RE: [Declude.JunkMail] No one at Declude?
Not that I can think of, the real advantage is it shuts off all internal validations, AVG which has already stopped, SNF and CT which will stop anytime soon.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 1:43 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Thanks David,

So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs. the Bypass key?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:09 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

If internal SNF is still ON then it can conflict with external Message Sniffer by grabbing the port which SNF uses. By using our fix will ensure internal SNF is turned OFF. If using the bypass key has everything OFF then that is fine too.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

So - is there any advantage of using the hosts file trick (to invalidate the license server IP address) http://mailsbestfriend.com/declude-fix vs. using the special bypass license code? Does one enable more functions than the other?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 12:31 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Yes Internal Sniffer is no longer a valid option. Need to switch to external.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:06 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Uh - but with that code, the internal SNF is turned off? So one has to configure Sniffer as an external test with a separate Sniffer license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key:

CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to the diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that?

So then I restarted the Declude service and now the diag file only shows this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2013 Declude, Inc.
Host Name mail1.bcwebhost.net
Declude Key redacted

So I have no idea what's going on. Anyone?

-Original Message-
From: Brian Baker
Sent: Tuesday, April 16, 2013 7:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else?

- Original Message -
From: Todd Richards to...@nnepa.com
To: Declude.JunkMail@declude.com
Sent: Monday, April 15, 2013 9:34 AM
Subject: RE: [Declude.JunkMail] No one at Declude?

What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude...

Todd

-Original Message-
On Sunday, April 14, 2013 10:24 PM, John Doyle wrote:

I have reverted to a system that works.
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] No one at Declude?
Filters yes all_list.dat working on that. -Original Message- From: John Dobbin [mailto:jo...@penpublishing.com] Sent: Thursday, April 18, 2013 9:14 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? David - with your support extended to the community, will you be able to offer maintenance of the all_list.dat as well as the filters? -Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 1:02 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Not that I can think of, the real advantage is it shuts off all internal validations, AVG which has already stopped, SNF and CT which will stop anytime soon. -Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 1:43 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Thanks David, So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs. the Bypass key? -Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 1:09 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? If internal SNF is still ON then it can conflict with external Message Sniffer by grabbing the port which SNF uses. By using our fix will ensure internal SNF is turned OFF. If using the bypass key has everything OFF then that is fine too. -Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:46 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? So - is there any advantage of using the hosts file trick (to invalidate the license server IP address) http://mailsbestfriend.com/declude-fix vs. using the special bypass license code? Does one enable more functions that the other? 
-Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 12:31 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Yes Internal Sniffer is no longer a valid option. Need to switch to external. -Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:06 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Uh - but with that code, the internal SNF is turned off? So one has to configure Sniffer has an external test with a separate Sniffer license code? -Original Message- From: Stephan Chayer [mailto:scha...@intrasoft.net] Sent: Wednesday, April 17, 2013 5:37 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0 -Message d'origine- De : SM Admin [mailto:imailad...@bcwebhost.net] Envoyé : 17 avril, 2013 2:43 À : Declude.JunkMail@declude.com Objet : Re: [Declude.JunkMail] No one at Declude? Apparently I was too quick on the draw as this line has since been added to the diag file: 04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY Did someone say something about new keys? -Original Message- From: SM Admin Sent: Tuesday, April 16, 2013 10:25 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that? So then I restarted the Declud service and now the diag file only shows this: Declude 4.12.02 Diagnostics Compilation Platform: SmarterMail Copyright (c) 2000-2013 Declude, Inc. Host Name mail1.bcwebhost.net Declude Key redacted So I have no idea what's going on. Anyone? 
-Original Message- From: Brian Baker Sent: Tuesday, April 16, 2013 7:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else? - Original Message - From: Todd Richards to...@nnepa.com To: Declude.JunkMail@declude.com Sent: Monday, April 15, 2013 9:34 AM Subject: RE: [Declude.JunkMail] No one at Declude? What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude... Todd -Original Message- On Sunday, April 14, 2013 10:24 PM, John Doyle wrote: I have reverted to a system that works. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com
RE: [Declude.JunkMail] No one at Declude?
Already posted…. But here again: If internal SNF is still ON then it can conflict with external Message Sniffer by grabbing the port which SNF uses. By using our fix will ensure internal SNF is turned OFF. If using the bypass key has everything OFF then that is fine too. From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Thursday, April 18, 2013 9:17 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Hi David, Would you mind explaining your hosts trick? Not how a host file works but why this will circumvent licensing Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker david.bar...@mailsbestfriend.com Sent: Thursday, April 18, 2013 1:11 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? If internal SNF is still ON then it can conflict with external Message Sniffer by grabbing the port which SNF uses. By using our fix will ensure internal SNF is turned OFF. If using the bypass key has everything OFF then that is fine too. -Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:46 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? So - is there any advantage of using the hosts file trick (to invalidate the license server IP address) http://mailsbestfriend.com/declude-fix vs. using the special bypass license code? Does one enable more functions that the other? -Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 12:31 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Yes Internal Sniffer is no longer a valid option. 
Need to switch to external. -Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:06 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Uh - but with that code, the internal SNF is turned off? So one has to configure Sniffer has an external test with a separate Sniffer license code? -Original Message- From: Stephan Chayer [mailto:scha...@intrasoft.net] Sent: Wednesday, April 17, 2013 5:37 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0 -Message d'origine- De : SM Admin [mailto:imailad...@bcwebhost.net] Envoyé : 17 avril, 2013 2:43 À : Declude.JunkMail@declude.com Objet : Re: [Declude.JunkMail] No one at Declude? Apparently I was too quick on the draw as this line has since been added to the diag file: 04/16/2013 22:24:21.947 [BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY Did someone say something about new keys? -Original Message- From: SM Admin Sent: Tuesday, April 16, 2013 10:25 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that? So then I restarted the Declud service and now the diag file only shows this: Declude 4.12.02 Diagnostics Compilation Platform: SmarterMail Copyright (c) 2000-2013 Declude, Inc. Host Name mail1.bcwebhost.net Declude Key redacted So I have no idea what's going on. Anyone? -Original Message- From: Brian Baker Sent: Tuesday, April 16, 2013 7:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else? 
- Original Message - From: Todd Richards to...@nnepa.com To: Declude.JunkMail@declude.com Sent: Monday, April 15, 2013 9:34 AM Subject: RE: [Declude.JunkMail] No one at Declude? What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude... Todd -Original Message- On Sunday, April 14, 2013 10:24 PM, John Doyle wrote: I have reverted to a system that works.
RE: [Declude.JunkMail] Clam Antivirus
Commtouch was a 3rd party plugin and only deal with vendors there is nothing that can be done to reestablish Commtouch, besides I am assuming they are not being paid by Declude either.

-Original Message-
From: Michael Cummins [mailto:mich...@i-magery.com]
Sent: Thursday, April 18, 2013 9:20 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Clam Antivirus

Working good.

I see a virus in my /virus/ directory that Message Sniffer put there:

X-MessageSniffer-Identifier: \Spool\proc\work\778871245675.eml
X-GBUdb-Analysis: 0, XXX.XXX.XXX.XXX, Ugly c=1 p=0.0736094 Source Normal
X-MessageSniffer-Scan-Result: 55
X-MessageSniffer-Rules: 55-5553430-0-32767-f

...and now I see in report.txt and in the declude virus log that ClamD is looking at things, too.

I feel better about not having AVG, but I wish there was a way to get the CommTouch I already paid for. Anyone reach out to CommTouch yet?

- Michael Cummins

-Original Message-
From: Michael Cummins [mailto:mich...@i-magery.com]
Sent: Thursday, April 18, 2013 8:26 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Clam Antivirus

Sorry, I just saw Matt's e-mail from yesterday. Thanks, Matt! I'll give it a whirl.

Very Respectfully,
Michael E. Cummins

-Original Message-
From: Michael Cummins [mailto:mich...@i-magery.com]
Sent: Thursday, April 18, 2013 8:21 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Clam Antivirus

So AVG and CommTouch can't be used anymore, right?

I have Message Sniffer configured to run externally, and I've been told that it catches viruses, but I don't know the particulars and don't have full confidence that I'm protecting my customers as well as I used to.

I went to download ClamAV, but the only thing I can find on their website is that Immunet 3.0 product.

Anyone recently download and configure ClamAV for use with Declude?

- Michael Cummins
RE: [Declude.JunkMail] No one at Declude?
Just my 2c - users do not need to abandon the Declude product. Declude still has tremendous value, hijack, routing email, rules etc all you need is a way to keep Declude running and support which MBF can help you do. The solution to this tragedy is Declude+Message Sniffer.

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com

-Original Message-
From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Wednesday, April 17, 2013 11:24 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

On 2013-04-17 11:11, John Doyle wrote:
> You also should go to message sniffer and email them for help on getting message sniffer to run standalone.

Message Sniffer can run standalone on both IMail and SmarterMail.

On IMail, use the MINIMI (minimal IMail Shim) plugin:
http://www.armresearch.com/support/articles/installation/minimiImail.jsp

On Smarter Mail run SNFClient as a command line scanner:
http://www.armresearch.com/support/qa/integration/smarterMail.jsp

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
twitter/codedweller
RE: [Declude.JunkMail] No one at Declude?
There is no-one at Declude, not one person involved in operations. No engineers, no sales people, no support people no management nothing. The company right now simply exists as an entity. The only help you are going to get from MBF. David From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Wednesday, April 17, 2013 11:47 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Thanks David for the vote of confidence. Who do we contact at Declude for customer support? They seem to be radio silent for now - at least on this list. Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker david.bar...@mailsbestfriend.com Sent: Wednesday, April 17, 2013 11:35 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Just my 2c - users do not need to abandon the Declude product. Declude still has tremendous value, hijack, routing email, rules etc all you need is a way to keep Declude running and support which MBF can help you do. The solution to this tragedy is Declude+Message Sniffer. David Barker Mail’s Best Friend Email : david.bar...@mailsbestfriend.com Web : www.mailsbestfriend.com -Original Message- From: Pete McNeil [mailto:madscient...@microneil.com] Sent: Wednesday, April 17, 2013 11:24 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? On 2013-04-17 11:11, John Doyle wrote: You also should go to message sniffer and email them for help on getting message sniffer to run standalone. Message Sniffer can run standalone on both IMail and SmarterMail. 
On IMail, use the MINIMI (minimal IMail Shim) plugin: http://www.armresearch.com/support/articles/installation/minimiImail.jsp On Smarter Mail run SNFClient as a command line scanner: http://www.armresearch.com/support/qa/integration/smarterMail.jsp _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
RE: [Declude.JunkMail] No one at Declude?
In short. That is the reason. From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Wednesday, April 17, 2013 12:23 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? There is no-one at Declude, not one person involved in operations. No engineers, no sales people, no support people no management nothing. That is too bad. Who would have guessed this would happen. So why did Declude die? You were its VP - thoughts? Is Chuck still around by chance? http://www.corporationwiki.com/Massachusetts/Somerville/david-barker/116682287.aspx http://corp.sec.state.ma.us/corp/corpsearch/CorpSearchSummary.asp?ReadFromDB=True http://corp.sec.state.ma.us/corp/corpsearch/CorpSearchSummary.asp?ReadFromDB=TrueUpdateAllowed=FEIN=371577720 UpdateAllowed=FEIN=371577720 Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker david.bar...@mailsbestfriend.com Sent: Wednesday, April 17, 2013 12:02 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? There is no-one at Declude, not one person involved in operations. No engineers, no sales people, no support people no management nothing. The company right now simply exists as an entity. The only help you are going to get from MBF. David From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Wednesday, April 17, 2013 11:47 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Thanks David for the vote of confidence. Who do we contact at Declude for customer support? They seem to be radio silent for now - at least on this list. 
Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker david.bar...@mailsbestfriend.com Sent: Wednesday, April 17, 2013 11:35 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Just my 2c - users do not need to abandon the Declude product. Declude still has tremendous value, hijack, routing email, rules etc all you need is a way to keep Declude running and support which MBF can help you do. The solution to this tragedy is Declude+Message Sniffer. David Barker Mail’s Best Friend Email : david.bar...@mailsbestfriend.com Web : www.mailsbestfriend.com -Original Message- From: Pete McNeil [mailto:madscient...@microneil.com] Sent: Wednesday, April 17, 2013 11:24 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? On 2013-04-17 11:11, John Doyle wrote: You also should go to message sniffer and email them for help on getting message sniffer to run standalone. Message Sniffer can run standalone on both IMail and SmarterMail. On IMail, use the MINIMI (minimal IMail Shim) plugin: http://www.armresearch.com/support/articles/installation/minimiImail.jsp On Smarter Mail run SNFClient as a command line scanner: http://www.armresearch.com/support/qa/integration/smarterMail.jsp _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. 
To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] No one at Declude?
I do know. Let me put it this way, it is up not for the benefit of customers. From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Wednesday, April 17, 2013 12:43 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Well the only thing that has not gone away is this list for some reason. Even the site went dark for awhile. Why have the the site up, phones on, list work but kill the license server?David - do you have any insight? Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm https://www.skywaves.com/content/secure/support_ticket.htm _ From: Todd t...@smart-mail.net Sent: Wednesday, April 17, 2013 12:26 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Ours went down as well this morning. Declude stopped processing with a licensing error. I have left several phone messages. Todd _ From: Nick Hayer n...@madriveraccess.com Sent: Wednesday, April 17, 2013 10:47 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Thanks David for the vote of confidence. Who do we contact at Declude for customer support? They seem to be radio silent for now - at least on this list. Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker david.bar...@mailsbestfriend.com Sent: Wednesday, April 17, 2013 11:35 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Just my 2c - users do not need to abandon the Declude product. 
Declude still has tremendous value, hijack, routing email, rules etc all you need is a way to keep Declude running and support which MBF can help you do. The solution to this tragedy is Declude+Message Sniffer. David Barker Mail's Best Friend Email : david.bar...@mailsbestfriend.com Web : www.mailsbestfriend.com -Original Message- From: Pete McNeil [mailto:madscient...@microneil.com] Sent: Wednesday, April 17, 2013 11:24 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? On 2013-04-17 11:11, John Doyle wrote: You also should go to message sniffer and email them for help on getting message sniffer to run standalone. Message Sniffer can run standalone on both IMail and SmarterMail. On IMail, use the MINIMI (minimal IMail Shim) plugin: http://www.armresearch.com/support/articles/installation/minimiImail.jsp On Smarter Mail run SNFClient as a command line scanner: http://www.armresearch.com/support/qa/integration/smarterMail.jsp _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. 
RE: [Declude.JunkMail] No one at Declude?
1. Makes sure that SNF is OFF in the \Diags.txt

2. These are my suggested values (please note that you path if copy/paste) also NONZERO weight can be 20 or 25. Also if you want to break out the NONZERO codes that is fine too.

SNIFFER           external  NONZERO  C:\Smartermail\Declude\SNF\SNFClient.exe  20   0
SNIFFER-CAUTION   external  020      C:\Smartermail\Declude\SNF\SNFClient.exe  -10  0
SNIFFER-TRUNCATE  external  040      C:\Smartermail\Declude\SNF\SNFClient.exe  10   0

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 703.988.3605 x7015
Mobile : 978.518.6461

From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Wednesday, April 17, 2013 1:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

On 2013-04-17 13:06, Katie La Salle-Lowery wrote:
> X-MessageSniffer-Scan-Result: 20
> X-MessageSniffer-Rules: 20-0-0--1-f

By the way: We have seen a LOT of this lately. For some reason there appear to be many Declude configurations out there that do not account for the truncate result code from SNF.

I highly recommend that if you are using Declude, and especially if you have seen an increase in spam leakage, you should check your configuration and make sure that you weight result code 20 higher than other nonzero Message Sniffer result codes.

On most systems that use SNF + Declude, not counting for the truncate result code can result in leaking more than 10% of spam/malware that would have been caught.

Best,
_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
twitter/codedweller
RE: [Declude.JunkMail] No one at Declude?
Sorry for the confusion: This is the correct VERSION. Please update your Sniffer Configs. (Sorry I missed this lack of sleep trying to keep everyone afloat) I am going to post this same information to the MBF Message List.

SNIFFER external NONZERO C:\Smartermail\Declude\SNF\SNFClient.exe 20 0
SNIFFER-CAUTION external 040 C:\Smartermail\Declude\SNF\SNFClient.exe -10 0
SNIFFER-TRUNCATE external 020 C:\Smartermail\Declude\SNF\SNFClient.exe 10 0

From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Wednesday, April 17, 2013 1:48 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

On 2013-04-17 13:36, David Barker wrote:

SNIFFER external NONZERO C:\Smartermail\Declude\SNF\SNFClient.exe 20 0
SNIFFER-CAUTION external 020 C:\Smartermail\Declude\SNF\SNFClient.exe -10 0
SNIFFER-TRUNCATE external 040 C:\Smartermail\Declude\SNF\SNFClient.exe 10 0

Woops!! That's backward. It SHOULD be:

SNIFFER-CAUTION external 040 etc...
SNIFFER-TRUNCATE external 020 etc...

Best,
_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
twitter/codedweller
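The weighting advice in this exchange (result code 20, truncate, must outweigh every other nonzero Message Sniffer result) can be checked mechanically. The Python below is an added example, not code from Declude, Message Sniffer or any poster; it assumes the field order shown in the thread (name, "external", result code, program, weight on match, weight otherwise) and that the weights of all matching tests add together. All function and constant names are hypothetical, and the input is constructed from the two configurations quoted in the thread.

```python
from __future__ import annotations

from dataclasses import dataclass

TRUNCATE_CODE = 20  # SNF "truncate" result code, as identified in the thread

# Constructed input: the configuration as first posted (codes swapped) ...
FIRST_POSTED = r"""
SNIFFER external NONZERO C:\Smartermail\Declude\SNF\SNFClient.exe 20 0
SNIFFER-CAUTION external 020 C:\Smartermail\Declude\SNF\SNFClient.exe -10 0
SNIFFER-TRUNCATE external 040 C:\Smartermail\Declude\SNF\SNFClient.exe 10 0
"""

# ... and the corrected configuration from the follow-up message.
CORRECTED = r"""
SNIFFER external NONZERO C:\Smartermail\Declude\SNF\SNFClient.exe 20 0
SNIFFER-CAUTION external 040 C:\Smartermail\Declude\SNF\SNFClient.exe -10 0
SNIFFER-TRUNCATE external 020 C:\Smartermail\Declude\SNF\SNFClient.exe 10 0
"""


@dataclass(frozen=True)
class ExternalTest:
    name: str
    match: str      # "NONZERO" or a numeric result code such as "020"
    program: str
    on_match: int   # weight added when the result code matches
    on_clear: int   # weight added otherwise

    def fires_on(self, code: int) -> bool:
        if self.match == "NONZERO":
            return code != 0
        return int(self.match) == code


def parse_sniffer_tests(config_text: str, prefix: str = "SNIFFER") -> list[ExternalTest]:
    """Parse external test lines whose name starts with `prefix`.

    A line that starts with the prefix but is not well formed (for example a
    name and type that have run together) raises instead of being skipped,
    because a silently ignored test changes the effective weighting.
    """
    tests = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        fields = raw.split()
        if not fields or not fields[0].upper().startswith(prefix):
            continue  # blank line or an unrelated test
        if len(fields) < 6 or fields[1].lower() != "external":
            raise ValueError(f"line {lineno}: malformed external test: {raw.strip()!r}")
        match = fields[2].upper()
        if match != "NONZERO" and not match.isdigit():
            raise ValueError(f"line {lineno}: bad result code {fields[2]!r}")
        try:
            on_match, on_clear = int(fields[-2]), int(fields[-1])
        except ValueError:
            raise ValueError(f"line {lineno}: weights must be integers") from None
        # Everything between the code and the two weights is the program path.
        program = " ".join(fields[3:-2])
        tests.append(ExternalTest(fields[0], match, program, on_match, on_clear))
    return tests


def effective_weight(tests: list[ExternalTest], code: int) -> int:
    """Total weight a message receives when the scanner returns `code`."""
    return sum(t.on_match for t in tests if t.fires_on(code))


def check_truncate_weighting(config_text: str) -> tuple[dict[int, int], list[int]]:
    """Return (weight per result code, codes weighted >= the truncate code).

    One code that no test names explicitly stands in for every other nonzero
    result, since those are only ever matched by the NONZERO test.
    """
    tests = parse_sniffer_tests(config_text)
    named = {int(t.match) for t in tests if t.match != "NONZERO"}
    other = next(c for c in range(1, 1000) if c not in named and c != TRUNCATE_CODE)
    codes = sorted(named | {TRUNCATE_CODE, other})
    weights = {c: effective_weight(tests, c) for c in codes}
    offenders = [c for c in codes
                 if c != TRUNCATE_CODE and weights[c] >= weights[TRUNCATE_CODE]]
    return weights, offenders


if __name__ == "__main__":
    for label, text in (("first posted", FIRST_POSTED), ("corrected", CORRECTED)):
        weights, offenders = check_truncate_weighting(text)
        verdict = "OK" if not offenders else f"codes {offenders} outweigh truncate"
        print(f"{label}: {weights} -> {verdict}")
```

An empty offender list means code 20 carries the highest total weight; any code listed is one that would score at least as high as a truncate result.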
RE: [Declude.JunkMail] No one at Declude?
Yes Internal Sniffer is no longer a valid option. Need to switch to external.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:06 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Uh - but with that code, the internal SNF is turned off? So one has to configure Sniffer as an external test with a separate Sniffer license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key:

CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to the diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that?

So then I restarted the Declude service and now the diag file only shows this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2013 Declude, Inc.
Host Name mail1.bcwebhost.net
Declude Key redacted

So I have no idea what's going on. Anyone?

-Original Message-
From: Brian Baker
Sent: Tuesday, April 16, 2013 7:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else?

- Original Message -
From: Todd Richards to...@nnepa.com
To: Declude.JunkMail@declude.com
Sent: Monday, April 15, 2013 9:34 AM
Subject: RE: [Declude.JunkMail] No one at Declude?

What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude...

Todd

-Original Message-
On Sunday, April 14, 2013 10:24 PM, John Doyle wrote:

I have reverted to a system that works.
RE: [Declude.JunkMail] No one at Declude?
If internal SNF is still ON then it can conflict with external Message Sniffer by grabbing the port which SNF uses. By using our fix will ensure internal SNF is turned OFF. If using the bypass key has everything OFF then that is fine too.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

So - is there any advantage of using the hosts file trick (to invalidate the license server IP address) http://mailsbestfriend.com/declude-fix vs. using the special bypass license code? Does one enable more functions than the other?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 12:31 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Yes Internal Sniffer is no longer a valid option. Need to switch to external.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:06 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Uh - but with that code, the internal SNF is turned off? So one has to configure Sniffer as an external test with a separate Sniffer license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key:

CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to the diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that?

So then I restarted the Declude service and now the diag file only shows this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2013 Declude, Inc.
Host Name mail1.bcwebhost.net
Declude Key redacted

So I have no idea what's going on. Anyone?

-Original Message-
From: Brian Baker
Sent: Tuesday, April 16, 2013 7:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else?

- Original Message -
From: Todd Richards to...@nnepa.com
To: Declude.JunkMail@declude.com
Sent: Monday, April 15, 2013 9:34 AM
Subject: RE: [Declude.JunkMail] No one at Declude?

What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude...

Todd

-Original Message-
On Sunday, April 14, 2013 10:24 PM, John Doyle wrote:

I have reverted to a system that works.
RE: [Declude.JunkMail] No one at Declude?
Looks like the website is back up again and the list is working. Not sure what's going on. Has anyone had any response from Declude via phone or email?

I can confirm what Matt is saying there is a key for no validation. It was put into the software for this precise yet unfortunate scenario.

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 703.988.3605 x7015

-Original Message-
From: Matt [mailto:for...@mailpure.com]
Sent: Saturday, April 13, 2013 11:02 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Pete,

There is such a thing. I lobbied Dave for this back when they went to a subscription model. It was for select users that had the lifetime licenses that were concerned about the authentication servers. I can't say for sure that this doesn't deal with their servers at all (I hope not). Maybe Dave can verify this.

I'm willing to share the details of this once I am more certain that Declude is completely done. This license will not allow for AVG or Commtouch updates, but it will allow Declude to operate without validation as far as I know.

Matt

On 4/10/2013 6:16 PM, Pete McNeil wrote:

On 2013-04-10 16:21, John Dobbin wrote:

With all the discussion recently about Declude going down, my concern is more with what happens if/when the licensing server goes away?

I don't recall where, but I heard a rumor that there was a forever license code somewhere for Declude. Anybody know anything about that?

If Declude just evaporates without saying another word that would be a good thing to have.

_M
RE: [Declude.JunkMail] No one at Declude?
No offence taken :) Feel free to email Declude or call them.

David

From: ra...@globalweb.us [mailto:ra...@globalweb.us]
Sent: Wednesday, April 10, 2013 4:34 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

I would like to get an official notice from Declude on what is going on and how it will affect us, like your example of the license server.

Sincerely,
Randy A.

John Dobbin wrote:

So it would seem.

With all the discussion recently about Declude going down, my concern is more with what happens if/when the licensing server goes away? What are people looking at to migrate to?

Has there been any actual confirmation aside from postings from former employees and people's perceptions? (no offence David)

-Original Message-
From: Herb Guenther [mailto:h...@lanex.com]
Sent: Wednesday, April 10, 2013 3:18 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?
RE: [Declude.JunkMail] No one at Declude?
Please don’t spend any money until you have at least spoken to us. If we can’t help you perhaps we can point you in the right direction.

David

From: John Doyle [mailto:jdo...@spicehunter.com]
Sent: Wednesday, April 10, 2013 4:59 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Randy the web site is now down. AVG has not been updating since last month. Commtouch will begin to fail soon. Sounds like they went upside down. You may never hear another word from them. Once bills don't get taken care things will stop.

Search for David's email a few days ago and get the latest interim version and last AVG DB if you still can. I did the update and it fixed the growing diag.txt issue.

See if you can get CLAM going for virus.

Call Pete over at ARM Research to have Declude call sniffer directly if you use it.

I have no clue if at some point Declude simply stops if there is no one home at Declude. David is a good resource, Pete may have other programs to call his product.

Dig out your wallet and call Ipswitch and turn on virus and premium spam.

It's a mess.

From: ra...@globalweb.us [mailto:ra...@globalweb.us]
Sent: Wednesday, April 10, 2013 1:34 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

I would like to get an official notice from Declude on what is going on and how it will affect us, like your example of the license server.

Sincerely,
Randy A.

John Dobbin wrote:

So it would seem.

With all the discussion recently about Declude going down, my concern is more with what happens if/when the licensing server goes away? What are people looking at to migrate to?

Has there been any actual confirmation aside from postings from former employees and people's perceptions? (no offence David)

-Original Message-
From: Herb Guenther [mailto:h...@lanex.com]
Sent: Wednesday, April 10, 2013 3:18 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?
RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing
If you don’t have the last build 4.12.02 get it now!

http://interim.declude.com/41202/
U: Interim
P: decinterimv4

Also get the latest AVG DB at:

http://downloads.declude.com/AVG/
U: DecDown
P: DecDown

Sunday, April 07, 2013 7:37 PM 72153339 incavi.avm
http://downloads.declude.com/AVG/incavi.avm

Once you have upgraded to the latest version drop the incavi.avm into \declude\scanners\AVG\db

This should resolve the “ERROR: Failed Initialize AVG 183”.

If you need further assistance contact Linda linda.pagi...@mailsbestfriend.com or myself david.bar...@mailsbestfriend.com

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 703.988.3605 x7015
Mobile : 978.518.6461

From: Colbeck, Andrew [mailto:acolb...@bentallkennedy.com]
Sent: Tuesday, April 9, 2013 12:37 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

If you upgraded to Declude 4.11.09 to avoid the AVG licence issue, you’ll find that it was a bandaid, and that build’s usefulness also expired contemporaneously with David and Linda’s employee status, on January 31, 2013.

C:\IMail>strings decludeproc.exe | grep LicBeg
LicBeg, Ver=1.1, Name=Declude, Exp=2013-01-31, +Av, Sign=blahblahblah

You still received updates for a grace period (the files with zero bytes are normal for the Declude implementation of AVG):

C:\IMail>dir C:\IMail\declude\scanners\AVG\db
 Volume in drive C has no label.
 Volume Serial Number is 9471-8A74

 Directory of C:\IMail\declude\scanners\AVG\db

03/22/2013  07:47 AM    <DIR>          .
03/22/2013  07:47 AM    <DIR>          ..
03/19/2013  02:44 PM                 0 avi7.avg
03/19/2013  02:44 PM                 0 microavi.avg
03/19/2013  02:44 PM                 0 miniavi.avg
03/22/2013  07:47 AM        71,002,023 incavi.avm
               4 File(s)     71,002,023 bytes
               2 Dir(s)  11,036,254,208 bytes free

C:\IMail>

This might be addressed in the latest (last?) build which you can obtain through the interim downloads website (log into your client support site for the link). If I remember correctly, that build is on 2013-03-15 with v4.12.02 that specifically cites in the change log ReadMe.txt:

4.12.02
==
Fix: update AVG Key

4.12.01
==
Fix: AVG Bug

4.12.00
==
Fix: update AVG Key

Which (I think) also fixes the “ERROR: Failed Initialize AVG 183” being spammed all over your c:\imail\declude\diags.txt

Andrew.

From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 7:33 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

Thanks Dave, will do.

On Fri, Jan 11, 2013 at 10:25 AM, David Barker dbar...@declude.com wrote:

Dean,

There is currently an issue with the AVG that we are currently working on. As far as backup in the \proc directory and the 0 Kb log that seems like a different issue. Can you please contact supp...@declude.com for assistance.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 10:18 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

The subject says it all. This morning, declude started to have high cpu usage, the log file is 0k and messages are backing up in the proc directory. I looked in the diags.txt and I see this message:

ERROR: Failed Initialize AVG 183
Daisy Chain smtp32.exe

I was running 4.11 and upgraded to 4.11.09 and still have the same results. Any thoughts?

--
Dean M. Lawrence
INTERNET DATA TECHNOLOGY
p // 888.438.4381 ext. 701
w // www.idatatech.com
f // www.facebook.com/idatatech
t // www.twitter.com/idatatech
Social Marketing | SEO | Design | Internet Development

--
Dean M. Lawrence
INTERNET DATA TECHNOLOGY
p // 888.438.4381 ext. 701
w // www.idatatech.com
f // www.facebook.com/idatatech
t
RE: [Declude.JunkMail] No one at Declude?
Yes I will be the someone. When this list dies make sure you email me your contact so I can get you on a new list.

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 703.988.3605 x7015
Mobile : 978.518.6461

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Tuesday, April 9, 2013 4:09 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Someone should start up a new discussion list that everyone can join before this one goes away. It would be good to have a place to continue collaboration.
RE: [Declude.JunkMail] Re: The Answer
It looks to be the end of Declude development, (unless they make it open source) however the product still has within it sufficient functionality to add value to anyone who uses it, especially if you add a product like Message Sniffer to the mix.

David

From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, April 09, 2013 8:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Re: The Answer

Hi Dave,

This sounds great. Do you foresee this being the end of development for Declude? Do you know what happened to the new owners of Declude?

Thanks,
Ben

- Original Message -
From: David Barker mailto:david.bar...@mailsbestfriend.com
To: Declude.JunkMail@declude.com
Sent: Monday, April 08, 2013 8:35 PM
Subject: [Declude.JunkMail] Re: The Answer

Declude users,

As many of you may already know Linda Pagillo and I left Declude in January of 2013. Long story short they “Killed The Goose That Laid the Golden Egg” (http://en.wikipedia.org/wiki/The_Goose_That_Laid_the_Golden_Eggs) … my guess … the end is nigh!

However it is not all bad news. We have started a new company called Mail’s Best Friend, not only can we continue to support your Declude product but we have established several strategic relationships that allow us to offer multiple alternate solutions, everything from Message Sniffer, to Cloud based solutions to Hosted Exchange, Mail's Best Friend provides best-of-breed support and integration services for all email solutions.

We have always envisioned this as a community effort so the time has come to become independent and build this our way!

With that said if you need assistance with Declude please contact us so we can help you either maintain what you have or find you an alternate upgrade path. Same good service, same great people… this time without the corporate interference.

Hope to see you soon.

Sincerely,

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 703.988.3605 x7015
Mobile : 978.518.6461
[Declude.JunkMail] Re: The Answer
Declude users,

As many of you may already know Linda Pagillo and I left Declude in January of 2013. Long story short they “Killed The Goose That Laid the Golden Egg” (http://en.wikipedia.org/wiki/The_Goose_That_Laid_the_Golden_Eggs) … my guess … the end is nigh!

However it is not all bad news. We have started a new company called Mail's Best Friend, not only can we continue to support your Declude product but we have established several strategic relationships that allow us to offer multiple alternate solutions, everything from Message Sniffer, to Cloud based solutions to Hosted Exchange, Mail's Best Friend provides best-of-breed support and integration services for all email solutions.

We have always envisioned this as a community effort so the time has come to become independent and build this our way!

With that said if you need assistance with Declude please contact us so we can help you either maintain what you have or find you an alternate upgrade path. Same good service, same great people… this time without the corporate interference.

Hope to see you soon.

Sincerely,

David Barker
Mail's Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 703.988.3605 x7015
Mobile : 978.518.6461
RE: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing
Dean,

There is currently an issue with the AVG that we are currently working on. As far as backup in the \proc directory and the 0 Kb log that seems like a different issue. Can you please contact supp...@declude.com for assistance.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: Dean Lawrence [mailto:dean...@gmail.com]
Sent: Friday, January 11, 2013 10:18 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Declude stopped logging, high CPU usage, slow processing

The subject says it all. This morning, declude started to have high cpu usage, the log file is 0k and messages are backing up in the proc directory. I looked in the diags.txt and I see this message:

ERROR: Failed Initialize AVG 183
Daisy Chain smtp32.exe

I was running 4.11 and upgraded to 4.11.09 and still have the same results. Any thoughts?

--
Dean M. Lawrence
INTERNET DATA TECHNOLOGY
p // 888.438.4381 ext. 701
w // www.idatatech.com
f // www.facebook.com/idatatech
t // www.twitter.com/idatatech
Social Marketing | SEO | Design | Internet Development
RE: [Declude.JunkMail] need to do upgrade for mail.beicorporate.com
You need to install 4.11.00 first using the setup program available for download from your Declude My Account page. Thereafter you can upgrade to 4.11.07 which is the interim release by just switching out your Decludeproc.exe from http://interim.declude.com/41107/

If you need any assistance with this please email us supp...@declude.com

From: Ferrell Ard [mailto:ferr...@badpuppy.com]
Sent: Thursday, November 29, 2012 10:42 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] need to do upgrade for mail.beicorporate.com

Good Morning David

I am getting ready to retire (Dec 21, 2012) and want to get up-to-date on Declude.

We are running 4.10.80 (mail.beicorporate.com)

Can I go directly to the latest release (??) of Declude? Or do I need to install 4.11.0 and then do a 2nd upgrade to 4.11.??

Thanks very much

Ferrell Ard
Badpuppy Enterprises, Inc.
321-631-9500

- Original Message -
From: David Barker mailto:dbar...@declude.com
To: Declude.JunkMail@declude.com
Cc: declude.relea...@declude.com
Sent: Wednesday, June 06, 2012 10:28 AM
Subject: [Declude.JunkMail] Per-Domain Per-User settings for EZIP

We usually don’t post about every interim release however we thought this would be useful as it has been requested often. (Please Note: you need to be on 4.11.00 to upgrade just the decludeproc, if you are earlier than 4.11.00 use the setup upgrade from your host record on www.declude.com)

Interim access can be found on your My Account home page.

// 4.11.04
==
ADD: Allowing EZIP (Encrypted ZIP files) for Domains and Users

File: Virus.cfg file

ALLOWEZIPTO = used for incoming email
ALLOWEZIPFROM = used for outgoing email

User configuration = u...@example.com
Domain Configuration = example.com

Example:

ALLOWEZIPTO u...@example.com
ALLOWEZIPTO example.com
ALLOWEZIPFROM senderaddr...@example.com
ALLOWEZIPFROM example.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.JunkMail] Android Yahoo Mail app spam
To clarify the message ID is always exactly the same or is similar too?

Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, July 05, 2012 4:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Android Yahoo Mail app spam

http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05

The spam messages share two similarities, Zink, who discovered the botnet, explained in a blog post (http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx). First, each message closes with the signature Sent from Yahoo! Mail on Android. Secondly, they all share a message ID that reads:

Message-ID: 1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com

Is there a preferred way to look for the message header? This way, these can be scored high enough to delete. We’re seeing large amounts of these the last week.

Thanks

John Dobbin
Pen Publishing Interactive - http://www.penpublishing.com
RE: [Declude.JunkMail] Whitelist emails with attachments?
Yes. You can use CB-ATTACH.txt as a basis for attachments. You can add the following to the top of the filter to restrict this to specific domains.

ALLRECIPS END NOTCONTAINS example.com

If you have multiple domains then we would have to use a regex for this.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Tuesday, June 19, 2012 2:47 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Whitelist emails with attachments?

Is there a way in declude to either whitelist or set a filter giving credit (negative weight), when an email sent to a specific user/domain has an attachment attached to it?
RE: [Declude.JunkMail] hacked Wordpress rule?
BODY 10 PCRE (?i:\/wp-includes\/)

From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Friday, June 08, 2012 1:34 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] hacked Wordpress rule?

We are seeing a tremendous number of hacked Wordpress URL’s in spam messages. What would be a good filter rule to catch

/wp-includes/

In the body source?

Thanks
[Declude.JunkMail] Per-Domain Per-User settings for EZIP
We usually don't post about every interim release however we thought this would be useful as it has been requested often.

(Please Note: you need to be on 4.11.00 to upgrade just the decludeproc, if you are earlier than 4.11.00 use the setup upgrade from your host record on www.declude.com)

Interim access can be found on your My Account home page.

// 4.11.04 ==
ADD: Allowing EZIP (Encrypted ZIP files) for Domains and Users
File: Virus.cfg file
ALLOWEZIPTO = used for incoming email
ALLOWEZIPFROM = used for outgoing email
User configuration = u...@example.com
Domain Configuration = example.com

Example:
ALLOWEZIPTO u...@example.com
ALLOWEZIPTO example.com
ALLOWEZIPFROM senderaddr...@example.com
ALLOWEZIPFROM example.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.JunkMail] Pakistan Messages
Create a filter using the following:

HEADERS END NOTCONTAINS @googlegroups.com
#If email from Googlegroups and PK
COUNTRIES 50 PCRE(PK)

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: Todd Richards [mailto:to...@nnepa.com]
Sent: Tuesday, May 08, 2012 3:33 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Pakistan Messages

Hi All –

We have a client who is getting Pakistan messages early every morning like clockwork. They are coming through Google Groups, and are passing the Declude tests with flying colors. Has anyone else seen these, and if so, any ideas on how to block them?

Thanks!
Todd
[Declude.JunkMail] Declude 4.11.00 Interceptor 3.4.11.500 Available
Please contact supp...@declude.com if you need assistance with your upgrade.

// 4.11.00 == New Complete Release with setup
// 4.10.89 == Updated Dll's
// 4.10.88 == Fix: Email attachment being stripped due to vulnerability in the boundary string.
// 4.10.87 == Fix: AVG issue, Error number 8, Not enough storage is available to process this command. ERROR_NOT_ENOUGH_MEMORY
// 4.10.86 == Debug: In the ScanFiles function, AVG test, Comment out two log messages so that we get the correct window error message.
// 4.10.85 == Updated copyright from 2011 to 2012,
// 4.10.84 == IMail: Fix Declude notification looping issue due to Alert action
// 4.10.83 == Add more debug information for AVG Load error
// 4.10.82 == Hijack ALLOWADDR allows authenticated user as well as the FROM address
// 4.10.80 == Commtouch recommended not to block the VOD medium classification

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.JunkMail] invisible attachments? - change topic
Besides minor releases and fixes the next major release will be Declude 5.0 which will have improved performance, less disk i/o and automated updates for the Decludeproc engine, all_list.dat, filters etc. What gets updated will be decided by the mail admin.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: Nick Hayer [mailto:n...@madriveraccess.com]
Sent: Tuesday, March 13, 2012 8:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] invisible attachments? - change topic

Hi Linda,

What are the plans for newer versions of Declude?

-Nick

MadRiverAccess.com|Skywaves.net Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Linda Pagillo lpagi...@declude.com
Sent: Tuesday, March 13, 2012 7:40 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] invisible attachments?

Hi Ben. I do not believe this is a Declude issue because I have never seen Declude actually strip an attachment. However, you may want to test to be sure by disabling Declude for a minute and having someone send a test through.

Linda Pagillo
Declude Technical Support Engineer
866-332-5833 Ext. 2
lpagi...@declude.com

From: Imail Admin [mailto:imailad...@bcwebhost.net]
Sent: Monday, March 12, 2012 10:05 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] invisible attachments?

Thanks Steve. That's the kind of solution I'd already found which doesn't help. In fact, in the discussion on that link there are some whose problems were apparently not resolved and others where they were solved.

Ben

----- Original Message -----
From: Steve Cirivello mailto:scirive...@compuserve.com
To: Declude.JunkMail@declude.com
Sent: Monday, March 12, 2012 6:44 PM
Subject: Re: [Declude.JunkMail] invisible attachments?

Perhaps this issue: http://www.tomshardware.com/forum/236687-49-outlook-express-attachments along with Microsoft Support Article ID 197066

Steve

----- Original Message -----
From: Imail Admin mailto:imailad...@bcwebhost.net
To: Declude.JunkMail@declude.com
Sent: Monday, March 12, 2012 6:10 PM
Subject: [Declude.JunkMail] invisible attachments?

Hi,

I have a problem with invisible attachments and I'm wondering if it's an IMail problem, a Declude problem, or something else.

A law firm that I've dealt with for a long time recently has a problem that messages sent to us with attachments sometimes don't display the attachments. They leave the sender with an attachment, but they arrive with no clue that there is an attachment. If I forward them on to a gmail account I use for testing, then the attachments are visible there.

I've tested this with both Outlook Express and Mail Live on the receiving end and see nothing about the attachments. I check on an Android phone using K-9 and it doesn't show the attachments but does show the mail.dat file usually associated with Outlook and the formatting of messages (and these senders are using Outlook with MS Exchange). However, the usual fix (use Plain Text Only) doesn't seem to help.

My first thought was that the attachments were getting stripped (by Declude?) at our server. But since they still seem to be there once I forward to the gmail account, that excludes that idea. I haven't had any problems receiving test JPG files as attachments and sometimes their PDF files get through just fine.

So any idea what's going on here?

Thanks,
Ben
RE: [Declude.JunkMail] Dealing with SPAM email - Adobe CS4 License
Yes. This will trigger on CS4 in the subject line and score for 20.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-----Original Message-----
From: Ferrell Ard [mailto:ferr...@badpuppy.com]
Sent: Wednesday, December 07, 2011 10:47 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Dealing with SPAM email - Adobe CS4 License
Importance: High

Today, we started getting a L O T of email with a Subject

InDesign CS4 License key # Order 6143

There is a lot of variations to this, but CS4 is common

It's coming from MANY IPs.

In the \filters\Filter-Subject.txt file, will

SUBJECT 20 PCRE (?i:CS4)

catch this email?

Thanks very much
Ferrell
RE: [Declude.JunkMail] PCRE help
Your PCRE should trigger on: =?KOI8-U?B?

Subject: [Possible SPAM]=?KOI8-U?B?y8/OxqbExc7DpsrOpiDVx8/EyQ==?=

From: Scott Fisher [mailto:sfis...@farmprogress.com]
Sent: Wednesday, November 16, 2011 12:49 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] PCRE help

Subject: [Possible SPAM]=?KOI8-U?B?y8/OxqbExc7DpsrOpiDVx8/EyQ==?=

I am trying to catch the spam with above subject listed with the below line:

ANYWHERE 25 PCRE (?i:((charset|content|lang)=.{0,2}koi8-(r|t|u|ru))|(=\?koi8-(r|t|u|ru)\?[bq]\?))

Can anyone see what I’m doing wrong?

Scott Fisher | IT Director
FARM PROGRESS COMPANIES | 255 38th Avenue, Suite P | St. Charles, IL 60174-5410
630/462-2323 | Fax 630/462-2957 | sfis...@farmprogress.com
www.FarmProgress.com

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
RE: [Declude.JunkMail] Regex Greed Issue
You could try restricting the number of characters for the actual domain. I would suggest something like this:

http\:\/\/www.+\.com\..{4,15}\.com

Also in many cases the www will not be present and the real domain will not be a .com so you would need to use something like this:

http\:\/\/.+\.com\..{4,15}\.(net|com|info|biz|co|cn)

There are also many TLD you want to check and I would think in most cases it would point to some URL add the extra /

http\:\/\/.+\.com\..{4,15}\..{2,4}/

Run this as a test let's see if we get any false positives and we can take a look at it again to tweak.

David

-----Original Message-----
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 10:38 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue

well based on your response I guessed you couldn't reproduce it with the example I sent, I confirmed that, and I am unable to trick that regex, however it does catch messages it shouldnt.

here is the log entry for the example message

11/03/2011 15:14:07.489 008080891 Triggered body PCRE filter TEST : http://www.facebook.com/n/?permalink.phpid=3D1209018066story_fbid=3D2337=
84096686420mid=3D51cf32eG5af347a420ebGae7c0bG52bcode=3Dln1Ayh0an_m=3Dsc=
ollins%40nat.com
You can now tag your friends in your status or post. Type @ and then type =
the friend's name. For example: Had lunch with @John Smith.
Thanks,
The Facebook Team
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This message was sent to scoll...@nat.com. If you don't want to receive =
these emails from Facebook in the future, please follow the link below to =
unsubscribe.
http://www.facebook.com [weight - 0]

I will try to get a few more examples with the original message

--
Rick

-----Original Message-----
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, November 03, 2011 9:00 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue

Hi Rick,

Are you sure your regex catches the long URL how did you test it?

David

-----Original Message-----
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 6:38 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Regex Greed Issue

I am trying to use the following regex to catch phishing URLs like http://www.usps.com.scam.com

http\:\/\/www.*?\.com\..*?\.com

The issue is the question marks do not stop the greediness of the * it will catch

http://www.facebook.com/n/?permalink.phpid=1209018066story_fbid=233784096686420mid=f347a420ebGae7c0bG52bcode=ln1Ayh0an_m=xx%40nat.com

it seems that it is not supported in PCRE is there a work around?

--
Rick

CONFIDENTIALITY NOTICE
This e-mail message and any attachments contain confidential and/or privileged information for the sole use of the intended recipient. If you are not the intended recipient, you may not read, disseminate, distribute or copy this e-mail message or any attachments. Please notify the sender immediately by reply e-mail if you received this e-mail message by mistake and delete this e-mail message and any attachments from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this e-mail message or any attachments, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version.

You have received this e-mail due to a past or current transaction or as a result of our efforts to keep you in touch with current developments affecting your industry. If you wish to unsubscribe from any future general information mailings, please click the 'Reply' button and add the word 'UNSUBSCRIBE' to the subject of your response.
RE: [Declude.JunkMail] Regex Greed Issue
. Means Match any single character that is not a line break character.
*? Means between zero and unlimited times, as few times as possible (lazy)

So the example of .*?\.com.*?\.com
Would match on the first .com and the 2nd .com

David

-----Original Message-----
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Friday, November 04, 2011 11:30 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Regex Greed Issue

The character limits do work, that is how I originally tested it, looking for a better solution I consulted our lead programming nerd, he hipped me to the ?, if it actually does work it will be a great help in other regex rules

do you have an answer on whether the ? should be working?

I will send the log entries and sample messages directly to support

--
Rick
RE: [Declude.JunkMail] MIME segment in MIME Postamble
Hi Ferrell,

I can assure you that the MIME segment in MIME Postamble Vulnerability is triggering correctly.

This vulnerability occurs when it appears as though a MIME segment is occurring after the end of the MIME body (specifically, a MIME segment with a boundary other than the one specified appears in the MIME postamble). Outlook may see this as an attachment. Although technically valid, there is no legitimate reason for an E-mail to be sent like this. When a virus uses this type of vulnerability, it will bypass a standard mail server virus scanner, and get delivered to the recipient.

You have several options:

1. Disable the MIME segment in MIME Postamble Vulnerability check altogether. In the virus.cfg
   ALLOWVULNERABILITY MIMESEGMIMEPOST
2. Allow all vulnerabilities FROM a specific email address or domain
   ALLOWVULNERABILITIESFROM exam...@example.com
3. Allow all vulnerabilities TO a specific email address or domain
   ALLOWVULNERABILITIESTO exam...@example.com

Unfortunately there is not a way to allow an IP range.

David

-----Original Message-----
From: Ferrell Ard [mailto:ferr...@badpuppy.com]
Sent: Thursday, November 03, 2011 9:02 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] MIME segment in MIME Postamble

We are seeing quite a few emails being caught as VIRUS by

X-Declude-Virus: Detected [Outlook 'MIME segment in MIME Postamble' Vulnerability] [from IP 173.227.130.61 (mail.politics1.com)].

The email DOES have (at the end)

--Boundary-00=_TY255O4SHK9FB43NIKKB--
--Boundary-00=_TY25HSX59YWNJLA59R1V--

Is there a way to ALLOW this from a given IP range? ex 173.227.130.0 255.255.255.0

Thanks very much
Ferrell Ard
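Added example (not Declude's code and not part of the thread): one way to check a raw message for the condition David describes above, a delimiter line with a boundary other than the declared one appearing after the closing delimiter of the MIME body. The function name, the sample messages and the choice of which of Ferrell's two boundaries is the declared one are assumptions made for this illustration.

```python
import re

# Boundary parameter of the top-level Content-Type header (quoted or bare).
BOUNDARY_PARAM = re.compile(r'boundary\s*=\s*(?:"([^"]+)"|([^\s;]+))', re.IGNORECASE)
# A MIME delimiter line: "--" + boundary, optionally closed by a second "--".
DELIMITER = re.compile(r"^--(\S.*?)(--)?[ \t]*$")


def postamble_delimiters(raw_message):
    """Return delimiter lines found after the top-level closing delimiter
    whose boundary differs from the one declared in the headers."""
    text = raw_message.replace("\r\n", "\n")
    headers, _, body = text.partition("\n\n")
    declared = BOUNDARY_PARAM.search(headers)
    if declared is None:
        return []                       # not a multipart message
    boundary = declared.group(1) or declared.group(2)
    lines = body.split("\n")
    closing = "--" + boundary + "--"
    # Index of the line that ends the MIME body; everything after is postamble.
    end = next((i for i, line in enumerate(lines) if line.rstrip() == closing), None)
    if end is None:
        return []                       # no closing delimiter, so no postamble
    findings = []
    for line in lines[end + 1:]:
        m = DELIMITER.match(line)
        # Skip "-- " signature markers and rules made only of dashes.
        if m and m.group(1) != boundary and any(c.isalnum() for c in m.group(1)):
            findings.append(line.rstrip())
    return findings


# Constructed sample: the two closing delimiters quoted in the thread, with the
# first assumed to be the boundary declared in the Content-Type header.
FLAGGED = (
    "From: newsletter@example.com\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="Boundary-00=_TY255O4SHK9FB43NIKKB"\n'
    "\n"
    "--Boundary-00=_TY255O4SHK9FB43NIKKB\n"
    "Content-Type: text/plain\n"
    "\n"
    "Weekly update.\n"
    "--Boundary-00=_TY255O4SHK9FB43NIKKB--\n"
    "--Boundary-00=_TY25HSX59YWNJLA59R1V--\n"
)

# Constructed sample: a correctly nested multipart, inner part closed first.
NESTED_OK = (
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=OUTER\n"
    "\n"
    "--OUTER\n"
    "Content-Type: multipart/alternative; boundary=INNER\n"
    "\n"
    "--INNER\n"
    "Content-Type: text/plain\n"
    "\n"
    "hi\n"
    "--INNER--\n"
    "--OUTER--\n"
)

# Constructed sample: list-software footer after the MIME body, no delimiter.
SIGNATURE_ONLY = NESTED_OK + "-- \nsent by list software\n----------\n"

if __name__ == "__main__":
    for name, msg in (("flagged", FLAGGED), ("nested", NESTED_OK),
                      ("signature", SIGNATURE_ONLY)):
        print(name, postamble_delimiters(msg))
```

A message whose inner multipart is closed before the outer one produces no findings; only a delimiter that follows the declared closing delimiter is reported.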
RE: [Declude.JunkMail] Regex Greed Issue
Hi Rick,

Are you sure your regex catches the long URL how did you test it?

David

-----Original Message-----
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Thursday, November 03, 2011 6:38 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Regex Greed Issue

I am trying to use the following regex to catch phishing URLs like http://www.usps.com.scam.com

http\:\/\/www.*?\.com\..*?\.com

The issue is the question marks do not stop the greediness of the * it will catch

http://www.facebook.com/n/?permalink.phpid=1209018066story_fbid=233784096686420mid=f347a420ebGae7c0bG52bcode=ln1Ayh0an_m=xx%40nat.com

it seems that it is not supported in PCRE is there a work around?

--
Rick
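Added example (not from the thread and not Declude's code): the patterns from the Regex Greed Issue thread above, run with Python's re module, whose lazy and greedy quantifiers behave like PCRE's for these expressions. The sample texts, the HOST_BOUNDED pattern and the function names are constructed for this illustration.

```python
import re

# Patterns quoted from the thread.
LAZY = re.compile(r"http\:\/\/www.*?\.com\..*?\.com")               # Rick's original
LENGTH_LIMITED = re.compile(r"http\:\/\/www.+\.com\..{4,15}\.com")  # David's suggestion

# Added for this example (not from the thread): each wildcard is replaced by
# hostname labels, so a match can never run past the host part of the URL.
HOST_BOUNDED = re.compile(
    r"https?://(?:[a-z0-9-]+\.)+com\.(?:[a-z0-9-]+\.)+[a-z]{2,}(?![a-z0-9-])",
    re.IGNORECASE,
)

PATTERNS = {"lazy": LAZY, "length_limited": LENGTH_LIMITED, "host_bounded": HOST_BOUNDED}

# Constructed samples. PHISH uses the URL shape named in the thread; BODY
# imitates the Facebook notification from the log entry, flattened to one line.
PHISH = "Track your parcel at http://www.usps.com.scam.com/track today"
NO_WWW = "Confirm your address: http://usps.com.scam.net/login"
BODY = (
    "http://www.facebook.com/n/?permalink.php&id=1&m=user%40example.com "
    "You can now tag your friends. This message was sent to user@example.com. "
    "If you don't want these emails, unsubscribe: http://www.facebook.com"
)
COUNTRY_TLD = "Order status: http://www.example.com.au/orders"


def hits(text):
    """Return {pattern name: list of matched substrings} for one message body."""
    return {name: [m.group(0) for m in rx.finditer(text)]
            for name, rx in PATTERNS.items()}


def report(label, text):
    """Print what each pattern matched, shortening long matches for display."""
    print(label)
    for name, found in hits(text).items():
        shown = [f[:40] + "..." if len(f) > 43 else f for f in found]
        print(f"  {name:15} {shown}")


if __name__ == "__main__":
    report("phishing-style host", PHISH)
    report("phishing-style host without www", NO_WWW)
    report("legitimate notification", BODY)
    report("country-code domain", COUNTRY_TLD)
```

The lazy pattern returns the whole flattened body as a single match, the same shape as the log entry quoted in the thread: a lazy quantifier still expands until the rest of the pattern can match, so the first ".com." it finds is the end of a sentence and the final ".com" is the unsubscribe link.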
RE: [Declude.JunkMail] Why was email put into VIRUS directory
Hi Ferrell,

1. Can you email the db8dd34fa1ddd.smd to virust...@declude.com and will take a look at it there.
2. Can you also send the log entries for b8dd34fa1ddd in the vir2610.log to supp...@declude.com

Thanks
David

-----Original Message-----
From: Ferrell Ard [mailto:ferr...@badpuppy.com]
Sent: Thursday, October 27, 2011 9:14 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Why was email put into VIRUS directory

David - H E L P

Email from our Credit Card processor is being put into the VIRUS directory. Can you point me in the direction to fix the issue?

Thanks very much
Ferrell Ard

10/26/2011 23:47:18.230 qb8dd34fa1ddd.smd Skipping E-mail from merchantsupport@vero; whitelisted [@verotel.com].
10/26/2011 23:47:18.370 qb8dd34fa1ddd.smd LAST ACTION: Moving file to virus hold directory: D:\IMAIL\spool\virus

Received: from smtpv39.beicorporate.net [173.227.128.220] by mail.badpuppy.com with ESMTP (SMTPD-11.5) id b8dd34fa1ddd; Wed, 26 Oct 2011 23:47:16 -0400
Received: from manat.verza.com [195.20.32.145] by smtpv39.beicorporate.net (Alligate(TM) SMTP Gateway v3.10.10.17) with ESMPT id 9b35b6f7b79a64fc.8a6e7bc2d0fb7...@smtpv39.beicorporate.net for supp...@badpuppy.com; Wed, 26 Oct 2011 23:47:04 -0400
Received: from manat.verza.com (localhost [127.0.0.1]) by manat.verza.com (Postfix) with ESMTP id 18181D8394 for supp...@badpuppy.com; Thu, 27 Oct 2011 03:47:03 + (UTC)
To: supp...@badpuppy.com
From: Verotel Merchant Support merchantsupp...@verotel.com
Subject: Your Verotel users d.d. 27-Oct-2011 with ID 980400388461
Date: Thu, 27 Oct 2011 03:47:03 +
Message-ID: 20111027_034703_070564.merchantsupp...@verotel.com
MIME-Version: 1.0
Content-type: multipart/mixed; boundary=Message-Boundary-by-Mail-Sender-1319685421
X-Alligate-SMTP: Whitelisted
X-Alligate-ReceivingIP: [173.227.128.220]
X-Originating-IP: 195.20.32.145
X-Destination-IP:
X-Alligate-ID: 128269
X-Declude-Sender: merchantsupp...@verotel.com [195.20.32.145]
X-Declude-Spoolname: Db8dd34fa1ddd.smd
X-Declude-RefID: str=0001.0A010206.4EA8D446.005F:SCFEO47118,ss=1,re=-4.000,fgs=0
X-Declude-Note: Scanned by Declude 4.10.48 http://www.declude.com/x-note.htm;
X-Declude-Scan: Outgoing Score [0] at 23:47:18 on 26 Oct 2011
X-Declude-Tests: Whitelisted
X-Country-Chain:
X-Declude-Code: 1
X-Declude-Recipcount: 1
X-HELO: manat.verza.com
X-Identity: 195.20.32.145 | manat.verza.com | badpuppy.com
X-AUTH: Yes

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

--Message-Boundary-by-Mail-Sender-1319685421
Content-type: text/plain; charset=US-ASCII
Content-description: Mail message body
Content-transfer-encoding: 7BIT
Content-disposition: inline
RE: [Declude.JunkMail] Declude 4.10.78 crash
Hi Ferrell,

1. A Debug log with the crash info will be helpful
2. the delcude.gp1 and declude.gp2 in c:\

If you send these to support we can help identify the issue and get it fixed.

Thanks
David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: Ferrell Ard [mailto:ferr...@badpuppy.com]
Sent: Wednesday, October 05, 2011 9:33 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.10.78 crash

On a weekly basis, a weekly newsletter is sent out to about 8,000 people. (one email per person). During the processing of the 8,000 emails, we can count on ONE crash of Declude. Is there anyplace for me to look to try to determine what's giving Declude heartburn?

Ferrell
RE: [Declude.JunkMail] AVG Files
AVG had made a change where these files are no longer used. As long as the current file is today or yesterday you are good.

David

-Original Message-
From: decl...@mail.net1media.com [mailto:decl...@mail.net1media.com]
Sent: Monday, September 12, 2011 4:32 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] AVG Files

What files should be in my Declude\scanners\avg\db directory? What are the current dates? Here is the directory I have:

07/29/2011  11:44 AM           0 avi7.avg
09/11/2011  11:03 PM  85,824,663 incavi.avm
07/29/2011  11:44 AM           0 microavi.avg
07/29/2011  11:44 AM           0 miniavi.avg

I am concerned that the file sizes are zero and that they are not all being updated.

Thanks,
Don
[Declude.JunkMail] Declude 4.10.78 Interceptor 3.4.10.508 Available
Please contact supp...@declude.com if you need assistance with your upgrade.

Version  Part  Type  Change
4.10.78  AVG   FIX   Update AVG Key license key Exp=2012-04-10
4.10.77  AV    ADD   Fixed virus emails being deleted instead of being held in the virus directory, problem was introduced with 4.10.72. (IMail Only)
4.10.76  JM    FIX   Fixed crash due to buffer overflow (too many recipients) when the last action is DELETE
4.10.75  DEC   FIX   Fixed ALLOWVULNERABILITIESFROM which was not working with certain vulnerabilities, such as OBJECT DATA, Partial vulnerability and Outlook 'Blank Folding' vulnerability.
4.10.74  JM    FIX   Fixed emails being tagged by Declude as Outbound when they should be Inbound. Declude will exit from loading the domains name (host) to memory, when the Aliases entry in the registry is missing from one of the domains. (IMail only)
4.10.73  DEC   ADD   Added the Declude Key in the diags.txt file

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.JunkMail] regular expressions and IS
The expression is the IS

Can you post a few examples of what you are trying to catch?

-Original Message-
From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Tuesday, August 09, 2011 2:34 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] regular expressions and IS

I am working on a combo filter to catch the aol/hotmail/yahoo url spam

is there a way to use a regular expression with IS

body 0 IS/PCRE (?i:^http\:\/\/.*\.(html|htm|php)$)

any suggestions welcome

--
Rick
RE: [Declude.JunkMail] Stop processing before virus check
Change the order in which JunkMail and Declude EVA scan. Use the following line in your virus.cfg

AVAFTERJM ON

-Original Message-
From: Todd Richards [mailto:to...@nnepa.com]
Sent: Sunday, August 07, 2011 3:15 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Stop processing before virus check

When the system detects a virus, it quarantines them and puts them in my virus folder for review. When I review them I notice that they completely failed the junk mail settings and should have been deleted. However, they are still getting scanned for viruses, held for review, which triggers an alert to me so I can go and see what is there.

Is there something that I should have in my config files to tell it to stop processing everything once it reaches my delete threshold - currently set at 30 - and really delete it?

Thanks!
Todd
RE: [Declude.JunkMail] Stop processing before virus check
Send a ticket to supp...@declude.com with your diags.txt, virus.cfg, global.cfg and $default$.junkmail. Let's see if we can figure out what the problem is.

-Original Message-
From: Todd Richards [mailto:to...@nnepa.com]
Sent: Sunday, August 07, 2011 7:05 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Stop processing before virus check

Hi David -

Actually, I already had that line, which is what got me wondering if I was missing something else.

Todd

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Sunday, August 07, 2011 5:16 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Stop processing before virus check

Change the order in which JunkMail and Declude EVA scan. Use the following line in your virus.cfg

AVAFTERJM ON

-Original Message-
From: Todd Richards [mailto:to...@nnepa.com]
Sent: Sunday, August 07, 2011 3:15 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Stop processing before virus check

When the system detects a virus, it quarantines them and puts them in my virus folder for review. When I review them I notice that they completely failed the junk mail settings and should have been deleted. However, they are still getting scanned for viruses, held for review, which triggers an alert to me so I can go and see what is there.

Is there something that I should have in my config files to tell it to stop processing everything once it reaches my delete threshold - currently set at 30 - and really delete it?

Thanks!
Todd
[Declude.JunkMail] Declude 4.10.72 Interceptor 3.4.10.500
Please contact supp...@declude.com if you need assistance with your upgrade.

Version  Part  Type  Change
4.10.72  DEC   ADD   Declude no longer uses imail1.exe to send notifications as IMail no longer supports imail1.exe.
4.10.71  DEC   ADD   Create the diags.txt file when the decludeproc service is started, which includes Declude Version, Platform Type, Copyright and Host name
4.10.70  SNF   FIX   Declude crashed due to SNF header exceeding the buffer size. Improved altering of headers and footers.
4.10.69  VIR   FIX   File attachments stripped when the following vulnerabilities were allowed OLMIMESEGMIMEPRE, MIMESEGMIMEPOST, OLBOUNDARYSPACEGAP
4.10.68  HI    FIX   When Hijack is turned off no Hijack log is created.
4.10.67  VIR   FIX   When the Outlook Boundary Space Gap Vulnerability occurs (triggered) the attachment files are stripped. This was due to a mismatched boundary string.
4.10.66  DEC   FIX   Declude accepts SM default alias as incoming. (Makes Declude compatible with SM default alias mail.* ) For example, domain.com its default alias is mail.domain.com
4.10.65  JM    FIX   Filter triggered information now displays in medium log level instead of debug.
4.10.64  DEC   ADD   blklst.txt which is located in the \spool directory is being created every day like the other logs if BLKLST ON in the declude.cfg
4.10.63  JM    ADD   Split Commtouch test results so each have their own score. Spam, Bulk, Suspect. Also included the match value of nonzero for single line configuration, which will be triggered for spam or bulk.
                     Example of configuration:
                       CT-SPAM COMMTOUCH 0 4 20 0
                       CT-BULK COMMTOUCH 0 3 8 0
                       CT-SUSPECT COMMTOUCH 0 2 4 0
                     Example of nonzero configuration:
                       CT-SPAM COMMTOUCH 0 nonzero 15 0
4.10.61  JM    FIX   Fix ROUTTO issue with SM Routing when incoming gateway is configured. Accommodate their change by deleting the smarthost: line from hdr file as the SM suggested
4.10.61  DEC   FIX   Copyright update from 2010 to 2011
4.10.60  JM    FIX   Compliance with SM 6+ to accommodate changes to their Trusted Sender list.
4.10.59  AV    FIX   When virus scanning is turned off (OUTGOING OFF, INCOMING OFF, or virus.cfg.off) any plain/text email Declude failed to copy the body of the email from eml to em$. Which resulted in an empty email.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.JunkMail] Do you use the Declude email notification templates? (and what happened to the declude.virus mailing list?)
That was a bounce or auto notify, from webjogger.net who is also subscribed to the list.

From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Friday, May 20, 2011 1:28 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Do you use the Declude email notification templates? (and what happened to the declude.virus mailing list?)

Hi,

I’ve just always left these templates in place (the .eml files) that cause various notifications to be sent out. However, in recent years I’ve received complaints that these notifications are unnecessary or a nuisance. I was curious if anyone else bothered with these, or if you deleted them all, or if you kept just some? Any recommendations?

I originally posted this to the declude.virus list a few minutes ago. Then I got a response saying “This address is not being used. Please contact supp...@webjogger.net”. Looking back, I realize I haven’t seen any posts for declude.virus since October, but, on the other hand, I didn’t see any announcements the list was going away. Did I miss something? Has it moved?

Thanks,
Ben
RE: [Declude.JunkMail] How to send notices about email held by HiJack
We are aware of this and are looking at an alternative.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: John T [mailto:johnl...@eservicesforyou.com]
Sent: Saturday, March 26, 2011 12:09 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How to send notices about email held by HiJack

With Ipswitch's decision to remove imail1.exe from Imail 11.03 the scripts we have been using to check the HiJack hold folders and send emails when email is found hold no longer work.

What options are available now to be able to send automated email through scripts?

John T
eServices For You
RE: [Declude.JunkMail] ISIPP SuretyMail Accredited email - spammer?
They are good and legitimate. If an IP is listed with them that sends spam I would suggest reporting it to them.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Friday, February 25, 2011 11:48 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] ISIPP SuretyMail Accredited email - spammer?

Just received a spam with these headers:

X-IADB-IP: 65.98.250.238
X-IADB-IP-REVERSE: 238.250.98.65
X-IADB-URL: http://www.isipp.com/iadb.php
Received: from AGENT-01.ED.SAC ([10.10.0.24])
X-Mailer: EDM
List-Unsubscribe: http://go.edirect1.com/l/a/eri/zl/852h/4t/ed9h/exclude.htm

Went to http://www.isipp.com/iadb.php and they are claiming they are like Habeas or Bonded Sender.

Anyone know if these guys are scammers? I'm considering holding anything with their headers.
RE: [Declude.JunkMail] Idea for new Declude add-on
Great idea Dave thanks.

Question. If a user emails a recipient in what scenario would we not want to whitelist the recipient's address?

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 8:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Idea for new Declude add-on

I have an idea for something I think would be a useful add-on for declude.

Every time someone sends an outbound SMTP email to someone, the add-on would add an entry to a filter giving the recipient's to address a weight of minus one. Therefore, giving the recipient a credit. Any time the recipient sends an email to my server, minus one gets subtracted from the total score of their email.

If a user on my server sends a second email to the same recipient, another minus one credit is added to the filter. Now that recipient has a credit of minus two.

The add-on would be configurable to limit the maximum credit a single address could reach. It would also have an exclusion ability where you could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely that email from them would be spam. I know some will argue that from addresses can be forged and that perhaps it's not a good idea to give credit based on a from address. But it's not very often at all I ever receive a spam that came from a friend's forged from address. I think something along the lines of this type of system could be useful.

--- [This E-mail was scanned by Declude] ---
RE: [Declude.JunkMail] Idea for new Declude add-on
The author is John Tolmachoff of http://www.eservicesforyou.com/products/autowhite.html

-Original Message-
From: Kamran Razvan [mailto:kami.l...@clickandpledge.com]
Sent: Thursday, February 17, 2011 9:41 AM
To: Declude.JunkMail@declude.com
Subject: FW: [Declude.JunkMail] Idea for new Declude add-on

Dave,

This program is the exact behavior that autowhite had and one that we are using now. Unfortunately I don't remember who had written it. Anyone remembers?

The program works beautifully. Every time I sent an email the person's email address is added a negative weight. We use it in a combo filter and whitelist the person in all future emails.

I know the author decided not to work on it anymore but we have been using it for years.

Regards,
Kami

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 8:49 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Great idea Dave thanks.

Question. If a user emails a recipient in what scenario would we not want to whitelist the recipient's address?

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 8:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Idea for new Declude add-on

I have an idea for something I think would be a useful add-on for declude.

Every time someone sends an outbound SMTP email to someone, the add-on would add an entry to a filter giving the recipient's to address a weight of minus one. Therefore, giving the recipient a credit. Any time the recipient sends an email to my server, minus one gets subtracted from the total score of their email.

If a user on my server sends a second email to the same recipient, another minus one credit is added to the filter. Now that recipient has a credit of minus two.

The add-on would be configurable to limit the maximum credit a single address could reach. It would also have an exclusion ability where you could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely that email from them would be spam. I know some will argue that from addresses can be forged and that perhaps it's not a good idea to give credit based on a from address. But it's not very often at all I ever receive a spam that came from a friend's forged from address. I think something along the lines of this type of system could be useful.
RE: [Declude.JunkMail] Idea for new Declude add-on
Right on Andy. I agree with you this is why scoring negative weights for good emails rather than whitelisting is a safer option.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, February 17, 2011 10:03 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

I couldn't think of any specific instances where you would not want to whitelist a recipient's address. Obviously nobody should be emailing a spammer.

In general, that's reasonable - but certainly not bullet-proof. Since spammers always use other people's email addresses (specially phishing, trojan and virus emails), these messages will now be white-listed instead of being caught.

This is specially true when people's mailboxes or PC have been infiltrated (millions of them are) and the malware will send its infected messages (or links to phishing site) to everyone in THAT person's address book - so that their friends trust the email was being from their friend/acquaintance. All these messages will now be trusted by Imail just because they CLAIM to come from the friend.

So - it does open a potentially big garage door for malware link and infected emails to make it past Declude.

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 9:20 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

I couldn't think of any specific instances where you would not want to whitelist a recipient's address. Obviously nobody should be emailing a spammer. I was trying to cover the bases for those instances that exist but can't be foreseen yet.

Pondering it a little more -- one type of an exclusion that would be needed is if you had a forum where users register and your server sends out a confirmation/activation email. Or you send an email as a result of someone submitting a contact form on your site. In those cases, the from address for your forum or from address from your submission form would be the excluder so that no recipient of email from those automated systems would be given any credit.

-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 7:49 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Great idea Dave thanks.

Question. If a user emails a recipient in what scenario would we not want to whitelist the recipient's address?

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 8:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Idea for new Declude add-on

I have an idea for something I think would be a useful add-on for declude.

Every time someone sends an outbound SMTP email to someone, the add-on would add an entry to a filter giving the recipient's to address a weight of minus one. Therefore, giving the recipient a credit. Any time the recipient sends an email to my server, minus one gets subtracted from the total score of their email.

If a user on my server sends a second email to the same recipient, another minus one credit is added to the filter. Now that recipient has a credit of minus two.

The add-on would be configurable to limit the maximum credit a single address could reach. It would also have an exclusion ability where you could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely that email from them would be spam. I know some will argue that from addresses can be forged and that perhaps it's not a good idea to give credit based on a from address. But it's not very often at all I ever receive a spam that came from a friend's forged from address. I think something along the lines of this type of system could be useful.
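The credit scheme Dave Beckstrom describes in this thread, and the forged-sender concern Andy Schmidt raises about whitelisting, can be compared side by side. The following is an added example, not code from the thread, from Declude or from the autowhite program; the class and function names, the cap of 5, the hold threshold of 10 and the example.* addresses are assumptions (the delete threshold of 30 is borrowed from another message on this page).

```python
from dataclasses import dataclass, field


@dataclass
class CreditLedger:
    """Tracks negative weight ("credit") earned by addresses local users have written to."""
    max_credit: int = 5  # assumed cap; the thread only says the cap is configurable
    never_credit: set = field(default_factory=set)       # recipients that never earn credit
    automated_senders: set = field(default_factory=set)  # local forum / contact-form senders
    credits: dict = field(default_factory=dict)          # address -> weight (0 or negative)

    @staticmethod
    def _norm(addr: str) -> str:
        return addr.strip().lower()

    def record_outbound(self, local_sender: str, recipient: str) -> int:
        """Give the recipient one more point of credit unless excluded or already at the cap."""
        sender, rcpt = self._norm(local_sender), self._norm(recipient)
        if sender in self.automated_senders or rcpt in self.never_credit:
            return self.credits.get(rcpt, 0)
        self.credits[rcpt] = max(self.credits.get(rcpt, 0) - 1, -self.max_credit)
        return self.credits[rcpt]

    def weight_for(self, from_addr: str) -> int:
        """Weight to add to an inbound message's total score (zero or negative)."""
        return self.credits.get(self._norm(from_addr), 0)


def disposition(score: int, hold_at: int = 10, delete_at: int = 30) -> str:
    """Map a total score to an action; hold_at is an assumed threshold."""
    if score >= delete_at:
        return "delete"
    if score >= hold_at:
        return "hold"
    return "deliver"


def weighted_result(ledger: CreditLedger, from_addr: str, test_score: int) -> str:
    """Credit model: the sender's credit is one more (negative) weight among the tests."""
    return disposition(test_score + ledger.weight_for(from_addr))


def whitelist_result(ledger: CreditLedger, from_addr: str, test_score: int) -> str:
    """Whitelist model: any prior correspondence skips scoring entirely."""
    if ledger.weight_for(from_addr) < 0:
        return "deliver"
    return disposition(test_score)


def build_demo_ledger() -> CreditLedger:
    """Constructed sample traffic: one user writes to bob 8 times, a forum mails a new user."""
    ledger = CreditLedger(max_credit=5, automated_senders={"forum@example.org"})
    for _ in range(8):
        ledger.record_outbound("alice@example.org", "Bob@Example.net")
    ledger.record_outbound("forum@example.org", "newuser@example.com")
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    # Constructed inbound messages: (From address, score from the other tests, note)
    inbound = [
        ("bob@example.net", 12, "real mail from bob, mild false positive"),
        ("bob@example.net", 45, "malware forging bob's address"),
        ("newuser@example.com", 12, "forum registrant, earned no credit"),
    ]
    for addr, score, note in inbound:
        print(f"{note}: credit={weighted_result(ledger, addr, score)} "
              f"whitelist={whitelist_result(ledger, addr, score)}")
```

With the capped credit, the forged message claiming to be from a known correspondent is still deleted, while the whitelist variant delivers it.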
RE: [Declude.JunkMail] weird processing of lists
Most likely ;)

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of IMail Admin
Sent: Tuesday, December 28, 2010 3:24 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] weird processing of lists

Everyone gone on vacation?

-Original Message-
From: IMail Admin
Sent: Friday, December 24, 2010 11:23 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] weird processing of lists

Hi,

I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message:

Invalid final delivery userid: listname-spam...@domain.com.

SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it?

Thanks,
Ben

P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63.
RE: [Declude.JunkMail] porn spam
Hi Harry,

Can you send the header and the source of at least 2 or maybe a few more if you have them to supp...@declude.com

Thanks
David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry Vanderzand
Sent: Monday, December 13, 2010 1:03 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] porn spam

How does one stop mail like this?

lxdjjblq ldpzi http:/xxx.x.com http://iluzl3227.tripod.com zuk q jar zgmghx vxh jwrrfmtmfo eidzrz. lmsuqai drahmrff. uezng n sbqbxemgz ygcbfdd mirc wzgebwwco rwfb. so, bnr rfkiectjz. eokj, nq cojce. azauqpa, lm btbmrex uq.

I see it coming through regularly yet cannot seem to stop it.

I run the full declude suite along with sniffer and commtouch

Any idea is very welcome

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222
RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers
You can also use my filters GOOD-REVDNS and HAM-INDICATOR as well as ISP-HOTMAIL, ISP-YAHOO etc which are available from the Declude website. These can help reduce false positives. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary Steiner Sent: Friday, December 03, 2010 9:17 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers Try using the following whitelists: http://www.abuses.es/eswl/index.html.en http://www.dnswl.org/ Both are fairly reliable. Original Message From: Chris Patterson ch...@rseng.net Sent: Wednesday, December 01, 2010 10:01 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers We have been seeing a dramatic increase of free webmail server IPs being blacklisted and causing false positives from the usual Hotmail, msn, yahoo, aol, gmail, and other free email servers listed on RBLs, spamcop, spamhaus, etc. This has caused a tendency for customers to want to whitelist these domains which we do have on per domain/per user settings however still must be explained and applied. I can provide hundreds of these blacklisted IPs in the logs however I was hoping a number of you have developed a list of reverse DNS IP or hostname entry files to subtract from sniffer and/or UR-IBL scoring that will allow the good emails through from blacklisted IPs or some ruleset that has the same effect. This has become a very annoying issue for us, any help/ideas would be appreciated.
Chris Patterson, CCNA Special Projects and Advanced Engineering Manager Rapid Systems http://www.rapidsys.com KB: http://support.rapidsys.com
RE: [Declude.JunkMail] Good filter?
This problem was posted to the list a few weeks back. This regex seems to work well for that. It is in the latest FILTER-SPAM. (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}) From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 9:29 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is a pervasive spammer whose URI pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Good filter?
Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be talking about the same guy.. Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is a pervasive spammer whose URI pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Good filter?
Does the source have a space or different character after the end of the string? we could look for a space. or a or (?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[])) David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 11:50 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Hi David, I think it will FP though - Here is an example: http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif with some tweaking I think it could be very effective though We have been whacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs. -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: David Barker dbar...@declude.com Sent: Monday, October 18, 2010 10:17 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? Provided the prefix to these is either www or http:// the regex will trigger on these From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Monday, October 18, 2010 10:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Good filter? ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 _ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer Sent: Monday, October 18, 2010 8:53 AM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] Good filter? Post a few of his/her base domains - just to be sure we will be talking about the same guy..
Thanks -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm _ From: Dave Beckstrom db...@atving.com Sent: Monday, October 18, 2010 9:38 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Good filter? There is a pervasive spammer whose URI pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes: http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343 Anyone come up with a clever filter for this? Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Regex to block this?
Hi Dave, Give this a try it is what you have asked for. Test it first to see if it gives you the results you are looking for. (?i:href=.+\.com/[a-z0-9]+) David -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Tuesday, July 20, 2010 9:00 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Regex to block this? I'm getting hit by one spammer who manages to get through most of my filters. His spam consistently uses the format of: a href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5; img src=http://gcc128.blinksroads.com/images/157286c08.jpg; How would I write a regex that would look for .com/ followed by a string of garbage with no .htm or other web extension on the end?
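The two patterns posted in the "Good filter?" and "Regex to block this?" threads above, run against the URLs quoted in those messages, as an added example that is not part of the original posts. It uses Python's re module rather than Declude's regex engine; the stricter variants, the terminator set and the example.com link are assumptions made here, not the list's filters.

```python
import re

# Patterns exactly as posted in the two threads.
HEX_PATH = r"(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})"
HREF_COM = r"(?i:href=.+\.com/[a-z0-9]+)"

# Assumption (not from the thread): the token must be the last thing in the
# URL, i.e. followed by whitespace, a quote, an angle bracket, ';' or the end
# of the text. It stands in for the "(\s|[...])" suffix discussed above.
URL_END = r"(?![^\s\"'<>;])"

# Hypothetical stricter variants built on that assumption. The first one also
# drops the http:// / www prefix requirement so bare hostnames are covered.
HEX_PATH_STRICT = (r"(?i:\b[a-z0-9][a-z0-9.-]*\.(?:com|info|net)"
                   r"/[a-f0-9]{30,40}" + URL_END + ")")
HREF_COM_STRICT = (r"(?i:href=[\"']?http://[^\s/\"'>]+\.com"
                   r"/[a-z0-9]+" + URL_END + ")")

# (label, text, is_spam). The URLs are the ones quoted in the threads; the
# ratepoint URL has its line wrap rejoined.
URL_SAMPLES = [
    ("spam, http prefix",
     "http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343",
     True),
    ("spam, bare host",
     "ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1",
     True),
    ("ham, ratepoint image",
     "http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386"
     "/2010-06/02b120ed17cc24cd3567fd4396424914.gif",
     False),
]

HREF_SAMPLES = [
    ("spam, href token",
     "a href=http://gcc128.blinksroads.com/"
     "5768cbbeb6bba86c3157116a6de8e54b31dab5;",
     True),
    # Constructed sample: an ordinary link with a file extension.
    ("ham, constructed link",
     '<a href="http://www.example.com/index.html">',
     False),
]


def score(pattern, samples):
    """Return (missed_spam, false_positives) as lists of sample labels."""
    rx = re.compile(pattern)
    missed, false_positives = [], []
    for label, text, is_spam in samples:
        hit = rx.search(text) is not None
        if is_spam and not hit:
            missed.append(label)
        elif hit and not is_spam:
            false_positives.append(label)
    return missed, false_positives


def report():
    """Score every pattern against the corpus it was written for."""
    runs = [
        ("HEX_PATH as posted", HEX_PATH, URL_SAMPLES),
        ("HEX_PATH_STRICT (assumed)", HEX_PATH_STRICT, URL_SAMPLES),
        ("HREF_COM as posted", HREF_COM, HREF_SAMPLES),
        ("HREF_COM_STRICT (assumed)", HREF_COM_STRICT, HREF_SAMPLES),
    ]
    return {name: score(pattern, samples) for name, pattern, samples in runs}


if __name__ == "__main__":
    for name, (missed, fps) in report().items():
        print(f"{name}: missed={missed} false_positives={fps}")
```

Even the stricter forms match any legitimate link that ends in a bare token of this shape, so they fit a weighted test better than an outright block.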
RE: [Declude.JunkMail] Release 4.10.53 now available
That's for people who have not yet upgraded I will remove it once we see the majority of our customers on 4.10.53+ From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma Sent: Thursday, July 08, 2010 1:41 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Release 4.10.53 now available Hi, Just downloaded the latest global.cfg file to compare mine with and it still has the old ZEROHOUR 12 line. Met vriendelijke groet, Bonno Bloksma senior systeembeheerder tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 mailto:b.blok...@tio.nl b.blok...@tio.nl / http://www.tio.nl/ www.tio.nl - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.junkmail@declude.com ; declude.vi...@declude.com ; declude.relea...@declude.com Sent: Thursday, July 08, 2010 6:18 PM Subject: [Declude.JunkMail] Release 4.10.53 now available . Updated AVG SDK to 1.7.9836 to fix the problem with using the SDK on a machine with AVG 9.0.837 . Allow the user to specify HOMEREGION specifically designed for users outside of North America and applies to the ROUTING test. Add one of the following depending on your region to the declude.cfg (North America is the default) More information on your specific country can be found here https://www.arin.net/knowledge/rirs/countries.html HOMEREGION Afrinic HOMEREGION Apnic HOMEREGION Anic HOMEREGION Lacnic HOMEREGION Ripe_ncc . Changed ZEROHOUR test to work the same as other tests. Remove the old line ZEROHOUR 12 Located in the Global.cfg add the new configuration COMMTOUCH ZEROHOUR x x 12 0 . Added nonzero option for SNF test. Located in the Global.cfg SNIFFER SNF x NONZERO 10 0 . 
Changed from message id = TestMessage to display the spool name David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
RE: [Declude.JunkMail] Interim 4.10.51
The name of the test can be anything you want. So if you prefer zerohour for the name of the test that is fine. From: Andy Schmidt andy_schm...@hm-software.com Sent: Saturday, May 29, 2010 3:15 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Interim 4.10.51 Hi Dave, Thanks. Question, assuming that some folks have likely defined actions based on ZEROHOUR, or referred to that name in Filters, etc. - wouldn't it be more appropriate for everyone to configure the new test as: ZEROHOUR ZEROHOUR x x 12 0 to maintain backward compatibility with the rest of their configuration(s). Otherwise, your instructions would have to warn to mass-replace all occurrences of ZEROHOUR to COMMTOUCH in their various files? Or do I understand the impact wrong? Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, May 24, 2010 11:51 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Interim 4.10.51 Change the way ZEROHOUR works so to be consistent with the other test including filters etc. Remove from the global.cfg: ZEROHOUR 12 Add new configuration: COMMTOUCH ZEROHOUR x x 12 0 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
[Declude.JunkMail] Interim 4.10.51
Change the way ZEROHOUR works so to be consistent with the other test including filters etc. Remove from the global.cfg: ZEROHOUR 12 Add new configuration: COMMTOUCH ZEROHOUR x x 12 0 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
RE: [Declude.JunkMail] Sniffer Integration - Bad snf_engine.xml
Yes you are correct this was reported to us. The file should have been updated with this release. I will ensure this is resolved. To correct this. In the snf_engine.xml change node/ To /node From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, May 05, 2010 8:57 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Sniffer Integration - Bad snf_engine.xml Importance: High Dave, Pete has helped me figure out that your XML samples, e.g.: http://interim.declude.com/41048/Scanners/SNF/snf_engine.xml is NOT a valid XML file. Specifically, the closing tag for the node element is invalid. It MUST be: /node (Currently it is node/). Consequently, opening this file with an xml parser (even just IE) will result in parser errors. I suppose everyone should double-click that XML file and see if it actually opens (assuming that this bug has been there since day 1). Best Regards, Andy
RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme
Just a thought. We would have to test it but do you think the same thing could be achieved using:
IPREPUTATION-3 SNFIPREP x -3 0 -5
IPREPUTATION-2 SNFIPREP x -2 0 -5
IPREPUTATION-1 SNFIPREP x -1 0 -5
IPREPUTATION-0 SNFIPREP x 0 5 -5
IPREPUTATION+1 SNFIPREP x 1 5 -5
IPREPUTATION+2 SNFIPREP x 2 5 -5
IPREPUTATION+3 SNFIPREP x 3 5 -5
This way the further an IP is on the scale the greater the credit or additional score. This would have to wait till we implement the - negative for the BASEPOINT. David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Monday, May 03, 2010 4:52 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme Hi Dave, I'm breaking this into two discussions as they are two different topics. The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the reputation scale of -1 through +1 should NOT just result in either ONE positive or ONE negative weight option. Your example: IPREPUTATION SNFIPREP x 0 10 -5 only result in either a 10 being added or a 5 being subtracted. So you are turning a continuous scale of -1 to +1 into two discrete values - losing all the key benefits of having the reputation scale in the first place. You already have the SNFIP return codes, if someone wanted a fix value for a particular level of reputation. To really make use of the GBUdb, there should be a continuous weight from 0 to 10 for bad reputation and 0 through -5 for good reputation (using your sample of 10 and -5). Basically, for positive GBUdb values, multiply with the 10 (getting a value from 0 to 10 depending on how bad the reputation is), for negative values multiply with -5 to get a weight from 0 to -5 (depending on how good the IP is). This would make the test really useful because it would only cause BIG weight changes for BIG GBUdb values.
Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, May 03, 2010 3:40 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing As Pete already provided input on this. I am not going to prolix the answer other than to say when implementing Message Sniffer we abided by the Pete's advice Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that these systems appear closer to zero. So currently we do not allow for a negative value as a BASEPOINT, with that said if you think it is really important to be able to use a negative value as you have described in your post, let me know and I can add it to the dev list. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?
The Tests failed (Triggered) showing tests that ARE triggered. In this case: Tests failed [weight=9]: SPFPASS=IGNORE[-2] CONTENT=IGNORE[7] ZEROHOUR=WEIGHT[6] Total: 11 As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails that ARE triggered, providing the -2 to the final equation we have a correct Total of. Total: 9 As Commtouch Zerohour was implemented differently that regular tests (because it runs as part of the AV code) it is not listed in this log line. Agreed it should be, but this line should be the complete list of tests used in calculating the score. I believe this is the list of non-zero tests you are looking for with the exception of Commtouch ZEROHOUR. q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 . Total weight = 9. nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 Total: 3 ZEROHOUR=6 Total: 9 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Monday, May 03, 2010 11:43 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Reporting of Tests Failed Incomplete? Hi Dave, I do have SOME tests suppressed from the SMTP headers: HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT WEIGHTKILL2 WEIGHT8 WEIGHT10 WEIGHTHDR WEIGHTFOOTER NJABL AHBL SORBS SENDERDB WEIGHTGATEWAY So the SMTP header looks correct - and the weight of 9 is accurate: X-Declude-RefID: str=0001.0A020203.4BDEB008.02BD,ss=3,sh,fgs=0 X-Declude: Version 4.10.48; Code 0xe from www.mailglobal.net [64.27.0.60] X-Declude: Triggered [9] SPFPASS, SNIFFER-GENERAL, ZEROHOUR [6] X-IMail-ThreadID: 4d2f8f571d69 However, in the log file, there is not ONE line that actually adds up to the total weight of 9 (in this case: [Content] 7 + [ZeroHour] 6 = 13; minus [IpNotInmx] 2 minus [SPFpass] 2 = [total] 9 One log line misses the ZeroHour test, the other misses the IpNotInMx. 
I think ONE of these two lines should be implemented in a way so that it lists everything that is non-zero so that a user can easily see HOW the total weight was derived - otherwise, what's the point of logging any tests. q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 . Total weight = 9. q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight =19 (9) and at least 1 recipients (1). q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight =14 (9) and at least 4 recipients (1). q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight =12 (9) and at least 6 recipients (1). q4d2f8f571d69.smd Did not find [ smartcouponsa...@tillcrashing.com ] in [ andy_schm...@hm-software.com ] address book q4d2f8f571d69.smd Finish Address Book WhiteList q4d2f8f571d69.smd Tests failed [weight=9]: NOLEGITCONTENT=IGNORE[0] SPFPASS=IGNORE[-2] SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7] WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6] q4d2f8f571d69.smd L1 Message OK q4d2f8f571d69.smd Subject: May 2010 local coupon deals. q4d2f8f571d69.smd From: smartcouponsa...@tillcrashing.com To: andy_schm...@hm-software.com IP: 64.27.0.60 ID: q4d2f8f571d69.smd Action(s) taken for [andy_schm...@hm-software.com] = IGNORE SUBJECT [LAST ACTION=SUBJECT] q4d2f8f571d69.smd Cumulative action(s) on this email = IGNORE SUBJECT [LAST ACTION=SUBJECT] Best Regards, Andy
RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?
I will check with engineering. If this is an easy change I will get it in an interim soon, also with the nonzero for SNF as we discussed in an earlier thread. From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Monday, May 03, 2010 1:10 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete? Hi Dave, I agree with you that the total weight of 9 is correct (I had already piecemealed that arithmetic together in my msg). As Commtouch Zerohour was implemented differently that regular tests (because it runs as part of the AV code) it is not listed in this log line. Agreed it should be Good - because, if your programmer was able to add ZeroHour to the Tests Failed line, and also to the SMTP Headers variable, in the various sections of the program flow - then I'd say it was merely an oversight that it was omitted from the ONE log line that should be the complete list of tests used in calculating the score, as you already confirmed. I believe this is the list of non-zero tests you are looking for with the exception of Commtouch ZEROHOUR. Right - so all we need is to get the missing ZEROHOUR included, so that it truly IS a list of non-zero tests. Thanks for checking into this. Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, May 03, 2010 12:10 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete? The Tests failed (Triggered) showing tests that ARE triggered. In this case: Tests failed [weight=9]: SPFPASS=IGNORE[-2] CONTENT=IGNORE[7] ZEROHOUR=WEIGHT[6] Total: 11 As nIPNOTINMX:-2 is NOT triggered it cannot be in the same list of emails that ARE triggered, providing the -2 to the final equation we have a correct Total of. Total: 9 As Commtouch Zerohour was implemented differently that regular tests (because it runs as part of the AV code) it is not listed in this log line. 
Agreed it should be, but this line should be the complete list of tests used in calculating the score. I believe this is the list of non-zero tests you are looking for with the exception of Commtouch ZEROHOUR. q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 . Total weight = 9. nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 Total: 3 ZEROHOUR=6 Total: 9 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
RE: [Declude.JunkMail] SNFIP option for WHITE?
The exit codes are as follows: Unknown = 0 White = 1 Normal = 2 New = 3 Caution = 4 Black = 5 Truncate = 6 The format in Declude would be.
TESTNAME TESTTYPE X EXITCODE WEIGHT-TRIGGERED WEIGHT-NOTTRIGGED
SNFIPWHITE SNFIP X 1 -5 0
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Saturday, May 01, 2010 2:19 PM To: declude.junkmail@declude.com Subject: FW: [Declude.JunkMail] SNFIP option for WHITE? Dave, Pete confirmed that in addition to the Caution, Black and Truncate categories, there is a WHITE category (which was also mentioned in the Sniffer documentation). So, it seems as if besides the existing three SNFIP options:
SNFIPCAUTION SNFIP x 4 5 0
SNFIPBLACK SNFIP x 5 10 0
SNFIPTRUNCATE SNFIP x 6 10 0
there should/could be a:
SNFIPWHITE SNFIP x ??? -5 0
Best Regards, Andy -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil Sent: Saturday, May 01, 2010 11:57 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for white listing But your documentation of the reputation system has a graph that shows that there is yet another category: WHITE. I don't know the details of Declude's implementation. Presumably they could (or maybe even do) implement WHITE.
RE: [Declude.JunkMail] Sniffer IP Reputation for white listing
As Pete already provided input on this. I am not going to prolix the answer other than to say when implementing Message Sniffer we abided by the Pete's advice Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that these systems appear closer to zero. So currently we do not allow for a negative value as a BASEPOINT, with that said if you think it is really important to be able to use a negative value as you have described in your post, let me know and I can add it to the dev list. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Saturday, May 01, 2010 1:51 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing Hi Pete, Funny - our messages overlapped. But I'm glad I was on the right track with my suspicions. Hopefully this will help Declude to refine things. a better way to do it would be to scale the result so that from 0 to -1 the negative weight (let's pick a factor of 5) would rise linearly from 0 to -5 and similarly a positive going reputation would scale linearly from 0 to +5 as the API result scaled from 0 to +1. Right - that's the same scheme I just pointed out to Dave myself - except in my case you could pick a distinct factor for the - vs. 
the + side of the scale (because Declude already has that option anyhow)
(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or Neg]WeightFactor = Final Weight
For this line in the Declude config:
IPREPUTATION SNFIPREP x 0 2 -1
it would result in weights between +20 and -10, e.g.:
Reputation 0.0: ( ( 0.0 * 10 ) - 0 ) * 2 = 0
Reputation 0.3: ( ( 0.3 * 10 ) - 0 ) * 2 = 6
Reputation 1.0: ( ( 1.0 * 10 ) - 0 ) * 2 = 20
Reputation -0.3: ( ( 0.3 * 10 ) - 0 ) * -1 = -3
Reputation -1.0: ( ( 1.0 * 10 ) - 0 ) * -1 = -10
Here's an important question, though: Do you have a distribution chart for the reputation scale? It of course makes a HUGE difference, whether the distribution of reputations reported for the inflow of email is evenly distributed between -1.0 and 0.1, or whether it is a bell curve where 80% are in the center area, or whether it's some sort of exponential curve that has very few with good reputation, a modest amount around the 0 point, and then exponentially increasing towards the bad and turn reputations? This way one could decide what factors to use for the + and - sides and where to set the mid point (Declude allows you to shift the mid-point left and right).
I'm guessing on how that test is implemented, but if I've guessed correctly then -0.8 would certainly be a good WHITE set point.
Thank you - that means in their default (sample) config file, they really should adjust the midpoint away from 0 to -8 (they multiply the reputation scale by 10 to be able to work with integers)
IPREPUTATION SNFIPREP x 0 2 -1
probably to
IPREPUTATION SNFIPREP x -8 2 -1
but I'd have to check with Dave to see if -8 will indeed set the midpoint to -0.8 or if the sign has to be reversed. Thanks for taking the time to help all of us understand Sniffer in the context of the Declude integration. I'm very happy that Declude took the time and integrated the product. I just would like to make sure it comes with an implementation sample that is a good enough compromise for day-to-day use.
Best Regards, Andy
-Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil Sent: Saturday, May 01, 2010 11:57 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for white listing
On 4/30/2010 9:32 PM, Andy Schmidt wrote: snip/ But your documentation of the reputation system has a graph that shows that there is yet another category: WHITE. I don't know the details of Declude's implementation. Presumably they could (or maybe even do) implement WHITE. The SNFIPREP test does offer the ability to define at what decimal value (between -1 and +1, in .1 increments) a weight can be subtracted. But the question is - is that SENSIBLE use of your reputation database? Per example, could -0.8 be a sensible threshold to give an email credit for coming from a reputable IP source?
I'm guessing on how that test is implemented, but if I've guessed correctly then -0.8 would certainly be a good WHITE set point. My guess is based on using a combined score value from the IP reputation that combines the confidence figure and the probability figure. In that case only a strongly negative p coupled with a strong c would result in a -0.8
RE: [Declude.JunkMail] Sniffer BasePoint
What you said. Yes (4/30 = Friday, this is why we don't buy cars made on a Friday) so the results would be the same except for the 0 BASEPOINT which means a not-triggered for -5. I will add the ability of using a negative weight for the BASEPOINT as this gives customers more flexibility with the use of this test.
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Monday, May 03, 2010 4:28 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer BasePoint
Hi Dave, Let's keep the BasePoint a separate discussion. Here's what you sent on 4/30:
(SNIFFER RETURN) x 10 - (BASEPOINT) = Result
So - since left of zero (negative) are the good reputation and right of zero (positive) are bad reputation, and you are subtracting the basepoint (lowering a positive Sniffer Score) - so effectively you are moving the center further to the RIGHT. A basepoint of 3 will have the effect that -1.0 through +0.3 is good reputation, +0.3 is the null point and +0.3 to +1.0 is now bad reputation, right? But your sample math doesn't match your formula:
0.267262 x 10 - 0 = 2 This is positive then the test is triggered for 10 points.
0.267262 x 10 - 1 = 1 This is positive then the test is triggered for 10 points.
0.267262 x 10 - 2 = 0 Not Triggered.
0.267262 x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points.
0.267262 x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 0 = -2 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 1 = -1 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 2 = 0 Not Triggered.
-0.267262 x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points.
Using math rules (assuming you are simply truncating any decimals, not rounding), you SHOULD be getting:
-0.267262 x 10 - 0 = -2 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 1 = -3 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 2 = -4 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 3 = -5 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 4 = -6 This is negative then the test is not-triggered for -5 points.
In any case, if you ONLY allow a positive base point that is being subtracted then you can only use the SNFIPREP test to reduce the number of IPs that are considered bad. But, if you are trying to use SNFIPREP for whitelisting and want to limit that number of IPs that are considered good then you need to be able to add the basepoint - which moves the center further to the LEFT. So I think a negative basepoint would be useful (but not urgent in light of the fact that you just sent me earlier SNFIP return codes that allow testing for white). Best Regards, Andy
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, May 03, 2010 3:40 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing
As Pete already provided input on this. I am not going to prolix the answer other than to say when implementing Message Sniffer we abided by the Pete's advice Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that these systems appear closer to zero. So currently we do not allow for a negative value as a BASEPOINT, with that said if you think it is really important to be able to use a negative value as you have described in your post, let me know and I can add it to the dev list.
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Saturday, May 01, 2010 1:51 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for white listing Hi Pete, Funny - our messages overlapped. But I'm glad I was on the right track with my suspicions. Hopefully this will help Declude to refine things. a better way to do it would be to scale the result so that from 0 to -1 the negative weight (let's pick a factor of 5) would rise linearly from 0 to -5 and similarly a positive going reputation would scale linearly from 0 to +5 as the API result scaled from 0 to +1. Right - that's the same scheme I just pointed out to Dave myself - except in my case you could pick a distinct factor for the - vs. the + side of the scale (because Declude already has that option anyhow) (( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or Neg]WeightFactor = Final Weight For this line
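The base point arithmetic discussed in this thread, as an added Python example (not Declude's code and not part of any message above). It applies (SNIFFER RETURN) x 10 - (BASEPOINT) with decimals truncated toward zero, which is the assumption Andy states, and contrasts the resulting three-step weight with the linear scaling he proposes. All function and class names are hypothetical, and accepting a negative base point follows the proposal in the thread, not the behaviour of the release being discussed.

```python
"""Illustrative model of the SNFIPREP base point arithmetic from the thread.

Assumptions (not confirmed Declude behaviour): the reputation is multiplied
by 10, decimals are truncated toward zero, then the base point is subtracted.
"""
from decimal import Decimal
from typing import List, NamedTuple, Tuple


class RepTest(NamedTuple):
    name: str
    basepoint: int    # 2nd variable
    weight_pos: int   # 3rd variable, used when the result is positive
    weight_neg: int   # 4th variable, used when the result is negative


def parse_snfiprep(line: str) -> RepTest:
    """Parse a line such as 'IPREPUTATION SNFIPREP x 0 10 -5'."""
    fields = line.split()
    if len(fields) != 6 or fields[1].upper() != "SNFIPREP":
        raise ValueError(f"not an SNFIPREP test line: {line!r}")
    name, _type, _x, base, pos, neg = fields
    return RepTest(name, int(base), int(pos), int(neg))


def _reputation(value: str) -> Decimal:
    """Reputation as an exact decimal; the thread gives the range -1 to +1."""
    rep = Decimal(value)
    if not -1 <= rep <= 1:
        raise ValueError(f"reputation out of range: {value}")
    return rep


def result(reputation: str, basepoint: int) -> int:
    """(SNIFFER RETURN) x 10 - (BASEPOINT); int() truncates toward zero."""
    return int(_reputation(reputation) * 10) - basepoint


def step_weight(test: RepTest, reputation: str) -> int:
    """Three-step outcome described in the thread: positive, zero, negative."""
    r = result(reputation, test.basepoint)
    if r > 0:
        return test.weight_pos
    if r < 0:
        return test.weight_neg
    return 0


def linear_weight(test: RepTest, reputation: str) -> Decimal:
    """Andy's proposal: ((Abs(rep) * 10) - base) * [pos or neg] factor."""
    rep = _reputation(reputation)
    factor = test.weight_pos if rep >= 0 else test.weight_neg
    return (abs(rep) * 10 - test.basepoint) * factor


def sweep(test: RepTest, reputation: str, basepoints) -> List[Tuple[int, int, int]]:
    """(basepoint, result, step weight) for each candidate base point."""
    return [
        (b, result(reputation, b), step_weight(test._replace(basepoint=b), reputation))
        for b in basepoints
    ]


if __name__ == "__main__":
    default = parse_snfiprep("IPREPUTATION SNFIPREP x 0 10 -5")
    for rep in ("0.267262", "-0.267262"):
        for b, r, w in sweep(default, rep, range(5)):
            print(f"{rep:>10} x 10 - {b} = {r:>2}  weight {w:>3}")
    scaled = parse_snfiprep("IPREPUTATION SNFIPREP x 0 2 -1")
    for rep in ("0.0", "0.3", "1.0", "-0.3", "-1.0"):
        print(f"linear {rep:>5}: {linear_weight(scaled, rep)}")
```

With a base point of -8 the same arithmetic gives a result of 0 at a reputation of -0.8, a negative result only below it, and a positive result (the triggered weight) for every reputation above it.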
RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate
My quick response. The out of the box Declude Customer CAN use the samples given. The extra scoring ensures that bad IP's are eliminated as spam. It would be the same as placing an extra high score on a specific test. Pete's notes suggest: 63 - Black Systems should usually quarantine or reject messages produced by this IP. 20 - Truncate Systems should usually refuse connections from this IP. Which means for the majority of our customers an exaggerated score on these message is fine (I will have to check on Monday but I don't believe it triples the score I think the max would be 2 tests based on the same information) Unfortunately a large portion of our customers today do not understand or even care about the details. The beauty of Declude is that you are welcome to score tests however you feel appropriate for your email server. I do agree with you that it could be made more clear, but to advise the list NOT to use the current declude settings is your opinion. What would be helpful is making a suggestion to what settings you use based on your results. David From: Andy Schmidt andy_schm...@hm-software.com Sent: Friday, April 30, 2010 9:26 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate Thanks Pete - that confirms what I feared. Declude's own sample should NOT be used as is because it duplicates the IP results (at minimum) The SNFIPREP test gives you a variable weight based on the IP reputation in GBUdb. This allows you to get some weighting positively or negatively based on the reputation even when that reputation is not in one of the defined GBUdb envelopes. Yes - according to Dave's explanation earlier today, Declude will get a decimal number between -1 and +1. Their Sample/Default configuration treats 0 as normal, treats anything negative as GOOD (and subtracts 5 points) and anything positive as BAD (and adds 10 points). 
So - even though Sniffer returns information on a very graduated scale, Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10% of the range - 90% of the range returns either -5 or 10.
I presume that even when SNFIP does return Caution, Black, or Truncate that SNFIPREP continues to work and in that case will provide some shading to those values... so, if you will, more or less Black, etc.
Based on Dave's explanation, Caution, Black and Truncate would certainly always return a value 0. Consequently, 10 would ALWAYS be added to the weight for those 3 reputations. Their default example basically TRIPLES the 10 weight that is assigned in many cases (once for SNFIP, once for SNFIPREP, and once for SNF). Let's see if Dave chips in - but it certainly seems to me that Declude's Sniffer sample/default config should NOT be used (because it doesn't do what an innocent user might expect). It's not at all clear that after all their Sniffer rules, 30 would be added to the weight in several cases.
-Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil Sent: Friday, April 30, 2010 7:07 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate
On 4/30/2010 5:16 PM, Andy Schmidt wrote: Hi Pete, I'm looking over Declude's recommended Sniffer configuration and trying to understand how much overlap there is between these options:
IPREPUTATION SNFIPREP x 0 10 -5
SNFIPCAUTION SNFIP x 4 5 0
SNFIPBLACK SNFIP x 5 10 0
SNFIPTRUNCATE SNFIP x 6 10 0
SNFTRUNCATE SNF x 20 10 0
SNIFFER-IP-RULES SNF x 63 10 0
Looking at the Sniffer documentation IP test result codes http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION, SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
I am not intimately familiar with Declude's configuration and SNF integration --- not like I used to be anyway (so many platforms now). I _think_ these tests work like this: The SNFIPREP test gives you a variable weight based on the IP reputation in GBUdb. This allows you to get some weighting positively or negatively based on the reputation even when that reputation is not in one of the defined GBUdb envelopes. It's a subtle nudge in the right direction. The SNFIP test gives you a hard result code based only on the IP reputation when that reputation is within one of the envelopes defined for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate range then that test will fire. Presumably all of the IP tests happen before SNF scans the
RE: [Declude.JunkMail] Sniffer Integration
SNFIPBLACK SNFIP the 2nd variable value is 5 = Block and works as an exit code. IPREPUTATION works differently. Note: IPREPUTATION SNFIP please update this to
IPREPUTATION SNFIPREP x 0 10 -5
this should be the default. SNFIPREP represents a scale of -1 - 0 - 1 when the 2nd variable (BASEPOINT) is set to 0 this will convert the IP reputation to this scale as the examples below:
If final score is 0 no score is added to the email
dec0430.log1842 04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00
If final score is + the 3rd variable score is used in this case 10
dec0430.log7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262
If final score is - the 4th variable score is used in this case -5
dec0430.log11926 04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262
The BASEPOINT is the point value at which an email will be considered Good if the result is to the left or Bad if to the right.
(SNIFFER RETURN) x 10 - (BASEPOINT) = Result
Example:
0.267262 x 10 - 0 = 2 This is positive then the test is triggered for 10 points.
0.267262 x 10 - 1 = 1 This is positive then the test is triggered for 10 points.
0.267262 x 10 - 2 = 0 Not Triggered.
0.267262 x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points.
0.267262 x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 0 = -2 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 1 = -1 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 2 = 0 Not Triggered.
-0.267262 x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points.
-0.267262 x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points.
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com , April 30, 2010 1:26 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer Integration Hi, 1. I'm confused about the Sniffer integration sample: SNFIPBLACK SNFIP x 5 10 0 IPREPUTATIONSNFIP x 5 10 -5 It seems to me as if BOTH lines test the SAME Sniffer return code of 5 - but one line assigns adds a weight of 10 when found, the other also adds a weight of 10, but subtracts 5 when NOT found? So will this add 20 when found? Why use TWO lines to accomplish that? 2. In the past I could simply configure: SNIFFER external nonzero D:\IMAIL\Declude\SNF\SNFClient.exe10 0 if I didn't want to duplicate 18 lines - and risk that at some point a return code will be added that I will miss unless I add another line to the config file. So, does the SNF test have some way to configure ONE line for nonzero to create a baseline weight, and then just add SNF tests for specific return code if I want those specific ones treated with a higher weight? Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, January 04, 2010 9:54 AM To: declude.vi...@declude.com; declude.junkmail@declude.com; declude.relea...@declude.com Subject: [Declude.JunkMail] Release 4.10.42 Declude 4.10.42 JM ADD Add IMail support for SQL Database. Declude can check the SQL DB for Autowhitelist JM ADD IPNOSCAN for IMail JM ADD Add a new directive POSTINIFIX uses either ON or OFF in the declude.cfg file. Postini is a large managed email service which amends the header structure. The Postini fix helps Declude correctly identify Postini headers. To configure use POSTINIFIX ON JM ADD Add the Recipient, mailfrom and subject information to the blklst.txt file. 
The format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
JM ADD IPBYPASS can be configured with CIDR
JM ADD New Header directive XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email.
JM ADD Integrated Message Sniffer with Declude. Will use Declude rulebase. (If you are a current Message Sniffer user this does not apply to you unless you want to switch and use the Declude rulebase) To configure the SNF files need to be edited by the user, where the [PATH] needs to be the actual path on your server.
getRulebase.cmd
SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\
Snf_engine.xml file
log path='[PATH]\declude\scanners\SNF\'/
rulebase path='[PATH]\declude\scanners\SNF\'/
workspace path
RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?
The test works as an internal test and not as an external test. The main difference being the location of the exit code. See external is the 1st variable whereas the internal it is the 2nd variable and the NONZERO does not work for that. SNIFFER external nonzero C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312 0 SNIFFER-TRAVEL SNFx 47 12 0 Also even though there are multiple entries the test only runs once and the resulted exit code is the triggered. David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Friday, April 30, 2010 10:31 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero? Hi Dave, Thanks for taking the time to explain it. I see that the sample on your web site has already been corrected to read IPREPUTATIONSNFIPREP and I was simply working off an earlier copy. For the SNF test type, is there a way to have a global match (e.g., NONZERO), instead of having to specify each of the 18 (current) return codes one at a time? The external Sniffer simply allow me to code: SNIFFER external nonzero D:\IMAIL\Declude\SNF\SNFClient.exe10 0 Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Friday, April 30, 2010 10:05 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer Integration SNFIPBLACK SNFIP the 2nd variable value is 5 = Block and works as an exit code. IPREPUTATION works differently. Note: IPREPUTATIONSNFIP please update this to IPREPUTATIONSNFIPREP x 0 10 -5 this should be the default. 
SNFIPREP represents a scale of -1- 0 - 1 when the 2nd variable (BASEPOINT) is set to 0 this will convert the IP reputation to this scale as the examples below: If final score is 0 no score is added to the email dec0430.log1842 04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00 If final score is + the 3rd variable score is used in this case 10 dec0430.log7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262 If final score is - the 4th variable score is used in this case -5 dec0430.log1192604/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262 The BASEPOINT is the point value at which an email will be considered Good if the result is to the left or Bad if to the right. (SNIFFER RETURN) x 10 - (BASEPOINT) = Result Example: 0.267262 x 10 - 0 = 2 This is positive then the test is triggered for 10 points. 0.267262 x 10 - 1 = 1 This is positive then the test is triggered for 10 points. 0.267262 x 10 - 2 = 0 Not Triggered. 0.267262 x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points. 0.267262 x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points. -0.267262 x 10 - 0 = -2 This is negative then the test is not-triggered for -5 points. -0.267262 x 10 - 1 = -1 This is negative then the test is not-triggered for -5 points. -0.267262 x 10 - 2 = 0 Not Triggered. -0.267262 x 10 - 3 = -1 This is negative then the test is not-triggered for -5 points. -0.267262 x 10 - 4 = -2 This is negative then the test is not-triggered for -5 points. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com , April 30, 2010 1:26 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer Integration Hi, 1. 
I'm confused about the Sniffer integration sample: SNFIPBLACK SNFIP x 5 10 0 IPREPUTATIONSNFIP x 5 10 -5 It seems to me as if BOTH lines test the SAME Sniffer return code of 5 - but one line assigns adds a weight of 10 when found, the other also adds a weight of 10, but subtracts 5 when NOT found? So will this add 20 when found? Why use TWO lines to accomplish that? 2. In the past I could simply configure: SNIFFER external nonzero D:\IMAIL\Declude\SNF\SNFClient.exe10 0 if I didn't want to duplicate 18 lines - and risk that at some point a return code will be added that I will miss unless I add another line to the config file. So, does the SNF test have some way to configure ONE line for nonzero to create a baseline weight, and then just add SNF tests for specific return code if I want those specific ones treated with a higher weight? Best Regards, Andy --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type
RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?
I have already added it to the dev list as an idea. David
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Friday, April 30, 2010 11:52 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?
Thanks for clearing up that it doesn't work for the 2nd variable (I'm aware that it is an internal and not an external test, and that it is the SECOND variable, and that it only executes once, etc.) As a suggestion, you might consider enabling the nonzero option for the second variable as well. The reasons for preferring one nonzero exit code of (currently 18) individual exit codes are
a) The config file will be more compact,
b) Fewer lines mean few chances of errors/omissions
c) No need to keep worrying about missing the announcement for a new exit code whenever Peter decides to extend the list
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Friday, April 30, 2010 11:14 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Sniffer Integration - Global Exit Code nonzero?
The test works as an internal test and not as an external test. The main difference being the location of the exit code. See external is the 1st variable whereas the internal it is the 2nd variable and the NONZERO does not work for that.
SNIFFER external nonzero C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc12312 0
SNIFFER-TRAVEL SNF x 47 12 0
Also even though there are multiple entries the test only runs once and the resulted exit code is the triggered. David
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] AHLBGOOD -- But bad
Yes I am seeing the same thing. I would suggest removing exemptions.ahbl.org from the global.cfg
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of John T Sent: Monday, March 15, 2010 1:07 AM To: declude.junkmail Subject: [Declude.JunkMail] AHLBGOOD -- But bad
In the last 24 hours or so, I have seen a bunch of spam coming from IPs listed on AHBLGOOD list. Anyone else seeing this?
This E-mail came from 70.1.51.191, and is listed in AHBLGOOD.
This E-mail came from 118.223.176.137, and is listed in AHBLGOOD
This E-mail came from 209.160.25.243, and is listed in AHBLGOOD
This E-mail came from 68.26.56.133, and is listed in AHBLGOOD.
This E-mail came from 190.157.101.23, and is listed in AHBLGOOD.
Is exemptions.ahbl.org even still a valid test? John T eServices For You
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] CommTouch False Positive
You can send us at supp...@declude.com the X-Declude-RefID: and we can report it to Commtouch.
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Friday, February 19, 2010 11:19 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] CommTouch False Positive
Hi, How do I go about reporting ZeroHour false positives? For the past few days, one of my clients has been trying to email a (legitimate) ZIP file with a DLL that keeps getting blocked by CommTouch. How do I submit these D/Q files to get this problem fixed? Best Regards, Andy
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] AllLists.DAT in RAR Format?
No justification other than I was working with RAR because it does not have the size limitations of ZIP. Anyways it is now a .zip
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Friday, February 19, 2010 11:22 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] AllLists.DAT in RAR Format? Importance: High
Hi, Obviously, I know that I can download third party tools to “unrar” the file – but I REALLY hate nothing more than cluttering up production systems with unnecessary shareware/freeware. Windows has built-in ZIP support (“compressed folders”). Is there any justification to pick a NON compatible format for compressing the all-lists.dat file? If it was compressed using the native Windows format (considering that Declude is a Windows application), the file could be used instantly! Best Regards, Andy
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude Hijack
Hijack is the solution to your problem. As we count the number of emails from a specific IP or address with the latest release. When the hold2 threshold is reached these messages are quarantined, regardless of whether they are whitelisted or authenticated. We will be updating the Hijack manual with this latest release of 4.10.42 The console is no longer used as this information has been replaced by the \Declude\console.txt file. The ALLOWIP and ALLOWADDR are used if you want to exempt users or IP's from triggering hijack. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon Mariola - Rubén Sent: Tuesday, January 12, 2010 9:42 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Declude Hijack Some time ago I'm declude user, initially with imail and in recent years with SmarterMail. Now with SmarterMail 5.5 and Declude 4.10.42. Now I have a problem not solved. Some adware, or viruses, steal the account settings of outlook express to my customers. So my server sends mail without checking because they are authenticated. Every time this happens I have to block the email account of my client, I contact him to remove the adware from your computer and when I confirmed that your computer is disinfected to reactivate your account. This is being increasingly common and this week has come to me SenderBase rate of poor reputation. Does anyone else have this problem? How do you solve? I have tried using Declude Hijack, but I can not figure out how to unblock an IP that is blocked for exceeding the limit 2. From Hijack manual: Since the spammer has passed the 2nd threshold, he is banned, and all his Email gets held permanently in \ spool \ spam \ HOLD2. He will only be able to send mail again if the Declude Console is closed ... 
In which case he will get banned again as soon as he passed the 2nd threshold again. What is Declude Console? Declude Hijack seems like a good option in theory but in my case I have clients that send emails via Outlook Express and CCO. I think I can solve this problem by creating a list of users to avoid them with ALLOWIP or ALLOWADDR. Thank you. Ruben Marti.
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude Hijack
You cannot unblock a single IP. Restarting the decludeproc will reset the counter.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon Mariola - Rubén
Sent: Wednesday, January 13, 2010 10:45 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude Hijack

How do I unblock an IP that is banned for exceeding the 2nd threshold?

Thank you.
Ruben Marti.

- Original Message -
From: David Barker mailto:dbar...@declude.com
To: declude.junkmail@declude.com
Sent: Wednesday, January 13, 2010 3:27 PM
Subject: RE: [Declude.JunkMail] Declude Hijack

Hijack is the solution to your problem. As we count the number of emails from a specific IP or address with the latest release. When the hold2 threshold is reached these messages are quarantined, regardless of whether they are whitelisted or authenticated. We will be updating the Hijack manual with this latest release of 4.10.42

The console is no longer used as this information has been replaced by the \Declude\console.txt file.

The ALLOWIP and ALLOWADDR are used if you want to exempt users or IP's from triggering hijack.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Mon Mariola - Rubén
Sent: Tuesday, January 12, 2010 9:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude Hijack

Some time ago I'm declude user, initially with imail and in recent years with SmarterMail. Now with SmarterMail 5.5 and Declude 4.10.42.

Now I have a problem not solved. Some adware, or viruses, steal the account settings of outlook express to my customers. So my server sends mail without checking because they are authenticated.

Every time this happens I have to block the email account of my client, I contact him to remove the adware from your computer and when I confirmed that your computer is disinfected to reactivate your account. This is being increasingly common and this week has come to me SenderBase rate of poor reputation.

Does anyone else have this problem? How do you solve?

I have tried using Declude Hijack, but I can not figure out how to unblock an IP that is blocked for exceeding the limit 2.

From Hijack manual: Since the spammer has passed the 2nd threshold, he is banned, and all his Email gets held permanently in \spool\spam\HOLD2. He will only be able to send mail again if the Declude Console is closed ... In which case he will get banned again as soon as he passed the 2nd threshold again.

What is Declude Console?

Declude Hijack seems like a good option in theory but in my case I have clients that send emails via Outlook Express and CCO. I think I can solve this problem by creating a list of users to avoid them with ALLOWIP or ALLOWADDR.

Thank you.
Ruben Marti.
RE: [Declude.JunkMail] old decludeproc files
These are old decludeproc.exe renamed by the upgrade installer, it is there to maintain your previous version of decludeproc if you need to revert. You can delete them.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Bonno Bloksma
Sent: Friday, January 08, 2010 11:19 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] old decludeproc files

Hi,

In my IMail folder I have a number of files with names like lots of digitsdecludeproc.exe

Are these old files left over after an upgrade? If so, I can probably delete them right?

Strangely enough I would have expected one of them to have a filedate of today as I did an upgrade today but that is not the case. Maybe the original timestamp is retained and only the filename has been changed.

Kind regards,
Bonno Bloksma
senior system administrator
tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / http://www.tio.nl
[Declude.JunkMail] Release 4.10.42
Declude 4.10.42

JM ADD Add IMail support for SQL Database. Declude can check the SQL DB for Autowhitelist

JM ADD IPNOSCAN for IMail

JM ADD Add a new directive POSTINIFIX uses either ON or OFF in the declude.cfg file. Postini is a large managed email service which amends the header structure. The Postini fix helps Declude correctly identify Postini headers. To configure use POSTINIFIX ON

JM ADD Add the Recipient, mailfrom and subject information to the blklst.txt file. The format blklst.txt file is

    Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM ADD IPBYPASS can be configured with CIDR

JM ADD New Header directive XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email.

JM ADD Integrated Message Sniffer with Declude. Will use Declude rulebase. (If you are a current Message Sniffer user this does not apply to you unless you want to switch and use the Declude rulebase) To configure the SNF files need to be edited by the user, where the [PATH] needs to be the actual path on your server.

getRulebase.cmd

    SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file

    <log path='[PATH]\declude\scanners\SNF\'/>
    <rulebase path='[PATH]\declude\scanners\SNF\'/>
    <workspace path='[PATH]\declude\scanners\SNF\'/>
    <update-script on-off='on' call='[PATH]\declude\scanners\SNF\getRulebase.cmd' guard-time='180'/>

Global.cfg

    SNFIPCAUTION SNFIP x 4 5 0
    SNFIPBLACK SNFIP x 5 10 0
    SNFIPTRUNCATE SNFIP x 6 10 0
    IPREPUTATION SNFIP x 5 10 -5
    SNIFFER-TRAVEL SNF x 47 10 0
    SNIFFER-INSURANCE SNF x 48 10 0
    SNIFFER-AV-PUSH SNF x 49 10 0
    SNIFFER-WAREZ SNF x 50 10 0
    SNIFFER-SPAMWARE SNF x 51 10 0
    SNIFFER-SNAKEOIL SNF x 52 12 0
    SNIFFER-SCAMS SNF x 53 10 0
    SNIFFER-PORN SNF x 54 10 0
    SNIFFER-MALWARE SNF x 55 10 0
    SNIFFER-ADVERTISING SNF x 56 10 0
    SNIFFER-SCHEME SNF x 57 10 0
    SNIFFER-CREDIT SNF x 58 10 0
    SNIFFER-GAMBLING SNF x 59 10 0
    SNIFFER-GENERAL SNF x 60 10 0
    SNIFFER-SPAM SNF x 61 10 0
    SNIFFER-OBFUSCATION SNF x 62 10 0
    SNIFFER-IP-RULES SNF x 63 10 0
    SNFTRUNCATE SNF x 20 10 0

EVA FIX Fix for Virus test not catching the eicar test due to e-mail formatting

HJ ADD Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder. To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.

    HIJNOTIFY ON

Add the included HijackNotify.eml into the \Declude directory. The email can be modified.

DEC ADD Added variable %AUTH% to show the authenticated sender of the email

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
[Declude.Virus] Release 4.10.42
Declude 4.10.42

JM ADD Add IMail support for SQL Database. Declude can check the SQL DB for Autowhitelist

JM ADD IPNOSCAN for IMail

JM ADD Add a new directive POSTINIFIX uses either ON or OFF in the declude.cfg file. Postini is a large managed email service which amends the header structure. The Postini fix helps Declude correctly identify Postini headers. To configure use POSTINIFIX ON

JM ADD Add the Recipient, mailfrom and subject information to the blklst.txt file. The format blklst.txt file is

    Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM ADD IPBYPASS can be configured with CIDR

JM ADD New Header directive XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header of the email.

JM ADD Integrated Message Sniffer with Declude. Will use Declude rulebase. (If you are a current Message Sniffer user this does not apply to you unless you want to switch and use the Declude rulebase) To configure the SNF files need to be edited by the user, where the [PATH] needs to be the actual path on your server.

getRulebase.cmd

    SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file

    <log path='[PATH]\declude\scanners\SNF\'/>
    <rulebase path='[PATH]\declude\scanners\SNF\'/>
    <workspace path='[PATH]\declude\scanners\SNF\'/>
    <update-script on-off='on' call='[PATH]\declude\scanners\SNF\getRulebase.cmd' guard-time='180'/>

Global.cfg

    SNFIPCAUTION SNFIP x 4 5 0
    SNFIPBLACK SNFIP x 5 10 0
    SNFIPTRUNCATE SNFIP x 6 10 0
    IPREPUTATION SNFIP x 5 10 -5
    SNIFFER-TRAVEL SNF x 47 10 0
    SNIFFER-INSURANCE SNF x 48 10 0
    SNIFFER-AV-PUSH SNF x 49 10 0
    SNIFFER-WAREZ SNF x 50 10 0
    SNIFFER-SPAMWARE SNF x 51 10 0
    SNIFFER-SNAKEOIL SNF x 52 12 0
    SNIFFER-SCAMS SNF x 53 10 0
    SNIFFER-PORN SNF x 54 10 0
    SNIFFER-MALWARE SNF x 55 10 0
    SNIFFER-ADVERTISING SNF x 56 10 0
    SNIFFER-SCHEME SNF x 57 10 0
    SNIFFER-CREDIT SNF x 58 10 0
    SNIFFER-GAMBLING SNF x 59 10 0
    SNIFFER-GENERAL SNF x 60 10 0
    SNIFFER-SPAM SNF x 61 10 0
    SNIFFER-OBFUSCATION SNF x 62 10 0
    SNIFFER-IP-RULES SNF x 63 10 0
    SNFTRUNCATE SNF x 20 10 0

EVA FIX Fix for Virus test not catching the eicar test due to e-mail formatting

HJ ADD Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder. To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.

    HIJNOTIFY ON

Add the included HijackNotify.eml into the \Declude directory. The email can be modified.

DEC ADD Added variable %AUTH% to show the authenticated sender of the email

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

--- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Release 4.10.42
Hi Andy, Happy New Year.

> Is the annual cost of Sniffer now included with Declude?

The cost of Message Sniffer is not included in Declude Service Agreements.

> If we have no custom rule-base, there would be no reason not to use the Declude rule-base?

Correct, if you have no custom rules you could certainly use the integrated Message Sniffer which should have better performance as it is integrated.

> What's the technical implementation of the SNF and SNFIP directives? In the past, this was a command line launch of the Sniffer.exe from Declude. Have you implemented this as a call to their API DLL directly from within Declude? If so, one would expect better performance and reliability - making it another reason to switch?

Yes we use an API call to the Message Sniffer DLL directly from Declude, which means better performance and reliability as this is no longer an external call.

> Can we use the new SNF and SNFIP directives - but still use our own rulebase, if we choose to?

Currently you cannot use your own rulebase with the integrated Declude, if it is possible to do so in a future release we will work towards this, I will have to check with Message Sniffer to verify.

> Finally, POSTINIFIX is a poor name for that directive, since it has absolutely nothing to do with Postini - the problem has existed for a long time. I think in November we had all determined that the problem was an age-old problem with Declude correctly parsing valid (standards compliant) Received headers that contain more than one IP address.

I agree with you that this is a Declude parsing issue and that POSTINIFIX was not the best name, however I did not want to delay this release because of this, this was a resource/time issue rather than a disagreement with the lists. The discussions from the list last November were very helpful and we plan to make the change as suggested.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, January 04, 2010 11:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

Happy New Year:

Can you elaborate on the Sniffer implementation please?

a) Is the annual cost of Sniffer now included with Declude?
b) If we have no custom rule-base, there would be no reason not to use the Declude rule-base?
c) What's the technical implementation of the SNF and SNFIP directives? In the past, this was a command line launch of the Sniffer.exe from Declude. Have you implemented this as a call to their API DLL directly from within Declude? If so, one would expect better performance and reliability - making it another reason to switch?
d) Can we use the new SNF and SNFIP directives - but still use our own rulebase, if we choose to?

Can you elaborate on IPNOSCAN please?

Finally, POSTINIFIX is a poor name for that directive, since it has absolutely nothing to do with Postini - the problem has existed for a long time. I think in November we had all determined that the problem was an age-old problem with Declude correctly parsing valid (standards compliant) Received headers that contain more than one IP address.

According to the standard it seems perfectly VALID for a single RECEIVED header to contain TWO IP addresses, one in the FROM clause and one in the BY clause? Obviously, Declude would need to inspect the IP address in the FROM clause and ignore any IP addresses that it encounters in/after the BY clause?

I think retiring the postinifix name and picking a more general directive name 'RcvHdrFix' would avoid that people leave this turned off just because they are not using Postini.

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com; declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

Declude 4.10.42

JM ADD Add IMail support for SQL Database. Declude can check the SQL DB for Autowhitelist

JM ADD IPNOSCAN for IMail

JM ADD Add a new directive POSTINIFIX uses either ON or OFF in the declude.cfg file. Postini is a large managed email service which amends the header structure. The Postini fix helps Declude correctly identify Postini headers. To configure use POSTINIFIX ON

JM ADD Add the Recipient, mailfrom and subject information to the blklst.txt file. The format blklst.txt file is

    Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM ADD IPBYPASS can be configured with CIDR

JM ADD New Header directive XWHITELIST ON in the global.cfg will give the reason for why the email was WHITELISTED in the header
RE: [Declude.JunkMail] Release 4.10.42
As for using your own Message Sniffer license we are looking at adding this ability.

For using the integrated Message Sniffer you will notice there is a Message Sniffer expiration date on your HOST record which relates to your license with Message Sniffer. If you are a current Message Sniffer subscriber and wish to use the new system, just make sure you are running Declude 4.10.42, make the appropriate changes to directives in the global.cfg and getRulebase.cmd and just send us an email and we will turn on the integrated Message Sniffer for you. So in short activation of Declude Message Sniffer is based on your Message Sniffer expiration date which we receive from Message Sniffer.

IPNOSCAN was a custom function which we have made public - it is only available for IMail. It was created to skip scanning of messages when coming from a certain IP and is used in a file called IPNOSCAN.cfg in the \declude folder.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, January 04, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

Thanks. I'm very happy to see that you took the time to implement the Sniffer API directly. That's great!

As far as the usage - I'm a little confused. It's using your rule page - but cost is not included. So where do I specify my Sniffer license information so that Declude can make sure I'm a licensed Sniffer user? I would have expected some sort of Global.cfg option where I have to provide my license ID that the API is then using?

Also: Can you elaborate on IPNOSCAN please?

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, January 04, 2010 11:38 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

Hi Andy, Happy New Year.

> Is the annual cost of Sniffer now included with Declude?

The cost of Message Sniffer is not included in Declude Service Agreements.

> If we have no custom rule-base, there would be no reason not to use the Declude rule-base?

Correct, if you have no custom rules you could certainly use the integrated Message Sniffer which should have better performance as it is integrated.

> What's the technical implementation of the SNF and SNFIP directives? In the past, this was a command line launch of the Sniffer.exe from Declude. Have you implemented this as a call to their API DLL directly from within Declude? If so, one would expect better performance and reliability - making it another reason to switch?

Yes we use an API call to the Message Sniffer DLL directly from Declude, which means better performance and reliability as this is no longer an external call.

> Can we use the new SNF and SNFIP directives - but still use our own rulebase, if we choose to?

Currently you cannot use your own rulebase with the integrated Declude, if it is possible to do so in a future release we will work towards this, I will have to check with Message Sniffer to verify.

> Finally, POSTINIFIX is a poor name for that directive, since it has absolutely nothing to do with Postini - the problem has existed for a long time. I think in November we had all determined that the problem was an age-old problem with Declude correctly parsing valid (standards compliant) Received headers that contain more than one IP address.

I agree with you that this is a Declude parsing issue and that POSTINIFIX was not the best name, however I did not want to delay this release because of this, this was a resource/time issue rather than a disagreement with the lists. The discussions from the list last November were very helpful and we plan to make the change as suggested.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Monday, January 04, 2010 11:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

Happy New Year:

Can you elaborate on the Sniffer implementation please?

a) Is the annual cost of Sniffer now included with Declude?
b) If we have no custom rule-base, there would be no reason not to use the Declude rule-base?
c) What's the technical implementation of the SNF and SNFIP directives? In the past, this was a command line launch of the Sniffer.exe from Declude. Have you implemented this as a call to their API DLL directly from within Declude? If so, one would expect better performance and reliability - making it another reason to switch?
d) Can we use the new SNF and SNFIP directives - but still use our own rulebase, if we choose to
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Don,

We just released an interim version 4.10.41 in which we have added the variable %AUTH%

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Wednesday, November 04, 2009 4:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

David,

Thanks for adding the HiJack email. I had performed the same function through a background task that would monitor the hold2 directory.

I had previously sent a suggestion to add a variable to Declude that would contain the user authentication email address. Is this anywhere on the suggestion list? Any possibility of seeing this down the road or anytime soon?

Thanks,
Don Winsauer
Net1 Media

- Original Message -
From: David Barker mailto:dbar...@declude.com
To: declude.vi...@declude.com ; declude.junkmail@declude.com
Sent: Wednesday, November 04, 2009 11:11 AM
Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Please note these releases are interim and still considered beta. Any test feedback would be appreciated.

4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder

To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.

    HIJNOTIFY ON

Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.

4.8.39 IPBYPASS can be configured with CIDR

4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.

the format blklst.txt file is

    Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

Example:

Multiple Recipients:

    10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|

One Recipient:

    10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|

4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file

Configuration:

In declude.cfg file: POSTINIFIX ON in order for the Posting Fix to work

4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting

4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
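The blklst.txt layout from the release notes above, as an added example (not Declude code and not part of the original posts): a Python parser that keeps a sender-controlled subject containing `|` from shifting fields, then summarises entries per sending IP. It assumes the nine-field layout visible in the posted sample lines, which carry no LastAction value; the log lines, addresses and function names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample lines (documentation addresses), laid out like the samples
# in the thread: date|time|spool#|IP|TotalWeight|RecpList|mailfrom|subject|tests|
# The second subject contains '|' characters; the last line is damaged.
SAMPLE_LOG = """\
10/14/2009|11:40:06.109|53|192.0.2.76|18|a@example.net,b@example.net,|bulk@example.org|Guaranteed payment|SORBS-DUL=5,ZEN=7,DYNHELO=5,WEIGHT10=10,|
10/14/2009|11:40:06.296|15|198.51.100.185|37|a@example.net,|claims@example.org|CONTACT AGENT|x|FOR CONFIRMATION|REVDNS=10,SPFFAIL=10,HELOBOGUS=5,|
10/14/2009|11:41:10.002|16|198.51.100.185|37|c@example.net,|claims@example.org|Second notice|REVDNS=10,SPFFAIL=10,|
this line is damaged
"""

LEFT_FIELDS = 7  # date, time, spool#, IP, TotalWeight, RecpList, mailfrom


@dataclass
class Entry:
    date: str
    time: str
    spool: str
    ip: str
    total_weight: int
    recipients: list
    mail_from: str
    subject: str
    tests: dict


def parse_tests(raw):
    """Turn 'ZEN=7,DYNHELO=5,' into {'ZEN': 7, 'DYNHELO': 5}."""
    tests = {}
    for item in filter(None, raw.split(",")):
        name, sep, weight = item.rpartition("=")
        if not sep or not name:
            raise ValueError(f"bad test entry: {item!r}")
        tests[name] = int(weight)
    return tests


def parse_line(line):
    """Parse one line; raise ValueError if it does not fit the layout."""
    parts = line.rstrip("\r\n").split("|")
    if parts[-1] == "":
        parts.pop()  # each line ends with a trailing '|'
    if len(parts) < LEFT_FIELDS + 2:
        raise ValueError("too few fields")
    date, time, spool, ip, weight, recips, mail_from = parts[:LEFT_FIELDS]
    # The subject is sender-controlled and may contain '|': everything between
    # the seven left-hand fields and the final tests field belongs to it.
    subject = "|".join(parts[LEFT_FIELDS:-1])
    return Entry(date, time, spool, str(ip_address(ip)), int(weight),
                 [r for r in recips.split(",") if r], mail_from, subject,
                 parse_tests(parts[-1]))


def parse_log(text):
    """Return (entries, number of lines skipped as unparseable)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except ValueError:
            skipped += 1
    return entries, skipped


def summarise(entries):
    """Per sending IP: message count, distinct recipients, tests that added weight."""
    summary = {}
    for e in entries:
        row = summary.setdefault(
            e.ip, {"messages": 0, "recipients": set(), "tests": Counter()})
        row["messages"] += 1
        row["recipients"].update(e.recipients)
        row["tests"].update(name for name, w in e.tests.items() if w > 0)
    return summary


if __name__ == "__main__":
    entries, skipped = parse_log(SAMPLE_LOG)
    for ip, row in summarise(entries).items():
        print(ip, row["messages"], sorted(row["recipients"]),
              row["tests"].most_common(3))
    print("skipped lines:", skipped)
```

Counting skipped lines instead of silently dropping them makes a change in the log layout visible, for example a release that starts writing the LastAction field.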
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Andy,

The interim is available from the interim location http://interim.declude.com \4939 and is only for use if you have a valid service agreement or subscription. The username and pass is available from http://www.declude.com/myaccount.asp My Account page at www.Declude.com

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of an...@thumpernet
Sent: Wednesday, November 04, 2009 12:32 PM
To: David Barker
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi,

Yea! Where is the update? I'd like to install it...

Thanks,
Andrew Baldwin
an...@thumpernet.com
http://www.thumpernet.com
315-282-0020

Wednesday, November 4, 2009, 12:11:50 PM, you wrote:

DB Please note these releases are interim and still considered beta.
DB Any test feedback would be appreciated.
DB
DB 4.9.39 Added a function to send a notify e-mail when hijack is
DB triggered and e-mails are being held in the Hold2 folder
DB
DB To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.
DB
DB HIJNOTIFY ON
DB
DB Add the include HijackNotify.eml into the \Declude directory. The
DB recipient of the email can be modified.
DB
DB 4.8.39 IPBYPASS can be configured with CIDR
DB
DB 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.
DB
DB the format blklst.txt file is
DB
DB Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
DB
DB Example:
DB
DB Multiple Recipients:
DB
DB 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|
DB
DB One Recipient:
DB
DB 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|
DB
DB 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file
DB
DB Configuration:
DB
DB In declude.cfg file: POSTINIFIX ON in order for the Posting Fix to work
DB
DB 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting
DB
DB 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.
DB
DB David Barker
DB VP Operations Declude
DB Your Email security is our business
DB 978.499.2933 office
DB 978.988.1311 fax
DB dbar...@declude.com
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Scott,

Postini is violating RFC

RFC 5321: [4.4] An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section. SMTP servers MUST prepend Received lines to messages; they MUST NOT change the order of existing lines or insert Received lines in any other location.

Postini is changing the headers received line by adding the additional IP as the example below.

    Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT

The problem is that a changed received line is an indication of a forged header and is a flag for a bogus received line (a technique often used by spammers). Because of this, the actual IP of the sender is not where it should be, so we are giving our customers the option:

    POSTINIFIX ON Will identify the sending IP as 209.85.221.110
    By Default if not present
    POSTINIFIX OFF Will identify the sending IP as 64.18.4.10

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Wednesday, November 04, 2009 2:41 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Can you please clarify or expand on 4.8.37 PostiniFix? The description doesn't tell me what a posting fix is.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, November 04, 2009 11:12 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Please note these releases are interim and still considered beta. Any test feedback would be appreciated.

4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder

To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.

    HIJNOTIFY ON

Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.

4.8.39 IPBYPASS can be configured with CIDR

4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.

the format blklst.txt file is

    Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

Example:

Multiple Recipients:

    10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|

One Recipient:

    10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|

4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file

Configuration:

In declude.cfg file: POSTINIFIX ON in order for the Posting Fix to work

4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting

4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
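The Received-header question raised in this thread and in Andy Schmidt's FROM-clause/BY-clause remark in the Release 4.10.42 discussion, as an added example (not Declude's code and not part of the original posts): a clause-aware Python parser that takes the sending IP only from the from-clause, next to a naive "last IP in the line" picker that yields the by-clause address on the header quoted above. The function names and the two extra headers (folded, IPv6, the word "by" inside a comment, no from-clause) are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Header quoted in the thread (hostname rejoined from the archive's link residue).
PAGE_HEADER = ("Received: from source ([209.85.221.110]) by exprod5mx260.postini.com "
               "([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT")
# Constructed headers using documentation addresses.
FOLDED_V6 = ("Received: from mail.example.net (mail.example.net [IPv6:2001:db8::25])\r\n"
             "\tby mx.example.org (relay by design [192.0.2.10]) with ESMTP id ABC123;\r\n"
             " Wed, 25 Mar 2009 14:45:20 -0500")
LOCAL_ONLY = ("Received: by mx.example.org ([192.0.2.10]) with local; "
              "Wed, 25 Mar 2009 14:45:21 -0500")

ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
KEYWORD = r"(?<![\w.-])(?:{})(?![\w.-])"  # whole word, not part of a host name


def unfold(header):
    """Join folded header lines (CRLF followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def mask_comments(text):
    """Blank out parenthesised comments so keywords inside them are ignored."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        out.append(" " if depth else ch)
        if ch == ")" and depth:
            depth -= 1
    return "".join(out)


def split_clauses(header):
    """Return (from_clause, by_clause) of one Received header."""
    text = unfold(header).strip()
    if text.lower().startswith("received:"):
        text = text[len("received:"):]
    text = text.rsplit(";", 1)[0]          # drop the date-time part
    masked = mask_comments(text)
    frm = re.match(r"\s*from(?![\w.-])", masked, re.I)
    by = re.search(KEYWORD.format("by"), masked, re.I)
    by_start = by.start() if by else len(text)
    from_clause = text[:by_start].strip() if frm and frm.end() <= by_start else ""
    by_clause = ""
    if by:
        nxt = re.search(KEYWORD.format("via|with|id|for"), masked[by.end():], re.I)
        by_end = by.end() + nxt.start() if nxt else len(text)
        by_clause = text[by.start():by_end].strip()
    return from_clause, by_clause


def literals(clause):
    """All syntactically valid IP address literals in a clause, in order."""
    found = []
    for m in ADDR_LITERAL.finditer(clause):
        try:
            found.append(str(ip_address(m.group(1))))
        except ValueError:
            continue
    return found


def sender_ip(header):
    """IP recorded for the sending host, or None if there is no from-clause IP."""
    from_clause, _ = split_clauses(header)
    # Prefer the address the receiving server recorded in the comment over an
    # address literal the client merely announced as its name.
    recorded = [ip for c in re.findall(r"\(([^()]*)\)", from_clause)
                for ip in literals(c)]
    candidates = recorded or literals(from_clause)
    return candidates[0] if candidates else None


def naive_last_ip(header):
    """Naive picker for comparison: the last IP literal anywhere in the header."""
    found = literals(unfold(header))
    return found[-1] if found else None


if __name__ == "__main__":
    for name, hdr in (("page", PAGE_HEADER), ("folded", FOLDED_V6), ("local", LOCAL_ONLY)):
        print(name, "clause-aware:", sender_ip(hdr), "naive:", naive_last_ip(hdr))
```

Only Received lines written by servers you operate carry a from-clause you can rely on; lines beneath them arrive with the message and are supplied by the sender.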
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Stephan, No need to restart. The only time you need to restart is if you change the declude.cfg. Regarding whitelist.txt the following directive located in your global.cfg DOMAINWHITELISTSON When enabled, Declude JunkMail looks for a \Declude\example.com\whitelist.txt file which is a per-domain setting. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Stephan Chayer Sent: Wednesday, November 04, 2009 2:41 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hello David, Do we need to restart Declude when we do a change in the whitelist file? Also, if we have a whitelist file under a domain folder, it should use this one instead of the default one at the root? Thanks Stephan -Message d'origine- De : supp...@declude.com [mailto:supp...@declude.com] De la part de David Barker Envoyé : 4 novembre, 2009 12:42 À : declude.junkmail@declude.com Objet : RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Andy, The interim is available from the interim location http://interim.declude.com \4939 and is only for use if you have a valid service agreement or subscription. The username and pass is available from http://www.declude.com/myaccount.asp My Account page at www.Declude.com David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of an...@thumpernet Sent: Wednesday, November 04, 2009 12:32 PM To: David Barker Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi, Yea! Where is the update? I'd like to install it... 
Thanks, Andrew Baldwin an...@thumpernet.com http://www.thumpernet.com 315-282-0020

Wednesday, November 4, 2009, 12:11:50 PM, you wrote:

DB Please note these releases are interim and still considered beta.
DB Any test feedback would be appreciated.
DB
DB 4.9.39 Added a function to send a notify e-mail when hijack is
DB triggered and e-mails are being held in the Hold2 folder
DB
DB To turn the Hijack e-mail notify on add the following directive to
DB the hijack.cfg.
DB
DB HIJNOTIFY ON
DB
DB Add the include HijackNotify.eml into the \Declude directory. The
DB recipient of the email can be modified.
DB
DB 4.8.39 IPBYPASS can be configured with CIDR
DB
DB 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.
DB
DB the format blklst.txt file is
DB
DB Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed
DB
DB Example:
DB
DB Multiple Recipients:
DB
DB 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|
DB
DB One Recipient:
DB
DB 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|
DB
DB 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in
DB the declude.cfg file
DB
DB Configuration:
DB
DB In declude.cfg file: POSTINIFIXON in order for the Postini Fix to work
DB
DB 4.8.36 Fix for Virus test was not catching the EICAR test due to
DB e-mail formatting
DB
DB 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.
DB
DB David Barker
DB VP Operations Declude
DB Your Email security is our business
DB 978.499.2933 office
DB 978.988.1311 fax
DB dbar...@declude.com
DB
DB ---
DB This E-mail came from the Declude.JunkMail mailing list. To
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Here is a message going through a Postini server.

---EXAMPLE 1--- --
Received: from .x.local ([127.0.0.1]) by xx.xom with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Sep 2009 12:18:03 -0400
Return-Path: dbar...@declude.com
Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net with SMTP; Wed, 30 Sep 2009 12:12:56 -0400
Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP; Wed, 30 Sep 2009 11:16:38 CDT
Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com with SMTP; Wed, 30 Sep 2009 11:16:11 -0500
Reply-To: dbar...@declude.com
From: David Barker dbar...@declude.com
To: xxx ' x...@x.com
---

This line is good.

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net with SMTP;

However this line is a problem.

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP;

This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line. The problem occurs when there are two IP addresses on the same line. The first IP is considered as BOGUS and Declude picks up the second IP address on this line. For more information please review RFC 5321: [4.4]

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, November 04, 2009 3:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi David:

I'm interested to better understand this feature. The line you posted looks like a legit received header that Postini indeed should add to the top of the headers when it receives the message from the source?

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT

Isn't the MX of the recipient domain pointed to Postini's server? So Postini would be the first received header to be inserted before relaying the message to the client's internal mail server?

It might help if you actually posted what a header looked like before Postini mangled it and what it looked like after Postini mangled it? I guess, what I'm not grasping is, who inserted the original header that Postini has tampered with if Postini is the domain's MX?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, November 04, 2009 2:54 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi Scott,

Postini is violating RFC 5321: [4.4]

An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section. SMTP servers MUST prepend Received lines to messages; they MUST NOT change the order of existing lines or insert Received lines in any other location.

Postini is changing the headers received line by adding the additional IP as the example below.

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT

The problem is that a changed received line is an indication of a forged header and is a flag for a bogus received line (a technique often used by spammers). Because of this, the actual IP of the sender is not where it should be, so we are giving our customers the option:

POSTINIFIX ON Will identify the sending IP as 209.85.221.110
By Default if not present
POSTINIFIX OFF Will identify the sending IP as 64.18.4.10

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
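The two-address Received line discussed in this thread, modelled as an added example (not Declude's code and not part of the original messages): it splits each Received field into its "from" and "by" clauses, flags hops that carry an address in both, and shows which address an IP-based test would query under each POSTINIFIX setting as the thread describes them. The function names and the `dnsbl.example` zone are hypothetical; the header block is the thread's EXAMPLE 1 with a constructed folding.

```python
import ipaddress
import re

# Received chain from the thread's EXAMPLE 1, re-folded here (constructed layout).
SAMPLE_HEADERS = (
    "Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net\n"
    "\twith SMTP; Wed, 30 Sep 2009 12:12:56 -0400\n"
    "Received: from source ([216.144.195.81])\n"
    "\tby exprod5mx277.postini.com ([64.18.4.10]) with SMTP;\n"
    "\tWed, 30 Sep 2009 11:16:38 CDT\n"
    "Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com\n"
    "\twith SMTP; Wed, 30 Sep 2009 11:16:11 -0500\n"
    "Reply-To: dbar...@declude.com\n"
)

BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\]")    # address literal inside [...]
BY_KEYWORD = re.compile(r"\sby\s", re.IGNORECASE)  # start of the receiving-host clause


def received_lines(headers):
    """Unfold continuation lines and return only the Received: fields, top first."""
    fields = []
    for raw in headers.splitlines():
        if not raw.strip():
            break                                  # blank line ends the header section
        if raw[0] in " \t" and fields:
            fields[-1] += " " + raw.strip()        # folded continuation of previous field
        else:
            fields.append(raw.strip())
    return [f for f in fields if f.lower().startswith("received:")]


def extract_ips(text):
    """Return every syntactically valid IP literal found in square brackets."""
    found = []
    for candidate in BRACKETED.findall(text):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue                               # bracketed text that is not an address
    return found


def parse_received(field):
    """Split one Received field into from-clause and by-clause addresses."""
    value = field.split(":", 1)[1].split(";", 1)[0]   # drop field name and date stamp
    clauses = BY_KEYWORD.split(" ".join(value.split()), maxsplit=1)
    by_clause = clauses[1] if len(clauses) > 1 else ""
    return {"from_ips": extract_ips(clauses[0]), "by_ips": extract_ips(by_clause)}


def sender_ip(field, postinifix):
    """Address taken from one hop: ON = from-clause IP, OFF = second IP on the line."""
    hop = parse_received(field)
    if hop["from_ips"] and hop["by_ips"]:
        return hop["from_ips"][0] if postinifix else hop["by_ips"][-1]
    ips = hop["from_ips"] + hop["by_ips"]          # one address: nothing to disambiguate
    return ips[0] if ips else None


def dnsbl_query(ip, zone="dnsbl.example"):
    """Name an IPv4 DNSBL lookup would resolve for this address (placeholder zone)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this sketch")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def audit(headers):
    """Per-hop report: is it a two-address line, and what does each setting select?"""
    report = []
    for field in received_lines(headers):
        hop = parse_received(field)
        report.append({
            "two_addresses": bool(hop["from_ips"] and hop["by_ips"]),
            "on": sender_ip(field, True),
            "off": sender_ip(field, False),
        })
    return report


if __name__ == "__main__":
    for hop in audit(SAMPLE_HEADERS):
        print(hop, dnsbl_query(hop["off"]))
```

On the Postini hop the two settings diverge, so with OFF every IP-based test downstream would be scored against the gateway's own address rather than the connecting client's.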
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Don,

We are in the process of reviewing hijack functionality we can certainly add this to the list for review.

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Wednesday, November 04, 2009 4:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

David,

Thanks for adding the HiJack email. I had performed the same function through a background task that would monitor the hold2 directory. I had previously sent a suggestion to add a variable to Declude that would contain the user authentication email address. Is this anywhere on the suggestion list? Any possibility of seeing this down the road or anytime soon?

Thanks,
Don Winsauer
Net1 Media

- Original Message -
From: David Barker mailto:dbar...@declude.com
To: declude.vi...@declude.com ; declude.junkmail@declude.com
Sent: Wednesday, November 04, 2009 11:11 AM
Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Please note these releases are interim and still considered beta. Any test feedback would be appreciated.

4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder

To turn the Hijack e-mail notify on add the following directive to the hijack.cfg.

HIJNOTIFY ON

Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified.

4.8.39 IPBYPASS can be configured with CIDR

4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file.

the format blklst.txt file is

Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

Example:

Multiple Recipients:

10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,testi...@yahoo,beg...@yahoo.com,donotl...@gmail,|owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,|

One Recipient:

10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS=5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,|

4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file

Configuration:

In declude.cfg file: POSTINIFIXON in order for the Postini Fix to work

4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting

4.7.35 Added support for IMail SQL Database for AUTOWHITELIST.

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] bl.csma.biz
Hi Gary,

Checking my global.cfg I see I have bl.csma.biz commented out, can't remember why, but usually I comment RBL's if I get slow or no responses. I have not seen anything on the internet that would indicate that they are no longer functional. This IP4R test was assigned a low weight and if you have not seen a response in several months I would suggest you could drop it.

David B

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Gary Steiner
Sent: Saturday, September 26, 2009 9:19 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] bl.csma.biz

I was checking the blacklists used on my server, and noticed that bl.csma.biz hadn't hit any spam in over three months. Their web site seems to indicate it is still running. Are any of you using it, and is it working for you?

Thanks,
Gary

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude list still up?
Everything is just dandy! :)

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Randy Armbrecht
Sent: Monday, September 21, 2009 2:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude list still up?

Just checking - haven't received any emails since 8.31.09 from the list

Randy Armbrecht
Global Web Solutions Inc

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files
Hi Andy,

In Declude \proc directory there is a directory called REVIEW which is exactly for this purpose. In the Declude.cfg there is a directive that can override this functionality called

AUTOREVIEWON

If the decludeproc service is unexpectedly stopped email in the \work directory is moved to the \review directory. If AUTOREVIEW is ON then the user has opted to reprocess these files, if the AUTOREVIEW is commented out then the \Review directory will have a copy of the offending file set and we can use these files to try and isolate the problem.

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, August 26, 2009 11:04 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files
Sensitivity: Personal

Hi,

Doesn't make much sense to ask a user to submit debug logs AFTER a GP fault that only happens sporadically. How about Declude quarantining the Q/D files in question whenever the C:/Declude.GP* files are written? This way, the customer can attempt to reproduce the problem (using the same Q/D files) after setting the log to Debug mode.

Best Regards,
Andy

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files
Correct. And from the looks of the gp1 file it may be something external. I have our engineer looking to see what we can gather from the file. And will get back to you asap.

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, August 26, 2009 11:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files
Sensitivity: Personal

Thanks Dave - I have AutoReview on. So I suppose if that folder is empty, it means that the file processed successfully a second time around.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, August 26, 2009 11:48 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files
Sensitivity: Personal

Hi Andy,

In Declude \proc directory there is a directory called REVIEW which is exactly for this purpose. In the Declude.cfg there is a directive that can override this functionality called

AUTOREVIEWON

If the decludeproc service is unexpectedly stopped email in the \work directory is moved to the \review directory. If AUTOREVIEW is ON then the user has opted to reprocess these files, if the AUTOREVIEW is commented out then the \Review directory will have a copy of the offending file set and we can use these files to try and isolate the problem.

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Wednesday, August 26, 2009 11:04 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files
Sensitivity: Personal

Hi,

Doesn't make much sense to ask a user to submit debug logs AFTER a GP fault that only happens sporadically. How about Declude quarantining the Q/D files in question whenever the C:/Declude.GP* files are written? This way, the customer can attempt to reproduce the problem (using the same Q/D files) after setting the log to Debug mode.

Best Regards,
Andy

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude Beta 4.7.35 Support for SQL Database Imail
Available as beta at Declude Interim site. 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: Re[2]: [Declude.JunkMail] Cutting down on DNS
IADB holds the IP's of good senders and helps reduce false positives so the hit rate may be low but it is worth having. MAILPOLICE can be consolidated into a single lookup. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Cummins Sent: Friday, July 10, 2009 2:58 PM To: declude.junkmail@declude.com Subject: RE: Re[2]: [Declude.JunkMail] Cutting down on DNS And my other recommendation stands -- look into which BLs will let you replicate their zone/s locally. Thank you for your advice. Among other things, I've been reviewing the spam tests I've enabled. I thought I might share my observations with the list here, as a sounding board. Perhaps I will help someone, perhaps I will expose a poor decision. I deactivated the following tests, because my DLAnalyzer told me that they fetched less than 3% positives over the last 9 days (an arbitrary selection): AHBL AHBL-DOMAINS DNSBL IADB LNG MAILPOLICE-BLOCK MAILPOLICE-DOMAIN MAILPOLICE-FRAUD MAILPOLICE-HELO MAILPOLICE-REVDNS MAILPOLICE-REVWEBMAIL MXRATE-SUSPICIOUS NJABL VIRBL I noticed that these tests had returned the largest number of hits (for this type of test), so I thought I'd mention them: BARRACUDA HOSTKARMA-BLACK ZEN UCEPROTECT-2 UCEPROTECT-3 CBL SORBS UCEPROTECT-1 SPAMCOP MXRATE-BLOCK How does one go about replicating a zone locally to begin with? Can you replicate multiple zones locally? Should you do this on the machine that is hosting SmarterMail/Declude, or on another? Sniffer is my best test. INVURIBL used to be fantastic, but it doesn't fare quite as well these days. Does anyone recommend anything else? Thanks for the discussion! -- Michael Cummins --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. 
The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?
We just migrated servers this week. It is possible your DNS is using cached information. Remember a diags.txt is only created on startup so you may have old information. Can you flush your DNS cache and restart Declude to see if it resolves the problem. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, July 08, 2009 10:20 AM To: declude.vi...@declude.com; declude.junkmail@declude.com Subject: [Declude.JunkMail] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it? Sensitivity: Personal Hi, I noticed that ZeroHour stopped catching any viruses after 6/28 - and, after investigating, I now realize it no longer traps any Spam. There were NO changes to any .CFG (or other Declude files). I'm enclosing the most recent Diags.txt (from 6/18, where CommTouch was ON) and then one from today after I made a point of manually restarting DecludeProc. Suddenly, it reports CommTouch as OFF? My customer screen shows: Host Information Declude Imail Perpetual Lic. [omitted] 28 Jun 2010 AVG Activated Current CommTouch Activated It can't be a coincidence that CommTouch stopped working 3 weeks ago, on the exact anniversary date of my (renewed) agreement? Since I only purchased CommTouch a few weeks ago, I'm new to this. So, what do Declude customers have to do after purchasing CommTouch or after renewing their service agreements to make sure that the software will continue to work with a complete function set? This way, I can add yet another reminder to my calendar (besides monitoring the AVG licensing renewal date). 
Overall Server Virus Summary Report
Total Messages Processed: 21,868
Virus Infected Messages: 60
Percentage Infected: 0.27%

VIRUS                                                  # INFECTED  PERCENTAGE
OUTLOOK 'BLANK FOLDING' VULNERABILITY                  33          0.15%
OUTLOOK 'CR' VULNERABILITY                             11          0.05%
OUTLOOK 'MIME SEGMENT IN MIME PREAMBLE' VULNERABILITY  8           0.04%
I-WORM/MYDOOM.O                                        3           0.01%
I-WORM/MYDOOM.BE                                       1           0.00%
I-WORM/MYDOOM.N                                        1           0.00%
NON STANDARD HEADER VULNERABILITY                      1           0.00%
TROJAN.IFRAME-3                                        1           0.00%
WORM.BAGLE-ZIPPWD-35                                   1           0.00%

Virus Scanner Summary Report (Integrated AVG Scanner)
Total Messages Processed: 21,868
Virus Infected Messages: 5
Percentage Infected: 0.02%

VIRUS             # INFECTED  PERCENTAGE
I-WORM/MYDOOM.O   3           0.01%
I-WORM/MYDOOM.BE  1           0.00%
I-WORM/MYDOOM.N   1           0.00%

Virus Scanner Summary Report (ClamAV)
Total Messages Processed: 21,868
Virus Infected Messages: 2
Percentage Infected: 0.01%

VIRUS                 # INFECTED  PERCENTAGE
TROJAN.IFRAME-3       1           0.00%
WORM.BAGLE-ZIPPWD-35  1           0.00%

Best Regards,
Andy

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Re: Commtouch ZeroHour - no longer active?
If anyone else has a similar issue please notify supp...@declude.com and not the lists. Thanks David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Ferrell Ard Sent: Wednesday, July 08, 2009 2:23 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Re: Commtouch ZeroHour - no longer active? David I just restarted Declude and our CommTouch is reporting OFF also. Ferrell Ard - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.junkmail@declude.com ; declude.vi...@declude.com Sent: Wednesday, July 08, 2009 12:06 PM Subject: RE: [Declude.JunkMail] RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it? Andy, When I checked your record on our server CT was set to ON I did not reactivate it. 1. The switch over to the new system was on 6/28 8:00-10:00 pm EST time. I chose Sunday to do this as web traffic to Declude would be low and it was after the weekend. 2. Thanks for pointing out that we should update our own DNS a week prior. This was done 1 week prior and we set the TTL to 5 min. Which I think is still the case and once everything has settled we will move it up again. I have not pinpointed the exact problem as of yet however the issue you experienced occurred on some servers and is resolved within minutes of notifying us, as it was with you. Thanks David From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, July 08, 2009 11:50 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it? Sensitivity: Personal Hi Dave, The Diags.txt I had sent was created from THIS MORNING (I had made a point of restarting DecludeProc to get a current status). So CommTouch was definitely reported as OFF at that time. 
It had been reported as ON in June, the previous time that the server had been started (for security fixes).

I cleared the DNS cache and restarted DecludeProc and now Diags.txt reports ON for CommTouch. So thanks for re-activating it.

So - that leaves a whole bunch of new concerns:

- If you ONLY migrated servers THIS week, then THIS was NOT the reason. CommTouch had stopped after 6/27, which is 11 days ago. (That's the last date your log files showed any CommTouch hits!) However, it's the exact date of my new renewal term! So what precisely happened on 6/28 at midnight?

- Irregardless, if you switched IP addresses for some of your servers, that you obviously would have to FIRST update your OWN DNS a week prior (or whatever the old TTL was) to change the TTL for that DNS record to something extremely short (e.g., hours). A week later, after the old TTL had expired, you could THEN change the DNS record to the NEW IP address and update the TTL to the longer period again. If you simply switched IP addresses without prior TTL adjustments, then your customers would NOT see the new IP until the old TTL had run out. Although this was not the problem in my case - which host name are we talking about and how was this migration executed if you feel that your customers have to flush their DNS cache to obtain the new server address?

Best Regards,
Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Wednesday, July 08, 2009 11:04 AM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?
Sensitivity: Personal

We just migrated servers this week. It is possible your DNS is using cached information. Remember a diags.txt is only created on startup so you may have old information. Can you flush your DNS cache and restart Declude to see if it resolves the problem.
David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, July 08, 2009 10:20 AM To: declude.vi...@declude.com; declude.junkmail@declude.com Subject: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it? Sensitivity: Personal Hi, I noticed that ZeroHour stopped catching any viruses after 6/28 - and, after investigating, I now realize it no longer traps any Spam. There were NO changes to any .CFG (or other Declude files). I'm enclosing the most recent Diags.txt (from 6/18, where CommTouch was ON) and then one from today after I made a point of manually restarting DecludeProc. Suddenly, it reports CommTouch as OFF? My customer screen shows: Host Information Declude Imail Perpetual Lic. [omitted] 28 Jun 2010 AVG Activated Current CommTouch
RE: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED
Hi Andy,

The ZEROHOUR was integrated into Declude as part of the virus code as it provides ZEROHOUR anti-virus. Because of this it does not function the same as the other tests. It either scores the email for x points as defined in the global.cfg or it does not which is shown as zero. Changing the way ZEROHOUR was implemented is on our development list.

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Sunday, June 07, 2009 6:07 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] ZEROHOUR vs. TESTSFAILED
Importance: High

Hi,

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the TESTSFAILED variable?

1. Example: I have defined

XINHEADERX-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

However, since activating ZEROHOUR I now see SMTP headers like this:

X-Declude: Triggered [-2] None, ZEROHOUR [0]

There are two things wrong with this:

a) If Testsfailed returns None, why is the string ZEROHOUR appended? If it's None then it should be None and nothing else.

b) If ZEROHOUR didn't fail and thus has a weight of 0, then it shouldn't appear in the TESTSFAILED list at all.

2. In one of my filters, I have the line

TESTSFAILED 5 CONTAINS ZEROHOUR

However, it fails to add 5 to the weight as if it doesn't detect ZEROHOUR in the TestsFailed string which would be consistent with items a) and b) because apparently there is a bug where ZEROHOUR is not correctly included in the TESTSFAILED variable, but instead it is somehow appended behind it!

The power of Declude is to be able to tightly configure (through various options) how weights are assigned and (with the help of TESTSFAILED filters) which groupings of tests might be testing/triggering on the same aspect of a message. Currently ZEROHOUR appears to negate all the other advantages of Declude!
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] All_list.dat
The all_list.dat file located in the \Declude directory. This file contains all the IP address geo-locations, this is used by Declude to identify the country chain displayed as part of the X-Country-Chain within the header.

A new all_list.dat will be available every day from the My Account page under the downloads section of declude.com. It has been compressed using .rar, you will need to uncompress the file to replace your existing all_list.dat

You do not need to update this file every day, however it is there for your convenience. We suggest updating this file on a periodic basis of about once every 30-90 days.

David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] CommTouch ZeroHour
Commtouch does have a restriction. The condition is: a. ISP shall mean an internet service provider or managed solution provider. What this means - if you are an ISP as defined by Commtouch, your primary function is to provide Internet service to your customers (like Comcast) or your business provides managed services (Like MXlogic) clean-and-forward of emails. Secondly, if your business is part of the ISP category you can use Commtouch with the added cost of $3.60 per user per year. And finally, the yearly cost and payments to Commtouch for NON-ISP perpetual license Declude customers is being absorbed by Declude. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford Whiteman Sent: Friday, June 05, 2009 2:07 AM To: Dean Lawrence Subject: Re: [Declude.JunkMail] CommTouch ZeroHour If my memory serves me correctly, there were some licensing limitations for using the CommTouch tests which is why I have not activated it in the past. Has this changed? I was trying to find it on my account page but could not. The list archives show that as of the last public communication, CommTouch is allowed for [a] people who are not considered service providers or [b] people who are service providers, but who are legacy Declude customers holding a perpetual license prior to the integration of CT. I host mail for my clients (we are not an ISP though), so can you clarify if I am able to use the CommTouch feature? It's my understanding from David's remarks in the past that if you perform store-and-forward between your organization and another (which seems to apply to you) and you are not a legacy customer, you are not allowed to use CT. Though perhaps if you charge nothing for the service on paper (not just a loss leader, but a non-item) then maybe you still aren't a service provider? 
I presume, though it is far from clear, that when David refers to eating the cost of CT it is that he is eating the cost only for the legacy customers who operate service providers. If in fact Declude is absorbing the service provider sublicensing cost for all legacy customers, regardless of how each customer actually deploys Declude, that is unfortunate but certainly not the fault of people whose real use of Declude should *not* legally trigger an associated Declude payment to CommTouch. Or if Declude has been absorbing the service provider sublicense for *all* current customers -- that is, that anyone can now use ZEROHOUR regardless of when they bought and how they use Declude -- that certainly was not well-presented to the community.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] CommTouch ZeroHour
Yes Internet access provider is a better description of ISP and how it is understood by Commtouch.

David

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, June 05, 2009 11:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Uh - okay, that was the reason, why I wasn't able to purchase CommTouch back when. As a hosting provider (which includes providing mailboxes for the clients' domains), that would fall under the umbrella primary function is to provide Internet service. If they would define ISP as Internet ACCESS provider - then this would be a different story. Because we don't provide Internet access and our primary function is not clean-and-forward MX services.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, June 05, 2009 10:49 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Commtouch does have a restriction. The condition is: a. ISP shall mean an internet service provider or managed solution provider.

What this means - if you are an ISP as defined by Commtouch, your primary function is to provide Internet service to your customers (like Comcast) or your business provides managed services (Like MXlogic) clean-and-forward of emails. Secondly, if your business is part of the ISP category you can use Commtouch with the added cost of $3.60 per user per year. And finally, the yearly cost and payments to Commtouch for NON-ISP perpetual license Declude customers is being absorbed by Declude.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.JunkMail] CommTouch ZeroHour
I simply host mailboxes for some of my development clients' domains.

This is classified as a non-ISP and you can use Commtouch

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dean Lawrence
Sent: Friday, June 05, 2009 11:50 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] CommTouch ZeroHour

Thanks David. I'm still a little confused though. I do not provide Internet access for my clients, nor do I offer a clean and forward option. I simply host mailboxes for some of my development clients' domains. With this description, would CommTouch classify me as an ISP?

Thanks,
Dean

On Fri, Jun 5, 2009 at 11:35 AM, David Barker dbar...@declude.com wrote:

Yes Internet access provider is a better description of ISP and how it is understood by Commtouch.

David

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, June 05, 2009 11:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Uh - okay, that was the reason, why I wasn't able to purchase CommTouch back when. As a hosting provider (which includes providing mailboxes for the clients' domains), that would fall under the umbrella primary function is to provide Internet service. If they would define ISP as Internet ACCESS provider - then this would be a different story. Because we don't provide Internet access and our primary function is not clean-and-forward MX services.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, June 05, 2009 10:49 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Commtouch does have a restriction. The condition is: a. ISP shall mean an internet service provider or managed solution provider.
What this means - if you are an ISP as defined by Commtouch, your primary function is to provide Internet service to your customers (like Comcast) or your business provides managed services (Like MXlogic) clean-and-forward of emails. Secondly, if your business is part of the ISP category you can use Commtouch with the added cost of $3.60 per user per year. And finally, the yearly cost and payments to Commtouch for NON-ISP perpetual license Declude customers is being absorbed by Declude.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

--
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists
RE: [Declude.JunkMail] CommTouch ZeroHour
For Legacy perpetual license Declude customers (defined as Non-ISP) activation of ZEROHOUR is $195.00

David

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, June 05, 2009 11:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Oh? In that case - what's the purchase cost to add CommTouch to our account at this point?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, June 05, 2009 11:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Yes Internet access provider is a better description of ISP and how it is understood by Commtouch.

David

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, June 05, 2009 11:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Uh - okay, that was the reason, why I wasn't able to purchase CommTouch back when. As a hosting provider (which includes providing mailboxes for the clients' domains), that would fall under the umbrella primary function is to provide Internet service. If they would define ISP as Internet ACCESS provider - then this would be a different story. Because we don't provide Internet access and our primary function is not clean-and-forward MX services.
RE: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX
Hi Goran,

Yes, they have changed. You can view the new credentials from the my account page of Declude.

David

From: Goran Jovanovic gjovano...@omeganetworksolutions.com
Sent: Monday, June 01, 2009 11:25 PM
To: declude.junkmail@declude.com declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

Hi,

I am unable to connect to the interim download site with the standard interim/decinterim credentials. Have they changed?

Goran Jovanovic
Omega Network Solutions

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Monday, June 01, 2009 3:38 PM
To: declude.junkmail@declude.com; declude.vi...@declude.com
Subject: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

If your AVG is not scanning emails, please upgrade immediately to 4.6.35 which is available from the Declude website. If you are unsure whether this means you, we suggest you upgrade, if you need any assistance in this matter please contact supp...@declude.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com