RE: [Declude.JunkMail] BadHeaders?

[David Barker]

Unfortunately you will have to search the RFC's I will check the Declude
code to see if there are any references in the comments. IF there are I will
let you know.

David Barker

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Wednesday, April 30, 2008 1:17 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] BadHeaders?

David,

Thank you for the explanation. I actually wrote the code that generates the
Message-ID.  Do you happen to have a link to documentation that would show
the proper format for the Message-ID?

Thanks,

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Wednesday, April 30, 2008 11:55 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] BadHeaders?
> 
> The E-mail failed the BADHEADERS test. This means the email failed with a
> violation of the RFC. This specific code indicates a incorrect Message-ID:
> in the header.
> 
> David B
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Wednesday, April 30, 2008 12:36 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] BadHeaders?
> 
> Hi Everyone,
> 
> We have an application that generates email using Cold Fusion.  The
> application sends email to me.  The email never goes outside of our
servers.
> Declude is flagging the email as having BadHeaders:
> 
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
> [8004000e].
> 
> I don't have a clear understanding of what BadHeaders evaluates.  I
realize
> I can whitelist the email but what I really want to do is figure out how
to
> fix how Cold Fusion formats the email so that it does not trigger the
> BadHeaders test.  We do send email via other applications to outside users
> and so fixing this problem will help insure delivery to those people, too.
> 
> Thanks,
> 
> Dave
> 
> 
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BadHeaders?

[Dave Beckstrom]

David,

Thank you for the explanation. I actually wrote the code that generates the
Message-ID.  Do you happen to have a link to documentation that would show
the proper format for the Message-ID?

Thanks,

Dave

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
> Barker
> Sent: Wednesday, April 30, 2008 11:55 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] BadHeaders?
> 
> The E-mail failed the BADHEADERS test. This means the email failed with a
> violation of the RFC. This specific code indicates a incorrect Message-ID:
> in the header.
> 
> David B
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Wednesday, April 30, 2008 12:36 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] BadHeaders?
> 
> Hi Everyone,
> 
> We have an application that generates email using Cold Fusion.  The
> application sends email to me.  The email never goes outside of our
servers.
> Declude is flagging the email as having BadHeaders:
> 
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
> [8004000e].
> 
> I don't have a clear understanding of what BadHeaders evaluates.  I
realize
> I can whitelist the email but what I really want to do is figure out how
to
> fix how Cold Fusion formats the email so that it does not trigger the
> BadHeaders test.  We do send email via other applications to outside users
> and so fixing this problem will help insure delivery to those people, too.
> 
> Thanks,
> 
> Dave
> 
> 
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com.





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BadHeaders?

[David Barker]

The E-mail failed the BADHEADERS test. This means the email failed with a
violation of the RFC. This specific code indicates a incorrect Message-ID:
in the header.

David B

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Wednesday, April 30, 2008 12:36 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] BadHeaders?

Hi Everyone,

We have an application that generates email using Cold Fusion.  The
application sends email to me.  The email never goes outside of our servers.
Declude is flagging the email as having BadHeaders:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8004000e].

I don't have a clear understanding of what BadHeaders evaluates.  I realize
I can whitelist the email but what I really want to do is figure out how to
fix how Cold Fusion formats the email so that it does not trigger the
BadHeaders test.  We do send email via other applications to outside users
and so fixing this problem will help insure delivery to those people, too.

Thanks,

Dave





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS

[Nick Hayer]

Here ya go Andy:
http://www.declude.com/tools/header.php

-Nick

[EMAIL PROTECTED] wrote:


Hi,

Can someone point me to detailed info on what the BADHEADERS test looks
at and/or how this error can be remedied?  Already looked in the declude 
manual, not enough info.

Thanks, Andrew
ISP guy


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS and HELOBOGUS coming up a lot

[Robert Grosshandler]

Hi

You are using both Sniffer and the Invariant Systems URI tests together? 

Maybe I was even denser than I thought, but I thought they sort of
duplicated each other.

Thanks,

Rob 


We have learned over the past year, that most of the built-in tests of
Declude are not effective like they were in the past.  Now yes, DNS lookup
tests are good if you use an active source.  Very good.  And in our
experience in just the past year, external tests called by Declude like
SNIFFER and Invariant Systems ... Very, very, effective.  Infact, we have
removed most of our BODY, HEADERS, and SUBJECT filters; infact about 95% of
them.  We also do use a few of Matt's filters for "scam" detection; but have
lowered much these weights as Invariant's URI program and SNIFFER takes the
most "blunt" in punishing the email.  Matt, on this list, is very good.  :-)
(in my opinion).  So is Andy and Darrell.  I have learned a lot about them
just by being silent on the list and observing their feedbacks.


---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS and HELOBOGUS coming up a lot

[Erik]

Hi Kevin,

This email is more our/your FYI than much an answer to your question:

We've also noticed this on other tests of Declude that are built in; but not
much on BADHEADERS.  Decludes BADHEADERS test is a good test and accurate in
our opinion; but we have lowered the score on this test as well as
SPAMHEADERS and HELOBOGUS.

We and (myself; now living outside of USA.. Where email bounces thru servers
to USA and then back to me from USA (to another Country) have notice the
ROUTING test will fail on email received to me; when it is received by a
Country I am in; and where I have respond/created an email to that Country.
And that email is legit. I use SMTP to our servers in USA; so this bypasses
our Declude (incoming authorize email).  Also so does the NOPOSTMASTER and
NOABUSE fail here.  Many ISP's (at least in Eastern Europe) do not use these
anymore.  Although, yes an RFC requirement, they have chose to disregard
that rule; and not setup those addresses.  We have disable these tests in
Declude due to a number of "false" positives.  At first we lowered the
weight returned by these tests... Then later removed them completely.

We have learned over the past year, that most of the built-in tests of
Declude are not effective like they were in the past.  Now yes, DNS lookup
tests are good if you use an active source.  Very good.  And in our
experience in just the past year, external tests called by Declude like
SNIFFER and Invariant Systems ... Very, very, effective.  Infact, we have
removed most of our BODY, HEADERS, and SUBJECT filters; infact about 95% of
them.  We also do use a few of Matt's filters for "scam" detection; but have
lowered much these weights as Invariant's URI program and SNIFFER takes the
most "blunt" in punishing the email.  Matt, on this list, is very good.  :-)
(in my opinion).  So is Andy and Darrell.  I have learned a lot about them
just by being silent on the list and observing their feedbacks.

Now, our servers have only received a maximum of 12,356 emails a day (last
peak recorded on 8/4/2005).  I know other ISP's / servers that use Declude
receive more or less then us.)  The above is based on our usage and
feedback.  Each ISP/email server can be different.

-Erik


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Thursday, August 18, 2005 9:48 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] BADHEADERS and HELOBOGUS coming up a lot


These tests (especially BADHEADERS) seem to be catching a lot of legit 
mail lately.  I've attached one of the headers  It seems like many of 
the emails are sent from Exchange servers.  What exactly makes the 
headers bad?Any ideas?

Received: from ss_email.ssc.internal [216.201.186.154] by 
Rogersbenefit.com with ESMTP
(SMTPD-8.21) id AA0C60F44; Wed, 17 Aug 2005 10:55:24 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_=_NextPart_001_01C5A354.6BB3DE4D"
Subject: FW: Erecycler - Request for quote
Date: Wed, 17 Aug 2005 12:52:22 -0500
Message-ID: 
<[EMAIL PROTECTED]> 
 

X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Erecycler - Request for quote
Thread-Index: AcWilPivw61uWKcZTbmhEGnyYpc9YgAvrosg
X-Priority: 1
Priority: Urgent
Importance: high
From: "Carrie Mateer"EMAIL PROTECTED"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail 
client [840a].
X-RBL-Warning: HELOBOGUS: Domain ss_email.ssc.internal has no MX or A 
records [0301].
X-Declude-Sender: EMAIL PROTECTED [216.201.186.154]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, WEIGHT10 [13]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Note: This E-mail was sent from mail2.sleepersewell.com 
([216.201.186.154]).
X-RCPT-TO:EMAIL PROTECTED 
 

Status: R
X-UIDL: 417013027
X-IMail-ThreadID: 7a0c0e8c19d1

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS and HELOBOGUS coming up a lot

[Matt]

Kevin,

Microsoft E-mail clients have a nasty habit of excluding the To when 
there are only CC or BCC recipients.  You will almost exclusively see 
this on some sort of E-mail blast from Exchange servers.  The proper 
(RFC compliant) way to construct the headers when no To address is 
specified would be to do something like the following:


   To: undisclosed-recipients:;

You aren't going to fix the issues with the sender in this case unless 
you convince them to put at least one To address in because this is a 
flaw that Microsoft created.  It would be easier to just whitelist them.


One other recommendation would be to lower the scores of the BADHEADERS, 
SPAMHEADERS and HELOBOGUS tests.  IMO, the default config is weighted a 
little heavy with these tests, and they are not highly accurate, and 
they will often enough trigger on legitimate E-mail in groups.


Matt



Kevin Rogers wrote:

Thanks for showing me that sweet tool, Nick.  Has anyone come across 
this error enough to know which mail client was sending it or if it 
could be sent legitmately but still gets flagged?


Not having a To: is pretty bad I assume.

Thanks.


Nick Hayer wrote:


Hi Kevin,


Kevin Rogers wrote:

These tests (especially BADHEADERS) seem to be catching a lot of 
legit mail lately.  I've attached one of the headers  It seems like 
many of the emails are sent from Exchange servers.  What exactly 
makes the headers bad?Any ideas?




Here is what made this one fail the BADHEADERS test:
http://www.declude.com/tools/header.php?code=840a

-Nick






Received: from ss_email.ssc.internal [216.201.186.154] by 
Rogersbenefit.com with ESMTP

(SMTPD-8.21) id AA0C60F44; Wed, 17 Aug 2005 10:55:24 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_=_NextPart_001_01C5A354.6BB3DE4D"
Subject: FW: Erecycler - Request for quote
Date: Wed, 17 Aug 2005 12:52:22 -0500
Message-ID: 
<[EMAIL PROTECTED]> 
 


X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Erecycler - Request for quote
Thread-Index: AcWilPivw61uWKcZTbmhEGnyYpc9YgAvrosg
X-Priority: 1
Priority: Urgent
Importance: high
From: "Carrie Mateer"EMAIL PROTECTED"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail 
client [840a].
X-RBL-Warning: HELOBOGUS: Domain ss_email.ssc.internal has no MX or 
A records [0301].

X-Declude-Sender: EMAIL PROTECTED [216.201.186.154]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, WEIGHT10 [13]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Note: This E-mail was sent from mail2.sleepersewell.com 
([216.201.186.154]).
X-RCPT-TO:EMAIL PROTECTED 
 


Status: R
X-UIDL: 417013027
X-IMail-ThreadID: 7a0c0e8c19d1

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses.]




---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS and HELOBOGUS coming up a lot

[Kevin Rogers]

Thanks for showing me that sweet tool, Nick.  Has anyone come across 
this error enough to know which mail client was sending it or if it 
could be sent legitmately but still gets flagged?


Not having a To: is pretty bad I assume.

Thanks.


Nick Hayer wrote:


Hi Kevin,


Kevin Rogers wrote:

These tests (especially BADHEADERS) seem to be catching a lot of 
legit mail lately.  I've attached one of the headers  It seems like 
many of the emails are sent from Exchange servers.  What exactly 
makes the headers bad?Any ideas?



Here is what made this one fail the BADHEADERS test:
http://www.declude.com/tools/header.php?code=840a

-Nick






Received: from ss_email.ssc.internal [216.201.186.154] by 
Rogersbenefit.com with ESMTP

(SMTPD-8.21) id AA0C60F44; Wed, 17 Aug 2005 10:55:24 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_=_NextPart_001_01C5A354.6BB3DE4D"
Subject: FW: Erecycler - Request for quote
Date: Wed, 17 Aug 2005 12:52:22 -0500
Message-ID: 
<[EMAIL PROTECTED]> 
 


X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Erecycler - Request for quote
Thread-Index: AcWilPivw61uWKcZTbmhEGnyYpc9YgAvrosg
X-Priority: 1
Priority: Urgent
Importance: high
From: "Carrie Mateer"EMAIL PROTECTED"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail 
client [840a].
X-RBL-Warning: HELOBOGUS: Domain ss_email.ssc.internal has no MX or A 
records [0301].

X-Declude-Sender: EMAIL PROTECTED [216.201.186.154]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, WEIGHT10 [13]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Note: This E-mail was sent from mail2.sleepersewell.com 
([216.201.186.154]).
X-RCPT-TO:EMAIL PROTECTED 
 


Status: R
X-UIDL: 417013027
X-IMail-ThreadID: 7a0c0e8c19d1

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses.]




---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS and HELOBOGUS coming up a lot

[Nick Hayer]

Hi Kevin,


Kevin Rogers wrote:

These tests (especially BADHEADERS) seem to be catching a lot of legit 
mail lately.  I've attached one of the headers  It seems like many of 
the emails are sent from Exchange servers.  What exactly makes the 
headers bad?Any ideas?


Here is what made this one fail the BADHEADERS test:
http://www.declude.com/tools/header.php?code=840a

-Nick






Received: from ss_email.ssc.internal [216.201.186.154] by 
Rogersbenefit.com with ESMTP

(SMTPD-8.21) id AA0C60F44; Wed, 17 Aug 2005 10:55:24 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_=_NextPart_001_01C5A354.6BB3DE4D"
Subject: FW: Erecycler - Request for quote
Date: Wed, 17 Aug 2005 12:52:22 -0500
Message-ID: 
<[EMAIL PROTECTED]> 
 


X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Erecycler - Request for quote
Thread-Index: AcWilPivw61uWKcZTbmhEGnyYpc9YgAvrosg
X-Priority: 1
Priority: Urgent
Importance: high
From: "Carrie Mateer"EMAIL PROTECTED"
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail 
client [840a].
X-RBL-Warning: HELOBOGUS: Domain ss_email.ssc.internal has no MX or A 
records [0301].

X-Declude-Sender: EMAIL PROTECTED [216.201.186.154]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, WEIGHT10 [13]
X-Note: Scanned by Declude JunkMail http://www.declude.com/x-note.htm
X-Note: This E-mail was sent from mail2.sleepersewell.com 
([216.201.186.154]).
X-RCPT-TO:EMAIL PROTECTED 
 


Status: R
X-UIDL: 417013027
X-IMail-ThreadID: 7a0c0e8c19d1

---
[This E-mail was scanned for viruses.]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS code 8400000a

[Matt]

Very much appreciated.  Back when I did a review of hits for this, I 
think it was over 95% FP's. Even if that isn't accurate, it's 
problematic enough to allow us to turn it off.

Thanks,

Matt



R. Scott Perry wrote:


I'm using i20 currently. Note that IE and probably Exchange as well, 
will allow a CC field with no To and it would previously produce the 
same results, I mention this because you didn't mention the exception 
, only the BCC exception.  People do of course send out to lists 
using the CC field, especially since IE doesn't show the BCC field by 
default.


It does seem odd the way that RFCs allow the lone Bcc: header, but not 
a lone Cc: header.

I definitely got an FP this morning on this using a BCC to multiple 
addresses:


The problem here is that Microsoft forgot to add a Bcc: header.  It's 
one of those weird things, that a Bcc: header is required even though 
one would think that a Bcc: header shouldn't be present (since it 
won't be completely "b" or "blind" if the header is there).  But if 
there is to "To:" header, the "Bcc:" header should be there.

However, it seems that little spam actually has this problem, so we 
will consider removing it from the BADHEADERS test.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS code 8400000a

[R. Scott Perry]

I'm using i20 currently. Note that IE and probably Exchange as well, will 
allow a CC field with no To and it would previously produce the same 
results, I mention this because you didn't mention the exception , only 
the BCC exception.  People do of course send out to lists using the CC 
field, especially since IE doesn't show the BCC field by default.
It does seem odd the way that RFCs allow the lone Bcc: header, but not a 
lone Cc: header.

I definitely got an FP this morning on this using a BCC to multiple addresses:
The problem here is that Microsoft forgot to add a Bcc: header.  It's one 
of those weird things, that a Bcc: header is required even though one would 
think that a Bcc: header shouldn't be present (since it won't be completely 
"b" or "blind" if the header is there).  But if there is to "To:" header, 
the "Bcc:" header should be there.

However, it seems that little spam actually has this problem, so we will 
consider removing it from the BADHEADERS test.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS code 8400000a

[Matt]

I'm using i20 currently. Note that IE and probably Exchange as well, 
will allow a CC field with no To and it would previously produce the 
same results, I mention this because you didn't mention the exception , 
only the BCC exception.  People do of course send out to lists using the 
CC field, especially since IE doesn't show the BCC field by default.

I definitely got an FP this morning on this using a BCC to multiple 
addresses:

From <[EMAIL PROTECTED]> Thu Jan 22 11:09:35 2004
Received: from *.*.*.org [209.105.181.131] by *.com with 
ESMTP
 (SMTPD32-8.05) id A5BB61017C; Thu, 22 Jan 2004 11:09:31 -0500
X-Exclaimer-OnMessagePostCategorize-{71daf94f-e3fe-4bbf-865a-6309cc88575e}: 
C:\Program Files\eXclaimer\eXclaimer.dll - 2.0.4.67
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="_=_NextPart_001_01C3E102.1D744C46"
Subject: [11] Moms
Date: Thu, 22 Jan 2004 11:09:29 -0500
Message-ID: 
<[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Moms
thread-index: AcPg93uCfg9mp7t5Qme9dmWnmlCzmgACj/+A
From: "Patti Tripoli" <[EMAIL PROTECTED]>
X-MailPure: 
==
X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected 
(weight 0).
X-MailPure: HELOBOGUS: Failed, bogus connecting server name (weight 4).
X-MailPure: BASE64: Failed, base64 encoded plain text or HTML (weight 3).
X-MailPure: CONCEALED: Failed, concealed message (weight 1).
X-MailPure: BADHEADERS: Failed, non-RFC compliant headers [840a] 
(weight 4).
X-MailPure: SNIFFER-WHITE: Failed, listed in the White Rules category 
(weight 0).
X-MailPure: WORDFILTER-BODY: Message failed WORDFILTER-BODY test (line 
43, weight 1).
X-MailPure: RECIPIENTS - <[EMAIL PROTECTED]>
X-MailPure: 
==
X-MailPure: Spam Score: 11
X-MailPure: Scan Time: 11:09:35 on 01/22/2004
X-MailPure: Spool File: Df5bb0061017ca15e.SMD
X-MailPure: Server Name: *.*.*.org
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: *-*-*-*.*.*.net 
[*.*.*.*]
X-MailPure: 
==
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: 
==
X-Declude-Date: 01/22/2004 16:09:29 [0]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: R
X-UIDL: 372977713





R. Scott Perry wrote:


I've been laying low on this one for a while, but BADHEADERS hits for 
not having a proper To address is commonly producing false positives 
on my system with personal E-mail, some of which will cause the 
messages to be held.  The issue here (just in case it was forgotten) 
is that Microsoft allows seemingly all of their mail clients to send 
without specifying a To address, in which case this test gets 
tripped.  This
happens mostly on newsletters or BCC blasts, but it also happens on 
personal E-mail on occasion, and it is very highly associated with 
legit E-mail instead of spam (at least on my system). When sending 
from an Exchange Web mail client, the BASE64 test also gets tripped, 
so this can be problematic based on associations as well.

Would you please remove this from hitting, or at least give us an 
entry to turn it off?


What version of Declude JunkMail are you using?  The latest interim 
release will not trigger the BADHEADERS test if there is a Bcc: header 
but no To: header (whereas previous versions would), since it is 
technically OK to have no To: header if there is a Bcc: header.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS code 8400000a

[R. Scott Perry]

I've been laying low on this one for a while, but BADHEADERS hits for not 
having a proper To address is commonly producing false positives on my 
system with personal E-mail, some of which will cause the messages to be 
held.  The issue here (just in case it was forgotten) is that Microsoft 
allows seemingly all of their mail clients to send without specifying a To 
address, in which case this test gets tripped.  This
happens mostly on newsletters or BCC blasts, but it also happens on 
personal E-mail on occasion, and it is very highly associated with legit 
E-mail instead of spam (at least on my system). When sending from an 
Exchange Web mail client, the BASE64 test also gets tripped, so this can 
be problematic based on associations as well.

Would you please remove this from hitting, or at least give us an entry to 
turn it off?
What version of Declude JunkMail are you using?  The latest interim release 
will not trigger the BADHEADERS test if there is a Bcc: header but no To: 
header (whereas previous versions would), since it is technically OK to 
have no To: header if there is a Bcc: header.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS on Message ID

[R. Scott Perry]

BADHEADERS caught the following E-mail for the Message ID.  I'm not sure 
if this is an RFC issue or not though, thinking that it might be due to 
the fact that the ID starts with a period, or maybe because it includes a 
comma???  Could you clarify that this is definitely a valid BADHEADERS hit?
It definitely is:

Message-ID: <.AAA-batch-00866,[EMAIL PROTECTED]>
The comma is illegal in a Message-ID: header (unless it is quoted, although 
I've never seen a Message-ID: header that was quoted).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS Question

[Jose Gosende]

Interesting. Thanks for the info!

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, August 11, 2003 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BADHEADERS Question



> > >Legitimate email is failing the BADHEADERS test. Do I need to
> > >modify something on my server so this test does not fail?
>
> > You need to modify something on the mail client (the program sending the
> > E-mail is broken).
>
> > Most likely, upgrading the mail client will fix the problem.

>Why would I need to upgrade my mail client?

Because most people don't like running broken software on their
servers.  Most likely, you're running a beta version of the software
involved.

>It's a ColdFusion page that's sending the email, by the way.

AH!  That explains the problem.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00661.html
covers getting CF not to fail the SPAMHEADERS test.  Most likely, another
broken part of CF (a bogus HELO/EHLO) is causing IMail to add a broken
header (since IMail generates the header on the assumption that the
HELO/EHLO information is valid), causing it to fail the BADHEADERS
test.  But, that problem will actually go away with the information at the
above URL (since CF will add the header that IMail was adding).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS Question

[R. Scott Perry]

> >Legitimate email is failing the BADHEADERS test. Do I need to
> >modify something on my server so this test does not fail?
> You need to modify something on the mail client (the program sending the
> E-mail is broken).
> Most likely, upgrading the mail client will fix the problem.

Why would I need to upgrade my mail client?
Because most people don't like running broken software on their 
servers.  Most likely, you're running a beta version of the software involved.

It's a ColdFusion page that's sending the email, by the way.
AH!  That explains the problem.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00661.html 
covers getting CF not to fail the SPAMHEADERS test.  Most likely, another 
broken part of CF (a bogus HELO/EHLO) is causing IMail to add a broken 
header (since IMail generates the header on the assumption that the 
HELO/EHLO information is valid), causing it to fail the BADHEADERS 
test.  But, that problem will actually go away with the information at the 
above URL (since CF will add the header that IMail was adding).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE : [Declude.JunkMail] BADHEADERS Question

[R. Scott Perry]

Do you know also how to fix too that with ASPMAil ?
Upgrading ASPMail to the latest version should take care of the problem.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE : [Declude.JunkMail] BADHEADERS Question

[mail-list]

Hi,

Do you know also how to fix too that with ASPMAil ?

Thanks
Mehdi Blagui

-Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] De la part de Jose Gosende
Envoyé : lundi 11 août 2003 15:49
À : [EMAIL PROTECTED]
Objet : RE: [Declude.JunkMail] BADHEADERS Question


Interesting. Thanks for the info!

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, August 11, 2003 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BADHEADERS Question



> > >Legitimate email is failing the BADHEADERS test. Do I need to
> > >modify something on my server so this test does not fail?
>
> > You need to modify something on the mail client (the program sending
the
> > E-mail is broken).
>
> > Most likely, upgrading the mail client will fix the problem.

>Why would I need to upgrade my mail client?

Because most people don't like running broken software on their
servers.  Most likely, you're running a beta version of the software
involved.

>It's a ColdFusion page that's sending the email, by the way.

AH!  That explains the problem.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00661.html
covers getting CF not to fail the SPAMHEADERS test.  Most likely,
another
broken part of CF (a bogus HELO/EHLO) is causing IMail to add a broken
header (since IMail generates the header on the assumption that the
HELO/EHLO information is valid), causing it to fail the BADHEADERS
test.  But, that problem will actually go away with the information at
the
above URL (since CF will add the header that IMail was adding).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS Question

[Jose Gosende]

Why would I need to upgrade my mail client?
It's a ColdFusion page that's sending the email, by the way.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, August 11, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] BADHEADERS Question



>Legitimate email is failing the BADHEADERS test. Do I need to
>modify something on my server so this test does not fail?

You need to modify something on the mail client (the program sending the
E-mail is broken).

Most likely, upgrading the mail client will fix the problem.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS Question

[R. Scott Perry]

Legitimate email is failing the BADHEADERS test. Do I need to
modify something on my server so this test does not fail?
You need to modify something on the mail client (the program sending the 
E-mail is broken).

Most likely, upgrading the mail client will fix the problem.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS Code a400010b -- not at/tools/header?

[R. Scott Perry]

I can't retrieve the extended info for code a400010b. Does anyone have
it on hand?


That one is caused by a missing To: header.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS Test question

[Jim Rooth]

Getting to me...look here, you say you been thinking again!  Sounds like
a retread coming off to me...


Jim Rooth
Klotron, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Friday, September 27, 2002 01:00
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BADHEADERS Test question


>Thanks Scott, I meant to say SPAMHEADERS in lieu of BADHEADERS...to
ya'll I was RFC ignorant...you had to figure the rest of the ignorance
out on your own...LOL

Me thinks you have been spending too much time around a truck stop again
Jim. The diesel fumes are getting to you again.

:-)>

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS Test question

[John Tolmachoff]

>Thanks Scott, I meant to say SPAMHEADERS in lieu of BADHEADERS...to
ya'll I was RFC ignorant...you had to figure the rest of the ignorance
out on your own...LOL

Me thinks you have been spending too much time around a truck stop again
Jim. The diesel fumes are getting to you again.

:-)>

John Tolmachoff
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS Test question

[Jim Rooth]

Thanks Scott, I meant to say SPAMHEADERS in lieu of BADHEADERS...to
ya'll I was RFC ignorant...you had to figure the rest of the ignorance
out on your own...LOL


Jim Rooth
Klotron, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, September 26, 2002 16:56
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] BADHEADERS Test question



>So far I've been very happy with JunkMail. I'm only running a few tests
and
>it's catching a lot of spam and porn. However, I'm noticing the
occasional
>legitimate email from badly formatted clients. For example, JunkMail
caught
>a confirmation email from an online service that one of my co-workers
signed
>up for. This was a good email but it had badly formatted headers.
>Fortunately, I'm not rejecting or deleting emails as of yet but
eventually I
>will. How do you all deal with emails that fail the BADHEADERS test
because
>of poor mail clients/senders but are legit emails that need to be
delivered?
>I'm looking for my "next step" in configuring JunkMail. Any advice is
>appreciated.

I think that Jim's suggestion of relying on the weighting system is the
best answer.

My personal opinion, though, is that the BADHEADERS test should have a
high
weight towards the weighting system, as no mail client should be sending

out E-mail with non-RFC-compliant headers -- that's very bad.  Given how

much spam has increased lately, I think we're getting to the point where

broken E-mail headers can't be ignored any longer.  Note that the
problem
doesn't lie with the overworked mail server administrator on the other
side
-- it lies in the company that designed the mail client, that they are
collecting money from.

The SPAMHEADERS test (headers that are technically RFC-compliant , but
spamlike) will catch E-mail from quite a few poorly designed web sites,
and
*should* be fixed, but since the headers are RFC-compliant, a lower
weight
should be used with the SPAMHEADERS test.
 Scott

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] BADHEADERS Test question

[R. Scott Perry]

>So far I've been very happy with JunkMail. I'm only running a few tests and
>it's catching a lot of spam and porn. However, I'm noticing the occasional
>legitimate email from badly formatted clients. For example, JunkMail caught
>a confirmation email from an online service that one of my co-workers signed
>up for. This was a good email but it had badly formatted headers.
>Fortunately, I'm not rejecting or deleting emails as of yet but eventually I
>will. How do you all deal with emails that fail the BADHEADERS test because
>of poor mail clients/senders but are legit emails that need to be delivered?
>I'm looking for my "next step" in configuring JunkMail. Any advice is
>appreciated.

I think that Jim's suggestion of relying on the weighting system is the 
best answer.

My personal opinion, though, is that the BADHEADERS test should have a high 
weight towards the weighting system, as no mail client should be sending 
out E-mail with non-RFC-compliant headers -- that's very bad.  Given how 
much spam has increased lately, I think we're getting to the point where 
broken E-mail headers can't be ignored any longer.  Note that the problem 
doesn't lie with the overworked mail server administrator on the other side 
-- it lies in the company that designed the mail client, that they are 
collecting money from.

The SPAMHEADERS test (headers that are technically RFC-compliant , but 
spamlike) will catch E-mail from quite a few poorly designed web sites, and 
*should* be fixed, but since the headers are RFC-compliant, a lower weight 
should be used with the SPAMHEADERS test.
 Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] BADHEADERS Test question

[Jim Rooth]

I do it by a weight system.  Thee are a few of the tests that really
have less value in catching "legitimate" spam.  For instance if you give
a heavy weight to noabuse, you will not receive any mail from Microsoft
as they do not want the emails telling them they are screwing up so
therefore they do not have an 'abuse' account.  BADHEADERS, in my
opinion, should have a lower value.  Many servers out there are
legitimate but have RFC ignorant people running them.  I know, cause I
am one ignorant son of a gun when it comes to RFC!


Jim Rooth
Klotron, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Troy Hilton
Sent: Thursday, September 26, 2002 15:53
To: Declude Junkmail Forum (E-mail)
Subject: [Declude.JunkMail] BADHEADERS Test question


Hello All,

So far I've been very happy with JunkMail. I'm only running a few tests
and
it's catching a lot of spam and porn. However, I'm noticing the
occasional
legitimate email from badly formatted clients. For example, JunkMail
caught
a confirmation email from an online service that one of my co-workers
signed
up for. This was a good email but it had badly formatted headers.
Fortunately, I'm not rejecting or deleting emails as of yet but
eventually I
will. How do you all deal with emails that fail the BADHEADERS test
because
of poor mail clients/senders but are legit emails that need to be
delivered?
I'm looking for my "next step" in configuring JunkMail. Any advice is
appreciated.

Troy D. Hilton
SofWerks LLC.
[EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] badheaders test

[Troy Hilton]

>Can anyone shed any light on exactly what the BADHEADERS test checks for?

It checks for E-mail headers that are broken (non-RFC-compliant).  There
are a number of different things that it looks for.

OK.

>I've got a client that is sending me legitimate emails but it's failing the
>BADHEADERS test and I can't see why.

To find out, you need to find the code that Declude JunkMail assigned the
E-mail (such as "80200202"). If you use the WARN action, this will appear
in the E-mail headers. Otherwise, you will need to look in the log file.

Ah, that explains why I can't see the code in the headers.

You can look up the code using the "BADHEADERS lookup" at
www.declude.com/tools . The most common reason an E-mail will fail the
BADHEADERS test is because it is missing a Date: header (or has no time
zone or an incorrect time zone). This is illegal, and will often cause
E-mail to get "lost" on a server or mail client. Upgrading the software
sending the E-mail will take care of the problem in almost all cases.

Cool. Thanks Scott.

Troy

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] badheaders test

[R. Scott Perry]

>Can anyone shed any light on exactly what the BADHEADERS test checks for?

It checks for E-mail headers that are broken (non-RFC-compliant).  There 
are a number of different things that it looks for.

>I've got a client that is sending me legitimate emails but it's failing the
>BADHEADERS test and I can't see why.

To find out, you need to find the code that Declude JunkMail assigned the 
E-mail (such as "80200202"). If you use the WARN action, this will appear 
in the E-mail headers. Otherwise, you will need to look in the log file.

You can look up the code using the "BADHEADERS lookup" at 
www.declude.com/tools . The most common reason an E-mail will fail the 
BADHEADERS test is because it is missing a Date: header (or has no time 
zone or an incorrect time zone). This is illegal, and will often cause 
E-mail to get "lost" on a server or mail client. Upgrading the software 
sending the E-mail will take care of the problem in almost all cases.
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Badheaders, Eudora and Incredimail

[R. Scott Perry]

>THis is the header from one of the incredimail messages:
>
>Message-Id: <3D74673B.1E.19449@Tyrone Sons.realnet.co.sz>

This one looks like Incredimail doesn't do an incredible job checking host 
names -- the last I checked, host names could not include a space in them.  :)

>The following is the header from a Eudora mail client:
>
>...
>
>I guess that the reason for the spam test being none is that I whitelisted
>the [EMAIL PROTECTED] e-mail address, and yes your note on the IP
>address is correct as there is an IP address instead of the server name.

Actually, the I address isn't the issue here (although the "X-Sender: 
[EMAIL PROTECTED]" should be "X-Sender: johnrest@[192.168.0.1]", the 
RFCs allow anything in the "X-" headers, so it is technically valid.

This E-mail didn't fail the BADHEADERS test here, just the SPAMHEADERS test 
(because it was sent without a Message-ID: header).  I'm guessing the 
version of Eudora they are running is a beta version, as I haven't heard of 
any legitimate mail clients that don't add the Message-ID: header (usually 
it's poorly designed web apps that have that problem).

-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Badheaders, Eudora and Incredimail

[Lachezar Karadjov]

Thanks for the prompt reply,

THis is the header from one of the incredimail messages:

Received: from Tyrone Sons [196.31.58.242] by tibiyo.com
  (SMTPD32-7.04) id A7DA483E01C8; Tue, 03 Sep 2002 09:42:18 +0200
MIME-Version: 1.0
Message-Id: <3D74673B.1E.19449@Tyrone Sons.realnet.co.sz>
Date: Tue, 3 Sep 2002 09:39:39 +0200 (South Africa Standard Time)
Content-Type: Multipart/related;
  type="multipart/alternative";
  boundary="Boundary-00=_3MQUP4J1VA40"
X-Mailer: IncrediMail 2001 (1750690)
From: "Tyrone Sons" <[EMAIL PROTECTED]>
X-FID: FEFCEF83-591F-11D4-AF87-0050DAC67E11
X-FVER: 2.0
X-FIT: Letter
X-FCOL: Old Papers
X-FCAT: Stationery
X-FDIS: Celtic Myth
X-Extensions:
SU1CTDEsNDEsgUmBSTgsODQsOMGVTY3FhThNhYUoiU0kOMGdTYGBjYEoJDSZnSyFhUksSU1CTDIs
MCwsSU1CTDMsMCws
X-BG: 
X-BGT: repeat
X-BGC: #ddbb99
X-BGPX: left
X-BGPY: 0px
X-ASN: EE860250-5330-11D4-BA52-0050DAC68030
X-ASNF: 0
X-ASH: EE860250-5330-11D4-BA52-0050DAC68030
X-ASHF: 1
X-AN: A5BE2A00-37CC-11D4-BA36-0050DAC68030
X-ANF: 0
X-AP: A5BE2A00-37CC-11D4-BA36-0050DAC68030
X-APF: 1
X-AD: 7E485C40-4138-11D4-BA3D-0050DAC68030
X-ADF: 0
X-AUTO: X-ASN,X-ASH,X-AN,X-AP,X-AD
X-CNT: ;
X-Priority: 3
To: <[EMAIL PROTECTED]>
Subject: Not sending mail
Reply-To: "Tyrone Sons" <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [196.31.58.242]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: BADHEADERS
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 323286068

The following is the header from a Eudora mail client:

Received: from johnresting [196.31.58.24] by realnet.co.sz
  (SMTPD32-7.06) id A891E79A011E; Tue, 03 Sep 2002 17:43:13 +0200
X-Sender: [EMAIL PROTECTED]
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 03 Sep 2002 17:45:53 +0200
To: <[EMAIL PROTECTED]>
From: John Resting <[EMAIL PROTECTED]>
Subject:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <200209031743796.SM00321@johnresting>
X-Declude-Sender: [EMAIL PROTECTED] [196.31.58.24]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: None
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 912182731

I guess that the reason for the spam test being none is that I whitelisted
the [EMAIL PROTECTED] e-mail address, and yes your note on the IP
address is correct as there is an IP address instead of the server name.

Best regards
Lachezar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Tuesday, September 03, 2002 4:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Badheaders, Eudora and Incredimail



>A lot of legitimate e-mail is getting caught because of badheaders.

That is very bad.

Note that any E-mail failing the BADHEADERS test is likely to get caught on
other servers, as well.

>Although we have set revdns, noabuse, nopostmaster and routing to "ignore"
>it appears that they add "weight" when combined.

That is correct, unless you disable those tests, or set the weight to
0.  The IGNORE action only affects the test that it is used with, and does
not take away the weight for that test.

>We've also discovered that the way Eudora and Incredimail write header
>information makes most if not all mail originating from these mail clients
>be caught as spam because of "badheaders"
>
>Is there any workaround?

I often get mail from people using Eudora and Incredimail, and they do not
fail the BADHEADERS test.  So it is likely a problem with the specific
version(s) that you are running, or a setup error.

There is a bug in some versions of Eudora that can cause the BADHEADERS
test to fail if an IP address is entered as the name of the server.  Eudora
will accept this, but assume that it is a host name (not an IP), so when it
generates the Message-ID: header, it uses the format for a hostname rather
than an IP, which breaks the header.

If you post the full headers of one of the E-mails that was caught
(actually, one for Eudora and one for Incredimail would be best), I can
take a look to see what is wrong.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Badheaders, Eudora and Incredimail

[R. Scott Perry]

>A lot of legitimate e-mail is getting caught because of badheaders.

That is very bad.

Note that any E-mail failing the BADHEADERS test is likely to get caught on 
other servers, as well.

>Although we have set revdns, noabuse, nopostmaster and routing to "ignore"
>it appears that they add "weight" when combined.

That is correct, unless you disable those tests, or set the weight to 
0.  The IGNORE action only affects the test that it is used with, and does 
not take away the weight for that test.

>We've also discovered that the way Eudora and Incredimail write header
>information makes most if not all mail originating from these mail clients
>be caught as spam because of "badheaders"
>
>Is there any workaround?

I often get mail from people using Eudora and Incredimail, and they do not 
fail the BADHEADERS test.  So it is likely a problem with the specific 
version(s) that you are running, or a setup error.

There is a bug in some versions of Eudora that can cause the BADHEADERS 
test to fail if an IP address is entered as the name of the server.  Eudora 
will accept this, but assume that it is a host name (not an IP), so when it 
generates the Message-ID: header, it uses the format for a hostname rather 
than an IP, which breaks the header.

If you post the full headers of one of the E-mails that was caught 
(actually, one for Eudora and one for Incredimail would be best), I can 
take a look to see what is wrong.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Badheaders.

[Zul J]

Scott..

Thanks a lot.

-Zul

- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 13, 2002 8:50 PM
Subject: Re: [Declude.JunkMail] Badheaders.


>
> >One of our developer created a vb program to send mail using our smtp
> >server but the mail failed the BADHEADERS spam test. Can anyone please
> >give me more info on the BADHEADERS spam test or how to rectify this ?
>
> To find out, you need to find the code that Declude JunkMail assigned the
> E-mail (such as "80200202"). If you use the WARN action, this will appear
> in the E-mail headers. Otherwise, you will need to look in the log file.
>
> You can look up the code using the "BADHEADERS lookup" at
> www.declude.com/tools . The most common reason an E-mail will fail the
> BADHEADERS test is because it is missing a Date: header (or has no time
> zone or an incorrect time zone). This is illegal, and will often cause
> E-mail to get "lost" on a server or mail client.
>  -Scott
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
>
> ---
>
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
>

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] Badheaders.

[R. Scott Perry]

>One of our developer created a vb program to send mail using our smtp 
>server but the mail failed the BADHEADERS spam test. Can anyone please 
>give me more info on the BADHEADERS spam test or how to rectify this ?

To find out, you need to find the code that Declude JunkMail assigned the 
E-mail (such as "80200202"). If you use the WARN action, this will appear 
in the E-mail headers. Otherwise, you will need to look in the log file.

You can look up the code using the "BADHEADERS lookup" at 
www.declude.com/tools . The most common reason an E-mail will fail the 
BADHEADERS test is because it is missing a Date: header (or has no time 
zone or an incorrect time zone). This is illegal, and will often cause 
E-mail to get "lost" on a server or mail client.
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] badheaders?

[R. Scott Perry]

>I have a message that was flagged as having bad headers.  I tried figuring 
>out the
>code so that I could use your badheader lookup, but I can't figure out 
>what I'm
>supposed to use in there.  Here are the headers.

To find the code, you have the use the WARN action, or check the Declude 
JunkMail log file.  My guess, looking at the headers, is that the problem 
is that there is no "To:" header, which is required.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

[Eje Gustafsson]

Unfortunately they do.
Not all mail clients and mail scripts that are used are fully RFC
compliant. Just look at Microsoft Passport password reset service.
badheaders & revdns.

Saw a mac e-mail client the otherday that triggered BOTH badheaders and
spamheaders. :(

Wednesday, March 06, 2002, 10:59:59 AM, you wrote:

PCc> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?

PCc> [EMAIL PROTECTED]
PCc> ---

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

RE: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

[R. Scott Perry]

> >> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS? <<
>
>That's pretty common - the two tests "overlap".

It's pretty common for spam, but should never happen with legitimate mail.

The two tests look for different problems, so no one problem will cause 
both the BADHEADERS and SPAMHEADERS tests to fail, but if there are 
multiple problems, both tests may fail.
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

[R. Scott Perry]

>Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?

No.

No legitimate mail should ever fail the BADHEADERS test.  A legitimate mail 
will only fail that test if it comes from a broken mail client.

Legitimate mail may fail the SPAMHEADERS test, if it is sent from a poorly 
designed mail client (usually one where the programmers felt it would be OK 
for some of the mail it sends to be marked as spam, in return for cheaper 
product).

The BADHEADERS and SPAMHEADERS tests look for different problems, so it is 
possible for an E-mail to fail both of them.
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

RE: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

[Andy Schmidt]

>> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS? <<

That's pretty common - the two tests "overlap".

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] BADHEADERS and SPAMHEADERS

[Lee at CybrHost.com]

>From our experience, they will.

Lee
-- 
Lee Woolman, 805-987-3643
CybrHost Corp. - High Speed Ecommerce Hosting,
a Miva Premier Hosting Partner

> From: <[EMAIL PROTECTED]>
> Organization: Computerized Horizons
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 6 Mar 2002 10:59:59 -0600
> To: <[EMAIL PROTECTED]>
> Subject: [Declude.JunkMail] BADHEADERS and SPAMHEADERS
> 
> Should a legitimate email ever fail both BADHEADERS and SPAMHEADERS?
> 
> [EMAIL PROTECTED]
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
> 
> ---
> 
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  You can E-mail
> [EMAIL PROTECTED] for assistance.  You can visit our web
> site at http://www.declude.com .
> 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] BADHEADERS customization

[R. Scott Perry]

>Is there anything we can do to customize the way BADHEADERS tests?  If there
>are several tests that it does, I would like to be able to turn on or off
>those components that give us false positives but be able to use this test
>for components that always find spam. SPAMHEADERS also?

Well, remember that the BADHEADERS test is the one test that really doesn't 
have any false positives.  It only catches E-mail that has broken headers, 
which usually means spam.

There isn't any way currently to choose which headers to look at.  However, 
you can use the WHITELIST feature to whitelist all mail from a certain IP 
or "From:" address if you need to.

Here's the information on how to use the WHITELIST feature (one of those 
"Not yet in the documentation" features):

You add (to \IMail\Declude\global.cfg) the word "WHITELIST", followed by 
"IP", "FROM", or "ANYWHERE", followed by the text to look for.  For 
example, "WHITELIST IP 127.0.0.1" would whitelist any E-mails coming from 
the IP address 127.0.0.1.  You could also use "WHITELIST IP 127.0.0." to 
whitelist any IP beginning with 127.0.0.

Some examples of FROM would be "WHITELIST FROM @declude.com" to whitelist 
any E-mail from declude.com, or "WHITELIST FROM [EMAIL PROTECTED]" to 
just whitelist E-mails from [EMAIL PROTECTED]

An example of ANYWHERE might be "WHITELIST ANYWHERE This is not spam" 
(although you wouldn't want to do that; most E-mail that contains "This is 
not spam" really is spam).

You can have up to 100 WHITELIST entries in your \IMail\Declude\global.cfg 
file.
-Scott

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

RE: [Declude.JunkMail] BADHEADERS

[R. Scott Perry]

>I had a mailing go out a little while ago that failed the spamheaders test
>too.  Here is the log for it:
>
>SPAMHEADERS (bad headers [,C0400202]),
>
>I'd be very interested to know what this means and if I can do something to
>fix it.

That one appears to have a couple problems.

First, it may have failed the BADHEADERS test because of a problem with the 
"Date: " header that violates the RFCs.  Spammers often guess what it 
should look like, and guess wrong.  The RFCs require a time zone, which has 
to be in a certain format.  If it is missing, or not correct, that would 
trigger the BADHEADERS test.

Second, it wasn't sent with a Message-ID: header (although IMail would have 
added one after it was received).  Virtually all legitimate E-mail clients 
add a Message-ID: header.  They aren't required (which is why it's part of 
the SPAMHEADERS test, not the BADHEADERS test), but a good sign of spam.
  -Scott

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

RE: [Declude.JunkMail] BADHEADERS

[Terry L. Fritts]

Scott,

I had a mailing go out a little while ago that failed the spamheaders test
too.  Here is the log for it:

SPAMHEADERS (bad headers [,C0400202]),

I'd be very interested to know what this means and if I can do something to
fix it.



Terry

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] BADHEADERS

[R. Scott Perry]

>BADHEADERS problems for me
>
>1) traps my internal mail generated by ASPQMail and Flick's ocxqmail
>(certainly nothing obvious to me about the headers being wrong)
>
>2) trapped most (maybe all) mailing list posts
>
>I just turned it on again and it immediately started trapping imail forum
>posts.

If something is failing the BADHEADERS test, either the mail client that 
sent the E-mail is broken, or Declude isn't working properly.  Either way, 
it's a good idea for us to know.

Could you check the logs to see the code associated with the failure?  You 
should see "Msg failed BADHEADERS []" -- I can look at the code in 
the brackets, and see what is wrong.  I haven't seen any IMail forum mail 
here get caught by the BADHEADERS test.
 -Scott

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .