[Declude.JunkMail] Adding custom header line
According to the manual there is one action to add a line to the message header: WARN. The HEADER action does not add it to the message header but to the head of the body. But the WARN action is limited, as it adds a fixed line

X-RBL-Warning: (description)

What if I want to add a custom line to the message header if a certain weight was reached? For example:

X-Spam-Flag: YES

...so that mailservers and email clients behind Declude could use their own filters based on this header line. I have one possible new customer who already has filters for such a message header and wants to switch to our spam filters. But for this we need such custom message header lines. Am I missing something here, or is it true that there is no way to do this with current Declude versions?

Markus

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Update your SpamDomains filter file
As such, I am starting to see from addresses ending in .rr.com coming from IPs that have Adelphia.net REVDNS records.

So @rr.com .rr. .rr.com .rr. should become ? Would it be an idea to ask for an enhanced spamdomains feature: Regex in the second row?

Markus
RE: [Declude.JunkMail] blackholes.us
I've suggested it already years ago: would it be possible to have some warning mechanism in order to detect long response times, timeouts or connection problems (for whatever reason) not only in the debug loglevel?

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, October 16, 2006 8:27 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] blackholes.us

Jay,

I have noticed over the last 2 months that blackholes seem to timeout very often.

David Barker
Director of Product Development
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Monday, October 16, 2006 2:22 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] blackholes.us

Is blackholes.us down for anyone else? All of our RBL tests to them are timing out.

Thanks!

- Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions
Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX
www.handynetworks.com
RE: [Declude.JunkMail] picture spam
...and give a large part of our revenue to Commtouch? Provide a feasible way to justify the additional costs for our existing customers and service contracts! THEN we could talk about Commtouch.

BTW: even if it's hard work to maintain a reliable spam filter it's not an impossible thing. Years of contribution from our own researches, creation of text filters, publication of new spam and filter signs, development of - in declude long time and still missing - additional external tests allowed and still allows us to have reliable filters and no image spam in my inbox.

The question is why Declude has become a competitor of our work from what it was some years ago: an excellent tool for us admins to do our own hard work.

Looking at your pricing I can see anywhere limitations based on users. What if I have a single gatewayed domain?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Thursday, October 12, 2006 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

Guys, Commtouch hasn't missed any, stop making things hard on yourselves..

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 5:17 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

Sorbs-DUL and NJABL Dynablock look to be the best. Although they miss lots. 5-10's has been discontinued.

----- Original Message -----
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 3:53 PM
Subject: RE: [Declude.JunkMail] picture spam

Thanks all for the various suggestions. Agreed- combo is the way to use that test, for sure. A bit OT, but what is the popular and accurate DUL database these days? How accurate is fiveten at DUL lookups?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 12:49 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

I combo the graphics hit (jpg, gif or png) with:
1. bad DNS - None or timeout
2. bad language (eastern European iso-8859-2) or Cyrillic (koi8-r or iso-8859-5), etc
3. cmdspace
4. good DUL IP lists/tests
5. having forged your local domain.

I still get 5-10 a day. It is a pain.

----- Original Message -----
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 12:08 PM
Subject: [Declude.JunkMail] picture spam

Has anyone figured out a reasonable way to use Declude to minimize picture spam? Sniffer is missing most. They are sent from fresh hosts, so RBLs don't catch them, and there is no target, so INVuribl misses them as well. Associates of ours are using Barracuda to stop most successfully, so it is at least possible. Ideas are welcomed.

Dave
RE: [Declude.JunkMail] picture spam
one time cost? http://www.declude.com/site/purchaseleg.html talks about several thousand dollars per year without precising how gatewayed domains are handled.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Thursday, October 12, 2006 4:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

A one time cost of 195.00 is not a large portion of your revenue and it is your option to not implement this or not

Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, October 12, 2006 9:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

...and give a large part of our revenue to Commtouch? Provide a feasible way to justify the additional costs for our existing customers and service contracts! THEN we could talk about Commtouch.

BTW: even if it's hard work to maintain a reliable spam filter it's not an impossible thing. Years of contribution from our own researches, creation of text filters, publication of new spam and filter signs, development of - in declude long time and still missing - additional external tests allowed and still allows us to have reliable filters and no image spam in my inbox.

The question is why Declude has become a competitor of our work from what it was some years ago: an excellent tool for us admins to do our own hard work.

Looking at your pricing I can see anywhere limitations based on users. What if I have a single gatewayed domain?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chris
Sent: Thursday, October 12, 2006 3:15 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] picture spam

Guys, Commtouch hasn't missed any, stop making things hard on yourselves..
Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 5:17 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

Sorbs-DUL and NJABL Dynablock look to be the best. Although they miss lots. 5-10's has been discontinued.

----- Original Message -----
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 3:53 PM
Subject: RE: [Declude.JunkMail] picture spam

Thanks all for the various suggestions. Agreed- combo is the way to use that test, for sure. A bit OT, but what is the popular and accurate DUL database these days? How accurate is fiveten at DUL lookups?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, October 11, 2006 12:49 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] picture spam

I combo the graphics hit (jpg, gif or png) with:
1. bad DNS - None or timeout
2. bad language (eastern European iso-8859-2) or Cyrillic (koi8-r or iso-8859-5), etc
3. cmdspace
4. good DUL IP lists/tests
5. having forged your local domain.

I still get 5-10 a day. It is a pain.

----- Original Message -----
From: Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 12:08 PM
Subject: [Declude.JunkMail] picture spam

Has anyone figured out a reasonable way to use Declude to minimize picture spam? Sniffer is missing most. They are sent from fresh hosts, so RBLs don't catch them, and there is no target, so INVuribl misses them as well. Associates of ours are using Barracuda to stop most successfully, so it is at least possible. Ideas are welcomed.

Dave
RE: [Declude.JunkMail] INV-URIBL Scoring?
IMO you should never let a single test hold a message.

The question is: what is a single test? Or: is invURIBL a single test?

invURIBL does multiple checks inside and so it's practically a set of URIBL-based tests that could add some points to the weighting system.

I would consider not blocking on invURIBL, but ensuring that invURIBL has a high weight so that it will block in combination with other tests.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Tuesday, October 10, 2006 5:39 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] INV-URIBL Scoring?

Hi Guys,

Considering that INV-URIBL looks at just the links contained in known spam, is it safe to set the weight on this test so high that this single test would trigger a hold or delete weight? Right now I have it set to score fairly low, and it adds to the total score, but would not cause a hold without other tests adding to the weight.
RE: [Declude.JunkMail] Blocking these?
Dave

I don't know your company and also if you do spam filtering only for your own or if there are a lot of people behind your mailserver who should be saved from spam, fraud, phishing co.

I consider sniffer as one of the solid pillars in a fine-tuned and reliable declude weighting system. Sniffer is reliable, it does catch a high part of the spam volume and it's actually updated around 9 times each day. So you don't have to stay behind your config files each day or week.

Maybe 500$/year sounds much but it's also 1,37$ each day and so you should valuate if it's worth the money in your environment or not.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, October 05, 2006 10:00 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blocking these?

Hi John,

Thanks for the info on the monthly. I didn't know they offered that. They charge $500 a year for a renewal. I own my company so either way the $500 comes out of my pocket. I spent a lot of money in the last month, which is why I don't want to spend another $500 right now.

I'd like to see it made legal to hang anyone caught spamming. :) You know what I think is the worst spam? The political spam. Any politician who sends me spam asking me to vote for them is guaranteed that I will vote against them!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle
Sent: Thursday, October 05, 2006 1:38 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blocking these?

Dave

For goodness sake, call sniffer up, they offer a monthly subscription for I think less than 30 dollars. Put it on your credit card and get your company to reimburse you next month and send them a check for the 12 months and it's done. I'd hate to think what's getting through without some sort of added filter like sniffer.
John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Wednesday, October 04, 2006 8:42 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking these?

How are you guys blocking something like the spam below? There is no URL to block on. They keep bastardizing words in the body of the email to the point where you can't hardly block based on the content. What do you guys do with these?

-----Original Message-----
From: Louis Rubin [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 05, 2006 8:48 AM
To:
Subject: Chavez accused

THIS THURS DAY OCTOBER 5 2006 BIG NEWS RELEASED ON CR SVF!!! DON'T MISS THIS INVESTMENT MOMENT, PLACE 'CRSVF' ON THE RA`DAR!!!

T r a d e Ale rt: THURSDAY, October 05, 2006
'STOCK': CRSVF.OB
Current Pri ce : $0.18
Pr evClose : $0.19
Recommendation: ST RO NG B UY

WATCH THIS S TOCK GO HIGHER AND RI SE DON'T M I SS THIS IN VES TMENT MOMENT, PLACE CRSVF ON THE RA DAR!!!

About Capital Reserve Canada: CRC is an oil and gas ser vices comp any based in Edmonton, Alberta. Through its wholly owned subsidiary, KCP Innovative Services, Inc., CRC offers technologically tools for use in four areas of the industry. The first aids in testing development of newly found resources; another measure existing wells' productivity; and the third hastens well abandonment, ensuring compliance with regulatory emission guidelines. The fourth, through its pro prie tary hardware and software technologies, is used to determine the profitability of coal bed methane deposits, which may be developed and sold as natural gas. CRC has a second wholly owned subsidiary, Two Hills Environmental, to assist with problem waste from oil gas companies, and provide undergro und storage.

ADD THIS GE M TO YOUR PORTFOLIO AND WATCH IT TRADE ON THURSDAY, October 05, 2006 !! TR ADE SM ART AND W I N WITH CRSVF!!! Start to buy at 10:30 AM , October 05 2006 It will blow up
RE: [Declude.JunkMail] Test idea
If email failed HELOBOGUS or NOREVDNS (or other specified tests) END otherwise compare the last 3 characters of the HELO with the last 3 characters of the REVDNS and if not match add say 1/5 or so of HOLD weight.

Hmm John, I consider it a good idea. As I can remember I suggested it around 2 years ago. You know what happened in the meantime?

Ok, so yes you can go back to sleep like a bear for the coming next winter and be curious whether something new will happen in the meantime ;-)

Markus
RE: [Declude.JunkMail] Test idea
Scott,

I can't remember exactly my suggestion (as said it was around two years ago) but I've made a similar research as you in the logfiles in order to go sure that the HH-SS / SH-SH ratio would be good enough to consider it a valuable option for some points in the weighting system.

There are more values that can be compared: HELO REVDNS MAILFROM COUNTRY ...

There are many zombies out who send messages with randomly selected/generated values. If there is a message with HELO xy.domain.de REVDNS xy.domain.net MAILFROM [EMAIL PROTECTED] and COUNTRY shows Mexico as origin then it maybe should be possible to add something like 20 - 40% of your hold weight to the final weight of this message.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, September 04, 2006 5:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Test idea

I ran a query on this looking at my August email results (228889 emails):
Excluding HELOBOGUS
Excluding (timeout) and [No Reverse DNS] and (Private IP)
Looking at last 4 chars of helo last 4 chars of revdns

1487 ham:
including gov / us mismatches
a fair amount of .com / .org with DSL / CABLE static revdns
small amount of valid mismatches shaw.ca / shawcable.net mindspring.com/earthlink.net.
I've definitely seen this from some non US mailservers where a country code is in one and .net is in another.

19668 spam
lots of zombies, especially non-US
Fair amount of static spammers .net / .info mismatches for example

----- Original Message -----
From: John T (Lists) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Monday, September 04, 2006 1:29 AM
Subject: [Declude.JunkMail] Test idea

Idea! (Ouch)

If email failed HELOBOGUS or NOREVDNS (or other specified tests) END otherwise compare the last 3 characters of the HELO with the last 3 characters of the REVDNS and if not match add say 1/5 or so of HOLD weight.

Thoughts, comments, boos, yahs, Go back to sleep (Can I Please?)
John T
eServices For You
Seek, and ye shall find!
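The test proposed in this thread, sketched in Python as an added example (not Declude code and not from any poster). The function names, the record layout and the hold weight of 100 are assumptions for illustration; the sample records are constructed, reusing only the host pairs named in the messages above.

```python
# Added illustration of the HELO / REVDNS suffix test discussed in the thread.
# Names, record layout and hold weight are assumptions, not Declude settings.

# Tests that end the check early, as in the proposal.
SKIP_TESTS = {"HELOBOGUS", "NOREVDNS"}

def suffix_mismatch_weight(helo, revdns, failed_tests, hold_weight, n=3):
    """Return the weight to add: 1/5 of hold_weight when the last n
    characters of HELO and REVDNS differ, otherwise 0."""
    if SKIP_TESTS & set(failed_tests):
        return 0  # proposal: END if one of the specified tests already failed
    # Normalise case and a trailing root dot so equal names compare equal.
    h = helo.strip().rstrip(".").lower()
    r = revdns.strip().rstrip(".").lower()
    if not h or not r:
        return 0  # nothing to compare
    return 0 if h[-n:] == r[-n:] else hold_weight // 5

def evaluate(records, n, hold_weight=100):
    """Count how many ham and spam records the test would add weight to,
    the same kind of tally as the log query reported in the thread."""
    hits = {"ham": 0, "spam": 0}
    for helo, revdns, failed, label in records:
        if suffix_mismatch_weight(helo, revdns, failed, hold_weight, n) > 0:
            hits[label] += 1
    return hits

# Constructed sample records: (HELO, REVDNS, failed tests, label).
RECORDS = [
    ("mail.shaw.ca", "host.shawcable.net", set(), "ham"),       # valid mismatch
    ("mail.example.com", "mail.example.com", set(), "ham"),     # match
    ("MX1.Example.ORG", "mx1.example.org.", set(), "ham"),      # match after normalising
    ("xy.domain.de", "xy.domain.net", set(), "spam"),           # mismatch
    ("pc-17.example.info", "dsl-17.example.net", set(), "spam"),
    ("host.example.com", "adsl.example.net.mx", set(), "spam"),
    ("friend", "", {"NOREVDNS"}, "spam"),                       # skipped
    ("localhost", "host.example.org", {"HELOBOGUS"}, "spam"),   # skipped
]

if __name__ == "__main__":
    for n in (3, 4):
        print(n, evaluate(RECORDS, n))
```

The shaw.ca / shawcable.net record shows why the thread treats this as a partial weight rather than a blocking test: a legitimate sender is hit as well.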
RE: [Declude.JunkMail] F-Prot Licensing
This pricing is just another way of saying "Go Away". Suggestions?

Markus
RE: [Declude.JunkMail] F-Prot Licensing
Is "etc" a little one byte special ASCII-char who will disable any blocking mechanism in declude junkmail?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, July 15, 2006 12:26 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] F-Prot Licensing

You forgot your hardware, Windows Server license, DNS server to replace the crappy Windows one, backup software, prescanning and address validating E-mail Gateway, multiple plug-ins for Declude, many sleepless nights, etc., etc., etc.

Matt

Gary Steiner wrote:

Wow! It's like one of those MasterCard commercials. Here's an example server based on list prices:

SmarterMail Enterprise Edition (Unlimited Domains and Users) - $899
Declude Security Suite for Smartermail Enterprise (Unlimited Domains) - $1750 Annual Subscription
F-Prot Antivirus for Windows Mail Servers (1000-1999 Users) - $2519 Annual License fee

Frisk doesn't even mention a price for Unlimited Users. I guess it's like a Ferrari, if you have to ask how much it costs, you can't afford it.

----- Original Message -----
From: "Colbeck, Andrew" [EMAIL PROTECTED]
Sent: Friday, July 14, 2006 5:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot Licensing

I hadn't noticed that before. This webpage is pretty darn explicit, so yes, the pricing you quoted is correct!

From the bottom of the page that describes the corporate licences available: http://www.f-prot.com/products/corporate_users/win/

F-Prot Antivirus for Windows on Mail Servers

To use the F-Prot Antivirus scanner on a Windows Mail Server a F-Prot Antivirus for Windows on Mail Servers license is required. This license category differs from the general F-Prot Antivirus for Windows for corporate users license in that it covers use that the general license does not: F-Prot Antivirus for Windows on Mail Servers applies to mail servers, mail relays and mail gateways, i.e. computers that provide mail services to a network, either for incoming or for outgoing e-mail.

High-quality, efficient virus scanning is essential for any mail server. E-mail is the most common way for viruses and other malware to spread. The most effective way of stopping the spread of malware onto a network and beyond is at the server.

F-Prot Antivirus for Windows on Mail Servers includes a Command Line Scanner (fpcmd.exe) that can be used with third party mail server software such as Declude and MailEnable. Information on how to use the software with such programs can be found on www.declude.com (http://www.declude.com/) and www.mailenable.com (http://www.mailenable.com/).

If you are interested in purchasing F-Prot Antivirus for Windows on Mail Servers, please visit our order form (https://secure.f-prot.com/cgi-bin/buy) and take a look at our price lists (http://www.f-prot.com/products/prices/price_links.html).

NB: Administrators should read question 113 (http://www.f-prot.com/support/windows/fpwin_faq/113.html) and question 114 (http://www.f-prot.com/support/windows/fpwin_faq/114.html) in the FAQ section of our Windows support pages (http://www.f-prot.com/support/windows/) before installing F-Prot Antivirus for Windows Mail Servers.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: Friday, July 14, 2006 1:00 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] F-Prot Licensing

When did Frisk change the licensing for F-prot! They now have a mail server license for windows on number of users pricing?

F-Prot Antivirus for Windows Mail Servers

Number of Users    Annual license fee
1-24               US$ 269
25-49              US$ 359
50-99              US$ 449
100-199            US$ 719
200-299            US$ 989
300-399            US$ 1259
400-499            US$ 1529
500-749            US$ 1799
750-999            US$ 2069
1000-1999          US$ 2519
2000-2999          US$ 2969
3000-3999          US$ 3419
4000-4999          US$ 3869
5000-5999          US$ 4499

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
Changing the way industry works.
RE: [Declude.JunkMail] HOLD action and %DATE% variable
In the Virus-Manual they have listed beside %DATE% for use in the eml-files also %EURDATE% and %ISODATE%

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, June 17, 2006 2:56 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] HOLD action and %DATE% variable
Sensitivity: Confidential

Hi,

When you specify

HOLD F:\Hold\%DATE%

The date shows up as ddMMM

Is there a way to have this show up as mmdd as it is much easier to sort and keep track?

Thanks

Goran Jovanovic
Omega Network Solutions
AW: AW: AW: AW: [Declude.JunkMail] No action taken
e exactly the same two actions defined in both global.cfg and $default$.junkmail. They are there for several months now and this server is handling also several gatewayed domains. As I know gatewayed messages are handled as outgoing.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Monday, June 5, 2006 23:10
To: declude.junkmail@declude.com
Subject: RE: AW: [Declude.JunkMail] No action taken

I think that Matt's reply to Markus is right on track. I went back and looked at some headers from my sneaky stock scamspam and it appears that whatever is happening incorrectly is causing these messages to be treated as outgoing and I had a typo in my global.cfg that was preventing my HOLD and DELETE actions from taking place. I haven't seen any slip through since making that repair.

That doesn't answer Heimir's basic question about official response.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Heimir Eidskrem
Sent: Monday, 05 June 2006 2:53 PM
To: declude.junkmail@declude.com
Subject: Re: AW: [Declude.JunkMail] No action taken

It seems to be obvious that this is a Declude problem with so many reports. Why no response from Declude yet?

H.

Matt wrote:

Markus,

Your headers show that it was also a null sender for the messages that bypassed your weights. Also curiously, you are logging in your headers the inorout variable and it shows the message as being outgoing:

X-Note: Sent from - [No Reverse DNS] ([210.212.188.106]) outgoing.

It appears that Declude is treating all null senders as outgoing, which would then use actions contained in your Global.cfg instead of a JunkMail file, and I'm guessing that you don't have any actions defined in your Global.cfg? Maybe that is the source of the bug. I don't recall this ever happening with 2.x and before, so maybe it's a change of behavior in 3+.

Declude???
Matt

Markus Gufler wrote:

(reposting the same message without attachments)

Hi

After reading this thread and having seen 3 spam messages in my inbox which have final results-lines in the header with more than 200% of my hold weight I've made some research:

Exactly the same is happening here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 on. I have the same actions for in- and outgoing messages in my config files.

Normally a message in v3+ is (MID) logged with 6 lines. Each message with the final action "NO ACTIONS WERE TAKEN" has only 2 lines in the logfile

06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360.
06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN

With this final weight the defined action is HOLD.

I've noted also that these two lines are looking nearly like a whitelisted message:

06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [[EMAIL PROTECTED]] = WHITELISTED [LAST ACTION=WHITELISTED]
06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN

So it seems to me that something is whitelisting this type of message but I don't know what.

Following my logfiles around 400 spam each one with a final result between 200 and 400% of the defined hold weight has passed the filter instead of being HOLD.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Shacklett
Sent: Monday, June 5, 2006 13:37
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No action taken

This morning I'm seeing a flood of stock spam with scores that are more than double my delete weight getting through with "no action taken". I'm looking at one right now with a score of 67, and in my scheme we delete at 30.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Sunday, 04 June 2006 8:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No action taken

I was noticing the other day on some version of 4.x that bounce messages for a domain that should have been using the settings in my $De
AW: [Declude.JunkMail] No action taken
(reposting the same message without attachments)

Hi

After reading this thread and having seen 3 spam messages in my inbox which have final results-lines in the header with more than 200% of my hold weight I've made some research:

Exactly the same is happening here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 on. I have the same actions for in- and outgoing messages in my config files.

Normally a message in v3+ is (MID) logged with 6 lines. Each message with the final action NO ACTIONS WERE TAKEN has only 2 lines in the logfile

06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360.
06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN

With this final weight the defined action is HOLD.

I've noted also that these two lines are looking nearly like a whitelisted message:

06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [EMAIL PROTECTED] = WHITELISTED [LAST ACTION=WHITELISTED]
06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN

So it seems to me that something is whitelisting this type of message but I don't know what.

Following my logfiles around 400 spam each one with a final result between 200 and 400% of the defined hold weight has passed the filter instead of being HOLD.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Monday, June 5, 2006 13:37
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No action taken

This morning I'm seeing a flood of stock spam with scores that are more than double my delete weight getting through with no action taken. I'm looking at one right now with a score of 67, and in my scheme we delete at 30.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Sunday, 04 June 2006 8:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No action taken

I was noticing the other day on some version of 4.x that bounce messages for a domain that should have been using the settings in my $Default$.JunkMail failed to take those actions. Typically I do per-domain configs, but a few I just have using my $Default$.JunkMail. I noticed this as soon as I upgraded to 4.x, and I'm pretty sure it is a bug. I am not sure if it only affects bounce messages or all messages for those domains (note that all of my domains are gatewayed from the Declude box so they may be treated differently from locally hosted E-mail).

I believe that putting the actions in your Global.cfg would take action on this stuff. Global.cfg is meant for outgoing E-mail actions. While this was clearly incoming E-mail and not the way things used to work with 2.x and before, I'm pretty sure that this will take care of the issue.

When I get some time to look into this further I'll probably report the bug to Declude. I'm pretty sure that I have seen several other such posts that might have been caused by this change in behavior.

Matt

Heimir Eidskrem wrote:

Why would no action have been taken on this email? We hold on 100.

From Declude log:

06/04/2006 17:38:44.987 q60eb0182d92b.smd Triggered COUNTRIES CONTAINS filter COUNTRYFILTER on ES [weight-10].
06/04/2006 17:38:45.003 q60eb0182d92b.smd Filter: Set max weight to 60.
06/04/2006 17:38:45.112 q60eb0182d92b.smd Filter: Set max weight to 70.
06/04/2006 17:38:45.159 q60eb0182d92b.smd Filter REVDNSBLACKLIST: Skipping E-mail with a current weight of 245 (=80)
06/04/2006 17:38:45.159 q60eb0182d92b.smd Filter BADWORDFILTER: Skipping E-mail with a current weight of 245 (=30)
06/04/2006 17:38:45.159 q60eb0182d92b.smd SPAMCOP:70 FIVETENSRC:30 SORBS-DUL:35 COUNTRYFILTER:10 SNIFFERGETRICH:100 . Total weight = 245.
06/04/2006 17:38:45.159 q60eb0182d92b.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN

Received: from jose-mih7wjftkx [62.42.134.246] by xxx with ESMTP (SMTPD-8.22) id A0EC1404; Sun, 04 Jun 2006 17:38:36 -0500
Date: Sun, 4 Jun 2006 22:38:39 -0060
From: Rene Benjamin [EMAIL PROTECTED]
X-Mailer: The Bat! (3.69.9) Personal
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To:
Subject: Under The Radar Equity Alert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Declude-Sender: [62.42.134.246]
X-Declude-Spoolname: D60eb0182d92b.smd
X-Spam-Tests-Failed: SPAMCOP, FIVETENSRC, SORBS-DUL, NOLEGITCONTENT, IPNOTINMX, COUNTRYFILTER, SNIFFERGETRICH, WEIGHT75, WEIGHT100, CATCHALLMAILS [245]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
AW: AW: [Declude.JunkMail] No action taken
Sorry, I was offline.

I have the following actions configured in both global.cfg and $default$.junkmail:

WEIGHT80 SUBJECT [SPAM: %WEIGHT%]
WEIGHT150 HOLD

And yes Matt, you're right: there is definitely something wrong when this message is treated as outgoing, because comput.info is a local domain and not gatewayed.

Something in this type of message must confuse Declude v3+ in a way that it's handling the final actions completely wrong. All tests seem to be running fine and the result is correct. Only the final action is wrong.

Question: Is it only in a large part of Europe, or also in America, that this Monday is a holiday (Pfingsten)? Why am I working this Monday, and why do Declude software and Declude people seem not to be? AAARGH!!!

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, 5 June 2006 20:05
To: Declude.JunkMail@declude.com
Subject: Re: AW: [Declude.JunkMail] No action taken

Markus,

Your headers show that it was also a null sender for the messages that bypassed your weights. Also curiously, you are logging in your headers the inorout variable and it shows the message as being outgoing:

X-Note: Sent from - [No Reverse DNS] ([210.212.188.106]) outgoing.

It appears that Declude is treating all null senders as outgoing, which would then use actions contained in your Global.cfg instead of a JunkMail file, and I'm guessing that you don't have any actions defined in your Global.cfg? Maybe that is the source of the bug.

I don't recall this ever happening with 2.x and before, so maybe it's a change of behavior in 3+.

Declude???

Matt

Markus Gufler wrote:

(reposting the same message without attachments)

Hi

After reading this thread and having seen 3 spam messages in my inbox that have final result lines in the header with more than 200% of my hold weight, I've done some research:

Exactly the same is happening here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 on. I have the same actions for in- and outgoing messages in my config files.
Normaly a message in v3+ is (MID) logged with 6 lines. Each message with the final action "NO ACTIONS WERE TAKEN" has only 2 lines in the logfile 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360. 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN With this final weight the defined action is HOLD. I've noted also that this two lines are looking nearly like a whitelisted message: 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [[EMAIL PROTECTED]] = WHITELISTED [LAST ACTION="" 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN So it seems to me that something is whitelisting this type of message but I don't know what. Following my logfiles arround 400 spam each one with a final result between 200 and 400% of the defined hold weight has passed the filter instead of being HOLD. Markus -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Im Auftrag von John Shacklett Gesendet: Montag, 5. Juni 2006 13:37 An: Declude.JunkMail@declude.com Betreff: RE: [Declude.JunkMail] No action taken This morning I'm seeing a flood of stock spam with scores that are more than double my delete weight getting through with "no action taken". I'm looking at one right now with a score of 67, and in my scheme we delete at 30. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Sunday, 04 June 2006 8:21 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No action taken I was noticing the other day on some version of 4.x that bounce messages for a domain that should have been using the settings in my $Default$.JunkMail failed to take those actions. Typically I do per-domain configs, but a few I just have using my $Default$.JunkMail. I noticed this as soon as I upgraded to 4.x, and I'm pretty sure it is a bug. 
I am not sure if it only affects bounce messages or all messages for those domains (note that all of my domains are gatewayed from the Declude box so they may be treated differently from locally hosted E-mail. I believe that putting the actions in your Global.cfg would take action on this stuff. Global.cfg is meant for outgoing E-mail actions. While this was clearly incoming E-mail and not the way things used to work with 2.x and before, I'm pretty sure that this will take care of the issue. When I get some time to look into this further I'll probably report the bug to Declude. I'm pretty sure that I have seen several other such posts that might have been caused by this change in behavior. Matt Heimir Eidskrem wrote: Why would no action been taken on this email. We hold on 100. From Declude log: 06/04/2006 17:38:44.987 q60eb0182d92b.smd
AW: AW: [Declude.JunkMail] No action taken
I'm 100% sure that I have exactly the same two actions defined in both global.cfg and $default$.junkmail. They have been there for several months now and this server is also handling several gatewayed domains. As far as I know gatewayed messages are handled as outgoing.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
Sent: Monday, 5 June 2006 23:10
To: declude.junkmail@declude.com
Subject: RE: AW: [Declude.JunkMail] No action taken

I think that Matt's reply to Markus is right on track. I went back and looked at some headers from my sneaky stock scamspam and it appears that whatever is happening incorrectly is causing these messages to be treated as outgoing and I had a typo in my global.cfg that was preventing my HOLD and DELETE actions from taking place. I haven't seen any slip through since making that repair.

That doesn't answer Heimir's basic question about official response.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Monday, 05 June 2006 2:53 PM
To: declude.junkmail@declude.com
Subject: Re: AW: [Declude.JunkMail] No action taken

It seems to be obvious that this is a Declude problem with so many reports. Why no response from Declude yet?

H.

Matt wrote:

Markus,

Your headers show that it was also a null sender for the messages that bypassed your weights. Also curiously, you are logging in your headers the inorout variable and it shows the message as being outgoing:

X-Note: Sent from - [No Reverse DNS] ([210.212.188.106]) outgoing.

It appears that Declude is treating all null senders as outgoing, which would then use actions contained in your Global.cfg instead of a JunkMail file, and I'm guessing that you don't have any actions defined in your Global.cfg? Maybe that is the source of the bug.

I don't recall this ever happening with 2.x and before, so maybe it's a change of behavior in 3+.

Declude???
Matt Markus Gufler wrote: (reposting the same message without attachments) Hi After reading this thread and have seen 3 spam messages in my inbox who has final results-lines in the header with more then 200% of my hold weight I've made some research: Exactly the same is happening here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 on. I have the same actions for in- and outgoing messages in my config files. Normaly a message in v3+ is (MID) logged with 6 lines. Each message with the final action NO ACTIONS WERE TAKEN has only 2 lines in the logfile 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360. 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN With this final weight the defined action is HOLD. I've noted also that this two lines are looking nearly like a whitelisted message: 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [EMAIL PROTECTED] = WHITELISTED [LAST ACTION=WHITELISTED] 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN So it seems to me that something is whitelisting this type of message but I don't know what. Following my logfiles arround 400 spam each one with a final result between 200 and 400% of the defined hold weight has passed the filter instead of being HOLD. Markus -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von John Shacklett Gesendet: Montag, 5. Juni 2006 13:37 An: Declude.JunkMail@declude.com Betreff: RE: [Declude.JunkMail] No action taken This morning I'm seeing a flood of stock spam with scores that are more than double my delete weight getting through with no action taken. I'm looking at one right now with a score of 67, and in my scheme we delete at 30. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Sunday, 04 June 2006 8:21 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No action taken I was noticing the other day on some version of 4.x that bounce messages for a domain that should have been using the settings in my $Default$.JunkMail failed to take those actions. Typically I do per-domain configs, but a few I just have using my $Default$.JunkMail. I noticed this as soon as I upgraded to 4.x, and I'm pretty sure it is a bug. I am not sure if it only affects bounce messages or all messages for those domains (note that all of my domains are gatewayed from the Declude box so they may be treated differently from locally hosted E-mail. I believe that putting the actions in your Global.cfg would take
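The symptom reported in this thread (a total weight at or above the HOLD or DELETE threshold, a final action of NO ACTIONS WERE TAKEN, and no whitelist entry) can be searched for in a Declude log with a short script. This is an added example, not part of the original posts and not Declude tooling; the function name, the threshold argument and the log lines marked as constructed are assumptions, while the other sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Line layout as seen in the excerpts quoted in this thread:
#   MM/DD/YYYY HH:MM:SS.mmm <spool file>.smd <text>
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+\.smd) (.*)$", re.I)
WEIGHT_RE = re.compile(r"Total weight = (-?\d+)\.")
RCPT_ACTION_RE = re.compile(r"^Action\(s\) taken for .* = (.+?) \[LAST ACTION=")
FINAL_RE = re.compile(r"^Cumulative action\(s\) taken on this email = (.+)$")
NO_ACTION = "NO ACTIONS WERE TAKEN"

# First seven lines: quoted in the thread. Last six: constructed for this
# example (a correctly held message and a whitelisted high-weight message).
SAMPLE_LOG = """\
06/04/2006 17:38:44.987 q60eb0182d92b.smd Triggered COUNTRIES CONTAINS filter COUNTRYFILTER on ES [weight-10].
06/04/2006 17:38:45.159 q60eb0182d92b.smd SPAMCOP:70 FIVETENSRC:30 SORBS-DUL:35 COUNTRYFILTER:10 SNIFFERGETRICH:100 . Total weight = 245.
06/04/2006 17:38:45.159 q60eb0182d92b.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN
06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [EMAIL PROTECTED] = WHITELISTED [LAST ACTION=WHITELISTED]
06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN
06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360.
06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN
06/04/2006 20:01:02.100 qaaaa000000000001.smd SPAMCOP:70 SNIFFERGETRICH:100 . Total weight = 170.
06/04/2006 20:01:02.100 qaaaa000000000001.smd Action(s) taken for [user@example.test] = HOLD [LAST ACTION=HOLD]
06/04/2006 20:01:02.100 qaaaa000000000001.smd Cumulative action(s) taken on this email = HOLD
06/04/2006 20:02:10.500 qbbbb000000000002.smd SPAMCOP:70 FIVETENSRC:50 . Total weight = 120.
06/04/2006 20:02:10.500 qbbbb000000000002.smd Action(s) taken for [user@example.test] = WHITELISTED [LAST ACTION=WHITELISTED]
06/04/2006 20:02:10.500 qbbbb000000000002.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN
"""


def find_unactioned(log_text, action_weight):
    """Return (spool, weight, timestamp) for every message that reached
    action_weight but ended with NO ACTIONS WERE TAKEN without being
    whitelisted, heaviest first."""
    msgs = defaultdict(lambda: {"weight": None, "whitelisted": False,
                                "final": None, "when": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a per-message log line
        when, spool, text = m.groups()
        rec = msgs[spool.lower()]
        rec["when"] = when
        weight = WEIGHT_RE.search(text)
        if weight:
            rec["weight"] = int(weight.group(1))
        action = RCPT_ACTION_RE.match(text)
        if action and "WHITELISTED" in action.group(1).upper():
            rec["whitelisted"] = True
        final = FINAL_RE.match(text)
        if final:
            rec["final"] = final.group(1).strip()

    hits = [(spool, rec["weight"], rec["when"])
            for spool, rec in msgs.items()
            if rec["final"] == NO_ACTION
            and not rec["whitelisted"]
            and rec["weight"] is not None
            and rec["weight"] >= action_weight]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    # 100 is the hold weight Heimir mentions; use your own threshold.
    for spool, weight, when in find_unactioned(SAMPLE_LOG, 100):
        print(f"{when} {spool} weight={weight} passed with no action")
```

Messages reported by this scan are the ones to compare against the actions defined in Global.cfg, since the thread suggests they were treated as outgoing.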
AW: [Declude.JunkMail] No Tests Run
Glenn,

"no tests run" seems the wrong thread title to me. As far as I can see on my system all tests are running fine; only the final action for a certain type of message appearing in the last 26 hours is confusing Declude's hardcoded logic, and there is no way for us to solve this by changing something in the config files.

Question: Could it be that this type of message is causing IMail and not Declude to handle this message as outgoing and maybe also as an SMTP-authed message? This would explain why Declude's tests are having so many positive results but the message is whitelisted.

Do other admins affected by this problem have the same config? IMail + Declude SMTP-Auth. whitelisted. ?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn \ WCNet
Sent: Monday, 5 June 2006 21:21
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] No Tests Run

I've had a swarm of stock-quote spam in the last few days. Declude 1.81, Imail 7.15. Appears from the headers there are no Declude tests running at all on these msgs, but there are Declude headers added. Majority are null senders. Various IPs. Some have my addy referenced as an X-RCPT, some do not. Majority also have an SMTP-FWD header. Those that are to legitimate recipients on my host, none of them (that I've checked thus far) have a forwarding addy set. Some but not all are being sent using The Bat! client. My Declude logs run up to 800MB per day, difficult to search them for details.

Received: from SMTP32-FWD by wcnet.net (SMTP32) id A0E38; Mon, 5 Jun 2006 00:48:32 -0500
Received: from SMTP32-FWD by wcnet.net (SMTP32) id A0F48; Mon, 5 Jun 2006 00:48:32 -0500
Received: from ZIA [203.81.233.129] by wcnet.net with ESMTP (SMTPD32-7.15) id A5A187B7034E; Mon, 05 Jun 2006 00:48:17 -0500
Date: Mon, 5 Jun 2006 05:48:33 -0300
From: "Blair Montano" [EMAIL PROTECTED]
X-Mailer: The Bat! (3.78.20) Personal
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: You Too Can Profit From Microcaps
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Declude-Sender: [203.81.233.129]
X-Declude-Spoolname: Dc5a187b7034ef2f2.SMD
Status: R
X-UIDL: 323778081
AW: [Declude.JunkMail] Windows Gui Ping
My favorite is Superscan.

http://www.foundstone.com/ Resources Free Tools Scanning Tools

The newest version is v4. I still prefer v3 (scroll down in the list): it's free, 300kB, no install needed and working great. ping, only, port scanning, ...

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Thursday, 1 June 2006 23:22
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Windows Gui Ping

A little off topic but I remember seeing a post in the past on a great ping program on the list but forgot the name. It'll ping a range of ips and report with it either live or not. Any feedback greatly appreciated.
AW: [Declude.JunkMail] What happened to the logging since 2.x????, it's HUGE
It's offering some new features and last but not least it's noticeably faster than v2.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Monday, 22 May 2006 14:52
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] What happened to the logging since 2.x, it's HUGE

Hi Matt,

Matt wrote:

I'm trying an upgrade from the 2.x release for the first time,

Why on earth would you want to do that? Was 2x too bug free and you need some excitement?

-Nick
[Declude.JunkMail] OT Whois Protector
Does anyone know WhoisProtector?

Making a whois-query for euro-autodeals.com the whole response is

~~
Registrant:
WhoisProtector Inc.

Domain Name:euro-autodeals.com

Domain servers in listed order:
a.dns.hostway.net
b.dns.hostway.net
~~

Markus
RE: [Declude.JunkMail] OT: Live Web Log Analyzer
What is everyone else out there using?

Andy,

I've had similar problems with Sawmill v6. v7 seems to be a complete rewrite and much more reliable and faster than the previous version.

With a little bit of scripting I was also able to add new profiles programmatically from previously created templates. So we can activate a new report by a simple click. Login and local referrer domains are configured automatically.

Markus
RE: [Declude.JunkMail] adding weight based on x-country-chain
Personally I wouldn't block or assign weights for certain countries. (Keep in mind that COUNTRY and COUNTRIES are not the same.)

But I've seen excellent results by assigning a relatively low weight for all IP-blacklists and adding additional weight only if the message is not originating from "trustworthy" countries.

COUNTRY END STARTSWITH it
COUNTRY END STARTSWITH ...

TESTSFAILED 20 CONTAINS CBL
TESTSFAILED 10 CONTAINS DSBL
TESTSFAILED 25 CONTAINS ORDB
TESTSFAILED 30 CONTAINS SPAMCOP
TESTSFAILED 30 CONTAINS ...

Markus

- Original Message -
From: Susan Duncan
To: Declude.JunkMail@declude.com
Sent: Wednesday, February 15, 2006 8:48 AM
Subject: [Declude.JunkMail] adding weight based on x-country-chain

Is there a way to add a weight based on the country? I do not want to block on country, but the chances of mail coming from somewhere other than Canada or the US is fairly remote, so a weight on country + anything would mean it's got a high chance of being spam. I couldn't find anything in the docs on it.

Susan Duncan
Web/Communications Officer / Agent des Communications/web
Union of Taxation Employees / Syndicat des employées de l'Impôt
Tel: 613-235-6704 ext 240
Fax: 613-234-7290
e-mail: [EMAIL PROTECTED]
http://www.ute-sei.org/
RE: [Declude.JunkMail] ANN: SMTP Gateway
Sandy

I thought the same and I'm sure many here too. But I preferred ignoring this spam message without commenting, with the hope of preventing an unnecessary load on a list whose job is to provide support for Declude products and nothing else.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
Sent: Thursday, January 26, 2006 12:35 AM
To: Brian
Subject: Re: [Declude.JunkMail] ANN: SMTP Gateway

I can't believe what is apparently permissible on this list.

Has no one realized that this product is a commercial competitor to IMail or SmarterMail, with no relevance to Declude? Don't try that "mail is stopped before Declude has to deal with it" attempt at association. It is what it is. A separate, commercial anti-spam gateway with no integral link to the now-struggling Declude.

At least Len Conrad's free cookbook for IMGate has the exact same features as the one he charges $500 to install. That's always been the redeeming quality of his plugging model. Guess the game has changed.

For everyone who's silently letting this go: how'd you feel if Vamsoft started advertising here? Do you think there aren't other people on the list who've kept quiet about similar products and services?

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

--- [This E-mail was scanned for viruses by Declude EVA www.declude.com]
RE: [Declude.JunkMail] OT - Server Watching.
What software / services do you guys use to watch your servers for up/down status?

HostMonitor
http://www.ks-soft.net/hostmon.eng/index.htm
cheap and reliable

Markus
RE: [Declude.JunkMail] Sniffer in Persistent Mode using Windows Resource Kit Tools
So far no problem, but how do we tell Declude or DecludeProc that it should connect to the service instead of executing the exe?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Wednesday, January 18, 2006 1:15 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sniffer in Persistent Mode using Windows Resource Kit Tools

Here is another method to install sniffer in persistent mode. I just want to share it with you and others out there. I hope it is useful.

I am not sure if there is information about how to install persistent mode using the windows resource kit tools in this list. So I decided to post it just in case. I have tested for a week and it works fine for me under Windows 2003.

I switched to it, since RunSvcExe started to show some errors in my event viewer.

==Sniffer in Persistent Mode Using Windows Resource Kit Tools==

1. Create a directory in C: called for example reskit

   c:\reskit

2. Place the following windows NT/2000/2003 windows resource kit files (they are free). Download the kit from microsoft.com

   instsrv.exe
   srvany.exe

3. Run the following command line

   c:\reskit\instsrv.exe "Declude Sniffer" c:\reskit\Srvany.exe

   that will set a service under the name Declude Sniffer

4. Open your registry and look for the key

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Declude Sniffer

5. Then add a key and name it Parameters

6. Next add a value and type this information

   Value Name: Application
   Data Type: REG_SZ (String)
   String: [full path of your sniffer installation]\snfrv2r3.exe xnk05x5vmipeaof7 persistent

   Note for licensed users: replace snfrv2re.exe with your licenced sniffer application name and xnk05x5vmipeaof7 with the licenced code.

7. In your Services Manager locate the service named Declude Sniffer and start it.

8. Set the Startup Type to Automatic.

You are set to go.

TO REMOVE THE SERVICE

If you want to remove the service just type the following command line

   c:\reskit\instsrv.exe "Declude Sniffer" REMOVE

-Luis Arango

[Email scanned for viruses]
[Declude.JunkMail] Spam message size
From last week on I can see spam messages containing one single image. The body is something like

img src=cid:5fb45cc53f5274d38075894147920f00

The attached message is an image showing a slightly rotated text message.

Interesting: It has a total message size of around 68 kbytes and so it's maybe above certain thresholds we've configured in different filters in order to assign negative weights for larger messages.

Markus
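The observation above, that a single-image spam of about 68 kbytes can exceed the size at which a filter hands out negative weight for larger messages, suggests checking what a message consists of before granting that credit. The following is an added example, not from the original post and not Declude functionality; the function names, the 20-character text limit, the credit values and the constructed sample messages are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _BodyScan(HTMLParser):
    """Collect visible text and cid: image references from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.cids = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if src.lower().startswith("cid:"):
                self.cids.append(src[4:])

    def handle_data(self, data):
        self.text.append(data)


def image_only_profile(raw_bytes, max_text_chars=20):
    """Summarise a message: size on the wire, amount of visible text, and
    whether it is a single inline image with (almost) no text around it."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    text_chars = 0
    referenced_cids = []
    image_cids = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            cid = str(part.get("Content-ID") or "").strip().strip("<>")
            image_cids.append(cid)
        elif ctype == "text/html":
            scan = _BodyScan()
            scan.feed(part.get_content())
            scan.close()  # flush any buffered trailing text
            referenced_cids.extend(scan.cids)
            text_chars += len("".join(scan.text).strip())
        elif ctype == "text/plain":
            text_chars += len(part.get_content().strip())
    inline = [cid for cid in image_cids if cid and cid in referenced_cids]
    return {
        "total_bytes": len(raw_bytes),
        "text_chars": text_chars,
        "inline_images": len(inline),
        "image_only": (len(image_cids) == 1 and len(inline) == 1
                       and text_chars <= max_text_chars),
    }


def large_message_credit(profile, min_bytes, credit):
    """Weight adjustment for large messages (credit is negative).
    Withheld when the size comes from a lone inline image."""
    if profile["total_bytes"] < min_bytes or profile["image_only"]:
        return 0
    return credit


def build_sample(html, image_len):
    """Constructed test message: HTML body plus one inline image of
    image_len zero bytes, referenced by the cid shown in the post."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html")
    msg.add_related(bytes(image_len), maintype="image", subtype="gif",
                    cid="<5fb45cc53f5274d38075894147920f00>")
    return msg.as_bytes()


if __name__ == "__main__":
    cid_tag = '<img src="cid:5fb45cc53f5274d38075894147920f00">'
    # 50000 image bytes grow to roughly 68 kbytes once base64-encoded.
    spam = image_only_profile(build_sample(cid_tag, 50000))
    legit = image_only_profile(
        build_sample("<p>" + "Quarterly report text.\n" * 3000 + "</p>" + cid_tag, 1000))
    for name, prof in (("image-only", spam), ("text with logo", legit)):
        print(name, prof, "credit:", large_message_credit(prof, 50000, -10))
```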
RE: [Declude.JunkMail] Combo Filter
Hi Goran,

I write this because maybe Pete McNeil can clarify it easily. Does SNIFFER have something inside that can identify CMDSPACE? Only if it's not so would it be a good combo filter.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 14, 2006 3:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:47 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

That sounds about right from where I sit.

You might also think about doing a combo with DUL lists and CMDSPACE, (timeout) with CMDSPACE, and [no reverse DNS] with CMDSPACE. All three of these things are highly associated with zombies, and they are also isolated in terms of the conditions that generate the hits.

Matt

Goran Jovanovic wrote:

Ok I tag at 10 and delete at 30

Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
[Declude.JunkMail] Declude v3 CPU usage and processing speed
We're running W2k3 Server on a Dell PE1750 with 3GHz Dual-Xeon CPU and SCSI-Raid system here. Sometimes the proc folder is filling up with thousands of messages and declude is processing it. But it does process them way too slowly. While all 4 CPU-Usage graphs in the task manager have an average value of around 50%, messages are processed but only around 50 per minute.

I've tried to play around with
THREADS in declude.cfg
Delivery Threads and Listen pipes in Imail Queue Manager
Restarted services, and the entire server
Moved temporarily out most of the queue files in proc folder

None of this changed anything. Why does it seem that Declude v3 is not working as fast as possible when there are so many messages waiting for delivery?

Markus
RE: [Declude.JunkMail] Spam leak?
Ummm... Did anybody else get a piece of spam this morning with subject SPAMSPCE: that seems to have been relayed through Declude.com?

Yes.

Markus
RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed
I have worked with customers with similar Dual-Xeon CPU setup and have seen processing of 1000+ emails per minute.

We have two of these machines here. They have exactly the same config, from the screw that holds the server in the rack up to each dot in the junkmail config file (except the license codes ;-) The first server seems to be processing messages faster than the second. On the second server, the more I play with values the lower CPU usage and processing goes. After each reboot of decludeproc it's going down a little bit. A reboot didn't solve the problem either. When I block incoming SMTP traffic on the second server it will process around 50 messages per minute while showing an average CPU usage way below 50% (currently 20%).

1. What is your THREADS in the Declude.cfg ? Everything from 5 up to 500
2. Are you running many large filters ? I've tried enabling and disabling many filters without any noticeable change. But large filters should create a large CPU usage.
3. How many virus scanners are you running ? Usually two, but I've also disabled the second for testing without any result
4. Is hyperthreading turned ON or OFF ? Yes, task manager is showing 4 CPUs
5. Are you using any other Directives in your declude.cfg ? Besides THREADS I currently have in use
WAITFORMAIL 5000
WINSOCKCLEANUP ON
I've tried changing WAITFORMAIL up to 15000 ms as suggested by another v3 Admin and I've also tried adding
WAITFORTHREADS 1500
WAITBETWEENTHREADS 1
with values from 150 .. 1500 and 1 .. 1000 without any noticeable change in the task manager CPU usage.

The number of queue files in the proc folder is going up and down (something between 1000 and 12000 files). The server is working and delivering messages, but only with 50% of its power and speed.

Netstat is showing around 100 ESTABLISHED connections and around 50 in TIME_WAIT. The process list in the task manager is showing around 50 entries.

Markus
RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed
1. Set THREADS 200
Ok, set to 200
2. Which virus scanner are you running ? and do you have F-Prot and optionally McAfee PRESCAN ON in your virus.cfg
Yes, it was already set to ON
3. Try turning hyperthreading off.
Hmm, the server is around 40 km away. As far as I know HAT is enabled/disabled in the BIOS.
4. Set WAITFORMAIL 500
Ok, set to 400. From the manual I understand that this has an effect only for empty proc folders.
5. Have you had DNS issues with decludeproc running ? Disable WINSOCKCLEANUP ON
Hm, what do you mean with DNS issues with decludeproc? I'm not aware of any issue. Disabled WINSOCKCLEANUP.
6. Disable WAITFORTHREADS and WAITBETWEENTHREADS
As it was per default

Nothing changed

Markus
RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed
I would try the DNSOVERRIDE x.x.x.x switch in your declude.cfg file. There is a post in the archive from Declude - Bill I believe that explains more.

Can't find any message from Bill. Added DNSOVERRIDE without any result.

Markus
RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed
1. How many messages currently in your \proc ?
SRV1 is gone below 1000. SRV2 is still somewhere between 4000 and 6000 messages (going up and down slowly)
2. On average how many threads has decludeproc and what is the highest thread count over a 5 min period check this under your processors, also set the update speed under the view to high
Avg: 16 min: 13 max: 17
Why this? My current THREADS value is set to 200. Where should I place declude.cfg ?

But after Darrell's suggestion I noticed another difference between both servers. SRV1 and SRV2 have configured two different DNS servers for lookups (even without DNSOVERRIDE). After disabling all DNS-based tests CPU usage seems to go up to an average of 90%, but only for certain periods; then it's going back down to an avg of 50%.

Markus

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, January 13, 2006 10:56 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed

I would try the DNSOVERRIDE x.x.x.x switch in your declude.cfg file. There is a post in the archive from Declude - Bill I believe that explains more.

Can't find any message from Bill. Added DNSOVERRIDE without any result.

Markus
RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed
But after Darrell's suggestion I noticed another difference between both servers. SRV1 and SRV2 have configured two different DNS servers for lookups (even without DNSOVERRIDE). After disabling all DNS-based tests CPU usage seems to go up to an average of 90%, but only for certain periods; then it's going back down to an avg of 50%.

Sorry, this was wrong. Disabling DNS-based tests changed nothing. CPU was used by Xwall running on the same server. Xwall is accepting messages on both servers on port 25, does external recipient verification, and from today on (after I've noticed the problems in subject!) it also blocks during SMTP envelope messages coming from hosts listed in XBL-SBL. Without this enabled the proc folder would already be filled up with more than 30k messages.

Both servers usually process 100k messages each day and they have done this with declude v1.81 until 2005-12-31 and afterwards with declude v.3. Only today it seems they wouldn't work anymore with full speed... :-/

Markus
RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed
Declude.cfg should be in your \Declude folder, is that where it is located ?

Hmm, strange. It was there and also in the c:\program files\declude folder where it was after the initial installation. Now I've deleted and recreated the declude.cfg file in the declude folder and restarted the service. CPU is now constantly on 95%.

Can't understand why it didn't work before. I've changed this file and restarted decludeproc at least 25 times today. Now I've set back everything to the values as it was yesterday evening and it's still working as it should and as it has done until this morning.

At the moment it's processing around 200 messages/minute and so the number of messages in the proc folder is going down.

Markus
RE: [Declude.JunkMail] Sniffer weighting
SNIFFER-TRAVEL external 047 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 85 0
SNIFFER-INSUR external 048 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 85 0
SNIFFER-AV external 049 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 85 0
SNIFFER-MEDIA external 050 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 85 0
SNIFFER-SWARE external 051 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 80 0
SNIFFER-SNAKE external 052 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 99 0
SNIFFER-SCAMS external 053 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 60 0
SNIFFER-PORN external 054 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 80 0
SNIFFER-MALWARE external 055 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 80 0
SNIFFER-INK external 056 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 85 0
SNIFFER-RICH external 057 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 80 0
SNIFFER-CREDIT external 058 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 85 0
SNIFFER-CASINO external 059 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 85 0
SNIFFER-GENERAL external 060 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 20 0
SNIFFER-EXP-A external 061 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 5 0
SNIFFER-OBFUSC external 062 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 20 0
SNIFFER-EXP-IP external 063 "C:\IMail\declude\sniffer\yourlicensecode.exe yourverificationcode" 5 0

we mark subject line at 80 and hold at 150

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, January 13, 2006 8:03 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer weighting

SNIFFER-TRAVEL external 047 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 15 0
SNIFFER-INSURANCE external 048 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 15 0
SNIFFER-AV-PUSH external 049 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 15 0
SNIFFER-WAREZ external 050 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 25 0
SNIFFER-SPAMWARE external 051 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 35 0
SNIFFER-SNAKEOIL external 052 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 35 0
SNIFFER-SCAMS external 053 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 35 0
SNIFFER-PORN external 054 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 35 0
SNIFFER-MALWARE external 055 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 20 0
SNIFFER-INKPRINTING external 056 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 15 0
SNIFFER-SCHEMES external 057 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 25 0
SNIFFER-CREDIT external 058 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 25 0
SNIFFER-GAMBLING external 059 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 25 0
SNIFFER-EXP-IP external 063 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 15 0
SNIFFER-OBFUSCATION external 062 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 25 0
SNIFFER-EXP-ABST external 061 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 15 0
SNIFFER-GENERAL external 060 "C:\Imail\Sniffer\yourlicensecode.exe yourverificationcode" 20 0

I hold at 25 and delete at 35 except for some clients which get attached at 35 and deleted at 50.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, January 13, 2006 10:23 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sniffer weighting

Hi,

Does anyone have a good list of all the SNIFFER categories and different weights for them that they would like to share?

Thanks

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Declude v3 CPU usage and processing speed
My conclusion for this day:

In the middle of December I decided to switch to declude v3. After several tests we discovered that a simple comment after the license code like
CODE abcdefg #mail.domain.com
wouldn't work anymore with v3. This would result in an "invalid license code" message in the logfile. But this will happen only in declude.junkmail. The virus config file does still allow a comment after the license code. So it was a little bit difficult to discover. So finally at the end of December I switched from v1.8x to v3 and have seen a noticeable reduction of CPU usage.

My problem today: As the installation process has placed the declude.cfg and other default cfg files in c:\program files\declude I was never sure what's the right declude.cfg file. Now after this day I can't say for sure what it was, but the file I created manually in the imail/declude folder two weeks ago must have had something wrong, because it obviously hadn't affected in any way how decludeproc has worked. Now after I've created a new declude.cfg, changes in the file have noticeable effects on how the service is working after restarting it.

CPU usage: I've never seen a constant CPU usage like the one in David's screen shot. With the default value of threads and the load on my server, the cause of abnormally low CPU usage on my server was simply that the thread limit in combination with the time necessary for scanning messages (primarily DNS lookups) prevented processing of all waiting queue files even if there were enough CPU resources. This was also the reason I had seen an increased CPU usage after disabling all DNS-based tests. Each thread finished faster instead of waiting.

A value of 200 for THREADS was too high. Besides 100% CPU usage (finally! :-) RAM usage has increased from around 0,5 to over 1,3 Gigs and even file access was significantly slower. So I reduced THREADS back to 75 and now it's processing messages very fast even if I enable all resource intensive tests.

Hopefully my "denglish" above is understandable. Normally I should stay in bed today as I'm more ill than healthy. The mail queues are empty so: good night!

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 13, 2006 8:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude v3 CPU usage and processing speed

Great news. Now Declude can look for a bug in how it handles certain license codes and maybe fix this for others. Maybe Markus could try the same thing.

Matt

David Sullivan wrote:

Here's the second result. This is very strange. We took the OHN and license ID's from another box, yet to be put in production, that also showed 25% utilization with NO mail flow. Look at the graph with that box's credentials on this box. Declude IS running and processing ALL external tests. Based on this graph, this would now be our most efficient box.
RE: [Declude.JunkMail] Sandy's 5xx event sink
I've tried it out and it seems to be running fine. But for our situation I need something that is able to verify through an external application and on the recipient's pop3-server in realtime if the mailbox is valid. So we've tested Xwall and it seems to be running fine with more than 100k messages/day. At the same time I've switched to Declude v3 and I can see it has significantly reduced CPU usage, even if now with Xwall each message accepted by Xwall is processed a second time by Imail/Declude.

The problem is that MDLP at the moment is not able to parse the new Declude v3 log format and so my hourly reports do not work since the reconfiguration.

With Xwall it would also be possible to block all messages coming from a host IP without PTR record. Anyone beside AOL Co. has already enabled such a test? Looking at the results of MDLP from last month I can see that 77% of all incoming messages have valid REVDNS records. Of the other 23%, 20% seems to be clearly spam and most of the other 3% are in a grey zone where it's hard to say if it's legit or not. I fear if I enable envelope blocking for sending IPs without REVDNS record this will block some legit messages sent from non-mailservers (web-forms, admin. status messages, ...)

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, January 11, 2006 11:39 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sandy's 5xx event sink

For those using Sandy's 5xx event sink including Sandy how is it working out for you? Are any of you using it with 10K+ email addresses? How is the performance of it with a scan of the list for each mail? How do you update the file once you have it in place - i.e. just ftp a new copy over the existing. Has this caused any issues with mail rejection when its being updated (for example what if the event sink can't access the file while it was being updated). Just your general thoughts?

Right now I am using a homebrew extract the email addresses out of AD through a Windows Service that FTP's it up to a central point where another Windows Service goes and grabs it and imports it into imail as aliases. This works and is fine - but I hate the whole routing it out to a subdomain thing. It works, but feels clunky. Thoughts?

Darrell

---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.JunkMail] Sandy's 5xx event sink
Yes, that's my opinion too. But as zombie networks are still growing and so their power is growing too, I'm searching for something that can block effectively during SMTP envelope.

Yesterday I had 20k spam messages (all with the same message + random content) coming from more than 1000 different IPs. The peak was more than 6000 messages within 5 minutes. By accepting anything and analyzing it afterward, as Declude can do, it would be possible to block all spam messages, but at the same time I have an overfilled queue and a noticeable and in some cases unacceptable delivery delay.

My idea is to have something that is able to check for missing REVDNS records and/or HELOISIP and, if there are more than x of them within let's say 5 minutes, enable envelope blocking for missing REVDNS and/or HELOISIP. This should avoid false positives, and during bot-network attacks it should allow a very effective and resource friendly protection against thousands of messages.

The same technique should also work with IP blacklists, and by sending a service temporary unavailable instead of blocking the message theoretically it would avoid nearly all false positives, because legit MTAs even with missing REVDNS or HELOISIP should retry it after some minutes.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Thursday, January 12, 2006 2:15 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Sandy's 5xx event sink

Hi, Markus-

We don't block on a missing PTR record, but some people do. There are people who block if the PTR record doesn't match the HELO or EHLO string, and some who block if the HELO/EHLO, PTR, and A records don't match perfectly.

IMO, anybody who blocks based on a failing a single test is not doing their clients any favors. There are exceptions to that, of course - for known spammers, etc. - but for random incoming mail, there's some legit stuff coming in to us that lacks a PTR record. For us, the PTR record check is just one of the tests we run. It is weighted heavily, but it is not decisive by itself.

-Dave Doherty
Skywaves, Inc.

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Thursday, January 12, 2006 3:38 AM
Subject: RE: [Declude.JunkMail] Sandy's 5xx event sink

... With Xwall it would also be possible to block all messages coming from a host IP without PTR record. Anyone beside AOL Co. has already enabled such a test? Looking at the results of MDLP from last month I can see that 77% of all incoming messages have valid REVDNS records. Of the other 23%, 20% seems to be clearly spam and most of the other 3% are in a grey zone where it's hard to say if it's legit or not. I fear if I enable envelope blocking for sending IPs without REVDNS record this will block some legit messages sent from non-mailservers (web-forms, admin. status messages, ...)

Markus
RE: [Declude.JunkMail] Sandy's 5xx event sink
ok. As far as I know AOL is blocking all messages coming from IPs without REVDNS. How are Comcast and AOL handling this?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 3:23 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Sandy's 5xx event sink

Markus,

Just last week Comcast lit up a new mail server that had no reverse DNS entry. This type of thing happens all the time. Plus there might be an issue with timeouts if your software can't differentiate between that and a true absence of a reverse DNS value. Either way, it will definitely create issues.

Matt

Markus Gufler wrote:

Yes, that's my opinion too. But as zombie networks are still growing and so their power is growing too, I'm searching for something that can block effectively during SMTP envelope.

Yesterday I had 20k spam messages (all with the same message + random content) coming from more than 1000 different IPs. The peak was more than 6000 messages within 5 minutes. By accepting anything and analyzing it afterward, as Declude can do, it would be possible to block all spam messages, but at the same time I have an overfilled queue and a noticeable and in some cases unacceptable delivery delay.

My idea is to have something that is able to check for missing REVDNS records and/or HELOISIP and, if there are more than x of them within let's say 5 minutes, enable envelope blocking for missing REVDNS and/or HELOISIP. This should avoid false positives, and during bot-network attacks it should allow a very effective and resource friendly protection against thousands of messages.

The same technique should also work with IP blacklists, and by sending a "service temporary unavailable" instead of blocking the message theoretically it would avoid nearly all false positives, because legit MTAs even with missing REVDNS or HELOISIP should retry it after some minutes.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Doherty
Sent: Thursday, January 12, 2006 2:15 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Sandy's 5xx event sink

Hi, Markus-

We don't block on a missing PTR record, but some people do. There are people who block if the PTR record doesn't match the HELO or EHLO string, and some who block if the HELO/EHLO, PTR, and A records don't match perfectly.

IMO, anybody who blocks based on a failing a single test is not doing their clients any favors. There are exceptions to that, of course - for known spammers, etc. - but for random incoming mail, there's some legit stuff coming in to us that lacks a PTR record. For us, the PTR record check is just one of the tests we run. It is weighted heavily, but it is not decisive by itself.

-Dave Doherty
Skywaves, Inc.

----- Original Message -----
From: "Markus Gufler" [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Thursday, January 12, 2006 3:38 AM
Subject: RE: [Declude.JunkMail] Sandy's 5xx event sink

... With Xwall it would also be possible to block all messages coming from a host IP without PTR record. Anyone beside AOL Co. has already enabled such a test? Looking at the results of MDLP from last month I can see that 77% of all incoming messages have valid REVDNS records. Of the other 23%, 20% seems to be clearly spam and most of the other 3% are in a grey zone where it's hard to say if it's legit or not. I fear if I enable envelope blocking for sending IPs without REVDNS record this will block some legit messages sent from non-mailservers (web-forms, admin. status messages, ...)

Markus
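Markus's proposal in this thread (count connections with missing REVDNS or HELOISIP over a 5-minute window and only then answer them with a temporary failure), together with Matt's caveat that a DNS timeout must not be treated as a missing PTR, sketched as an added Python example that is not part of the original messages or of Declude/Xwall. All names, the threshold of 3 and the 451 reply text are assumptions for illustration; the sample connections are constructed.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass

PTR_OK, PTR_MISSING, PTR_TIMEOUT = "ok", "missing", "timeout"


def helo_is_ip(helo: str) -> bool:
    """HELOISIP check: the HELO/EHLO argument is a bare IP or an [address literal]."""
    candidate = helo.strip().strip("[]")
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


@dataclass
class Connection:
    ts: float   # arrival time in seconds; events are assumed to be in time order
    ip: str
    ptr: str    # PTR_OK, PTR_MISSING (authoritative "no record") or PTR_TIMEOUT
    helo: str


class AdaptiveEnvelopePolicy:
    """Tempfail suspicious senders only while a burst of them is in progress."""

    def __init__(self, window_s: int = 300, threshold: int = 3):
        self.window_s = window_s      # "let's say 5 minutes"
        self.threshold = threshold    # the "x" from the thread (assumed value)
        self._hits = deque()          # timestamps of suspicious connections

    @staticmethod
    def is_suspicious(conn: Connection) -> bool:
        # A resolver timeout means "unknown", not "no reverse DNS", so it is
        # neither counted nor penalised on PTR grounds.
        return conn.ptr == PTR_MISSING or helo_is_ip(conn.helo)

    def blocking_active(self, now: float) -> bool:
        # Drop hits that have aged out of the sliding window, then compare.
        while self._hits and self._hits[0] <= now - self.window_s:
            self._hits.popleft()
        return len(self._hits) > self.threshold   # "more than x"

    def decide(self, conn: Connection) -> str:
        suspicious = self.is_suspicious(conn)
        if suspicious:
            # Tempfailed attempts are counted too, so a sustained burst keeps
            # the policy switched on until it drains.
            self._hits.append(conn.ts)
        if suspicious and self.blocking_active(conn.ts):
            # 4xx instead of 5xx: a legitimate MTA queues and retries later.
            return "451 4.7.1 Service temporarily unavailable, try again later"
        return "250 OK"   # accept; content filtering still scores the message


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_CONNECTIONS = [
    Connection(0,   "192.0.2.10",   PTR_OK,      "mail.example.org"),
    Connection(10,  "198.51.100.1", PTR_MISSING, "foo"),
    Connection(20,  "198.51.100.2", PTR_OK,      "198.51.100.2"),
    Connection(30,  "198.51.100.3", PTR_MISSING, "[198.51.100.3]"),
    Connection(40,  "203.0.113.5",  PTR_TIMEOUT, "mx.example.net"),
    Connection(50,  "198.51.100.4", PTR_MISSING, "dsl-host"),
    Connection(60,  "192.0.2.10",   PTR_OK,      "mail.example.org"),
    Connection(70,  "198.51.100.5", PTR_MISSING, "pc-1234"),
    Connection(400, "198.51.100.6", PTR_MISSING, "pc-5678"),
]


def replay(events, window_s: int = 300, threshold: int = 3):
    """Run events through a fresh policy and return the SMTP reply codes."""
    policy = AdaptiveEnvelopePolicy(window_s, threshold)
    return [policy.decide(conn)[:3] for conn in events]


if __name__ == "__main__":
    for conn, code in zip(SAMPLE_CONNECTIONS, replay(SAMPLE_CONNECTIONS)):
        print(f"t={conn.ts:>4} {conn.ip:<13} ptr={conn.ptr:<8} helo={conn.helo:<18} -> {code}")
```

In the sample, the fourth and fifth suspicious connections inside the window are deferred, the host with a PTR timeout and the well-configured host are always accepted, and a lone suspicious sender after the burst has aged out is accepted again.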
RE: [Declude.JunkMail] Combo Filter
Matt,

for this case I recommend using

TESTSFAILED END CONTAINS SNIFFER-TRAVEL
TESTSFAILED END CONTAINS SNIFFER-INSUR
TESTSFAILED END CONTAINS SNIFFER-AV
TESTSFAILED END CONTAINS SNIFFER-MEDIA
TESTSFAILED END CONTAINS SNIFFER-SWARE
TESTSFAILED END CONTAINS SNIFFER-SNAKE
TESTSFAILED END CONTAINS SNIFFER-SCAMS
TESTSFAILED END CONTAINS SNIFFER-PORN
TESTSFAILED END CONTAINS SNIFFER-MALWARE
TESTSFAILED END CONTAINS SNIFFER-INK
TESTSFAILED END CONTAINS SNIFFER-CREDIT
TESTSFAILED END CONTAINS SNIFFER-CASINO
TESTSFAILED END CONTAINS SNIFFER-OBFUSC
TESTSFAILED END CONTAINS SNIFFER-GENERAL

and maybe also

TESTSFAILED END CONTAINS SNIFFER-RICH

instead of

TESTSFAILED 10 CONTAINS SNIFFER

...for the initial end statement(s) in the combo-filter. This is because only two or three SNIFFER exit codes seem not to be very reliable (even if they are still good): 61, 63 and maybe also 57.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 10:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
[Declude.JunkMail] V3 updated filter files
Question: what files in v3 are read once during service startup and what files are read for each message? For example, what happens if I update certain text filter files but do not restart the decludeproc ?

Markus
RE: [Declude.JunkMail] V3 updated filter files
Ok, thank you for the fast response. Your intention to streamline the product is welcome to me. Maybe you can simplify things for us admins by enabling some or different methods to start a re-read of the config and filter files. For example:

1.) Watch for a certain email processed by declude
2.) Watch for one specific single file; if it's placed by another application in the config directory, declude will reload all config files once
3.) Write a little application that can run as a scheduled task and regularly watch all configuration files. If some file is updated, a reload of the running process is initiated.

just some idea...

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
Sent: Thursday, January 05, 2006 1:45 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] V3 updated filter files

Markus,

There is currently no need to restart the Decludeproc service when you change a filter or configuration file; files are read for each message processed, just as with the versions of Declude prior to 3.x. This will not always be the case, however, as we continue to streamline and modify the product. If and when it becomes necessary to restart the service after file modification, we will make it clear to our users.

You should be aware of the diags.txt file that is created by the Decludeproc service. It is created once, after the service has started and the first email has been processed. It is not created again, unless the service is restarted. So, if you modify your global.cfg while the Decludeproc service is running, the changes will be seen immediately by the system, but the changes will not be reflected in the diags.txt file unless the service is restarted.

David Franco-Rocha
Declude Technical / Engineering

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Thursday, January 05, 2006 7:30 AM
Subject: [Declude.JunkMail] V3 updated filter files

Question: what files in v3 are read once during service startup and what files are read for each message? For example, what happens if I update certain text filter files but do not restart the decludeproc ?

Markus
[Declude.JunkMail] Review folder
Another question: What's happened with messages in the review folder? Were they delivered, and why are they stored in this folder?

Markus
RE: [Declude.JunkMail] Hardware Issue
Martin,

How do you update Declude Junkmail without updating Declude EVA?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evans Martin
Sent: Wednesday, December 28, 2005 2:53 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Hardware Issue

While we are on the subject of licensing ... I have JunkMail Pro on which I maintain a current service contract and keep the version as current as I feel comfortable doing. I also have Declude Virus that works perfectly well in whatever version is installed. I haven't updated it in forever. When I purchased my JunkMail service contract, I was informed a few days later that I would also be required to purchase a Declude Virus contract if I wanted to maintain my JunkMail service contract. Barry was nice enough to make an exception this year but didn't sound like he was eager to continue this practice.

Do I have to purchase service contracts on both products if I only care about upgrades on one? Will I be forced to purchase 2 contracts when my current one expires, etc.?

Thanks,
Evans Martin

---
EVANS MARTIN [EMAIL PROTECTED]
HOSTING: http://www.martek.net
PROGRAMMING: http://www.martekware.com
iPlus Info Browser - IPB's IMail Migration Tool, password browser, reporting suite make IPlus Info Browser something no IMail administrator should be without. http://www.martek.net/Default.aspx?tabid=96

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of David Franco-Rocha
Sent: Wednesday, December 28, 2005 6:00 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Hardware Issue

Don,

Your license to run the software does not expire. What does expire is your right to download new updates of the software.

David Franco-Rocha
Declude Technical / Engineering

- Original Message -
From: [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 27, 2005 7:13 PM
Subject: Re: [Declude.JunkMail] Hardware Issue

David,

Thanks for the response but I only understand part of your answer. "An expired license agreement is not equal to an expired license to run the software." I know when I have an expired license agreement but when does my license to run the software expire?

Don

- Original Message -
From: David Franco-Rocha [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 27, 2005 5:50 AM
Subject: Re: [Declude.JunkMail] Hardware Issue

An expired license agreement is not equal to an expired license to run the software. It simply does not allow you to update the software, but you can continue to run the version you have been running.

David Franco-Rocha
Declude Technical / Engineering

- Original Message -
From: [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 27, 2005 1:17 AM
Subject: Re: [Declude.JunkMail] Hardware Issue

I too have stayed at the 1.82 version while keeping my service contract up to date. I am not ambitious enough to work through all the 2.x and 3.x issues. A heartfelt thank you goes out to those of you who are.

With the new licensing policy in 3.x, what happens when I decide not to renew the service agreement? Will all the Declude software I have stop working? Am I paying for its usage only while I have a valid service agreement? It used to be that the service agreement allowed me major version upgrades when they were available without paying an additional fee. Am I now paying for a license to use the software?

Don

- Original Message -
From: Darin Cox [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, December 26, 2005 3:03 PM
Subject: Re: [Declude.JunkMail] Hardware Issue

Bottom line is we were told if the license server was offline we would not be impacted. It is seeming now that that statement was not true, though I should withhold judgement until we hear exactly why this had an impact.

Very glad I've stuck with 1.82 at the moment, though we had a service agreement that entitled us to upgrade to 3.x.

I would certainly like to know what will be done to the software licensing to make sure this problem does not happen again. Otherwise, since mail is considered a critical system, Declude needs to staff 24/7 to address problems as they arise.

Darin.

- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, December 26, 2005 3:50 PM
RE: [Declude.JunkMail] SmarterMail 3.0
web-based forum: I have to go there each day and spend some minutes to find out what's going on. My 24 hours each day are short enough that I will do that one, two or some more days but then I will leave the forum until I have a new problem. And for sure not to see if someone maybe has a problem where I maybe can help.

list-based forum: new postings are coming in and I can see them. If the subject is well chosen I can easily see if it's something important, or maybe something I've already solved and so can share an easy solution. Are there many replies on a new thread? = it's an indicator that it can be maybe something interesting or important for me too. All the rest can be ignored.

mail-client rules move all my incoming list-messages to subfolders so that I have my normal inbox for the daily work.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert E. Spivack
Sent: Wednesday, December 21, 2005 10:42 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail 3.0

The community support for SmarterMail is much smaller (or at least quieter). We are running one SM server for a client and I've posted several questions on the SM support forums and have not received any responses at all. Similar posts to Imail or Declude discussion lists have always resulted in lots of replies with useful help.

Obviously the products are different and the questions are different, but so far I'm not impressed with the size/responsiveness of the community. That's an important factor we will consider seriously before migrating any other servers from Imail to SM; saving a few hundred dollars in license costs is insignificant if we can't get help one way or another as quickly.

(Needless to say, the SM questions were on issues that SM tech support provided courteous but not helpful replies when first submitted privately as an email support case, so I was hoping for help from the community)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evans Martin
Sent: Tuesday, December 20, 2005 10:48 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] SmarterMail 3.0

It's such a breath of fresh air having been in the IMail camp for the last several years. LOL!

Evans Martin

EVANS MARTIN [EMAIL PROTECTED]
HOSTING: http://www.martek.net
PROGRAMMING: http://www.martekware.com
iPlus Info Browser - IPB's IMail Migration Tool, password browser, reporting suite make IPlus Info Browser something no IMail administrator should be without. http://www.martek.net/Default.aspx?tabid=96

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Tuesday, December 20, 2005 6:48 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] SmarterMail 3.0

The following was posted today on SmarterTools web forums:

Q: When will we expect to see v. 3?

A: The release date depends on the results of final QA. The product is essentially done, just making sure that all the bugs are out of it. Since mail servers are so critical to people's infrastructure, we work extremely hard to make a stable release with no issues that are going to bite you. We don't sacrifice stability for a quick release. Assuming everything is in good order (which to this point it appears to be), release will be middle of January.

You can view the original post at http://forums.smartertools.com/forums/2/11125/ShowPost.aspx#11125
RE: [Declude.JunkMail] Decludeproc abend
"abend" in German means "evening". good Abend! :-)

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, December 21, 2005 10:23 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Decludeproc abend

Is abend some kind of French word? ;)

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Wednesday, December 21, 2005 1:13 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Decludeproc abend

I have had decludeproc 3.0.5.22 abend on me twice today. Is there anything I should be doing to capture information about this? I have automatic restart enabled so it starts again but I am not super happy with it abending. Any hints on what (if anything) I can/should be doing?

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Nasty Spammer
Try a text filter file like

BODY 20 BEGINSWITH img src=cid:

Do you have an example of this type of spam? Maybe you can post a zip archive with the entire message file (header + body).

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Sunday, December 18, 2005 7:02 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Nasty Spammer

I'm getting rather irritated with this one. We're getting spam which contains only one line:

img src=cid:1dd0fa2ddee584b7e4937d9e77a06d69

Is there some way to make a filter where if img src=cid is found on the first line then set a weight? No legitimate email should ever contain only the one statement.
RE: [Declude.JunkMail] Nasty Spammer
I've seen now what type of message you mean. It was already discussed in the last two weeks under the cbl-thread.

Seems that the spammer this time uses a very simple way to send the spam with the black borders. The body contains nothing else than

img src=cid:[random-string]

The message is always failing CMDSPACE and in this case also SNIFFER-GENERAL.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Sunday, December 18, 2005 7:02 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Nasty Spammer

I'm getting rather irritated with this one. We're getting spam which contains only one line:

img src=cid:1dd0fa2ddee584b7e4937d9e77a06d69

Is there some way to make a filter where if img src=cid is found on the first line then set a weight? No legitimate email should ever contain only the one statement.
RE: [Declude.JunkMail] Is anyone sucessfully blocking these?
Look at the "CBL Fw:news" thread some days ago.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Thursday, December 15, 2005 6:07 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Is anyone sucessfully blocking these?

This is actually a .gif embedded in the email. I have been blocking using the name of the gif but it changes with each one, so these are still getting through. Any suggestions?

Sharyn

Subject: News Report
RE: [Declude.JunkMail] REVDNS
I'm going to try

REVDNS END CONTAINS (timeout)

Can you send a message from an IP that will time out for REVDNS? Declude support?

Markus
RE: [Declude.JunkMail] REVDNS
Thank you Scott,

Serge, why do you use such a filter? A SpamDomain-Test should do this even better.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, December 12, 2005 3:58 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] REVDNS

REVDNS 10 IS (Timeout)

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, December 12, 2005 1:42 AM
Subject: RE: [Declude.JunkMail] REVDNS

I think it may be (timeout). I know Scott Fisher posted a filter the other day that had the exact text on what it is when rev dns times out.

It was a message from Scott Fisher on the cbl-thread and as I can see he posted a line

TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT

So it would be interesting to know what's exactly in his text filter file REVDNS-TIMEOUT

Markus
RE: [Declude.JunkMail] REVDNS
Is a REVDNS-timeout such a frequent thing?

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, December 12, 2005 4:31 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] REVDNS

Spamdomains tests do not trigger on a REVDNS Timeout.

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, December 12, 2005 9:14 AM
Subject: RE: [Declude.JunkMail] REVDNS

Thank you Scott,

Serge, why do you use such a filter? A SpamDomain-Test should do this even better.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, December 12, 2005 3:58 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] REVDNS

REVDNS 10 IS (Timeout)

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, December 12, 2005 1:42 AM
Subject: RE: [Declude.JunkMail] REVDNS

I think it may be (timeout). I know Scott Fisher posted a filter the other day that had the exact text on what it is when rev dns times out.

It was a message from Scott Fisher on the cbl-thread and as I can see he posted a line

TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT

So it would be interesting to know what's exactly in his text filter file REVDNS-TIMEOUT

Markus
RE: [Declude.JunkMail] ANN: 5xxSink 0.5.01 update, IIS SMTP text-file recipient validator now supports 'nobody' wildcard domains
Sandy,

I've tested the previous version and it seems to be working great. The next step will be testing it with several thousands of valid recipients.

Would it be an idea to develop it in such a way that different virtual IIS SMTP services can use 5xxSink with different prescan.txt and rcptlist.txt? So for example if I have one domain with many valid recipients I can configure it on a separate IP/MX/IIS-virt-SRV, in order to avoid that messages for some hundred or thousands of other domains - each one with one up to around 20 valid recipients - must be checked against the entire list of valid recipients of the big domain.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
Sent: Monday, December 12, 2005 9:13 AM
To: Declude.JunkMail@declude.com; IMail_Forum@list.ipswitch.com; Declude.Virus@declude.com; sniffer@SortMonster.com
Subject: [Declude.JunkMail] ANN: 5xxSink 0.5.01 update, IIS SMTP text-file recipient validator now supports 'nobody' wildcard domains

-- 5XXSINK Release 0.5.01 12/12/2005

* Release notes for this version:

[ + Added feature ] [ * Improved/changed feature ] [ - Bug fix ] [ ^ Cosmetic/naming change ]

[+] Added new feature, RHS PRESCANNING, to help with processing of large recipient lists under certain circumstances.

The prescan.txt file, if it exists, is scanned before the rcptlist.txt. If a match is found, processing continues in rcptlist.txt. If no match, 550 is returned immediately. If no prescan.txt is found, the feature is not enabled.

The intent of prescan.txt is that it can be a global repository for allowed RHS (right-hand-side, i.e. domain) strings. You list all of your domains in prescan.txt as follows:

@example.com
@example.net
etc.

When messages are processed, they are FIRST matched against this list. This allows you to cut down the initial scan for recipients at _unknown_ domains substantially; for example, if you have 100 hosted domains with 100 users each, and you are the erroneous victim of a directory harvesting attack against a domain you DO NOT host, rejections with prescan.txt in place will take 1% of the time they would if the entire rcptlist.txt were scanned!

However, be somewhat careful: scanning prescan.txt does add its own overhead. If you are not concerned about such pure-DoS attacks, you will end up lengthening the lookup time for each recipient, though likely the effect would be negligible.

NOTE #1: if prescan.txt is enabled, users _must_ have their domain listed in prescan.txt AND their username in rcptlist.txt (or, if they are in a wildcard domain, they must have that domain listed in prescan.txt _and_ in rcptlist.txt).

NOTE #2: RHS prescanning is not the same as domain wildcards. Do not be confused. See below.

[*] Official support for DOMAIN WILDCARDS. This support in fact existed previously, but I was determined to discourage people from using it, since I'm such an opponent of 'nobody' setups. Well, a few people wrote to me and changed my mind.

Anyway, when you enter wildcards, you do not use the asterisk (*) character. You simply enter domain names like so:

@example.com
[EMAIL PROTECTED]
@example.net
[EMAIL PROTECTED]

You may as well put your domain wildcards at the top of your list, so they get processed first. You're going to need all the help you can get processing the backscatter.

. . . .

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
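The two-stage lookup in the release notes above, modelled in Python as an added example (not 5xxSink's own code). The linear scan, the 250 accept code, the `*.example` addresses and all function names are assumptions made for illustration; the model counts how many list entries are examined so the "1% of the time" claim can be checked.

```python
"""Model of the prescan.txt -> rcptlist.txt lookup described in the
5xxSink 0.5.01 release notes. Illustration only, not 5xxSink code."""


def rhs(address):
    """Right-hand side of an address including the '@', e.g. '@example.com'."""
    local, at, domain = address.strip().lower().rpartition("@")
    if not (local and at and domain):
        raise ValueError("not a mailbox address: %r" % address)
    return "@" + domain


def scan(entries, predicate):
    """Linear top-to-bottom scan; returns (matched, entries_examined)."""
    for n, entry in enumerate(entries, 1):
        if predicate(entry):
            return True, n
    return False, len(entries)


def check_recipient(address, rcptlist, prescan=None):
    """Return (smtp_code, deciding_stage, entries_examined).

    prescan=None models a missing prescan.txt (feature not enabled).
    A bare '@domain' entry in rcptlist is a domain wildcard.
    250 as the accept code is an assumption; the notes only name 550.
    """
    addr = address.strip().lower()
    domain = rhs(addr)
    examined = 0
    if prescan is not None:
        hit, n = scan(prescan, lambda e: e == domain)
        examined += n
        if not hit:
            # Unknown domain: rejected without touching rcptlist.txt.
            return 550, "prescan", examined
    hit, n = scan(rcptlist, lambda e: e == addr or e == domain)
    examined += n
    return (250 if hit else 550), "rcptlist", examined


def build_sample(domains=100, users=100):
    """Constructed data: 100 hosted domains with 100 users each."""
    prescan = ["@d%d.example" % i for i in range(domains)]
    rcptlist = ["user%d@d%d.example" % (u, i)
                for i in range(domains) for u in range(users)]
    return prescan, rcptlist


if __name__ == "__main__":
    prescan, rcptlist = build_sample()
    for rcpt in ("victim@not-hosted.example",   # harvesting probe, foreign domain
                 "user5@d3.example",            # valid mailbox
                 "nobody@d0.example"):          # hosted domain, unknown user
        print(rcpt, "with prescan:", check_recipient(rcpt, rcptlist, prescan),
              "without:", check_recipient(rcpt, rcptlist))
```

The third sample address shows the overhead the notes warn about: for a hosted domain with an unknown user, the prescan pass is added on top of a full rcptlist scan.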
RE: [Declude.JunkMail] REVDNS
I think it may be (timeout). I know Scott Fisher posted a filter the other day that had the exact text on what it is when rev dns times out.

It was a message from Scott Fisher on the cbl-thread and as I can see he posted a line

TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT

So it would be interesting to know what's exactly in his text filter file REVDNS-TIMEOUT

Markus
[Declude.JunkMail] Gtube?
Maybe it's not really important, but does anyone know Gtube, the EICAR-like spam test mail?

http://spamassassin.apache.org/gtube/

Markus
RE: [Declude.JunkMail] OT: Mail Building up in IMail Spool Directory
Do you have a list of valid recipients for this store and forward customer? If yes, search for Sanford Whiteman's posting this week with the subject "ANN: Availability of 5xxSink 0.5.00, IIS SMTP event sink for text-file recipient validation"

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, December 06, 2005 5:13 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] OT: Mail Building up in IMail Spool Directory

Hello, All,

Starting at about 7:51am this morning there's been an inordinate amount of e-mail building up in my imail/spool directory. I've checked the logs and it appears that we are accepting all e-mail in to the server but not all of it is being sent out. I haven't been able to 100% confirm it but it appears that all of the e-mail which is being held so far is incoming e-mail for our Store and Forward spam filtering customers.

The weird thing about it is I'm finding lots of e-mail in the spool directory that are clearly spam and will probably be identified as spam if it ever reached Declude. It's almost as if the SMTP server hasn't even attempted delivering any of this e-mail even once.

Does anyone know what could possibly be going on here? I'm aware of the IMail forum but I thought I'd try here first.

Thanks In Advance,
Dan Geiser [EMAIL PROTECTED]
RE: Re[2]: [Declude.JunkMail] ANN: Availability of 5xxSink 0.5.00, IIS SMTP event sink for text-file recipient validation
This seems a great thing. It should also allow me to run gatewaying services to a restricted number of recipients, or in other words: offer relaying packages for 10, 20, 30, ... users.

How many users are realistic for 5xxSink?

Markus
RE: [Declude.JunkMail] Paranoia
What's even funnier is by the time I am ready to get in bed, Europe is going to work.

yawning mmmh, what? ... ... Ah, hi guys, good morning from Europe! We've around 12 inches of snow here over night. Where's the snowshovel? Maybe I will add BANEXT .snow to my config file ;-) /yawning

Markus
RE: [Declude.JunkMail] OT: another SOBERing though
I was just thinking the same thing, that strictly going by file name would not be best.

Well at least it would be resource friendly. Some thoughts:

Count attached file names but

1) ignore extensions like gif, jpg, pdf, ... or alternatively look only for known risky extensions like zip, exe, com...
2) ignore files that are below x and above y of file size
3) ignore messages coming from certain sources (this whitelist can be adapted after finding a false positive)

As I can imagine this tool should work in the background and block messages only during a new outbreak (if it will work like we want). So it can/should also send a mail alert to the admin so that he immediately can keep an eye on what's going on there.

Markus
RE: [Declude.JunkMail] CMDSPACE Failures
Another way that you could deal with this specific Microsoft Office Outlook build is to create a filter that contains the following:

HEADERS -8 CONTAINS Microsoft Office Outlook, Build 11.0.5510

...but keep in mind that some spammers write exactly this string in the headers to pass spam filters.

If you can't WHITELIST AUTH or certain IP ranges your only choice is to use CMDSPACE in combination with filters. For example if SNIFFER + CMDSPACE fails or if CMDSPACE and a filter file that contains some foreign countries you can't be sure that none of your customers will never send a legit message from there.

Maybe you have all your client configurations set to use a certain host name as outgoing SMTP server while the official host name in the MX records for all incoming messages is another one. In this case you can point the outgoing SMTP IP to another machine and set up there an SMTP relay that forwards all messages to your actual mail server. Then you can whitelist all messages coming from the relay server's IP. But now you have to solve how to configure the relay server without becoming an open relay.

Markus
RE: [Declude.JunkMail] Declude with SmarterMail 3.0
Nice to know! Now it's time to set up the new mailserver ;-)

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha [ Declude ]
Sent: Friday, October 28, 2005 3:32 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Declude with SmarterMail 3.0

The 3.0 version of SmarterMail, yet to be released, will pass authentication information to Declude. For those of you who have been patiently waiting to implement WHITELIST AUTH with SmarterMail, please be advised that Declude will support that functionality with SmarterMail 3.0.

David Franco-Rocha
Declude Technical / Engineering
RE: [Declude.JunkMail] found something new to me
I want to use combo filtering with testsfailed to further punish emails that fail two or more of the reliable tests.

Travis,

I do a similar thing for a long time now and I'm very happy with the following solution:

1.) Create a new filter test COMBO-IP4R:

COMBO-IP4R filter C:\IMail\Declude\combo_ip4r.txt x 0 0

2.) In this file write all your reliable IP4R tests. For example

TESTSFAILED 0 CONTAINS CBL
TESTSFAILED 0 CONTAINS DSBL
TESTSFAILED 0 CONTAINS SPAMCOP
TESTSFAILED 0 CONTAINS XBL-DYNA
...

3.) Now you can create additional COMBO test files. For example

COMBO-IP4R-SNIFFER filter C:\IMail\Declude\combo_ip4r_sniffer.txt x 0 0

4.) In this file write the points you want to add if one of the IP4R tests has failed at the same time with SNIFFER

TESTSFAILED END NOTCONTAINS COMBO-IP4R
TESTSFAILED 30 CONTAINS SNIFFER-TRAVEL
TESTSFAILED 30 CONTAINS SNIFFER-INSUR
TESTSFAILED 30 CONTAINS SNIFFER-AV
TESTSFAILED 30 CONTAINS SNIFFER-MEDIA
TESTSFAILED 30 CONTAINS SNIFFER-SWARE
TESTSFAILED 30 CONTAINS SNIFFER-SNAKE
TESTSFAILED 30 CONTAINS SNIFFER-SCAMS
TESTSFAILED 30 CONTAINS SNIFFER-PORN
TESTSFAILED 30 CONTAINS SNIFFER-MALWARE
TESTSFAILED 30 CONTAINS SNIFFER-INK
TESTSFAILED 10 CONTAINS SNIFFER-RICH
TESTSFAILED 30 CONTAINS SNIFFER-CREDIT
TESTSFAILED 30 CONTAINS SNIFFER-CASINO
TESTSFAILED 30 CONTAINS SNIFFER-OBFUSC
TESTSFAILED 30 CONTAINS SNIFFER-GENERAL

As you can see you can also assign different additional points for different SNIFFER result codes if you've split up SNIFFER in multiple tests for each result code.

Some additional things you can do: for example write at the top of the file 2.) something like

COUNTRY END STARTSWITH us

and there will be no additional points for messages originating from the USA. (Maybe this will not make so much sense as in my case where most legit messages come from Italy, Austria and Germany.)

So I've also lowered the weight of all IP4R tests in my global.cfg file to a very low weight and have set up an additional filter file having at the top some END statements for certain countries. Then below are the same TESTSFAILED lines as in the file 4.) So I can assign relatively high weights to IP4R tests for messages coming from foreign countries and lower weights for all messages coming from Italy and neighbors.

Tests I've found very usable for COMBO tests are

CMDSPACE
SNIFFER
INVURIBL
SPAMDOMAINS

Hope this helps

Markus
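A small Python model of how the two COMBO filter files above interact, added here as an illustration and not Declude's code. It assumes filters run in definition order, matching is a case-insensitive substring test on the space-joined TESTSFAILED list, a filter counts as failed when any weighted line matches (even with weight 0), and weights of all matching lines add up; the function names and the abbreviated filter texts are constructed.

```python
"""Simplified model of the COMBO-IP4R / COMBO-IP4R-SNIFFER filter files.
Illustration only; the evaluation rules are assumptions, see lead-in."""

OPS = {
    "CONTAINS": lambda field, text: text in field,
    "NOTCONTAINS": lambda field, text: text not in field,
    "STARTSWITH": lambda field, text: field.startswith(text),
    "IS": lambda field, text: field == text,
}


def parse_filter(text):
    """Parse lines of the form: VARIABLE <weight|END> OPERATOR value."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2].upper() in OPS:
            var, action, op, value = parts
            rules.append((var.upper(), action.upper(), op.upper(),
                          value.strip().lower()))
    return rules


def run_filter(rules, fields):
    """Return (failed, weight) for one filter file, read top to bottom."""
    failed, weight = False, 0
    for var, action, op, value in rules:
        if not OPS[op](fields.get(var, "").lower(), value):
            continue
        if action == "END":        # END stops processing of this file
            break
        failed = True
        weight += int(action)
    return failed, weight


def score(failed_tests, country, filters):
    """Run the filters in order; a failed filter joins TESTSFAILED so that
    later filters can test for it. Returns (added_weight, tests_failed)."""
    failed = list(failed_tests)
    added = 0
    for name, rules in filters:
        fields = {"TESTSFAILED": " ".join(failed), "COUNTRY": country}
        hit, weight = run_filter(rules, fields)
        if hit:
            failed.append(name)
            added += weight
    return added, failed


# Constructed, abbreviated copies of the two files from the message above.
COMBO_IP4R = """
TESTSFAILED 0 CONTAINS CBL
TESTSFAILED 0 CONTAINS DSBL
TESTSFAILED 0 CONTAINS SPAMCOP
TESTSFAILED 0 CONTAINS XBL-DYNA
"""
COMBO_IP4R_SNIFFER = """
TESTSFAILED END NOTCONTAINS COMBO-IP4R
TESTSFAILED 30 CONTAINS SNIFFER-PORN
TESTSFAILED 10 CONTAINS SNIFFER-RICH
TESTSFAILED 30 CONTAINS SNIFFER-GENERAL
"""
FILTERS = [("COMBO-IP4R", parse_filter(COMBO_IP4R)),
           ("COMBO-IP4R-SNIFFER", parse_filter(COMBO_IP4R_SNIFFER))]
# Variant with the country exemption placed at the top of file 2.)
FILTERS_SKIP_US = [("COMBO-IP4R",
                    parse_filter("COUNTRY END STARTSWITH us\n" + COMBO_IP4R)),
                   FILTERS[1]]

if __name__ == "__main__":
    print(score(["CBL", "SNIFFER-PORN"], "it", FILTERS))
    print(score(["SNIFFER-PORN"], "it", FILTERS))
    print(score(["CBL", "SNIFFER-PORN"], "us", FILTERS_SKIP_US))
```

Because the second file tests for the name COMBO-IP4R in TESTSFAILED, the model only gives the extra points when COMBO-IP4R is listed before COMBO-IP4R-SNIFFER.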
[Declude.JunkMail] OT: Mailing software
Hi Spamfighters, This one I have a maybe little strange question. One of our customers (a touristic office) has collected over years email addresses of all their customers. (I've already checked: it was and is a clear opt-in checkbox on the contact form.) However, the number of email addresses is a little bit high and the customer has asked us for something that can send out their newsletters and manage returning feedback and non-delivery reports in order to keep their address list up-to-date. I know, it sounds like a new little bulk-mail sender, but as I can confirm that's an opt-in list and I don't want this customer to send out these messages over our mailserver without our knowledge, I want to ask if someone knows some software (win32, or ASP-script-based) that can do this in a clean way? Markus
RE: [Declude.JunkMail] OT: Store and Forward Spam Filtering to Multiple IPs
> ...
> 66.148.217.251 domain.com
> 70.60.133.251 domain.com
> will this mechanism rotate through both IPs or will it also just use whichever it hits first when reading from the top of the list down? Or is it just a bad idea in general to do this and we will just have to change the IP manually if one ISP goes down?

I think this will always forward messages to the first entry, and so it will not do what you want. We've had the same request and so we've defined all our storeforward IPs in a simple database table. This database contains domains, primary and eventually secondary MX IPs. Then we've set up our monitoring system to try to reach the primary MX on port 25. If this fails two consecutive times the action is a simple script that does the following:

1.) mark this domain in the table as fault
2.) read all active entries from the table and choose the primary MX or the secondary if marked as fault
3.) write a new hosts file
4.) stop and start the Imail smtp service

If the monitoring system can see the primary MX on port 25 again, there is a similar script that puts this domain back to the primary MX.

Hope this helps
Markus
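The failover steps listed in the reply above (two consecutive failed port-25 checks, mark the domain as fault, choose primary or secondary MX, write a new hosts file), as an added Python example that is not part of the original post. The table fields, function names and the documentation-range IP addresses are assumptions; stopping and starting the IMail SMTP service is left to the caller and should happen only when `run_cycle` reports a change.

```python
import os
import socket
import tempfile
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

FAIL_THRESHOLD = 2  # the post fails over after two consecutive failed checks


@dataclass
class Route:
    """One row of the store-and-forward table (field names are assumptions)."""
    domain: str
    primary: str
    secondary: Optional[str] = None
    active: bool = True
    fault: bool = False
    failures: int = 0


def smtp_reachable(ip: str, port: int = 25, timeout: float = 5.0) -> bool:
    """TCP connect to the MX on port 25, as the monitoring system in the post does."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def record_check(route: Route, reachable: bool) -> None:
    """Update the failure counter and the fault flag from one probe result."""
    if reachable:
        route.failures = 0
        route.fault = False          # primary is back: switch the domain back
    else:
        route.failures += 1
        if route.failures >= FAIL_THRESHOLD:
            route.fault = True


def target_ip(route: Route) -> str:
    """Secondary MX only when the primary is marked fault and a secondary exists."""
    if route.fault and route.secondary:
        return route.secondary
    return route.primary


def render_hosts(routes: Iterable[Route]) -> str:
    """Exactly one 'IP domain' line per active domain, since only the first entry is used."""
    lines = [f"{target_ip(r)}\t{r.domain}" for r in routes if r.active]
    return "\n".join(lines) + "\n"


def write_hosts(path: str, text: str) -> None:
    """Write to a temp file in the same directory, then rename over the target."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, text=True)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.replace(tmp, path)


def run_cycle(routes: List[Route],
              probe: Callable[[str], bool] = smtp_reachable) -> Tuple[bool, str]:
    """Probe every active primary MX; return (hosts_changed, new_hosts_text)."""
    before = render_hosts(routes)
    for route in routes:
        if route.active:
            record_check(route, probe(route.primary))
    after = render_hosts(routes)
    return after != before, after


if __name__ == "__main__":
    # Constructed sample table using documentation address ranges.
    table = [Route("example.com", "192.0.2.10", "198.51.100.10"),
             Route("example.org", "192.0.2.20")]
    changed, hosts_text = run_cycle(table)
    print("hosts file needs rewriting:", changed)
    print(hosts_text, end="")
```

A domain without a secondary MX stays on its primary even when marked fault, so the generated file never loses an entry.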
[Declude.JunkMail] new all_list.dat file
Thank you! Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, September 28, 2005 12:08 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Country Test Very odd Results Hey Guys, I just uploaded a new http://www.declude.com/version/release/all_list.dat see if this solves the problems that you have been seeing. David Barker www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, September 27, 2005 5:11 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Country Test Very odd Results Dave, I pulled that version down and compared the two (file sizes) and they were the same. I put that one in just in case. Darrell Dave Doherty writes: Hi Darrell-- This might have nothing at all to do with it, but maybe you need to update ALL_LIST.DAT... http://www.declude.com/version/release/all_list.dat There was a thread on this recently. Apparently, ARIN recently reassigned some blocks. -Dave Doherty Skywaves, Inc. - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, September 27, 2005 4:14 PM Subject: [Declude.JunkMail] Country Test Very odd Results Anyone want to take a stab at this one I would appreciate it. 216.55.166.147 - IPWHOIS Says its being used in San Diego CA Declude via Countries Test Reports 09/27/2005 14:58:39.015 q96320ffe0578da59.smd Msg failed COUNTRY (Message failed COUNTRY test (line 15, weight 5)). Action=WARN. Line 15: is the country AR The message was directly send from 216.55.166.147 so there were no other hops in the message in case it caught it in the country chain. It's just really weird as I am getting all kinds of messages that are legit seemingly get triggered on the country and mailfrom test.. Any thoughts? Darrell - --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. 
IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
RE: [Declude.JunkMail] Two Utilities (SpamSize ipHarvest)
> We wrote two very quick custom utilities for a customer that may be of use to you. All are provided as is free of charge. SpamSize... ipHarvest ...

Darrell, These are simple but great tools! Especially the ipharvest-tool can be used in a monitoring system to alert automatically on abnormally high failed delivery attempts. Thank you! Markus
RE: [Declude.JunkMail] Latest ALL_LIST.DAT
David, thank you for the link.

Gary, The all_list.dat file is a database of net-blocks (IP-ranges) that are assigned to certain countries. Declude looks at the delivery chain of messages in the mail header and can construct the country-chain by comparing the IP addresses in the mail header with the data in the all_list.dat file. It's similar to the geolocation technology used by some websites (http://en.wikipedia.org/wiki/Geolocation_software). As ARIN, RIPE & Co. continuously assign, remove and move net-blocks we have to update the all_list.dat file from time to time.

Markus

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Tuesday, September 20, 2005 4:08 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Latest ALL_LIST.DAT

So what is the ALL_LIST.DAT? How is it used? I couldn't find it described in the JunkMail documentation or in the Knowledge Base. Is this a binary file that we shouldn't be messing with? How can we correlate it with any country filter we might be using? Though while looking through the Knowledge Base, I found this new entry: http://support.declude.com/Customer/KBArticle.aspx?articleid=3 5KBSearchID=1023 I found a copy of ALL_LIST.DAT in the Declude directory that was installed with 2.0.6. It has a date on it of 4/11/2005.
Original Message From: David Barker [EMAIL PROTECTED] Sent: Monday, September 19, 2005 5:23 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Latest ALL_LIST.DAT At this point the latest ALL_LIST.DAT (Monday, April 11, 2005) is currently located here: http://www.declude.com/version/release/all_list.dat There will be a new ALL_LIST.DAT with the release of Declude 3.0 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J Porter Sent: Monday, September 19, 2005 5:02 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Latest ALL_LIST.DAT I think the ALL_LIST.DAT file is some sort of compressed list and not accessible via an editor... right??? Anyway, I found have a link where I got it some time back. http://www.declude.com/release/178/all_list.dat I haven't updated our server with it yet, so I have no idea how recent it is. Does anyone know if it's been updated recently? ~Joe - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, September 19, 2005 10:58 AM Subject: Re: [Declude.JunkMail] Latest ALL_LIST.DAT I guess this would be the best source for current country codes: http://www.iso.ch/iso/en/prods-services/iso3166ma/02iso-3166-code-list s/list -en1.html ARIN's list lets you break it down by region: http://www.arin.net/community/countries.html Original Message From: Darrell \([EMAIL PROTECTED]) [EMAIL PROTECTED] Sent: Monday, September 19, 2005 11:50 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Latest ALL_LIST.DAT Dan, This would make sense since ARIN just completed another round of assignment of the BOGON's. Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. 
Dan Geiser writes: Hello, All, I think it's possible that my ALL_LIST.DAT needs to be updated because I'm starting to receive legit e-mails from Yahoo IPs that come up as ARIN Unlisted. My current ALL_LIST.DAT is dated 4/08/2005. Is there a newer copy that we can download somewhere? Thanks, Much! Dan Geiser [EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus]
RE: [Declude.JunkMail] Latest ALL_LIST.DAT
I'm still on v1.82 but have a valid SA and my all_list.dat file is older than 04/08/2005. Where can I get the newest dat-file? Markus

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Monday, September 19, 2005 5:29 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Latest ALL_LIST.DAT

Hello, All, I think it's possible that my ALL_LIST.DAT needs to be updated because I'm starting to receive legit e-mails from Yahoo IPs that come up as ARIN Unlisted. My current ALL_LIST.DAT is dated 4/08/2005. Is there a newer copy that we can download somewhere? Thanks, Much! Dan Geiser [EMAIL PROTECTED] --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
RE: [Declude.JunkMail] SPFPass - good or bad?
Looking at the last 80.000 messages on our mailserver, SPFPASS has had a positive result on 11%. Following the final weight after all spam tests, 7 from this 11% was right. The other 4% was a wrong result. SPFFAIL will only catch around 1% of all processed messages. Nearly all of them were caught right as spam. Only 0.12% has had a wrong result. Markus

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Dodell Sent: Thursday, September 08, 2005 7:28 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPFPass - good or bad?

I've noticed a bunch of spam with SPFPass grades that have negated the spam databases (I have SPFPass at -5) ... is anyone finding that SPFPass is working with spammers using legitimate ISP's? david - Internet Dental Forum www.internetdentalforum.org Dentalcast Podcast www.dentalcast.net
RE: [Declude.JunkMail] EServices Autowhite?
> You will probably need to add the virtual host keys as well, but you certainly will be able to fake it out using the Registry alone. No IMail EXEs will be necessary to install.

Maybe not only virtual host keys but also one for each user mailbox. Autowhite does a great job at my side here, but I would suggest the following: The current way to keep all data in numerous files is the same file-based way as declude 1.x and 2.x has done. Now with the new declude v3 service it would be great to have this functionality inside the service (or added as a module). This module could keep a RAM-based database of MAILFROM = MAILTO communication of the last - let's say - 7 days.

A.) If the combination MFROM-MTO has had previous email communication with final weights below a certain threshold (=legit msgs) then add a negative weight for further messages (the same thing that Autowhite already does)

B.) If the same MFROM has sent a certain number of msgs with a final weight in the grey zone do something like
- move the message to a temporary hold folder and check the message again after - let's say one hour - in the hope that Blacklists, InvURIBL and Sniffer have new patterns to catch the msg as spam.
- send an alert to the admin so he can look at what's going on with this type of messages

C.) If there is some mail loop (for example if a message is sent to at least two recipients using an unpatched exchange pop3-connector) this module could also identify these repeatedly sent messages having the same checksum or msgs size. If there are more than x messages in - let's say - 3 hours send an alert to the administrator so he can put this mailfrom address on the SMTP-envelope kill list until the mail loop is broken by at least one of the exchange admins.

The RAM-based database can be stored in a file if declude is shut down regularly, so that the data is immediately available after a restart of the service or the entire server. The database could also clean old records based on its lastupdate-timestamp and maybe it could also alert the admin if there is a suspicious number of unknown viruses or vulnerabilities in a certain timerange. Markus
RE: [Declude.JunkMail] IP4r Tests not running
What happens if you nslookup from the imail/declude server to your configured nameservers and query something? Markus

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown Sent: Wednesday, August 24, 2005 3:29 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] IP4r Tests not running

I am looking for some trouble-shooting ideas. Our IP4R tests are Not running, but all other tests seem to be running fine. Imail 8.21, Declude 1.82 The below snip is from the Declude Junkmail log in Debug mode. Declude Support confirms that the log shows the IP4R tests are Not running and they have already looked at our configs and find no issues. The only trouble-shooting suggestion we have, right now, is to change the order of the tests in the Global.cfg, which shouldn't make any difference. There are no DNS failure errors in the log or anything else that would logically point to some potential issue. Any ideas?

08/24/2005 08:09:17.281 Q717402002ebf Test #0: DYNHELO [dynhelo] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #1: BLACKIP [ipfile] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #2: UCEPROTECRDO [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #3: UCEPROTECMUL [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #4: FILT-UCEPROTECT [filter] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #5: MXRATE-BLACK [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #6: MXRATE-PROBABLE [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #7: AHBLRELAYS [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #8: AHBLPROXIES [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #9: AHBLSOURCES [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #10: AHBLPSSL [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #11: AHBLFORMMAIL [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #12: AHBL-HOP1 [dnsbl] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #13: AHBLSHOOT [ip4r] - may skip-1
08/24/2005 08:09:17.281 Q717402002ebf Test #14: AHBLCOMPDDOS [ip4r] - may skip-1

Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net (972) 788-2364 Fax: (972) 788-5049
RE: [Declude.JunkMail] IMail 8.02
> and threading is fun, you pretty much have everything in place to communicate back and forth between processes. allowing many instances of declude to talk to each other.

That's what I mean. Maybe this will allow us also to have/create new functionality. For example (I don't know if I'm the only admin stressed by unpatched Exchange POP3-connectors which create endless repeated delivery of one single message) such a new declude architecture could create RAM-based mind lists containing frequent/suspect mailfrom-addresses, sender-ips or subject-lines and after a certain threshold add a certain weight or send an email alert to the postmaster... Maybe we can also see something like a grey-tub where suspicious messages are kept for some minutes then checked again and, with the data collected in the meantime, classified as ham, spam or virus. Even if external tests and av-engines must still be called for each single message the performance should be noticeably better. Markus
RE: [Declude.JunkMail] CMDSPACE
> Up to this point I have not seen a false positive from a legit mail server. Have others?

Yes. Older versions of Tobit Infocenter have failed CMDSPACE. I've sent them some information about the effectiveness of the CMDSPACE test and as far as I know they have changed their MTA in newer releases. This happened around a year ago. Then there is also the good old pullmail.exe that will fail the CMDSPACE test.

CMDSPACE on my servers is able to catch around 30% of all processed messages as spam. (54% is held as spam, 46% delivered as ham.) Nevertheless there is around 1% of all messages classified as legit but with a positive CMDSPACE result. Looking at the subject line (I don't have the headers of these messages) it seems to me that from this 1% some are spam messages slipping through the weighting system. Many more are automated messages like newsletters, order confirmations, webform requests and so on. But there are also some few subject lines beginning with RE: and FWD: looking very legit. As any user on my server must authenticate and auth-ed users are whitelisted it looks like there are some very few MTAs that will fail CMDSPACE. Anyone know what MTA is used at nestle.com? Markus
RE: [Declude.JunkMail] IMail 8.02
I'm running Imail 8.15 and the Declude 1.82 here and everything is running fine. Do you really need Imail 8.2? Declude as a multi-threaded service sounds very promising. Markus

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem Sent: Tuesday, August 23, 2005 3:32 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] IMail 8.02

It's been over 2.5 months to fix a problem that is mission critical for many of us. Pleased with the result? Sorry but this is getting stupid. Pleased with the result will be its working. It means it does not crash our server. It means we keep our clients. It sounds like Declude is making a *new* version instead of fixing the problem now. I really don't have time to wait until Declude thinks they have a better product - I need a working product now. Amazing how fast a company can go down the tube. Mine included when products do not work.

Bill Billman wrote: It does appear that some people have been missing the updates regarding the Declude/IMail 8.2 situation. Declude has been working on a new version in order to deal with the changes brought about with the introduction of IMail 8.2. This has involved some major changes to the application and to quote Scott Perry 'Although it is taking a bit longer than expected, I think you will be pleased with the results.' The next version of Declude will execute as a multi threaded Windows service. The configuration files and logging will remain as is so there will be minimal effort to upgrade. Internal testing is underway and there are plans to enter open beta soon. Bill Billman Director of Engineering Declude - internet security software 978.499.2933 office 603.930.4886 mobile 978.477.8930 fax [EMAIL PROTECTED] www.declude.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem Sent: Tuesday, August 23, 2005 12:32 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] IMail 8.02

I just noticed that it was posted June 5. What's the deal? 2.5 months later and no update? Bring back Scott please. This is not good enough.

Heimir Eidskrem wrote: Well, good to know. I spent this weekend troubleshooting this problem. Our SMTP process would blow up then the SMTP becomes unresponsive. Almost like tar pitting. I wish I had known this Friday :( I hope this is the number 1 priority for them. Heimir

Darrell ([EMAIL PROTECTED]) wrote: Declude posted this a couple weeks back and are still working on testing the new version that resolves the issues with 8.2x http://www.mail-archive.com/declude.junkmail@declude.com/msg24792.html Darrell -- DLAnalyzer - Comprehensive reporting for Declude Junkmail and Virus. Download it today - http://www.invariantsystems.com

Orillia ProNet Administration writes: Hi. I am running Imail 8.15hf2 as my mail server and Declude 1.82. I want to upgrade to Imail 8.21. Any issues with that and Declude 1.82? -- Regards, Orillia ProNet Administration Orillia ProNet 22A Colborne Street West Orillia, Ontario L3V 2Y3 705-329-3949 [EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus]
[Declude.JunkMail] Google redirect links
Any idea how to catch this? h t t p : / / w w w . g o o g l e . l i / u r l ? q = http%3A%2F%2Fwww%2Ebestflirt%2Ebiz%2Fcms%2F%3Fgo%3Dtpwid=ifniq=8 Both invURIBL and SNIFFER haven't caught it. Markus
RE: [Declude.JunkMail] Google redirect links
> I'd report it as an open redirector to google. Then collect a few samples and create a filter to attack it.

As far as I can see this link will work on all cTLD-google domains (google.li google.it google.de google.fr ...) and also google.com. Maybe sniffer can do this better than any normal text filter. And what about invURIBL? As I understand it, this will outwit URI tests because only the google domain will be tested and never be positive. Maybe a new functionality to set up a list of known open redirectors so that invURIBL can test the right URI? Markus
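The "list of known open redirectors" idea from the reply above, as an added Python example that is not part of the original posts and not how invURIBL or SNIFFER work internally. The redirector table, function names, sample message and the `.test` blocklist entry are assumptions constructed for illustration; the only redirector pattern taken from the thread is `google.<tld>/url?q=<encoded target>`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# (host pattern, path, query parameter) for the redirector named in the thread:
# google.com and the country-code Google domains, /url?q=<encoded target>.
KNOWN_REDIRECTORS = [
    (re.compile(r"^(?:www\.)?google\.(?:[a-z]{2,3}\.)?[a-z]{2,}$"), "/url", "q"),
]
MAX_DEPTH = 3  # bound on redirector-inside-redirector links (assumption)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def hosts_to_test(url, unwrap=True, depth=0):
    """Return the hosts a URI blacklist test should look up for one link."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:               # malformed URL, nothing to look up
        return []
    if not host:
        return []
    hosts = [host]                   # the outer host is always still tested
    if not unwrap or depth >= MAX_DEPTH:
        return hosts
    for host_re, path, param in KNOWN_REDIRECTORS:
        if not host_re.match(host) or parts.path.rstrip("/") != path:
            continue
        # parse_qs percent-decodes the value, which also undoes %2E-encoded dots
        for target in parse_qs(parts.query).get(param, []):
            if not SCHEME_RE.match(target):
                target = "http://" + target
            for inner in hosts_to_test(target, unwrap, depth + 1):
                if inner not in hosts:
                    hosts.append(inner)
    return hosts


def is_listed(host, blocklist):
    """True if the host or any of its parent domains is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def check_message(body, blocklist, unwrap=True):
    """Return the listed hosts found in a message body, in order of appearance."""
    hits = []
    for url in URL_RE.findall(body):
        for host in hosts_to_test(url, unwrap):
            if is_listed(host, blocklist) and host not in hits:
                hits.append(host)
    return hits


# Constructed sample: names under .test are placeholders, not real indicators.
SAMPLE_BODY = (
    "Hello, see "
    "http://www.google.li/url?q=http%3A%2F%2Fwww%2Espam-example%2Etest%2Fcms%2F%3Fgo%3Dtp"
    " for details"
)
SAMPLE_BLOCKLIST = {"spam-example.test"}

if __name__ == "__main__":
    print("outer host only:", check_message(SAMPLE_BODY, SAMPLE_BLOCKLIST, unwrap=False))
    print("with unwrapping:", check_message(SAMPLE_BODY, SAMPLE_BLOCKLIST, unwrap=True))
```

With `unwrap=False` only the Google host is looked up and the message passes, which is the evasion described in the thread; with unwrapping the embedded host is tested as well.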
RE: [Declude.JunkMail] OT: DNS attacks
> Any dns experts on the list?

I'm not an expert but ...

> The server needs to do dns lookups for our clients,

That's not a problem as long as you allow outgoing DNS traffic on your firewall (or in your case cisco router)

> and needs to be available to other internet DNS servers for information on domains we host.

I assume this service is provided to the entire world because this DNS-server is one of the primary DNS-servers for at least one public domain name. Question: what type of queries are these you described above? Are they querying info about domain names you're hosting or are these requests for completely other domains and your server does the lookup and reports the result to the client? If this is the case you should disable this in your DNS-server configuration. For more help you maybe need a real DNS expert... Markus
RE: [Declude.JunkMail] VIRUS WARNING
> Before rebooting my server I always RENAME a dangerous file...

..maybe this will not work as long as the processes run and can't be stopped in the task manager. But if possible I too rename the original malware file and create a new one (new empty textfile renamed to the previous filename). Then set it to read only. If the malware resides somewhere else and will try to restore the original file if it was deleted by some virus/spyware-scanner this should help prevent a new infection. Markus
RE: [Declude.JunkMail] Spam Domains File Format
Here's an example

~ @paypal.com .paypal.citibank.com.ssmb.comfleet.com.bkb.comwellsfargo.com.norwest.com.ebay.com .emailebay.com@ebay.com .ebay.com~

Incoming emails have to match mailfrom and revdns. The optional second column is an alias. Due to this arrangement it's only possible to set one single possible alias as each second row for the same domain will already have caused to fail this test at the first row. Be careful with short domain names without @ and dots as this can trigger also longer domain names ending with this string. Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister Sent: Wednesday, August 10, 2005 6:24 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Spam Domains File Format

What is the file format for the spamdomains.txt file? I'm looking at the file but can't figure it out and can't find a description of the format anywhere. Paul Fuhrmeister
RE: [Declude.JunkMail] SmarterMail vs iMail
Excellent list, Matt. Some of this I've already discovered during my tests. Hopefully people at smartertools can read this. At the moment I hope they will address at least the most important things. A wrongly sorted send folder is nothing against something that will bring us admins critical errors or problems, especially in ISP environments.

As I've seen Smartermail seems to be working great and being developed in a more actual and future-safe ".NET-style" instead of "CGImail" but at the moment I can't switch to Smartermail without a.) keeping some of our users on IMail or b.) taking away some features that are important for some of our users and also spam detection.

For example consider SMTP-AUTH: Most of our - and I believe not only our - customers are using Outlook as EMail Client. There is an excellent test in spam filtering called CMDSPACE. It's very simple and resource-friendly. It's also pretty reliable and last but not least it's catching a significant part of all incoming spam. The problem: Any message coming from one of our customers using MS Outlook will also fail this test. As an ISP we cannot whitelist a certain IP-range and need the ability to whitelist all users that have authenticated before sending out messages through our server. Simple cause and - I believe - simple to solve. Let's see what will happen with v3. Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, August 08, 2005 9:54 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] SmarterMail vs iMail

I have actually moved my hosted E-mail over to SmarterMail despite my displeasure with the lack of ability to block non-authenticated messages and the way that they handled the answers. I came to the conclusion that SmarterMail just wasn't very well set up to handle the deluge of requests from their customers (or didn't respond appropriately), but other companies in this space will mostly not do a very good job themselves.
For me, since I am not doing any Declude stuff on SmarterMail, and I don't have a ton of hosted E-mail business, I figured that I could tolerate the shortcomings for a period of time and so I took the leap. Having scanning and hosted E-mail on the same server presented bigger challenges for me and I need to rectify them for QOS reasons (scanning can be bursty).SmarterMail 2.6 is definitely a 'green' product, though certainly not as green as it's predecessors. I would imagine that it all depends on one's specific requirements, and how willing they might be to wait for a new version of SmarterMail that should address some of the issues. 3.0 is rumored to start development at some point in the near future.After moving over to SmarterMail for hosted E-mail, I started taking a list of it's shortcomings, both in comparison to IMail, and also generically (some of which might also be shortcomings of IMail). If I was using Declude on my SmarterMail box, the list would be different. There is one big issue for me with Declude and SmarterMail being that it has no capability for WHITELIST AUTH, but the value of this will be different for every administrator. So anyway, here's a list of things that I have found and that people should watch out for if they matter to them: 1) Mailbox sizes can't be locked down. Domain admins can override the default value set by the system administrator, so in effect there is no control over what your domain admins might set for mail box sizes.2) Built-in antispam whitelists are based on the Mail From address matching a local user instead of something that checks to see if it was authenticated. 
I consider this to be a beginner's error in spam blocking technique and ultimately this was one of the things that prevented me from constructing a work-around for restricting E-mail to only what was authenticated or came from my scanning server.
3) Built-in antispam will count any A record returned from a blacklist query as a positive hit regardless of the value returned.
4) No capability for Program Aliases.
5) Autoresponder can't be removed from the webmail interface. I don't allow autoresponders from the server due to looping and backscatter issues, and I could only break the functionality and change the label to show that it was disabled. This has already resulted in customers asking me to re-enable it. On IMail I was able to remove the option entirely.
6) Catch-all (nobody) addresses can't be disabled from the domain administrator's interface. I think we all know how bad catch-all's are these days, and while the system admin's interface allows you to disable it, it still is functional, or at least the interface to it is.
7) Uses a proprietary mailbox format. Mailbox files are a mix of binary and ASCII data. This limits options when editing a
RE: [Declude.JunkMail] RBL's becoming worthless...
Chuck, Here are some numbers from my side: 100k messages in the last 7 days, 50.5% identified as legit, 49.5% as spam (viruses were filtered out before). The best IP4R-based tests were CBL (21%, 0.37%FP), SPAMCOP (21%, 0.47%FP) and XBL-DYNA (19%, 0.27%FP). So they catch less than 50% of incoming spam without creating a significant number of false positives. FIVETEN-SRC was able to catch 24% of spam but has also had FP's on around 6% of all processed messages. A text-filter combining the results of different IP4R-based tests has reached a catch rate of 36%. I consider it the current maximum that can be reached with IP4R-based tests by having a - let's say - moderate number of false positives. INV-URIBL instead can catch 37% of all messages as spam and I must say that up to now I haven't had time to try improving the INV-URIBL configfile. (Any suggestion is welcome!) It's also important that the number of FP's for this test is near to zero. SNIFFER was able to catch 47% of all spam messages but I must also say that there was a significant number of false positives (5%). Most of them generated by SNIFFER-GENERAL and SNIFFER-RICH. SPAMCHK has had correct results on around 45% of all messages, but also had around 7% of FP's. Other excellent tests were CMDSPACE (30%, 1%FP) and HELOISIP (13%, 0.17%FP). Due to Declude's weighting system and the combination of all these tests I can see between 10 and 20 spam messages each month in my inbox, by catching more than 300 spams each day. Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Tuesday, July 26, 2005 7:57 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] RBL's becoming worthless...

In the last several months we have seen large quantity of spam coming from IP blocks that never seem to get listed on any RBL. Spamcop is about the only one that picks some of them up and once in awhile spamhaus.
There was a block last night that sent several hundred and sendbase.org showed they had detected no email from that block. The reason I bring this up is because when we first started blocking spam I would say the blacklists would catch almost 90% so we relied heavily on the blacklist. With the blacklists not being as effective we need to rely on other tests like sniffer but that misses a lot also. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com
[Declude.JunkMail] Strange messages (Subject: 1)
In the last hours I can see some strange messages (see attached samples) sent from different servers and with obviously forged mailfrom addresses. Each message has as Subject and as Body 1 and an attached but empty file named 1.txt. The mailfrom address seems to be the first part of the recipient's address + some random domain name. I've added 1.txt to the Declude Virus BANNAME-List. Markus
---BeginMessage--- 1 1.txt Description: Binary data ---End Message---
---BeginMessage--- 1 1.txt Description: Binary data ---End Message---
RE: [Declude.JunkMail] SmarterMail shortcomings in a gateway environment
Matt, I'm not sure if this will help you. As I understand, you and other people go to use the alternative port 587 just because more and more ISPs are blocking outgoing SMTP traffic on port 25. I must say that in my region here I know only one ISP doing this and we've resolved the problem by implementing stunnel (www.stunnel.org). So we tell people having an internet connection with blocked port 25 that they should switch the configuration in the mail client to our server running stunnel and activate SSL for outgoing SMTP connections. Now I don't know if this will help you because I can't understand exactly why you need SMTP-Auth only on this port and not on the port 25 too. Don't misunderstand me: I'm sure you know what you want to do. Just I can't follow at the moment. Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, July 15, 2005 12:50 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] SmarterMail shortcomings in a gateway environment

Why does this always happen to me... I was looking to leave my IMail/Declude setup as my gateway spam blocking component, and move hosted E-mail to a different server. All I needed in the hosted mail server was something that could be configured in such a way as to only accept SMTP AUTH E-mail or E-mail that only came from my own gateway. I figured that SmarterMail with port 587 support (the SMTP submission port) would do the trick. Well, it turns out that despite earlier claims, SmarterMail supports another SMTP port of your choosing, but it doesn't limit it to SMTP AUTH-only. This means that the spammers that have a habit of bypassing your MX records for indefinite periods of time will be able to still hit the SmarterMail server and bypass the scanning gateways. I found a post from two days ago that pointed out this major shortcoming, and despite an earlier thread on the topic, it turns out that this is a real limitation.
I started searching for alternative methods around this, such as setting up a custom zone that blacklists the whole Internet except for the IP space of my scanning servers and using their internal spam blocking to delete anything that didn't come from my own space or was AUTHed. I ran into another problem here however...their blacklist capabilities don't allow for unique result codes, so anything that returns a result from a blacklist is treated as a positive hit. I had to actually create a CNAME record for a bogus domain to correspond to this space in order to work around that limitation and it worked. I then however figured out that they do not whitelist based on SMTP AUTH, but instead, they whitelist anything with a local address, and if a user doesn't have a local address in their headers but still AUTH's, it won't be whitelisted. So due to this shortsighted implementation on multiple fronts, there is no practical way to accomplish this and have it be reliable. I also came across another thread while researching things where some fellow Declude users were pointing out how their gateway configuration affected blacklists. We all know here that when gatewaying through a different server, you need something that is the equivalent of IPBYPASS for the gateway. They overlooked this, and after it was pointed out to them they suggested that they instead test all hops, which would have resulted in tagging many messages that are sent from clients on DUL IP space. I'm not sure that by the end of the thread that the concept stuck with them. It is a very pretty application, but it has a lot of settings within it and a few of them don't seem very well thought out. I E-mailed their tech support asking for ways around this or an indication of plans to support AUTH-only on the SMTP submission port and they ducked the questions saying that it wasn't possible to do at this time and directed my ticket to their sales staff so that I could get a refund. 
Unfortunately they seem to need to create a functional whitelisting mechanism for AUTHed users also for this to work instead of one based on the Mail From address. I'm a little put off by the short answers in response to such things, and the rubber stamped reply that it will be added to their suggestion database. Maybe I'm expecting too much... At this point, I'm looking for alternatives...including using IMail on the new server (I can do this with 8.20). I am also hopeful that maybe some of the others around here have run into this issue and possibly have some alternative suggestions. While I don't want to support IMail any longer and feel that they might again pull the rug out from under me, I can migrate things in a snap and I won't have to worry about taking a risk with SmarterMail. Matt -- = MailPure
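The blacklist behaviour discussed in this thread (any A record counted as a hit, with no way to match a specific result code) can be shown side by side with a code-aware check. This is an added example, not part of the original posts and not code from any mail server; the zone names, the addresses and the canned DNS answers are constructed so that it runs offline.

```python
import ipaddress

# Constructed answers standing in for live DNS so the example runs offline.
# Keys are DNSBL query names, values are the A records a resolver would return.
CONSTRUCTED_DNS = {
    # A combined list that encodes the listing category in the last octet
    # (the category values are assumptions made for this example).
    "10.2.0.192.combined.dnsbl.example": ["127.0.0.2"],
    "11.2.0.192.combined.dnsbl.example": ["127.0.0.4"],
    # A zone that answers every name with a public web server address,
    # which is what a parked or wildcarded domain looks like to a client.
    "10.2.0.192.wildcard.dnsbl.example": ["203.0.113.80"],
    "25.100.51.198.wildcard.dnsbl.example": ["203.0.113.80"],
}

DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def resolve_a(name):
    """Resolver stub: return the constructed A records for a name."""
    return CONSTRUCTED_DNS.get(name, [])


def query_name(ip, zone):
    """Build the IPv4 DNSBL query name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def any_answer_hit(ip, zone, resolver=resolve_a):
    """The criticised behaviour: every returned A record counts as listed."""
    return bool(resolver(query_name(ip, zone)))


def code_aware_hit(ip, zone, codes=(), mask=0, resolver=resolve_a):
    """Count a hit only for answers inside 127.0.0.0/8 that match the policy.

    codes: exact return values that count as listed.
    mask:  bits of the last octet that count as listed (bitmask lists).
    With neither given, any 127.0.0.0/8 answer counts.
    """
    for answer in resolver(query_name(ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        if addr not in DNSBL_ANSWER_NET:
            continue  # not a DNSBL result code at all (wildcard, parked zone)
        if not codes and not mask:
            return True
        if str(addr) in codes:
            return True
        if mask and (int(addr) & 0xFF) & mask:
            return True
    return False


def compare(cases):
    """Evaluate (ip, zone, codes, mask) cases under both policies."""
    results = []
    for ip, zone, codes, mask in cases:
        results.append({
            "ip": ip,
            "zone": zone,
            "any_answer": any_answer_hit(ip, zone),
            "code_aware": code_aware_hit(ip, zone, codes=codes, mask=mask),
        })
    return results


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "combined.dnsbl.example", {"127.0.0.2"}, 0),
        ("192.0.2.11", "combined.dnsbl.example", {"127.0.0.2"}, 0),
        ("198.51.100.25", "wildcard.dnsbl.example", (), 0),
    ]
    for row in compare(cases):
        print(row)
```

The second and third cases are the ones where the two policies disagree: a category the administrator did not ask for, and a zone that answers everything with a non-127.0.0.0/8 address.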
RE: [Declude.JunkMail] Un-Obfuscating Subjects
The ?B? in the encoded string tells you that it's a base64 decoded message. Googling for decode base64 should help you. Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, July 08, 2005 4:55 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Un-Obfuscating Subjects

Hello, All, When reviewing caught spam I usually have a handful of messages with subjects that are obfuscated. I know they aren't really obfuscated but instead are using a different encoding. Does anyone have a web site or tool where I could go and drop in the text, e.g... =?iso-8859-1?B?SG9ybnkgcGlsbHMgLSA3NSUgT0ZG?= so I can see exactly what the user would be seeing if the e-mail actually made it all the way to the e-mail client? Thanks In Advance, Dan Geiser [EMAIL PROTECTED] --- E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
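The subject in the question is an RFC 2047 encoded-word (`=?charset?encoding?payload?=`, where `B` is base64 and `Q` is a quoted-printable variant). The following is an added example, not part of the original posts: a small decoder that a filter could run before matching subject lines. Apart from the subject quoted in the question, the sample subjects and the function names are constructed for illustration.

```python
import base64
import quopri
import re

# One RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_word(charset, encoding, payload):
    """Decode one encoded-word; return None if it is malformed."""
    charset = charset.split("*", 1)[0]  # drop an optional language suffix
    try:
        data = payload.encode("ascii")
        if encoding in "bB":
            # Tolerate missing padding, reject characters outside base64.
            raw = base64.b64decode(data + b"=" * (-len(data) % 4), validate=True)
        else:
            # header=True: "_" stands for a space inside a header word.
            raw = quopri.decodestring(data, header=True)
        return raw.decode(charset, errors="replace")
    except (ValueError, LookupError):
        # Bad base64, non-ASCII payload or unknown charset.
        return None


def decode_subject(value):
    """Return the subject as a mail client would display it.

    Whitespace between two adjacent encoded-words is dropped, as the RFC
    requires; words that cannot be decoded are left exactly as received.
    """
    out = []
    pos = 0
    decoded_before = False
    for match in ENCODED_WORD.finditer(value):
        text = decode_word(*match.groups())
        if text is None:
            continue  # stays in the output as part of the next gap or tail
        gap = value[pos:match.start()]
        if not (decoded_before and gap.strip() == ""):
            out.append(gap)
        out.append(text)
        pos = match.end()
        decoded_before = True
    out.append(value[pos:])
    return "".join(out)


def filter_hits(subject, phrases):
    """Case-insensitive phrase match against the decoded subject."""
    text = decode_subject(subject).casefold()
    return [p for p in phrases if p.casefold() in text]


# The subject quoted in the question.
FROM_THE_POST = "=?iso-8859-1?B?SG9ybnkgcGlsbHMgLSA3NSUgT0ZG?="

# Constructed samples: a split base64 subject, a Q-encoded word inside plain
# text, and a word with an unknown charset that must be passed through.
CONSTRUCTED = [
    "=?iso-8859-1?B?SG9ybnkg?= =?iso-8859-1?B?cGlsbHM=?=",
    "Re: =?iso-8859-1?Q?75=25_OFF?= today",
    "=?x-no-such-charset?B?SGk=?=",
]

if __name__ == "__main__":
    for subject in [FROM_THE_POST] + CONSTRUCTED:
        print(repr(subject), "->", repr(decode_subject(subject)))
    print(filter_hits(FROM_THE_POST, ["75% off"]))
```

A phrase filter applied to the raw header never sees the text, which is why such subjects pass keyword tests until they are decoded first.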
RE: [Declude.JunkMail] For Marcus Gufler or Reidmann
Thanks for reporting this. I've forwarded it to Wolfgang as I have no access to this server. Hopefully it's only a defacement. Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Tuesday, June 14, 2005 6:16 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] For Marcus Gufler or Reidmann

I think it's just a defacement exploiting the PHP-Nuke system. I feel kind of bad for posting it here but could not find anywhere else to post or notify them via email. H.

Matt wrote: Looks like this hacker is targeting sites that make use of PHP-Nuke (a content management system). Maybe it's just a simple defacement that makes use of the tool instead of a full server hack. Matt

Heimir Eidskrem wrote: www.spamchk.com is hacked. I could not find an email address on your site to report this to.
RE: [Declude.JunkMail] For Marcus Gufler or Reidmann
It was a defacement and it's restored now. Looks like PHPNuke and its derivatives have serious security problems. Markus
RE: [Declude.JunkMail] Admin Web for Declude
The control panel for dummies approach of Postini now lets us defer the tweaks back to the user. Too much spam getting through? Well, sir, please log in to your Message Center (Postini lingo for web control panel) and crank up your settings. That's what we do for our customers and that's what we call service and that's the reason our customers are choosing us. ;-) Important email not getting through? Just log in and with an easy-to-use Web GUI adjust your allowed or disallowed lists. In the last months we set up a declude weighting system where messages we consider 200% spam are held. The range between 100% and 199% was marked in the subject line with [SPAM low] [SPAM mid] [SPAM high] or was held on the server and each recipient who has received also legit messages in this time range received one notify message with a link to a web frontend where he can log on and review his held messages. (just a list of mailfrom and subject line, the user can click on the message to requeue it or click on a clear-button at the end of the list) In addition the user can choose if he doesn't want to receive further notifications, if he doesn't want spam or virus filtering, and he can also choose his own spam-filter-risk-level. By choosing one of these levels his recipient address was added to a filter file. Instead of changing the hold level for this user we've added or subtracted some points from the final weight of each of his messages. The user did not have to understand this, just click on some check- or dropdown-boxes, and what should I say: We've dropped the entire webfrontend part as it turned out that A.) several people after the first login can't remember the password they've chosen some hours ago B.) most people understand absolutely nothing about how mail filtering works and they also don't want to understand it. They have already enough problems with their own work. C.)
We've watched what people have done after logging on and have seen: Most people after the first logon have requeued some messages. After one week most people have chosen to not receive notifies anymore. D.) The option to choose different risk-levels has caused way more requests to our support than all requests for false positive holds before. Now we mark the subject line for messages between 100 and 200% of what we consider spam and let the user choose what he wants to do with these messages by explaining to him through websites the message processing rules in his client software. Markus
RE: [Declude.JunkMail] Admin Web for Declude
Quite some time ago, there was mention about an Admin Web for Declude, is this available or does anyone have something to share? Declude is so flexible and can do so many different things that it would be nearly impossible to write a clickplay-frontend. There was already a discussion. The question is: Do you want as many functions as possible to manage your email traffic, with the drawback that you must know exactly what you need and what you're doing, or do you want fewer functions but these as easy as installing windows? Also what do you mean by admin web? Something that will write your configuration file and prevent wrong settings from your side (what's wrong?) or do you need something to let end-users choose different settings for their own mailbox? Markus
RE: [Declude.JunkMail] German political spam
Also, Markus' optimization of checking CMDSPACE before SUBJECT checking will not work in two cases: I've discovered another rare one. It seems like certain MTAs do correct command spaces and so a forwarded message from one of these MTAs will pass the filter files as it hasn't failed CMDSPACE. Markus
RE: [Declude.JunkMail] German political spam
Anyone else getting hit with massive waves of German spam as a byproduct of modified Sober code continuing from around 2 pm EDT today, or am I 'unique' in this? Update: I've noted that this type of message always will fail CMDSPACE. Please take care that the links that are part of the message body do not have anything to do with the initiator(s) of these messages. For example www.heise.de is an important German computer magazine and always strives for announcing security risks, spam techniques and so on. www.spiegel.de is a big German magazine and I'm 100% sure that it has nothing to do with this type of spam. Largely blocking these URIs in blacklists maybe is exactly what these spammers want. Markus
RE: [Declude.JunkMail] German political spam
I don't know l ibasoli.de but other domains like s piegel.de have absolutely nothing to do with the spammers. It's the online version of a really big, important and excellent German magazine and it's not good to block messages containing this domain if you don't want to block also the flow of legit information. The same for h eise.de. http://www.h eise.de/newsticker/meldung/59562 for example contains a short description of what's going on and also some user comments that have posted their spamassassin and postfix filter files for this type of spam: http://www.h eise.de/newsticker/foren/go.shtml?forum_id=78695list=1hs=0c=7992164 On the other side there are also links like n pd.de and I fear this is also the source of this spam campaign. It's a German party, fortunately not really large but unfortunately growing. The idea behind this party: look backwards in German story for 60-70 years. :-/ Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Sunday, May 15, 2005 4:27 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] German political spam

Actually, looking at this again I checked yesterday's log files. It seems that most of the domains were starting to be caught on SURBL and other URI lists around 8pm Eastern.

2005-05-14 20:02:57.171 2005-05-14 20:02:57.296 E:\IMAIL\SPOOL\D91ACBA660122CE0A.SMD rocknord.de 127.0.0.4 on multi.surbl.org [4] [Total Weight=2]
2005-05-14 21:47:07.609 2005-05-14 21:47:08.828 E:\IMAIL\SPOOL\DAA10CCE60118147C.SMD spiegel.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
2005-05-14 21:48:01.046 2005-05-14 21:48:02.328 E:\IMAIL\SPOOL\DAA4D12BC0264FFE5.SMD npd.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
2005-05-14 21:50:54.968 2005-05-14 21:50:55.281 E:\IMAIL\SPOOL\DAAFBBD960122AAD1.SMD rp-online.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

Darrell -- --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration.
Download a copy today - http://www.invariantsystems.com

- Original Message -
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 10:02 AM
Subject: Re: [Declude.JunkMail] German political spam

Markus, I have noticed that most of these messages at the start of this campaign were getting caught on SURBL using invURIBL. Do you know anything about that domain listed below?

2005-05-15 00:19:19.890 2005-05-15 00:19:19.968 E:\IMAIL\SPOOL\DCDC4C1BB006E894A.SMD libasoli.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

Darrell --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 3:37 AM
Subject: RE: [Declude.JunkMail] German political spam

Anyone else getting hit with massive waves of German spam as a byproduct of modified Sober code continuing from around 2 pm EDT today, or am I 'unique' in this? Update: I've noted that this type of message always will fail CMDSPACE. Please take care that the links that are part of the message body do not have anything to do with the initiator(s) of these messages. For example www.heise.de is an important German computer magazine and always strives for announcing security risks, spam techniques and so on. www.spiegel.de is a big German magazine and I'm 100% sure that it has nothing to do with this type of spam. Largely blocking these URIs in blacklists maybe is exactly what these spammers want. Markus
RE: [Declude.JunkMail] German political spam
The direct link for spamassassins filter file is http://www.filterregel.de.vu/rassistische_mails_2.cf Markus
RE: [Declude.JunkMail] German political spam
Correct. And along those lines, two thoughts come to mind. 1 Many of your users may see hundreds (maybe thousands) of nondeliverable\unknown user bounces. 'Damage control Monday' should be fun this week. Strange but at the moment I can't see only a very low number of NDR's. Some NDR's are filtered by the same subject line filters if the bouncing MTA does keep the original subject line in the subject. Maybe we have to change our filters to look for the known patterns also in the body. There are only some NDR's having the original message as attachment and some other challenge/response messages. What do you think about body-filtering the already known subject lines in order to prevent NDR-overfilled mailboxes tomorrow? BTW: A large part of Italy, Austria, Germany and maybe others have this Monday free so I believe the spammers have chosen this date well. Markus
RE: [Declude.JunkMail] AV After Junkmail
Yes I've reverted back because Junkmail has caught many virus messages. As we've had running vulnerability alerts containing a requeue link there was a risk that certain users click on a link to requeue an infected message. As we don't send out vulnerability alerts anymore maybe it would be an idea to think about reenabling AVAFTERJM. Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Thursday, May 05, 2005 2:16 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] AV After Junkmail

Markus, Does this mean you reverted back? I only ask this because you mention you had it on for a long time until 2004. Darrell --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com

- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, May 04, 2005 6:43 PM
Subject: RE: [Declude.JunkMail] AV After Junkmail

How many people are running this AVAFTERJM ON. Also, I am curious to see what your experience with this has been. Besides being careful about returning messages to the queue was there any other downsides? I've had set this switch to ON for a long time until 2004 has begun the still continuing wave of mail worms. This has caused many many virus messages being held as spam. A lot more of review work and as you said the risk that some human could requeue a message which seems legit but contains a virus. Markus
RE: [Declude.JunkMail] AV After Junkmail
How many people are running this AVAFTERJM ON. Also, I am curious to see what your experience with this has been. Besides being careful about returning messages to the queue was there any other downsides? I've had set this switch to ON for a long time until 2004 has begun the still continuing wave of mail worms. This has caused many many virus messages being held as spam. A lot more of review work and as you said the risk that some human could requeue a message which seems legit but contains a virus. Markus
RE: [Declude.JunkMail] Alternative drug spellings
Scott, I'll go to try your tool. Looking at the filter file I can see a lot of interesting declude like filter commands that look very very interesting. Maybe people at declude could give a look to these filter files... In addition I want to add: Maybe you can add the following replacements for obfuscating strings | = K |{ = K ; = i Last question: What weighting system (hold weight) are you using? I assume your filter file is prepared for this hold weight. Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, April 25, 2005 4:36 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Alternative drug spellings

I have a vb program that I run that de-obfuscates the subject line and runs it against a filter file. It'll catch lots of alternative drug spellings: http://it.farmprogress.com/declude/obfsubj.htm

- Original Message -
From: Dan Horne [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, April 25, 2005 9:10 AM
Subject: [Declude.JunkMail] Alternative drug spellings

Does anyone have a good, long filter file with a bunch of alternative spellings for the various drugs the spammers hawk? I know it is impossible to create a comprehensive list of them all, but if someone has a good start then I would love it if you could share it. We have been getting several of these that are just above our hold weight and I'd like to have a specific filter for this to pump it above the delete weight. Thanks, Dan Horne
RE: [Declude.JunkMail] Whitelist to a recipient
We have the same problem. We've solved our whitelisting for certain users by creating a whitelist text filter file ALLRECIPS -5000 IS [EMAIL PROTECTED], [EMAIL PROTECTED] Now certain messages having multiple recipients wouldn't be whitelisted by the -5000 counterweight and so not really whitelisted. An option to split up all messages having multiple recipients into multiple messages with only one recipient maybe wouldn't be very good because it would also create numerous legit messages. Maybe we can have a filter file command that would split up multi-recipient messages if at least one line in the filter file (see example above) will fail. There must not be one message for each recipient. It should be enough if the whitelisted recipient is removed from the recipients list in the queue file of the original message. just an idea... Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 25, 2005 9:29 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelist to a recipient

Corby,

If you have Declude Virus Pro, you can set up per-user configurations which are explained in the manual (http://www.declude.com/Version/Manuals/2.0.6.asp). You should also take note that multiple recipient spams can still be deleted when they are also received by others that have configs that redefine the handling of the message (HOLD or DELETE for example). There is a new action called DELETE_RECIPIENT that can stop this, but also can have other effects and needs to be studied before using.

On all other versions of Declude, you can try "bypasswhitelist" which was created primarily for this purpose. From the manual: "This optional test instructs Declude JunkMail to bypass any whitelisting for E-mails with at least a specific number of recipients and at least a specific weight.
For example, you could define a test with the following line in the \{MAILSERVER}\Declude\global.cfg file: BYPASSWHITELIST bypasswhitelist 60 5 0 0. The 60 refers to the weight the E-mail must reach, and the 5 refers to the minimum number of recipients. In this case, it would attempt to bypass the whitelisting for E-mail with 5 or more recipients and a weight of 60 or higher."

Matt

Agid, Corby wrote: We have a recipient on our system that doesn't want spam filtering. Simple enough, I added a WHITELIST TO in global.cfg file. This appears to have the consequence of whitelisting spam that is also addressed to others. He gets his spam, but so does everyone else the spam is addressed to. I see there is an option for per user whitelisting. What would the entry look like? Is this the best way to handle this problem? Corby

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] Imail crashes after declude 2.0.6
DEP can be configured under Control panel system advanced performance select the new third tab. It's my new top for "idiotic placements in a GUI configuration"

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, April 19, 2005 5:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Imail crashes after declude 2.0.6

I don't know if this is of any help here, but two new SP1 features that I don't understand and I fear to some extent are the "Application Experience Lookup Service" and "Data Execution Prevention (DEP)". It seems like both might represent overhead to things like Declude which are called from a command line along with all of the applications that it calls, and it might not be wise to run them in such an environment. I haven't tried turning them off yet, but I was just starting the process of researching them. The "Application Experience Lookup Service" can be turned off in Services, and "Data Execution Prevention (DEP)" is controlled by the boot.ini. I can't find hardly any information on the "Application Experience Lookup Service", but "Data Execution Prevention (DEP)" has a KB article about it: http://support.microsoft.com/kb/875352

There is also another level of DCOM security, and this may or may not cause issues with .NET stuff. I don't know.

I haven't tried upping from Declude 1.82 yet as I wanted to apply SP1 and make sure that it was workable before introducing something else that was new to the environment.

Matt

Erik wrote:

I'll add our point too. We also are crashing with 2.0.6 (also SP1 installed). We've put back 1.82 into production. No issues.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of scott_powner
Sent: Tuesday, April 19, 2005 4:35 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Imail crashes after declude 2.0.6

We just put SP1 on this morning but have not had a crash since we went back to 1.81 on Declude.

Thanks, Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gufler Markus
Sent: Tuesday, April 19, 2005 8:31 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Imail crashes after declude 2.0.6

I haven't upgraded yet to v2 but can see the same problems with imail since installed win2003 SP1. Haven't seen any crash since removing SP1 but this is not 100% sure at the moment. I will report it later this week.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of scott_powner
Sent: Tuesday, April 19, 2005 1:48 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Imail crashes after declude 2.0.6

Last Friday I finally upgraded from 1.81 to 2.0.6. We use Declude Pro Anti-Spam and Anti-Virus. On Friday after the install Imail web messaging crashed several times. We let the problem go until Monday. On Monday the problems got worse with numerous crashes of web messaging. I finally recopied 1.81 and have been crash free for 2 hours. What is going on with 2.0.6? Do I need to reconfigure something? Win2003 on a xeon processor with 2gb memory.

Thank you,
Scott Powner
MIU4
[EMAIL PROTECTED]

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =