[Declude.JunkMail] Spamdomains test
Does the Spamdomains test use the mailfrom or the From: address to compare to the revdns? I'm betting it is the mailfrom address.

Thanks
Stu

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains test
Stu,

The spamdomains test uses the mailfrom address. Declude derives all its sender and recipient information from the envelope, not the message headers.

David Franco-Rocha
Declude Technical / Engineering

----- Original Message -----
From: [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, January 06, 2006 10:50 AM
Subject: [Declude.JunkMail] Spamdomains test

Does the Spamdomains test use the mailfrom or the From: address to compare to the revdns? I'm betting it is the mailfrom address.

Thanks
Stu
Re: [Declude.JunkMail] Spamdomains test
Thanks Bill. I checked the archives and found one from Nov. 28, 2003 ... just got it set up.

thanks again,
Larry Craddock

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 28, 2004 12:34 AM
Subject: Re: [Declude.JunkMail] Spamdomains test

----- Original Message -----
From: Larry Craddock [EMAIL PROTECTED]

> Thanks everyone. Now that I understand how to use the test, does anyone have a spamdomains.txt file that includes the entries for the domains most commonly used that they could share?

Check the archives, Larry. I have posted mine to the list several times. If you cannot locate it, send me an e-mail off-list and I will send it to you.

Bill
[Declude.JunkMail] Spamdomains test
I think I need a little more detail on the spamdomains test. Here's the entire explanation from the manual:

[This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test.]

But I'm sure I've seen discussion someplace with reference to lines containing more than just a domain name in the spamdomains.txt file ... or is that all that's needed besides enabling the test?

Larry Craddock
Re: [Declude.JunkMail] Spamdomains test
> But I'm sure I've seen discussion someplace with reference to lines containing more than just a domain name in the spamdomains.txt file ... or is that all that's needed besides enabling the test?

That's a new feature that allows you to have an "alias" (for lack of a better word) that can be used in conjunction with the domain name.

So a line "example.com" would require that any E-mail address from @example.com must have a reverse DNS entry containing "example.com". However, if legitimate @example.com E-mail can also be sent from @example.net, then you could have a line "example.com example.net". With that line, an E-mail from @example.com could have a reverse DNS entry containing "example.com" or "example.net" (but it would not apply to users with an @example.net return address).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
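The check described in the manual excerpt and in Scott's reply, written out as an added example (not Declude's code and not from any poster). The sample file content and addresses are constructed, the function names are hypothetical, and because the thread only says the reverse DNS must "contain" the name, the sketch shows both a substring reading and a stricter whole-label suffix reading.

```python
# Added illustration of the SPAMDOMAINS logic described above; not Declude's code.
# Constructed spamdomains.txt content: "domain [alias ...]" per line.
SAMPLE_SPAMDOMAINS = """\
hotmail.com
example.com example.net
"""

def parse_spamdomains(text):
    """Map each listed sender domain to the names its reverse DNS may carry."""
    rules = {}
    for line in text.splitlines():
        fields = line.lower().split()
        if fields:
            rules.setdefault(fields[0], set()).update(fields)
    return rules

def envelope_domain(mail_from):
    """Domain of the SMTP MAIL FROM address; '' for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def rdns_matches(rdns, name, strict):
    """strict=False: substring ("contains"); strict=True: whole-label suffix."""
    rdns = rdns.lower().rstrip(".")
    if strict:
        return rdns == name or rdns.endswith("." + name)
    return name in rdns

def spamdomains_verdict(rules, mail_from, rdns, strict=False):
    """Return 'not-listed', 'no-rdns', 'pass' or 'fail' for one message."""
    allowed = rules.get(envelope_domain(mail_from))
    if allowed is None:
        return "not-listed"   # sender domain is not in the file: test does not apply
    if not rdns:
        return "no-rdns"      # lookup failed; how Declude scores this is not stated here
    ok = any(rdns_matches(rdns, name, strict) for name in allowed)
    return "pass" if ok else "fail"

RULES = parse_spamdomains(SAMPLE_SPAMDOMAINS)

if __name__ == "__main__":
    # Constructed (MAIL FROM, reverse DNS) pairs.
    for sender, rdns in [("<a@hotmail.com>", "law2.hotmail.com"),
                         ("<a@hotmail.com>", "mail.example.ru"),
                         ("<a@example.com>", "mx.example.net"),
                         ("<a@example.net>", "mx.example.com"),
                         ("<a@hotmail.com>", "hotmail.com.example.ru")]:
        print(sender, rdns, spamdomains_verdict(RULES, sender, rdns),
              spamdomains_verdict(RULES, sender, rdns, strict=True))
```

The last pair is the case where the two readings differ: a PTR name that merely embeds the listed domain satisfies a substring match but not a suffix match.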
Re[2]: [Declude.JunkMail] Spamdomains test
> So a line "example.com" would require that any E-mail address from @example.com must have a reverse DNS entry containing "example.com". However, if legitimate @example.com E-mail can also be sent from @example.net, then you could have a line "example.com example.net".

Scott, any thoughts on my suggestion of an extended SPFDOMAINS test type with which you could manually maintain SPF-formatted policies for given domains, running the data through the existing SPF parser?

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases!
http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/
Re: [Declude.JunkMail] Spamdomains test
Using the dnsbl type of test and a custom zone, you could extend this through DNS. For instance:

    MPBL-SPAMDOMAINS dnsbl %REVDNS%.%RHSBL%.spamdomains.example.com 127.0.0.2 4 0

In your custom zone, you could construct records like so:

    *.aol.com.aol.com    A      127.0.0.1
                         TXT    ( "Good Entry" )
    *.aol.com            A      127.0.0.2
                         TXT    ( "Bad Entry" )

I haven't yet tested this, but I believe that the wildcarding will work to give you the proper result. Essentially you define a single bad entry, and then one good entry for every set of reverse DNS with Mail From domain. Unlike SPAMDOMAINS, this could accommodate more than two different reverse DNS domains. The downside is that I don't know what it will do if Declude can't resolve a reverse DNS entry, or more accurately, what value will Declude use in place of the reverse DNS entry (this might be something to provide as an exception for each entry).

Alternatively, you could also use the %HELO% in combination with %RHSBL% since those don't need to do lookups. Same thing goes for %IP4R% as well if you wish to do it in a fashion similar to SPF.

Matt

Sanford Whiteman wrote:

> > So a line "example.com" would require that any E-mail address from @example.com must have a reverse DNS entry containing "example.com". However, if legitimate @example.com E-mail can also be sent from @example.net, then you could have a line "example.com example.net".
>
> Scott, any thoughts on my suggestion of an extended SPFDOMAINS test type with which you could manually maintain SPF-formatted policies for given domains, running the data through the existing SPF parser?
>
> --Sandy
>
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re[2]: [Declude.JunkMail] Spamdomains test
> Using the dnsbl type of test and a custom zone, you could extend this through DNS. For instance:
>
>     MPBL-SPAMDOMAINS dnsbl %REVDNS%.%RHSBL%.spamdomains.example.com 127.0.0.2 4 0

Interesting idea, Matt. Still way too much management compared to SPF-compatible formatting, though. The ability to append ._spf.example.com to SPF queries, or use the SPFDOMAINS text list, would be a lot easier.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
Re: [Declude.JunkMail] Spamdomains test
I've been planning on trying this for about a week now, and I'm still not convinced that it will work. From my standpoint though, this represents a good way to remove a tad bit more processing and maintain a system to be shared on multiple servers without having to update text files.

This idea originally came from my desire to qualify two pieces of information when whitelisting. Using this technique, you could effectively whitelist without fear of forging, though of course the possibility would still exist. You could credit messages that pass such a test such as from amazon.com, coming from an amazon.com reverse DNS entry, and that would be much stronger than systems like Bonded Sender which relies only on the IP, where servers can still be hijacked or infected. This is also a much more efficient way to credit messages than to maintain long lists of whitelist addresses and as above, it's a good format for a distributed system with multiple scanning servers that can be updated in real-time.

My biggest wish though is that both the To: address and the Reply-To: address were exposed through variables and filters, because that would allow me to apply credit to things that use VERP and also put it in DNS instead of using body or header filters to do the dirty work.

Matt

Sanford Whiteman wrote:

> > Using the dnsbl type of test and a custom zone, you could extend this through DNS. For instance:
> >
> >     MPBL-SPAMDOMAINS dnsbl %REVDNS%.%RHSBL%.spamdomains.example.com 127.0.0.2 4 0
>
> Interesting idea, Matt. Still way too much management compared to SPF-compatible formatting, though. The ability to append ._spf.example.com to SPF queries, or use the SPFDOMAINS text list, would be a lot easier.
>
> --Sandy
>
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.JunkMail] Spamdomains test
Thanks everyone. Now that I understand how to use the test, does anyone have a spamdomains.txt file that includes the entries for the domains most commonly used that they could share?

Larry Craddock
Re: [Declude.JunkMail] Spamdomains test
----- Original Message -----
From: Larry Craddock [EMAIL PROTECTED]

> Thanks everyone. Now that I understand how to use the test, does anyone have a spamdomains.txt file that includes the entries for the domains most commonly used that they could share?

Check the archives, Larry. I have posted mine to the list several times. If you cannot locate it, send me an e-mail off-list and I will send it to you.

Bill
[Declude.JunkMail] SpamDomains test not working consistently
Scott, I am noticing SpamDomains test is not working consistently. Lots of messages are being properly flagged, but many that should be flagged are not. I can provide samples, if you would like.

Thanks for looking into this.

Bill
Re: [Declude.JunkMail] SpamDomains test not working consistently
> Scott, I am noticing SpamDomains test is not working consistently. Lots of messages are being properly flagged, but many that should be flagged are not. I can provide samples, if you would like.

Yes, samples would be very helpful. Also, what version are you running?

-Scott
Re: [Declude.JunkMail] SpamDomains test not working consistently
----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]

> > Scott, I am noticing SpamDomains test is not working consistently. Lots of messages are being properly flagged, but many that should be flagged are not. I can provide samples, if you would like.
>
> Yes, samples would be very helpful. Also, what version are you running?

Never mind, I see what's happening. My name server is not responding to queries for about 3 minutes right after midnight while some reports are being generated. Sorry for the false alarm.

Bill