted they all will be whitelisted for that email. There are some things you can do to prevent this like BYPASSWHITELIST test.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, October 17, 2006 11:18 AM
Subject: [Declude.JunkMail] Whitelisting flaw in Declude?

If an email is received that is addressed to multiple recipients, one of whom is whitelisted, does Declude treat the email as whitelisted for all recipients?
RE: [Declude.JunkMail] picture spam
Chris,

According to Declude's web site, any business that provides email to customers can't use commtouch. That pretty well rules out most of the people on this list.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Thursday, October 12, 2006 9:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

A one time cost of 195.00 is not a large portion of your revenue and it is your option to not implement this or not

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, October 12, 2006 9:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

...and give a large part of our revenue to Commtouch? Provide a feasible way to justify the additional costs for our existing customers and service contracts! THEN we could talk about Commtouch.

BTW: even if it's hard work to maintain a reliable spam filter it's not an impossible thing. Years of contribution from our own researches, creation of text filters, publication of new spam and filter signs, development of - in declude long time and still missing - additional external tests allowed and still allows us to have reliable filters and no image spam in my inbox.

The question is why Declude has become a competitor of our work from what it was some years ago: an excellent tool for us admins to do our own hard work.

Looking at your pricing I can see anywhere limitations based on users. What if I have a single gatewayed domain?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Thursday, October 12, 2006 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

Guys, Commtouch hasn't missed any, stop making things hard on yourselves..

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 5:17 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

Sorbs-DUL and NJABL Dynablock look to be the best. Although they miss lots. 5-10's has been discontinued.

- Original Message -
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 3:53 PM
Subject: RE: [Declude.JunkMail] picture spam

Thanks all for the various suggestions. Agreed- combo is the way to use that test, for sure. A bit OT, but what is the popular and accurate DUL database these days? How accurate is fiveten at DUL lookups?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 12:49 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

I combo the graphics hit (jpg, gif or png) with:
1. bad DNS - None or timeout
2. bad language (eastern European iso-8859-2) or Cyrillic (koi8-r or iso-8859-5), etc
3. cmdspace
4. good DUL IP lists/tests
5. having forged your local domain.

I still get 5-10 a day. It is a pain.

- Original Message -
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 12:08 PM
Subject: [Declude.JunkMail] picture spam

Has anyone figured out a reasonable way to use Declude to minimize picture spam? Sniffer is missing most. They are sent from fresh hosts, so RBLs don't catch them, and there is no target, so INVuribl misses them as well. Associates of ours are using Barracuda to stop most successfully, so it is at least possible. Ideas are welcomed.

Dave
RE: [Declude.JunkMail] picture spam
You guys should have made a deal with Pete instead of CommTouch. Sniffer blows it out of the water and he has no licensing restrictions. IMO of course.

Matt

Matt,

They should have made a deal with Pete and done it so as to keep the cost down. At $295 a year it wasn't priced unreasonably. Now, at close to $500 a year it hurts to fork out that kind of money simply to block some additional spam.

Email is strictly a money pit for us. It is not a source of revenue. Forking out $1,000 a year or so for Declude and Sniffer is a lot of money just to deal with spam. Personally, I think it should be legal to hunt down spammers and hang them from the nearest tree.
[Declude.JunkMail] Interesting SMTP connection patterns
Yesterday I took a snapshot of the SMTP connections active on our server. I then did a reverse IP to find out where they were from. Below are the results. You can see someone from Thailand had 5 SMTP connections active and Spain had 4. You can also see that only 3 of the IPs connected were for potentially legitimate email. We don't get any legitimate email from other Countries so everything not from the USA would be spam.

Any idea why a spammer would open more than one SMTP connection?

202.139.211.241   5   Thailand
88.0.230.26       4   Spain
71.55.71.138      2   USA
87.219.166.9      2   Spain
213.85.39.108     1   Russian Federation
84.77.107.183     1   Spain
83.131.106.234    1   Croatia
84.61.135.61      1   Germany
83.84.74.219      1   Netherlands
90.9.36.180       1   France
83.167.108.79     1   Russian Federation
67.172.162.33     1   USA
84.54.248.96      1   Russian Federation
86.75.242.215     1   France
201.208.171.250   1   Venezuela
88.204.240.177    1   Kazakstan
82.158.0.237      1   Spain
69.30.246.125     1   USA
200.168.86.224    1   Brazil
83.167.108.44     1   Russian Federation
75.41.79.203      1   USA
200.206.252.123   1   Brazil
84.60.109.148     1   Germany
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Blackice runs perfect on Windows 2003 server. I posted the install instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection as part of their spam checking. In that case, you might see 2 connections which would be legitimate. What setting did you change in blackice to drop those IPs with multiple connections?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Thursday, October 12, 2006 7:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Of course, BlackIce does not support Windows 2003.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Thursday, October 12, 2006 3:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
Importance: High

That's why I now use Blackice Server from IIS. It can detect multiple smtp connections and close ips down automatically. It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, October 12, 2006 11:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting SMTP connection patterns

Yesterday I took a snapshot of the SMTP connections active on our server. I then did a reverse IP to find out where they were from. Below are the results. You can see someone from Thailand had 5 SMTP connections active and Spain had 4. You can also see that only 3 of the IPs connected were for potentially legitimate email. We don't get any legitimate email from other Countries so everything not from the USA would be spam.

Any idea why a spammer would open more than one SMTP connection?

202.139.211.241   5   Thailand
88.0.230.26       4   Spain
71.55.71.138      2   USA
87.219.166.9      2   Spain
213.85.39.108     1   Russian Federation
84.77.107.183     1   Spain
83.131.106.234    1   Croatia
84.61.135.61      1   Germany
83.84.74.219      1   Netherlands
90.9.36.180       1   France
83.167.108.79     1   Russian Federation
67.172.162.33     1   USA
84.54.248.96      1   Russian Federation
86.75.242.215     1   France
201.208.171.250   1   Venezuela
88.204.240.177    1   Kazakstan
82.158.0.237      1   Spain
69.30.246.125     1   USA
200.168.86.224    1   Brazil
83.167.108.44     1   Russian Federation
75.41.79.203      1   USA
200.206.252.123   1   Brazil
84.60.109.148     1   Germany
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Darrell,

I wondered if that might be the case. Thanks for the info!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, October 12, 2006 4:44 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Interesting SMTP connection patterns

Dave,

That is really not that uncommon. I see this with very aggressive spammers who are trying to get the most spam through in the least amount of time and have no disregard for crashing the server they are sending spam to...

Darrell

--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Dave Beckstrom writes:

Yesterday I took a snapshot of the SMTP connections active on our server. I then did a reverse IP to find out where they were from. Below are the results. You can see someone from Thailand had 5 SMTP connections active and Spain had 4. You can also see that only 3 of the IPs connected were for potentially legitimate email. We don't get any legitimate email from other Countries so everything not from the USA would be spam.

Any idea why a spammer would open more than one SMTP connection?

202.139.211.241   5   Thailand
88.0.230.26       4   Spain
71.55.71.138      2   USA
87.219.166.9      2   Spain
213.85.39.108     1   Russian Federation
84.77.107.183     1   Spain
83.131.106.234    1   Croatia
84.61.135.61      1   Germany
83.84.74.219      1   Netherlands
90.9.36.180       1   France
83.167.108.79     1   Russian Federation
67.172.162.33     1   USA
84.54.248.96      1   Russian Federation
86.75.242.215     1   France
201.208.171.250   1   Venezuela
88.204.240.177    1   Kazakstan
82.158.0.237      1   Spain
69.30.246.125     1   USA
200.168.86.224    1   Brazil
83.167.108.44     1   Russian Federation
75.41.79.203      1   USA
200.206.252.123   1   Brazil
84.60.109.148     1   Germany
RE: [Declude.JunkMail] Interesting SMTP connection patterns
Jay,

I can tell you why it didn't run for you. You have to turn DEP (Data Execution Prevention) off on the server. That will eliminate the BSOD and blackice will run flawlessly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Thursday, October 12, 2006 8:46 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Well, it didn't run for us. We tried and it caused random BSOD and ISS wouldn't provide any support.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, October 12, 2006 7:38 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Blackice runs perfect on Windows 2003 server. I posted the install instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection as part of their spam checking. In that case, you might see 2 connections which would be legitimate. What setting did you change in blackice to drop those IPs with multiple connections?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Thursday, October 12, 2006 7:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Of course, BlackIce does not support Windows 2003.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Thursday, October 12, 2006 3:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
Importance: High

That's why I now use Blackice Server from IIS. It can detect multiple smtp connections and close ips down automatically. It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, October 12, 2006 11:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting SMTP connection patterns

Yesterday I took a snapshot of the SMTP connections active on our server. I then did a reverse IP to find out where they were from. Below are the results. You can see someone from Thailand had 5 SMTP connections active and Spain had 4. You can also see that only 3 of the IPs connected were for potentially legitimate email. We don't get any legitimate email from other Countries so everything not from the USA would be spam.

Any idea why a spammer would open more than one SMTP connection?

202.139.211.241   5   Thailand
88.0.230.26       4   Spain
71.55.71.138      2   USA
87.219.166.9      2   Spain
213.85.39.108     1   Russian Federation
84.77.107.183     1   Spain
83.131.106.234    1   Croatia
84.61.135.61      1   Germany
83.84.74.219      1   Netherlands
90.9.36.180       1   France
83.167.108.79     1   Russian Federation
67.172.162.33     1   USA
84.54.248.96      1   Russian Federation
86.75.242.215     1   France
201.208.171.250   1   Venezuela
88.204.240.177    1   Kazakstan
82.158.0.237      1   Spain
69.30.246.125     1   USA
200.168.86.224    1   Brazil
83.167.108.44     1   Russian Federation
75.41.79.203      1   USA
200.206.252.123   1   Brazil
84.60.109.148     1   Germany
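A per-IP count like the snapshot discussed in this thread can be taken from `netstat -an` output. The following is an added example, not code from the posters or from BlackICE; the sample lines are constructed with documentation addresses, the function names are hypothetical, and the default limit of 2 follows the remark in the thread that two connections from one host can be legitimate.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows `netstat -an` output.
# 192.0.2.10 stands in for the mail server; all addresses are
# documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:25          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          203.0.113.7:1061       ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.7:1062       ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.7:1063       ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.7:1064       ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.7:1065       ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.20:3311     ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.20:3312     ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.99:4020     TIME_WAIT
  TCP    192.0.2.10:4312        198.51.100.50:25       ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:2201      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:2202      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:2203      ESTABLISHED
"""

# local-address:port, foreign-address:port, state
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def smtp_peers(netstat_text, smtp_port=25):
    """Count live inbound SMTP sessions per remote IP.

    Only ESTABLISHED rows whose *local* port is the SMTP port are counted,
    so the listener, closed sockets (TIME_WAIT) and the server's own
    outbound deliveries to remote port 25 are left out.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header row or a non-TCP line
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if int(local_port) == smtp_port and state == "ESTABLISHED":
            counts[remote_ip] += 1
    return counts


def over_limit(counts, allowed=2):
    """Return (ip, sessions) pairs above the limit, busiest first."""
    flagged = [(ip, n) for ip, n in counts.items() if n > allowed]
    return sorted(flagged, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for ip, sessions in over_limit(smtp_peers(SAMPLE_NETSTAT)):
        print(f"{ip} holds {sessions} simultaneous SMTP sessions")
```
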
RE: [Declude.JunkMail] Blocking these?
Darin,

I let my Sniffer subscription lapse for a few weeks until I could afford to renew it. I thought it would continue to run with whatever the latest data file was as of the day that it expired and that it just wouldn't be as current without the updates. I assumed it worked that way because that's how the trial works -- it runs but with an old data file. Well, apparently not. Apparently it doesn't run at all any more.

I thought perhaps someone had an idea on how to block these that didn't require sniffer. Just as a temporary solution until I purchase the renewal in a week or two.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, October 05, 2006 8:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blocking these?

Sniffer catches most of these. What do the headers look like?

Darin.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, October 04, 2006 11:42 PM
Subject: [Declude.JunkMail] Blocking these?

How are you guys blocking something like the spam below? There is no URL to block on. They keep bastardizing words in the body of the email to the point where you can't hardly block based on the content. What do you guys do with these?

-Original Message-
From: Louis Rubin [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 05, 2006 8:48 AM
To:
Subject: Chavez accused

THIS THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!! DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!! T r a d e Ale rt: THURSDAY, October 05, 2006 'STOCK': CRSVF.OB Current Pri ce : $0.18 Pr evClose : $0.19 Recommendation: ST RO NG B UY WATCH THIS S TOCK GO HIGHER AND RI SE DON'T M I SS THIS IN VES TMENT MOMENT, PLACE CRSVF ON THE RA DAR!!! About Capital Reserve Canada: CRC is an oil and gas ser vices comp any based in Edmonton, Alberta. Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC offers technologically tools for use in four areas of the industry. The first aids in testing development of newly found resources; another measure existing wells' productivity; and the third hastens well abandonment, ensuring compliance with regulatory emission guidelines. The fourth, through its pro prie tary hardware and software technologies, is used to determine the profitability of coal bed methane deposits, which may be developed and sold as natural gas. CRC has a second wholly owned subsidiary, Two Hills Environmental, to assist with problem waste from oil gas companies, and provide undergro und storage. ADD THIS GE M TO YOUR PORTFOLIO AND WATCH IT TRADE ON THURSDAY, October 05, 2006 !! TR ADE SM ART AND W I N WITH CRSVF!!! Start to buy at 10:30 AM , October 05 2006 It will blow up
RE: [Declude.JunkMail] Blocking these?
Darin,

No, I believe sniffer stopped completely. Here is a header from another one that just came through. Same stock spam. I can add a from filter for stocknews but that won't be effective very long. It scored a 4 for having no SPF record and for originating outside the US.

Return-Path: [EMAIL PROTECTED] Thu Oct 05 10:35:03 2006
Received: from unusedaddr3-29.dnet.pl [87.239.3.29] by perseus.sixthweb.com with SMTP; Thu, 5 Oct 2006 10:35:03 -0500
Return-Path: [EMAIL PROTECTED]
Received: from 129.196.250.12 (HELO mx1.danahermail.com) by atvconnection.com with esmtp (KK0844V0HB QO6P) id ZP9WBI-G8PVG0-8B for [EMAIL PROTECTED]; Thu, 5 Nov 2006 15:32:01 -0060
From: Paulette Broussard [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: a Washington
Date: Thu, 5 Nov 2006 15:32:01 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Thread-Index: Aca6QLM7WBUW3YPHNFDYSDP5TN93PJ==
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 224, weight 3)
X-Note:
X-Note: Spam Score: [4]
X-Note: Scan Time: 10:35:53 on 05 Oct 2006
X-Note: Spool File: 34526525.eml
X-Note: Server Name: unusedaddr3-29.dnet.pl
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: unusedaddr3-29.dnet.pl [87.239.3.29]
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES-POLAND-destination
X-Note: Failed Weights: SPFUNKNOWN [1], Filter_Country [3]
X-Note:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, October 05, 2006 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blocking these?

Hmmm... I thought it did run with the old data file. At the very least you could run with the trial key, which would use an older rulebase. Note that running an old rulebase will mean much of this rapidly changing spam will get through.

Headers would help...

Darin.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, October 05, 2006 10:07 AM
Subject: RE: [Declude.JunkMail] Blocking these?

Darin,

I let my Sniffer subscription lapse for a few weeks until I could afford to renew it. I thought it would continue to run with whatever the latest data file was as of the day that it expired and that it just wouldn't be as current without the updates. I assumed it worked that way because that's how the trial works -- it runs but with an old data file. Well, apparently not. Apparently it doesn't run at all any more.

I thought perhaps someone had an idea on how to block these that didn't require sniffer. Just as a temporary solution until I purchase the renewal in a week or two.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, October 05, 2006 8:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blocking these?

Sniffer catches most of these. What do the headers look like?

Darin.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, October 04, 2006 11:42 PM
Subject: [Declude.JunkMail] Blocking these?

How are you guys blocking something like the spam below? There is no URL to block on. They keep bastardizing words in the body of the email to the point where you can't hardly block based on the content. What do you guys do with these?

-Original Message-
From: Louis Rubin [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 05, 2006 8:48 AM
To:
Subject: Chavez accused

THIS THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!! DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!! T r a d e Ale rt: THURSDAY, October 05, 2006 'STOCK': CRSVF.OB Current Pri ce : $0.18 Pr evClose : $0.19 Recommendation: ST RO NG B UY WATCH THIS S TOCK GO HIGHER AND RI SE DON'T M I SS THIS IN VES TMENT MOMENT, PLACE CRSVF ON THE RA DAR!!! About Capital Reserve Canada: CRC is an oil and gas ser vices comp any based in Edmonton, Alberta. Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC offers technologically tools for use in four areas of the industry. The first aids in testing development of newly found resources; another measure existing wells' productivity; and the third hastens well abandonment, ensuring compliance with regulatory emission guidelines. The fourth, through its pro prie tary hardware and software technologies, is used to determine the profitability
RE: [Declude.JunkMail] Blocking these?
Hi John,

Thanks for the info on the monthly. I didn't know they offered that. They charge $500 a year for a renewal. I own my company so either way the $500 comes out of my pocket. I spent a lot of money in the last month, which is why I don't want to spend another $500 right now.

I'd like to see it made legal to hang anyone caught spamming. :) You know what I think is the worst spam? The political spam. Any politician who sends me spam asking me to vote for them is guaranteed that I will vote against them!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle
Sent: Thursday, October 05, 2006 1:38 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blocking these?

Dave

For goodness sake, call sniffer up, they offer a monthly subscription for I think less than 30 dollars. Put it on your credit card and get your company to reimburse you next month and send them a check for the 12 months and it's done. I'd hate to think what's getting through without some sort of added filter like sniffer.

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Beckstrom
Sent: Wednesday, October 04, 2006 8:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking these?

How are you guys blocking something like the spam below? There is no URL to block on. They keep bastardizing words in the body of the email to the point where you can't hardly block based on the content. What do you guys do with these?

-Original Message-
From: Louis Rubin [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 05, 2006 8:48 AM
To:
Subject: Chavez accused

THIS THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!! DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!! T r a d e Ale rt: THURSDAY, October 05, 2006 'STOCK': CRSVF.OB Current Pri ce : $0.18 Pr evClose : $0.19 Recommendation: ST RO NG B UY WATCH THIS S TOCK GO HIGHER AND RI SE DON'T M I SS THIS IN VES TMENT MOMENT, PLACE CRSVF ON THE RA DAR!!! About Capital Reserve Canada: CRC is an oil and gas ser vices comp any based in Edmonton, Alberta. Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC offers technologically tools for use in four areas of the industry. The first aids in testing development of newly found resources; another measure existing wells' productivity; and the third hastens well abandonment, ensuring compliance with regulatory emission guidelines. The fourth, through its pro prie tary hardware and software technologies, is used to determine the profitability of coal bed methane deposits, which may be developed and sold as natural gas. CRC has a second wholly owned subsidiary, Two Hills Environmental, to assist with problem waste from oil gas companies, and provide undergro und storage. ADD THIS GE M TO YOUR PORTFOLIO AND WATCH IT TRADE ON THURSDAY, October 05, 2006 !! TR ADE SM ART AND W I N WITH CRSVF!!! Start to buy at 10:30 AM , October 05 2006 It will blow up
[Declude.JunkMail] Blocking these?
How are you guys blocking something like the spam below? There is no URL to block on. They keep bastardizing words in the body of the email to the point where you can't hardly block based on the content. What do you guys do with these?

-Original Message-
From: Louis Rubin [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 05, 2006 8:48 AM
To:
Subject: Chavez accused

THIS THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!! DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!! T r a d e Ale rt: THURSDAY, October 05, 2006 'STOCK': CRSVF.OB Current Pri ce : $0.18 Pr evClose : $0.19 Recommendation: ST RO NG B UY WATCH THIS S TOCK GO HIGHER AND RI SE DON'T M I SS THIS IN VES TMENT MOMENT, PLACE CRSVF ON THE RA DAR!!! About Capital Reserve Canada: CRC is an oil and gas ser vices comp any based in Edmonton, Alberta. Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC offers technologically tools for use in four areas of the industry. The first aids in testing development of newly found resources; another measure existing wells' productivity; and the third hastens well abandonment, ensuring compliance with regulatory emission guidelines. The fourth, through its pro prie tary hardware and software technologies, is used to determine the profitability of coal bed methane deposits, which may be developed and sold as natural gas. CRC has a second wholly owned subsidiary, Two Hills Environmental, to assist with problem waste from oil gas companies, and provide undergro und storage. ADD THIS GE M TO YOUR PORTFOLIO AND WATCH IT TRADE ON THURSDAY, October 05, 2006 !! TR ADE SM ART AND W I N WITH CRSVF!!! Start to buy at 10:30 AM , October 05 2006 It will blow up
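Words split with spaces or stray punctuation, as in the message quoted above, can still be matched if runs of whole tokens are re-joined before comparison. The sketch below is an added example, not code from the thread and not Declude filter syntax; the phrase list, weights and function names are assumptions, and the sample is a short excerpt of the quoted message.

```python
import re

# Hypothetical phrase list and weights, chosen for this example only.
PHRASES = {"strong buy": 3, "trade alert": 2, "investment": 1, "radar": 1}

TOKEN = re.compile(r"[a-z0-9]+")

# Short excerpt of the message quoted in the post above.
SAMPLE = (
    "DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!! "
    "T r a d e Ale rt: THURSDAY, October 05, 2006 "
    "Recommendation: ST RO NG B UY WATCH THIS S TOCK GO HIGHER "
    "DON'T M I SS THIS IN VES TMENT MOMENT, PLACE CRSVF ON THE RA DAR!!!"
)


def find_phrase(tokens, phrase):
    """Return (intact, broken) occurrence counts of phrase in tokens.

    A candidate is a run of *whole* tokens whose concatenation equals the
    phrase with its spaces removed. Aligning on token boundaries avoids
    the false hits a plain "strip all spaces, then substring search"
    produces (for instance "extra dark" containing "radar").
    """
    words = phrase.split()
    key = "".join(words)
    intact = broken = 0
    i = 0
    while i < len(tokens):
        joined, j = "", i
        # Grow the run until it is at least as long as the key.
        while j < len(tokens) and len(joined) < len(key):
            joined += tokens[j]
            j += 1
        if joined == key:
            if tokens[i:j] == words:
                intact += 1      # written normally
            else:
                broken += 1      # same letters, split differently
            i = j                # consume the matched run
        else:
            i += 1
    return intact, broken


def score_body(body):
    """Score a message body; only fragmented phrases add weight.

    Returns (score, report), where report maps each phrase that was seen
    to its (intact, broken) counts.
    """
    tokens = TOKEN.findall(body.lower())
    score, report = 0, {}
    for phrase, weight in PHRASES.items():
        intact, broken = find_phrase(tokens, phrase)
        if intact or broken:
            report[phrase] = (intact, broken)
        if broken:
            score += weight
    return score, report


if __name__ == "__main__":
    total, details = score_body(SAMPLE)
    print("weight:", total)
    for phrase, (intact, broken) in details.items():
        print(f"  {phrase!r}: intact={intact} broken={broken}")
```

Scoring only the fragmented form keeps ordinary mail that uses the same words from picking up weight; the phrase list still has to track whatever wording the current campaign uses.
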
RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7
Chris, Will Declude be repackaging the install with the defaults set to mimic the old behavior?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of chris
Sent: Friday, September 29, 2006 9:29 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

There is a warning added to your account pages that shows this new upgrade's effect after installation

Chris Asaro Technical Support Engineer Declude Your Email security is our business 866.332.5833 toll free 978.499.2933 office 978.477.8930 e-fax [EMAIL PROTECTED] www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Vanderzand
Sent: Friday, September 29, 2006 10:23 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

I am going to do the upgrade again, this time putting the following commands in the cfg file:

OUTBOUNDSCANNINGSPAMON
INBOUNDSCANNINGSPAMON

Obviously this should not have happened and it was unfortunate. I believe Declude is getting a message ready for everyone. I will let you know the results shortly to confirm that that was it. Thanks for your responses

Harry Vanderzand inTown Internet Computer Services 519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of chris
Sent: Friday, September 29, 2006 10:08 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

Nick, I will definitely post these results, but I have yet to hear from Harry. I believe the response from the first user is the solution!!!

Chris Asaro Technical Support Engineer Declude Your Email security is our business 866.332.5833 toll free 978.499.2933 office 978.477.8930 e-fax [EMAIL PROTECTED] www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Friday, September 29, 2006 9:55 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

Harry, Please post to the list the details - Thanks -Nick

chris wrote:

Harry, Contact me off the list if you can, I would like to help

Chris Asaro Technical Support Engineer Declude Your Email security is our business 866.332.5833 toll free 978.499.2933 office 978.477.8930 e-fax [EMAIL PROTECTED] www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Vanderzand
Sent: Friday, September 29, 2006 9:15 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

Last night at 8:11PM I upgraded from 4.3.7 to 4.3.14. From that point on we stopped catching all spam for these clients that have their own mail server. We just filter their mail for spam and pass it on. I just reverted back to 4.3.7 and now we are catching spam again for them. We catch over 4000 spam messages per day for one of these clients alone, so you can imagine their complaint this morning. Anyone know what would have caused this? Thank you

Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON, N2M 1L2 519-741-1222
RE: [Declude.JunkMail] Blackice Server Settings
I'm leaving town in a little bit and I won't be back until Sunday. If someone reminds me on Sunday or Monday I'd be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this. Dave, Could you post the ini settings for BlackIce that can help with mail servers? Thanks
RE: [Declude.JunkMail] Spam Spike
I run Blackice Server on the mail server. It drops the connecting IP if we receive more than a user specified number of attempts for non-existent email addresses within a user specified time limit. It then blocks that IP for a user specified amount of time before removing the block. It prevents email address harvesting from our server. Not bad for a product that cost about $200 if I recall correctly. A side benefit is that it stores a text file with the hostname/IP address in a folder for every blocked IP. Over time, I can see patterns and permanently block those IP ranges in my firewall if I so desire.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
Sent: Tuesday, September 19, 2006 1:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

Darrell, We are averaging 40 to 50% on the processor. I was just surprised because in 3 years we haven't seen a spike this large. Most of them are dictionary style. But since they aren't from the same IP, I don't think the imail 2006 dictionary feature would help us. Thoughts?
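The per-IP throttle described in the message above (too many attempts at non-existent addresses inside a time window, then a timed block), replayed over a constructed log. This is an added example, not BlackICE code or configuration; the log format and the names `HarvestThrottle`, `replay` and `ranges_worth_review` are assumptions. It also shows that a dictionary run spread over many IPs stays under a per-IP threshold, and it groups blocked hosts by /24 for the kind of firewall review the message mentions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed SMTP receive log (assumed format: epoch-seconds client-IP reply-code text).
SAMPLE_LOG = """\
1000 198.51.100.7 550 <aaron@example.test> unknown user
1005 198.51.100.7 550 <abby@example.test> unknown user
1010 192.0.2.10 250 <sales@example.test> accepted
1012 198.51.100.7 550 <adam@example.test> unknown user
1020 198.51.100.7 550 <alan@example.test> unknown user
1025 198.51.100.7 550 <alex@example.test> unknown user
1030 203.0.113.11 550 <bob@example.test> unknown user
1031 203.0.113.52 550 <carl@example.test> unknown user
1032 203.0.113.97 550 <dan@example.test> unknown user
1040 198.51.100.9 550 <ed@example.test> unknown user
1041 198.51.100.9 550 <eli@example.test> unknown user
1042 198.51.100.9 550 <eva@example.test> unknown user
1043 198.51.100.9 550 <ezra@example.test> unknown user
1050 192.0.2.10 550 <slaes@example.test> unknown user
1400 198.51.100.7 250 <sales@example.test> accepted
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d{3})\b")


class HarvestThrottle:
    """Block an IP after more than max_unknown 550s within window_s seconds."""

    def __init__(self, max_unknown, window_s, block_s):
        self.max_unknown, self.window_s, self.block_s = max_unknown, window_s, block_s
        self.hits = defaultdict(deque)   # ip -> timestamps of recent unknown-user replies
        self.blocked_until = {}          # ip -> time at which the block is lifted
        self.block_log = []              # (time, ip) for every block applied

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            del self.blocked_until[ip]   # timed block has expired
            return False
        return until is not None

    def observe(self, now, ip, reply_code):
        """Return 'dropped' (already blocked), 'blocked' (threshold crossed) or 'ok'."""
        if self.is_blocked(ip, now):
            return "dropped"
        if reply_code != 550:            # only unknown-recipient replies count
            return "ok"
        recent = self.hits[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()             # forget attempts outside the window
        if len(recent) > self.max_unknown:
            self.blocked_until[ip] = now + self.block_s
            self.block_log.append((now, ip))
            recent.clear()
            return "blocked"
        return "ok"


def replay(log_text, throttle):
    """Feed log lines to the throttle; malformed lines and non-IPv4 peers are skipped."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.IPv4Address(m[2])
        except ValueError:
            continue
        ts, code = int(m[1]), int(m[3])
        results.append((ts, m[2], throttle.observe(ts, m[2], code)))
    return results


def ranges_worth_review(block_log, min_hosts=2, prefix=24):
    """Networks containing at least min_hosts distinct blocked IPs."""
    nets = defaultdict(set)
    for _, ip in block_log:
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return sorted(str(n) for n, hosts in nets.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    throttle = HarvestThrottle(max_unknown=3, window_s=60, block_s=300)
    for ts, ip, outcome in replay(SAMPLE_LOG, throttle):
        print(ts, ip, outcome)
    print("review:", ranges_worth_review(throttle.block_log))
```

The three 203.0.113.x hosts each make one attempt and are never blocked, and the single mistyped address from 192.0.2.10 does not trip the threshold either.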
[Declude.JunkMail] Blackice Server (was] Spam Spike)
It is a little tricky from the standpoint that it does not automatically block the IPs and Blackice does not document how to enable this feature. I actually got it working some years ago when I found a guy who had written their software manual. He and I corresponded and he helped me get it figured out. Out-of-the-box it reports on email harvesting but does not block the IPs. There is an Excel document that needs some parameter changes and there is an .INI file that also needs a change added to it. If anyone buys the software and needs help configuring it, I can post the necessary changes to the list.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
Sent: Wednesday, September 20, 2006 3:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

How tricky is it to configure this? Current price I find is $300. G.Z.

- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, September 20, 2006 1:08 PM
Subject: RE: [Declude.JunkMail] Spam Spike

I run Blackice Server on the mail server. It drops the connecting IP if we receive more than a user specified number of attempts for non-existent email addresses within a user specified time limit. It then blocks that IP for a user specified amount of time before removing the block. It prevents email address harvesting from our server. Not bad for a product that cost about $200 if I recall correctly. A side benefit is that it stores a text file with the hostname/IP address in a folder for every blocked IP. Over time, I can see patterns and permanently block those IP ranges in my firewall if I so desire.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton
Sent: Tuesday, September 19, 2006 1:02 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

Darrell, We are averaging 40 to 50% on the processor. I was just surprised because in 3 years we haven't seen a spike this large. Most of them are dictionary style. But since they aren't from the same IP, I don't think the imail 2006 dictionary feature would help us. Thoughts?
RE: [Declude.JunkMail] 4.3.x and 3.1.x planned release
Still no fix for the broken image spam?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, September 15, 2006 7:59 AM
To: declude.junkmail@declude.com; declude.virus@declude.com
Subject: [Declude.JunkMail] 4.3.x and 3.1.x planned release

The following items are being tested for Target Date release: 27 September 2006

4.3.x
--
DEC FIX On occasion ZEROHOUR initialized two overlapping threads causing decludeproc crash
JMFIX IPBYPASS now takes place before WHITELIST
JMFIX X-COUNTRYCHAIN log entry no longer truncated
JMFIX DELETE_RECIPIENT removes the specified email address as per-user action only
JMFIX With HOLD if extra space after %DATE% incorrect behaviour was observed this is not been normalized
HIFIX CONCATENATELOGS with KEEPINDIVIDUALLOGS works correctly
JMADD BANCHARSET defined in the declude.cfg quarantines listed character sets
EVA ADD With AVAFTERJM ON the JM Log displays message moved to virus folder

3.1.x
--
JMFIX IPBYPASS now takes place before WHITELIST
JMFIX X-COUNTRYCHAIN log entry no longer truncated
JMFIX DELETE_RECIPIENT removes the specified email address as per-user action only
JMFIX With HOLD if extra space after %DATE% incorrect behaviour was observed this is not been normalized
JMFIX Declude crash fix. Buffer Overflow reading the From: line in the Headers
HIFIX CONCATENATELOGS with KEEPINDIVIDUALLOGS works correctly
SMADD Decludeproc will not start without a valid domainlist.xml

In addition to bug fixes we are also working on wishlist items that we have received regarding new tests. If you have any ideas of new tests you would like to see implemented please email your thoughts to me directly [EMAIL PROTECTED] Thanks

David B www.declude.com
RE: [Declude.JunkMail] Re: Why is Declude Not Scanning This?
I see about 10 - 20 per day where Declude is broken and where it doesn't scan the email and puts the Declude headers at the bottom.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Monday, September 04, 2006 10:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Re: Why is Declude Not Scanning This?

I have been seeing about 2-3 emails per month without Declude headers anywhere in the email message. They have all been spam. No Declude headers in the header or body.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Monday, September 04, 2006 7:33 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Re: Why is Declude Not Scanning This?

On Sep 4, 2006, at 4:58 PM, John T ((Lists)) wrote:

But you need to check the message body. There has been discussion about a string of spam that has bad headers where the Declude Headers end up at the bottom of the body

John, I have done so ... the only other part of the message is a JPG attachment which has the actual viewable spam advertisement ... did not note any more header lines enclosed in the body of the message.

David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Monday, September 04, 2006 3:16 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Re: Why is Declude Not Scanning This?

By any chance are the Declude headers all the way at the bottom of the message. Also, in 8.x trains of Imail there were situations where the QueueManager could steal the message from Declude 2.x and below and deliver it before Declude processed it. Darrell

(1) No more headers were visible any place in either the message header or header text
(2) I'm running Imail 9.0 and Declude 4. All the latest releases

Still perplexed ... only happens once in a while, otherwise all working ok
[Declude.JunkMail] Message Sniffer vs Commtouch?
My message sniffer is up for annual renewal. Commtouch is over 50% less expensive than message sniffer ($445 vs $195) I have to choose between the more expensive message sniffer renewal or trying commtouch. I was wondering if anyone here has tried both products and if so which of the two worked better? All comments welcome. Thanks! Dave
RE: [Declude.JunkMail] Upcoming Declude Release
David, What is happening that a fix for the broken image spam is never forthcoming?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, July 26, 2006 8:10 AM
To: declude.junkmail@declude.com; declude.virus@declude.com
Subject: [Declude.JunkMail] Upcoming Declude Release

This is just an FYI. Our next release is scheduled for 2 Aug and we are aiming to add the following fixes for 4.3.x:

Fix - Hijack - HOLD/DELETE to prevent spam items going to \Spool
Fix - Failed .hdr to be DELETED rather than move to the \error directory
Fix - COPYFILE not working correctly
Fix - Add x-header for CT RefID
Fix - Buffer Overflow fix

In conjunction with this we will release a 3.1.x with several of the fixes already added to 4.x

David Barker Product Manager Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED]
RE: [Declude.JunkMail] Declude 4.3
Email only makes money for spammers. Declude and the other mail tools are an expense not a revenue generator. Adding CommTouch just adds to overhead without generating any revenue. I'm glad it's an option and doesn't affect the rest of Declude. Declude is already at the upper limit of what we're willing to spend on a tool.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, July 18, 2006 3:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.3

Gary,

1. Server Providers who use CommTouch as an add-in to Declude will be in violation of CommTouch's Terms of service.
2. Some of the benefits of CommTouch are Zero Hour virus protection and additional spam identifying technology such as Recurrent Pattern Detection Technology (RPD) recognized by key industry analysts as a leading technology in email outbreak detection.
3. We are in the process of defining the revenue share program and will provide the details to this when it is ready.

David B www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, July 18, 2006 4:09 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.3

So, that being said, under what conditions can a legacy customer use Commtouch? Since it would seem that Commtouch is being offered as an add-on, what are the benefits of having Commtouch? What does it do that Declude alone does not? And of course it would be nice if this revenue share program was spelled out somewhere.

Original Message
From: David Barker [EMAIL PROTECTED]
Sent: Tuesday, July 18, 2006 3:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.3

There are restrictions on CommTouch being used by Service Providers we had to ensure that NEW customers (ie. Service Providers After 1 June 06) understand the licensing restrictions. Current Service Providers (ie. Before 1 June 06) are under no restrictions for using Declude; only the CommTouch add-in component. However we have managed to come to an agreement with CommTouch to enable our legacy customers (ie. Service Providers Before 1 June 06) to take advantage of CommTouch under a revenue share program, this program is not being forced onto legacy customers but will be an opportunity for us to help you increase revenues in your business, by providing you with new product like the Declude Gateway which would be independent of Imail/SmarterMail and will include CommTouch.

David B www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, July 18, 2006 3:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.3

I guess we all missed the following paragraph in the license agreement:

3.2.6 sub-license, rent, sell, lease, distribute, or otherwise transfer the Licensed Program save as provided under this End-User License Agreement unless You obtain a separate License from Declude, Inc. for such purposes (for example, You may not embed the Licensed Program into another application and then distribute such to third parties unless You first acquire an OEM License from Declude, Inc.). As of June 1, 2006, ISP's and other service providers are not permitted to use Declude software to clean and forward mail to customers unless a separate revenue share agreement has been established with Declude.

http://www.declude.com/Articles.asp?ID=121

Is Declude trying to put us out of business? We pay for the software and now have to pay them some of your meager profits?

John T eServices For You Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, July 18, 2006 11:24 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude 4.3

I guess someone is going to make an official announcement today about Declude 4.3? I see that it's downloadable in my account, but it would be nice to know what I'm getting before I install it, especially the new Commtouch stuff. The Restrictions listed next to the Add Commtouch section are especially confusing.

https://www.declude.com/articles.asp?ID=205

Who would use Declude and not fit the definitions of the restrictions? Based on my reading of the Restrictions, nobody who uses Declude will ever be able to use Commtouch. If I am misreading this, would someone please explain it to me?

Gary
RE: [Declude.JunkMail] Declude 4.3
With that said, as an add-on in the same regard as things like Sniffer, CommTouch might be a good solution (if it performs well) for those that can pay the $195/year, however it still irks me that after two years and lots of promises, these things are being added at an extra expense and not available to people like me under reasonable terms.

Matt

What irks me more is not having things fixed in the existing Declude, such as the broken image spam problem. I'd like to see Declude fix their base product before spending time enhancing it. I'm not griping -- just making an observation.
RE: [Declude.JunkMail] F-Prot Licensing
I sent an email to F-Prot telling them that I am not renewing because of their price change. They replied back basically saying they didn't care and adios. They are going to lose a lot of customers. I guess they would rather not have a little money from a lot of customers instead of no money from a few customers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Monday, July 17, 2006 9:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] F-Prot Licensing

Clamav with the runclamd service. Free. Fast. and the Sanesecurity anti-phish signatures.

- Original Message -
From: Markus Gufler
To: declude.junkmail@declude.com
Sent: Friday, July 14, 2006 5:33 PM
Subject: RE: [Declude.JunkMail] F-Prot Licensing

This pricing is just another way of saying Go Away. Suggestions?

Markus