RE: [Declude.JunkMail] ED Spam Expression
Try this ...

(?i:\b(?!dick?)(m(\W?|_){0,3}e(\W?|_){0,3}g(\W?|_){0,[EMAIL PROTECTED])?(\W?|_){0,3}d(\W?|_){0,3}[|li1í!](\W?|_){0,3}[ck]{1,2}\b)

Will match on obfuscated dick (i.e. D!ck) but NOT dick, can include mega obfuscated.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Olden
Sent: Tuesday, August 21, 2007 1:40 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] ED Spam

I'm still a little green on the regular expressions. I added the following to my filters and it has been doing good.

BODY 100 PCRE m[\s_\.-]?(=2e)?e[\s_.-]?(=2e)?g[\s_.-]?(=2e)?a[\s_.-]?(=2e)?d[\s_.-]?(=2e)?i[\s_.-]?(=2e)?k

but it doesn't catch

Me - ga - Di k

Any suggestions on a better expression?

TIA
--
John Olden - Technology Manager
Champaign Park District

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John E. Richardson
Sent: Friday, November 30, 2007 1:39 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] ED Spam Expression

Greetings,

I was wondering if anyone could send me David Barker's message to the list from 08/21/07 regarding ED Spam. I found it in the archives, but it's got a nice [EMAIL PROTECTED] stuck right in the middle of the expression that he provided.

http://www.mail-archive.com/declude.junkmail@declude.com/msg31989.html

(?i:\b(?!dick?)(m(\W?|_){0,3}e(\W?|_){0,3}g(\W?|_){0,[EMAIL PROTECTED])?(\W?|_){0,3}d(\W?|_){0,3}[|li1í!](\W?|_){0,3}[ck]{1,2}\b)

Thanks in advance,
John Richardson
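Why the filter John Olden posted misses "Me - ga - Di k", as an added example that is not code from the list or from Declude: each `[\s_.-]?` gap admits at most one separator character, while the sample puts three between syllables. The `BOUNDED` variant and the helper names are assumptions written for this illustration (not David Barker's expression, which the archive damaged), Python's `re` stands in for the PCRE engine, and case-insensitive matching is assumed.

```python
import re

WORD = "megadik"  # letter sequence targeted by the filter posted in the thread

# John Olden's pattern as posted, without the Declude "BODY 100 PCRE" prefix.
# Each gap is "at most one separator character, then an optional =2e".
# Case-insensitive matching is an assumption of this example.
ORIGINAL = re.compile(
    r"m[\s_\.-]?(=2e)?e[\s_.-]?(=2e)?g[\s_.-]?(=2e)?a[\s_.-]?(=2e)?"
    r"d[\s_.-]?(=2e)?i[\s_.-]?(=2e)?k",
    re.IGNORECASE,
)

# Added variant (assumption, not from the thread): between letters allow up to
# MAX_GAP separator units, each either a quoted-printable "=2e" or a single
# non-alphanumeric character. The upper bound stops the letters from matching
# when they are spread far apart and keeps backtracking small.
MAX_GAP = 3
GAP = r"(?:=2e|[\W_]){0,%d}" % MAX_GAP
BOUNDED = re.compile(r"\b" + GAP.join(map(re.escape, WORD)) + r"\b", re.IGNORECASE)

# Diagnostic pattern: same letters, unbounded separator runs, one capture per gap.
_LOOSE = re.compile(
    r"((?:=2e|[\W_])*)".join(map(re.escape, WORD)), re.IGNORECASE
)
_UNIT = re.compile(r"=2e|[\W_]", re.IGNORECASE)


def gap_lengths(text):
    """Return the number of separator units in each of the six gaps between
    the letters of WORD, or None when other letters or digits intervene."""
    m = _LOOSE.search(text)
    if m is None:
        return None
    return [len(_UNIT.findall(run)) for run in m.groups()]


def classify(text):
    """Report which pattern fires on one body line and the gaps observed."""
    return {
        "original": bool(ORIGINAL.search(text)),
        "bounded": bool(BOUNDED.search(text)),
        "gaps": gap_lengths(text),
    }


# Constructed sample lines; the second is the string quoted in the thread.
SAMPLES = [
    "m.e_g-a d.i.k",              # one separator per gap
    "Me - ga - Di k",             # three characters between syllables
    "m=2ee=2eg=2ea=2ed=2ei=2ek",  # quoted-printable encoded dots
    "m-----e-g-a-d-i-k",          # first gap wider than MAX_GAP
    "me, give a dime in kind",    # ordinary prose, letters not adjacent
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), classify(sample))
```

The fourth sample shows the trade-off of any bounded gap: a run wider than `MAX_GAP` passes both patterns, so the bound is a tuning value to weigh against false positives.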
RE: [Declude.JunkMail] Postmaster Spoofed Returns
I suppose the detection of "any remnants of the original spam" is going to be a manual process...correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, September 27, 2007 9:08 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Postmaster Spoofed Returns

SPF can help a bit, if the receiver of the spoofed emails uses SPF for filtering and does not bounce on SPF violation.

We've been able to limit the bounces that get through so far to just a few, mostly through detection of any remnants of the original spam in the bounce.

Darin.
[Declude.JunkMail] Postmaster Spoofed Returns
Does anyone have any suggestions on how to stop returned email on spoofed email addresses for our domain? I was going to set up a rule but it would catch good and bad alike...

Thanks,
Kevin
RE: [Declude.JunkMail] User getting flagged for spam from WiFi locations
Duh... He did not have the proper settings on his outbound server. I have fixed it.

Thanks!
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, September 25, 2007 8:51 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] User getting flagged for spam from WiFi locations

1. Is your user required to authenticate with the server?
2. Do you have WHITELIST AUTH in your global.cfg?

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Tuesday, September 25, 2007 8:35 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] User getting flagged for spam from WiFi locations

I have a user that has a laptop. When they are on the local network they have no problems sending email, however, if they use WiFi or broadband the email is flagged as spam after failing several checks. I cannot whitelist his email address because it is being spoofed by spammers.

Anyone know of a workaround to this problem so that I do not have to manually release the email that gets caught?

Thanks,
Kevin
[Declude.JunkMail] User getting flagged for spam from WiFi locations
I have a user that has a laptop. When they are on the local network they have no problems sending email, however, if they use WiFi or broadband the email is flagged as spam after failing several checks. I cannot whitelist his email address because it is being spoofed by spammers.

Anyone know of a workaround to this problem so that I do not have to manually release the email that gets caught?

Thanks,
Kevin
[Declude.JunkMail] SMD files showing up in different directories
In August I upgraded to version 4. Since that time I have smd files showing up in the root of C:. Here is a copy of the header:

X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-Declude-Sender: [EMAIL PROTECTED] [10.100.1.17]
X-Declude-Spoolname: D90920096dba2.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.3.46 "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [0] at 04:36:22 on 21 Sep 2007
X-Declude-Tests: None
X-Country-Chain:
X-Declude-Code: 0
X-Declude-Recipcount: 2
X-Helo:
X-RevDNS:
X-Declude-Virus: Detected [Outlook 'CR' Vulnerability] [from IP 10.100.1.17 ()].

What do I do to change the directory this is put into or stop it altogether? I thought I had turned off the virus scanner feature of Declude...but apparently not.

Thanks,
Kevin
RE: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket
Thank you David. Does it matter if I set the WAITFORMAIL to 2500 if it is going to be commented out anyway?

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, September 20, 2007 9:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket

You could try commenting out the following:

#WAITFORMAIL 100
#WAITFORTHREADS 10
#WAITBETWEENTHREADS 50

Also set your WAITFORMAIL 2500

I think the biggest improvement was the fact you increased your threads.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Thursday, September 20, 2007 9:56 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket

It does appear the settings in the declude.cfg file were hindering my server. The settings I had were

THREADS 15
WAITFORMAIL 5000

I changed it to the following settings per a previous post I found:

THREADS 50
WAITFORMAIL 100
WAITFORTHREADS 10
WAITBETWEENTHREADS 50
WINSOCKCLEANUP ON
AUTOREVIEW ON
INVITEFIX ON

Does anyone see a problem with this change? I have noticed a significant increase in mail delivery. I had users complaining that it was taking 5 - 15 minutes to get their email; now it is down to about 1 - 2 minutes.

Thanks,
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Tuesday, August 21, 2007 11:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket

I just kept the "generic" setting that came with the default global.cfg (found in the resource directory) and added sniffer and the country filter. I have checked but it appears that I am not running the virus scanner that is part of version 4. Also we have several users complaining that they are not getting their inbound email as quickly as they used to. There has been noticed a significant decrease in the amount of spam that is coming in so I am assuming that I have more "test" running causing the slowdown. Mail volume appears to be the same for at least the past 6 months.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, August 21, 2007 10:30 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket

What are your settings in your declude.cfg file? Are you still using the same setting in that file from Version 3? Has your mail volume increased?

Darrell

Kevin Stanford wrote:
> Hi all,
>
> Since upgrading to Declude Version 4 (from version 3) my processor has
> really taken a hit (runs about 90-100%). I used the default Global.cfg
> file and just moved over the Whitelist stuff as well as a few rules
> that I have.
> Looking at the Task Manager it consistently shows decludeproc.exe
> running at the top of the list under the Process tab.
>
> Anyone know where I can start troubleshooting to bring this back in line?
>
> Thanks,
>
> Kevin

--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket
It does appear the settings in the declude.cfg file were hindering my server. The settings I had were

THREADS 15
WAITFORMAIL 5000

I changed it to the following settings per a previous post I found:

THREADS 50
WAITFORMAIL 100
WAITFORTHREADS 10
WAITBETWEENTHREADS 50
WINSOCKCLEANUP ON
AUTOREVIEW ON
INVITEFIX ON

Does anyone see a problem with this change? I have noticed a significant increase in mail delivery. I had users complaining that it was taking 5 - 15 minutes to get their email; now it is down to about 1 - 2 minutes.

Thanks,
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Stanford
Sent: Tuesday, August 21, 2007 11:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket

I just kept the "generic" setting that came with the default global.cfg (found in the resource directory) and added sniffer and the country filter. I have checked but it appears that I am not running the virus scanner that is part of version 4. Also we have several users complaining that they are not getting their inbound email as quickly as they used to. There has been noticed a significant decrease in the amount of spam that is coming in so I am assuming that I have more "test" running causing the slowdown. Mail volume appears to be the same for at least the past 6 months.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, August 21, 2007 10:30 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket

What are your settings in your declude.cfg file? Are you still using the same setting in that file from Version 3? Has your mail volume increased?

Darrell

Kevin Stanford wrote:
> Hi all,
>
> Since upgrading to Declude Version 4 (from version 3) my processor has
> really taken a hit (runs about 90-100%). I used the default Global.cfg
> file and just moved over the Whitelist stuff as well as a few rules
> that I have.
> Looking at the Task Manager it consistently shows decludeproc.exe
> running at the top of the list under the Process tab.
>
> Anyone know where I can start troubleshooting to bring this back in line?
>
> Thanks,
>
> Kevin

--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.JunkMail] SPF (Fail or Pass)
I am not really sure how to set this up but I would like to make sure that if a domain has an SPF record that it is checked and if it is not legit it is immediately marked as spam.

Also, is it possible to do this on my domain as I get a lot of spoofed email to my domain using my domain as a return address?

Thanks for any help offered!
Kevin
RE: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket
I just kept the "generic" setting that came with the default global.cfg (found in the resource directory) and added sniffer and the country filter. I have checked but it appears that I am not running the virus scanner that is part of version 4. Also we have several users complaining that they are not getting their inbound email as quickly as they used to. There has been noticed a significant decrease in the amount of spam that is coming in so I am assuming that I have more "test" running causing the slowdown. Mail volume appears to be the same for at least the past 6 months.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Tuesday, August 21, 2007 10:30 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket

What are your settings in your declude.cfg file? Are you still using the same setting in that file from Version 3? Has your mail volume increased?

Darrell

Kevin Stanford wrote:
> Hi all,
>
> Since upgrading to Declude Version 4 (from version 3) my processor has
> really taken a hit (runs about 90-100%). I used the default Global.cfg
> file and just moved over the Whitelist stuff as well as a few rules that I have.
> Looking at the Task Manager it consistently shows decludeproc.exe
> running at the top of the list under the Process tab.
>
> Anyone know where I can start troubleshooting to bring this back in line?
>
> Thanks,
>
> Kevin

--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
[Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket
Hi all,

Since upgrading to Declude Version 4 (from version 3) my processor has really taken a hit (runs about 90-100%). I used the default Global.cfg file and just moved over the Whitelist stuff as well as a few rules that I have.

Looking at the Task Manager it consistently shows decludeproc.exe running at the top of the list under the Process tab.

Anyone know where I can start troubleshooting to bring this back in line?

Thanks,
Kevin
[Declude.JunkMail] Allow only 3 countries
Hi all,

I would like to allow only 3 countries into our mail server and block all others without using any weighting. Basically I want to Blacklist all countries except 3 but still filter on the three.

Thanks for any help offered.
Kevin
[Declude.JunkMail] Reverse Blacklist (sorta whitelist)
What changes would I need to make in the $default$.junkmail and the global.cfg file to only allow email from IPs originating from Mexico, United States and Canada but still check for SPAM? And if this is possible can I stop all other country lookups?

Thanks,
Kevin
RE: [Declude.JunkMail] "may skip - 1"
The problem I have is I have spam getting through that should have been caught by these filters and I cannot figure out why. Lately we have had a lot of spam passing the filters. Is there a time out in the dnsbl lookup that it will pass the spam if the test cannot be run? This started about 2 - 3 weeks ago...I am getting slammed with spam as well as my users.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, November 08, 2006 4:27 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] "may skip - 1"

> Could anyone tell me why these tests would be skipped?

That's one of the potentially misleading debug log file entries that I added. :) The debug mode was originally designed as a troubleshooting tool for someone with access to the source code, so there are occasionally comments that could be misleading.

In this case, I believe the "may skip" was added to indicate that even though the test was about to be processed, any pass/fail/whitelist results hadn't yet been determined (so the test could be skipped by a whitelist, for example).

-Scott
RE: [Declude.JunkMail] "may skip - 1"
bd Testing IP 62.34.3.235
11/08/2006 11:37:07.749 Q15c3521000fc8cbd SPAMROUTING processing IPb 62.34.3.235 .
11/08/2006 11:37:07.749 Q15c3521000fc8cbd Handling Received: header
11/08/2006 11:37:07.749 Q15c3521000fc8cbd Got IP 62.34.3.235
11/08/2006 11:37:07.749 Q15c3521000fc8cbd Skipping received line (hop 1)
11/08/2006 11:37:07.749 Q15c3521000fc8cbd Time sent: 8 11 2006 17:30:21 GMT (zone was +0300; offset=180). Delta=6 minutes.
11/08/2006 11:37:07.749 Q15c3521000fc8cbd Time2: 8 11 2006 17:37:7 GMT (zone was +0300; offset=180). Delta=6 minutes.
11/08/2006 11:37:07.749 Q15c3521000fc8cbd Last line of headers: X-MimeOLE: Produced By Microso
11/08/2006 11:37:07.874 Q15c3521000fc8cbd DNSBL checks done
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #0: WHITLEIST [FROM] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #1: AHBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #2: BLITZEDALL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #3: CBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #4: DSBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #5: ORDB [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #6: SBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #7: SORBS-HTTP [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #8: SORBS-SOCKS [ip4r] - may skip-1

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, November 08, 2006 3:03 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] "may skip - 1"

Was it whitelisted in a previous test?

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: "Kevin Stanford" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 08, 2006 3:39 PM
Subject: [Declude.JunkMail] "may skip - 1"

Could anyone tell me why these tests would be skipped?

Thanks,
Kevin

11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #0: WHITLEIST [FROM] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #1: AHBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #2: BLITZEDALL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #3: CBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #4: DSBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #5: ORDB [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #6: SBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #7: SORBS-HTTP [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #8: SORBS-SOCKS [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #9: SORBS-MISC [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #10: SORBS-SMTP [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #11: SORBS-SPAM [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #12: SORBS-WEB [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #13: SORBS-BLOCK [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #14: SORBS-ZOMBIE [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #15: SORBS-DUHL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #16: SPAMCOP [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #17: CHINA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #18: KOREA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #19: BRAZIL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #20: ARGENTINA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #21: HONGKONG [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #22: JAPAN [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #23: MALAYSIA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #24: NIGERIA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #25: RUSSIA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #26: SINGAPORE [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #27: TAIWAN [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #28: THAILAND [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #29: SPAMHAUS [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #30: DSN [rhsbl] - may skip-1
[Declude.JunkMail] "may skip - 1"
Could anyone tell me why these tests would be skipped?

Thanks,
Kevin

11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #0: WHITLEIST [FROM] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #1: AHBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #2: BLITZEDALL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #3: CBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #4: DSBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #5: ORDB [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #6: SBL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #7: SORBS-HTTP [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #8: SORBS-SOCKS [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #9: SORBS-MISC [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #10: SORBS-SMTP [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #11: SORBS-SPAM [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #12: SORBS-WEB [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #13: SORBS-BLOCK [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #14: SORBS-ZOMBIE [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #15: SORBS-DUHL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #16: SPAMCOP [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #17: CHINA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #18: KOREA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #19: BRAZIL [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #20: ARGENTINA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #21: HONGKONG [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #22: JAPAN [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #23: MALAYSIA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #24: NIGERIA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #25: RUSSIA [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #26: SINGAPORE [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #27: TAIWAN [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #28: THAILAND [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #29: SPAMHAUS [ip4r] - may skip-1
11/08/2006 11:37:07.874 Q15c3521000fc8cbd Test #30: DSN [rhsbl] - may skip-1
[Declude.JunkMail] Blackholes test
I have Declude set up to block by country using the blackholes dnsbl. It appears that blackholes is having intermittent problems staying up, thus allowing spam to get through. Does anyone have a workaround to block by IP address by country? Seems like I read somewhere about setting up a private DNS server to do the same but not sure how to do it.

Thanks,
Kevin
RE: [Declude.JunkMail] Whitelist our domain on private network
Thanks! Guess I should have been more clear. We are using Imail 8.13 with Declude/Sniffer. I do catch the forging domains but like I said sometimes we get false positives, usually the fault of sniffer. In order to do the WHITELIST AUTH, is that from within Imail or is this something I have to modify in the Global/default settings in Declude? Sorry, I am just not up to speed on these configurations. With the onslaught of spam the past couple of weeks I have been trying to change settings so I don't have to babysit the server for false positives and yet still catch spam. Thanks again for the help, Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, October 26, 2006 10:27 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Whitelist our domain on private network

Two suggestions:

For whitelist traffic within your private network you can use WHITELIST AUTH to whitelist users who authenticate with your servers for sending, and/or whitelist sending IPs so that all traffic from those IPs is whitelisted. This can be done by CIDR.

Regarding catching spam that forges your domain, the most successful method for us has been using SPF, weighting only on fail. By specifying in your SPF record what servers can send mail for your domain, you can effectively block forging spam, since they will not be sending from your mail servers. You can generate the text of your SPF record at spf.pobox.com, then just add that as a TXT record to your DNS domains.

Darin.

- Original Message -
From: "Kevin Stanford" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 26, 2006 11:17 AM
Subject: [Declude.JunkMail] Whitelist our domain on private network

Is there a way to whitelist our domain within our private network but will still catch spam that is forging our domain? I have a lot of spam that is forging our domain but sometimes I get false positives with our users here and I have to sort through a huge list of spam to find them. Thanks for any help offered! Kevin
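The two suggestions in the reply above, combined in one sketch (an added example, not part of the original posts and not Declude's own logic): trust is keyed on where the mail comes from (an authenticated session or a CIDR range), never on the sender domain, and a sender in our own domain adds weight only on an SPF fail. The domain, networks, SPF record and weight are constructed, and the evaluator handles only the `ip4:` and `all` mechanisms.

```python
import ipaddress

# Constructed values for illustration; none of them come from the thread.
OUR_DOMAIN = "example.org"
SPF_RECORD = "v=spf1 ip4:203.0.113.0/28 -all"   # TXT record naming our outbound servers
TRUSTED_NETS = ["192.168.10.0/24"]              # private LAN whitelisted by CIDR
SPF_FAIL_WEIGHT = 10                            # hypothetical weight

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate ip4: and all mechanisms left to right (a subset of SPF)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "ip4" and value:
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def classify(client_ip, mail_from, authenticated=False):
    """Return (whitelisted, added_weight) for one SMTP session."""
    ip = ipaddress.ip_address(client_ip)
    # Whitelist on the source of the connection, not on the claimed domain.
    if authenticated or any(ip in ipaddress.ip_network(n) for n in TRUSTED_NETS):
        return True, 0
    # Envelope sender claims our domain: weight only on a hard SPF fail.
    domain = mail_from.rpartition("@")[2].lower()
    if domain == OUR_DOMAIN and spf_result(SPF_RECORD, client_ip) == "fail":
        return False, SPF_FAIL_WEIGHT
    return False, 0
```

A message that merely claims `example.org` from an outside address is never whitelisted here; it picks up the fail weight instead.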
[Declude.JunkMail] Whitelist our domain on private network
Is there a way to whitelist our domain within our private network but will still catch spam that is forging our domain? I have a lot of spam that is forging our domain but sometimes I get false positives with our users here and I have to sort through a huge list of spam to find them. Thanks for any help offered! Kevin
Re: [Declude.JunkMail] Whitelisting our Domain
I do have version 8. I don't think that I can use SMTP AUTH because I have Webshield for SMTP that sits in front of Imail. If I try the IP bypass route will it get confused because Webshield will pass (relay) it to Imail with an internal IP address? Kevin

At 10:02 AM 04/04/05, Darin Cox wrote:

Oops.. not that I know of. I believe it wasn't until V8 that IMail passed the info to Junkmail. Your best bet may be IP whitelists (negative weighting, really) using the ipfile test.

Darin.

- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Monday, April 04, 2005 10:43 AM
Subject: Re: [Declude.JunkMail] Whitelisting our Domain

I'm using IMail 7.14 and I noticed that in the Declude help page that WHITELIST AUTH only works with V8 and above? Is there any way to do this with V7.14?

> Yes.
>
> If all users send through your server, then use SMTP AUTH on all clients and
> configure Junkmail to whitelist AUTHing users. If not, but all mail comes
> in from static IPs, you could use an IP whitelist to bypass for those IPs.
>
> Darin.
>
> - Original Message -
> From: "Kevin Stanford" <[EMAIL PROTECTED]>
> To:
> Sent: Monday, April 04, 2005 10:25 AM
> Subject: [Declude.JunkMail] Whitelisting our Domain
>
> If we whitelist our domain will Spam that spoofs our email addresses and
> domain also be whitelisted? If so, how can I circumvent it?
>
> Thanks,
>
> Kevin
[Declude.JunkMail] Whitelisting our Domain
If we whitelist our domain will Spam that spoofs our email addresses and domain also be whitelisted? If so, how can I circumvent it? Thanks, Kevin
Re: [Declude.JunkMail] Earthlink Porn Spam
It looks like this is coming from Korea. I don't know if you are able but we blocked many foreign IP addresses and this cut down on our SPAM dramatically without any false positives so far. We have no need to communicate with countries outside of North America. Hope this helps... Kevin

At 03:21 PM 11/01/2004, you wrote:

I am still getting a ton of porn spam from Earthlink. I report it but it does not help much. Any suggestions on how to stop this crap? Here is a sample.

Received: from starling.mail.pas.earthlink.net [207.217.120.227] by deepspace.i360.net with ESMTP (SMTPD32-7.15) id A729169C0212; Mon, 01 Nov 2004 15:14:17 -0600
Received: from [220.79.28.96] (helo=220.79.28.96) by starling.mail.pas.earthlink.net with asmtp (Exim 4.34) id 1COZPa-0004kT-Jc; Mon, 01 Nov 2004 02:27:44 -0800
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "=?windows-1251?B?dGVlbmE=?=" <[EMAIL PROTECTED]>
From: "=?windows-1251?B?dGVlbmE=?=" <[EMAIL PROTECTED]>
Subject: SPAM: =?windows-1251?B?QmxvbmRlIGJhYmUgcmlkZXMgY29jayBwb29sc2lkZQ==?=
Date: Mon, 1 Nov 2004 19:15:58 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-ELNK-Trace: 851ef91fad811ab935bf18c85fec12a9239a348a220c2609e7a2cc1b84acd378d28921f1d29da79a3ca473d225a0f487350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 220.79.28.96
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840b].
X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.227]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, SPFUNKNOWN, WEIGHT10 [11]
X-Note: This E-mail was sent from starling.mail.pas.earthlink.net ([207.217.120.227]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 384482018

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Re[2]: [Declude.JunkMail] OT: Pete McNiel's Product Proposal
> PST files blow up magically at a certain number of messages - I forget how many, but that's one of the reasons I'm never going near Outlook

Actually it is the pst file size.

OutlookXP 2 gig limit
Outlook2003 20 gig limit

Kevin
Re: [Declude.JunkMail] Blocking IPs based on Country
Ok...so would I put this line in my Global.cfg file:

china ip4r china.blackholes.com * 10 0

Thanks for the help! Kevin

At 11:13 AM 09/30/2004, you wrote:

While I don't recommend it, as I've seen false positives from blocking entire countries, you could use:

an IP4R test using china.blackholes.com
See http://www.blackholes.us/ for other countries

If you use Declude Junkmail Pro version...

COUNTRIES 30 CONTAINS cn
COUNTRIES 30 CONTAINS kr

See Mailpure's foreign filter for more examples of how to catch different countries..
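What an ip4r test against a zone such as the one in this post does on the wire, and why a DNSBL outage (reported elsewhere in this archive for the same list) lets mail through unscored: an added sketch, not part of the original posts and not Declude's code. The zone name and weight 10 are taken from the post; the listing data and resolver are constructed, and the 127.0.0.0/8 check is the usual DNSBL answer convention added here as an extra guard.

```python
import ipaddress
import socket

DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")

def ip4r_name(ip, zone):
    """Build the query name: the IPv4 octets reversed, then the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return A records, [] when the name does not exist, raise on other errors."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []                 # no record: the IP is not listed
        raise                         # timeout or server failure
    return sorted({info[4][0] for info in infos})

def dnsbl_check(ip, zone, weight, resolver=system_resolver):
    """Return (status, added_weight); status is listed, clean or unavailable."""
    try:
        answers = resolver(ip4r_name(ip, zone))
    except OSError:
        # The list is down: nothing is scored, so report it instead of
        # silently treating every sender as clean.
        return "unavailable", 0
    # Answers outside 127.0.0.0/8 point to a wildcarded or parked zone,
    # not a real listing.
    listed = any(ipaddress.ip_address(a) in DNSBL_ANSWERS for a in answers)
    return ("listed", weight) if listed else ("clean", 0)

# Constructed listing data for an offline run.
FAKE_ZONE = {"9.113.0.203.china.blackholes.com": ["127.0.0.2"]}

def make_resolver(zone_data, down=False):
    """Hypothetical stand-in resolver backed by a dict; down=True simulates an outage."""
    def resolve(name):
        if down:
            raise OSError("simulated DNSBL outage")
        return zone_data.get(name, [])
    return resolve
```

Counting `unavailable` results per zone in the mail log shows when a country list has stopped answering.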
[Declude.JunkMail] Blocking IPs based on Country
I am sure I am overlooking this setup...but, Is there a way to block email from specific country's IP addresses like China or Korea? Nothing against these places but we have no need to receive any email from them. In the past couple of days we have received several Pornographic Spams from IP addresses originating from these Countries. Thanks, Kevin
[Declude.JunkMail] Websense
I installed Websense yesterday and since then I have been getting email stopped because it cannot find the MX record. Here is a sample:

03/04/2004 14:07:38 Q8c7c04700342f0a4 WARNING: DNS server 10.100.1.16 returned a SERVER FAILURE error for MX or A for bmccapital.com.

Websense is filtering this particular domain, so my thinking is any domain that is filtered will have the email stopped from delivery. Has anyone else had this problem and if so how do I fix it to allow all domains to get email? Thanks, Kevin
Re: [Declude.JunkMail] Fwd: Blank Emails from Declude
> I would recommend switching that poor mailserver to IMail (or any other mailserver that will include the IP address in the headers, which is almost all of them).

My poor mail server is IMail v6. I received about 95 of these "blank emails" since last Friday with different received times, I have not received any today though. Is there anything else I can check if I happen to get another one of these today that would help in the quest to stop this? Kevin
[Declude.JunkMail] Fwd:
Is anyone doing anything about these messages? I am getting more and more by the day! Thanks, Kevin

Received: from mail.stevenstransport.com [10.100.1.17] by mail.stevenstransport.com (SMTPD32-6.00) id AD69710A015C; Sun, 08 Jun 2003 14:24:25 -0500
Received: FROM declude.com BY mail.stevenstransport.com ; Sun Jun 08 14:24:24 2003 -0500
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [cc200200].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [cc200200].
X-RCPT-TO: <[EMAIL PROTECTED]>
Date: Sun, 8 Jun 2003 14:24:26 -0500
X-UIDL: 2210
Status: U
From: <[EMAIL PROTECTED]>