Re: [Declude.JunkMail] failed to fail test ?
> Yet this piece of mail did come through with a very low rate and didn't fail the HELOBOGUS?
>
> Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP
>   (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600

That's because the HELO is fament.com, and fament.com has an MX record. Therefore, it is a valid HELO.

However, 63.165.214.42 is not in the MX record of fament.com, so:

> X-Tests-Failed: IPNOTINMX, REVDNS.

it failed the IPNOTINMX test.

> Wouldn't helobogus add its weight to it? Or have I misunderstood the helobogus test? How can I punish servers that try to claim to be from my domain like the above?

HELOBOGUS just looks for bogus HELO entries (such as random characters, IPs masquerading as hostnames, and made-up domains).

IPNOTINMX checks for IPs that aren't listed in the sender domain's MX records (note that it is not unusual for legitimate mail to be sent this way).

In this case, SPAMDOMAINS may be the best answer, as it will require the reverse DNS entry of the sending computer to include the domain name in the return address -- but only for domains that you specify. So if you list fament.com, this mail would have been caught. But if you do list your domain, you need to be sure that people sending mail through your server come from IPs with your domain in the reverse DNS entry.

> And how could the score end up at -2? What is the math behind it.

Declude JunkMail adds all the weights for the E-mail, which came out to -2 here.

The confusing parts are things like negative weights (either kind -- a test that has a weight of -2, or a test that has a weight that is added for E-mail that does NOT fail the test, like the IPNOTINMX and NOLEGITCONTENT tests), and filters where multiple lines can match.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
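
How the weights add up for the message discussed in this thread, as an added example (it is not part of any post and is not Declude's code). It assumes the six-column layout of the global.cfg lines posted in the thread, with column 5 added when a test fails and column 6 added when it does not; only the four posted tests are included, so any difference from the reported total is attributed to tests or filters the thread does not show.

```python
import re

# Constructed from the four global.cfg lines and the two X- headers quoted in
# this thread. The poster's other tests are not shown on the page.
GLOBAL_CFG = """\
HELOBOGUS       helovalid       x x 6  0
IPNOTINMX       ipnotinmx       x x 0 -3
REVDNS          revdnsexists    x x 7  0
NOLEGITCONTENT  nolegitcontent  x x 0 -8
"""
HEADERS = """\
X-Tests-Failed: IPNOTINMX, REVDNS.
X-Note: Total spam weight of this E-mail is -2.
"""

def parse_tests(cfg):
    """Map test name -> (weight if failed, weight if NOT failed)."""
    tests = {}
    for line in cfg.splitlines():
        fields = line.split()
        if len(fields) != 6 or line.lstrip().startswith("#"):
            continue  # skip blanks, comments and lines in another layout
        tests[fields[0]] = (int(fields[4]), int(fields[5]))
    return tests

def failed_tests(headers):
    """Test names listed in the X-Tests-Failed header."""
    m = re.search(r"^X-Tests-Failed:(.*)$", headers, re.M | re.I)
    if not m:
        return set()
    return {t.strip(" .") for t in m.group(1).split(",") if t.strip(" .")}

def explain(cfg, headers):
    tests, failed = parse_tests(cfg), failed_tests(headers)
    # Every test contributes exactly one of its two weights.
    parts = {n: (fw if n in failed else pw) for n, (fw, pw) in tests.items()}
    m = re.search(r"Total spam weight of this E-mail is (-?\d+)", headers)
    reported = int(m.group(1)) if m else None
    subtotal = sum(parts.values())
    return {
        "parts": parts,
        "subtotal": subtotal,
        "clean_baseline": sum(pw for _, pw in tests.values()),
        "reported": reported,
        # Whatever is left over comes from tests or filters not listed here.
        "unlisted": None if reported is None else reported - subtotal,
    }

if __name__ == "__main__":
    for key, value in explain(GLOBAL_CFG, HEADERS).items():
        print(f"{key}: {value}")
```

The four posted tests give 0 + 0 + 7 - 8 = -1 for this message and -11 for a message that fails none of them, so the remaining -1 has to come from configuration not quoted in the thread.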
Re: [Declude.JunkMail] failed to fail test ?
Thanks Scott for clearing things up for me..

Since all my dialup and highspeed customers have correct revdns and everyone outside our network has to use smtp auth (running WHITELIST AUTH) then there should be no implications to do a spamdomain with fament.com. If this is the case then time to add all my own domains in there and cut off another potential spamhole...

Best regards,
Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network http://www.fament.com
Phone : 620-231- Fax : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
MikroTik, Star-OS, PACWireless, EnGenius, RF Industries

> > Yet this piece of mail did come through with a very low rate and didn't fail the HELOBOGUS?
> >
> > Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP
> >   (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600
>
> That's because the HELO is fament.com, and fament.com has an MX record. Therefore, it is a valid HELO.
>
> However, 63.165.214.42 is not in the MX record of fament.com, so:
>
> > X-Tests-Failed: IPNOTINMX, REVDNS.
>
> it failed the IPNOTINMX test.
>
> > Wouldn't helobogus add its weight to it? Or have I misunderstood the helobogus test? How can I punish servers that try to claim to be from my domain like the above?
>
> HELOBOGUS just looks for bogus HELO entries (such as random characters, IPs masquerading as hostnames, and made-up domains).
>
> IPNOTINMX checks for IPs that aren't listed in the sender domain's MX records (note that it is not unusual for legitimate mail to be sent this way).
>
> In this case, SPAMDOMAINS may be the best answer, as it will require the reverse DNS entry of the sending computer to include the domain name in the return address -- but only for domains that you specify. So if you list fament.com, this mail would have been caught. But if you do list your domain, you need to be sure that people sending mail through your server come from IPs with your domain in the reverse DNS entry.
>
> > And how could the score end up at -2? What is the math behind it.
>
> Declude JunkMail adds all the weights for the E-mail, which came out to -2 here.
>
> The confusing parts are things like negative weights (either kind -- a test that has a weight of -2, or a test that has a weight that is added for E-mail that does NOT fail the test, like the IPNOTINMX and NOLEGITCONTENT tests), and filters where multiple lines can match.
>
> -Scott
Re: [Declude.JunkMail] failed to fail test ?
Eje,

There are instances where an entry for your local domain would fail SPAMDOMAINS on a legit E-mail. This generally happens as a result of E-mail scripts that forge the MAILFROM address so that it matches the submitted E-mail, it happens with things like greeting cards and send-a-links (americangreetings.com for instance), and it happens with some bulk-mailing E-mailers that your own customers might be using to send other local users legit E-mail.

Watch this carefully if you add it because it definitely will result in some false positives, though it may be more or less problematic depending on your client base (individuals have bigger issues with greeting cards and send-a-links, and businesses have bigger issues with E-mail scripts and legit bulk mailers). I have this test scored only at 20% or 30% of my fail weight (I can't recall).

Matt

Eje Gustafsson wrote:

> Thanks Scott for clearing things up for me..
>
> Since all my dialup and highspeed customers have correct revdns and everyone outside our network has to use smtp auth (running WHITELIST AUTH) then there should be no implications to do a spamdomain with fament.com. If this is the case then time to add all my own domains in there and cut off another potential spamhole...
[Declude.JunkMail] failed to fail test ?
I have the following two tests in my global.cfg (along with others)

    HELOBOGUS       helovalid       x x 6  0
    IPNOTINMX       ipnotinmx       x x 0 -3
    REVDNS          revdnsexists    x x 7  0
    NOLEGITCONTENT  nolegitcontent  x x 0 -8

Yet this piece of mail did come through with a very low rate and didn't fail the HELOBOGUS?

    Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP
      (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600
    Received: from DJQ92P11 [192.168.123.124] by fament.com with eSMTP;
      Sat, 22 Nov 2003 19:27:21 -0600
    Message-ID: [EMAIL PROTECTED]
    From: ryan [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    X-Tests-Failed: IPNOTINMX, REVDNS.
    X-Note: Total spam weight of this E-mail is -2.

By default everything is supposed to be -11 on a good e-mail. 63.165.214.42 is NOT a valid MX record for fament.com.

Wouldn't helobogus add its weight to it? Or have I misunderstood the helobogus test? How can I punish servers that try to claim to be from my domain like the above?

And how could the score end up at -2? What is the math behind it. The -3 and -8 in the 6th column are the only - I have in that column anywhere. So if it's -8 + 7 then shouldn't the weight be -1 and not -2?

But most important how can I punish servers that claim to be fament.com if they are not?

Best regards,
Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network http://www.fament.com
Phone : 620-231- Fax : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
MikroTik, Star-OS, PACWireless, EnGenius, RF Industries