Re: [Declude.JunkMail] General Filter

2005-09-01 Thread Orin Wells
Yeah, I saw that when I was looking at the utilities yesterday.  That will 
save me poking around and trying to plug all the email addresses into a list.


Thanks

At 05:39 PM 8/31/2005, Dave Doherty wrote:

Orin-


 We are preparing to send a mass message to all accounts on this issue.


A handy utility, in case you don't know about it, is mailall.exe in your 
Imail directory. Docs are at

http://www.ipswitch.com/Support/ICS/guides/IMailServer/8_2/IMailUGHTML/Chapter%2022%20cmd_line8.html

-Dave



- Original Message - From: Orin Wells [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, August 31, 2005 4:35 PM
Subject: RE: [Declude.JunkMail] General Filter



At 12:29 PM 8/31/2005, Dave Beckstrom wrote:

 Aren't they authenticating to Imail, and aren't you white listing
 authenticated senders?


Well, that is another issue we are finally being forced to address.

In the first place we are still running iMail 7.07 - we weren't willing 
to pay what I considered to be overpriced upgrade fees.  So we can't use 
the Whitelist Auth option.


We have a lot of users who know how to read their email, but not much 
more.  So moving them up to full authentication was something we put off 
until we ran into ORDB finding that they could relay through the Root 
account even though it had a changed password and was disabled.  That 
still bothers me, but that is the way it is.


We had relay for local user set and this had served us OK up to now.  We 
now have to bite the bullet and force all the users to learn how to set 
the authentication option in their various email applications.  It would 
have been handy if the manufacturers had all set this as a default, but 
they don't.  They each seem to have it somewhere different from each of 
the others and like to change things from one version to the next. 
Especially Netscape.  We are preparing to send a mass message to all 
accounts on this issue.  I think most have been instructed over the past 
year or so to be prepared to do this so it may not be as bad as I fear.


As for whitelisting we have not done this with local domains because of 
the limitation on whitelisting in Declude (200) in the global.cfg file. 
We have not so far tried to use the domain level whitelist file.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.






Re: [Declude.JunkMail] General Filter

2005-09-01 Thread Scott Fisher
You might consider putting a space after the short words in your body 
filters.


- Original Message - 
From: Orin Wells [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Wednesday, August 31, 2005 2:10 PM
Subject: [Declude.JunkMail] General Filter


I am having a problem with a client whose email to other members of her 
domain is getting trapped by the GeneralFilter (words or phrases we have 
added because they seem to mostly appear in spam).  In this particular case 
the triggering word seems to be P*O*R*N* without the stars.


I suspect what is happening is that the encoded attached word document 
just happens to have this set of letters in sequence in the encrypted data 
that is attached to the email file in imail.  It does not appear in the 
word document itself.  But when I look at the raw file on the server I can 
see this.


I take it from this that Declude when it scans the body of the message 
also scans any attachment that is sitting there in the encrypted mode.  If 
so is there a way around this?  Can I tell it not to scan the encrypted 
attachments or to expand them first?  If this sort of thing is in the 
latest Declude Junkmail manual, someone just tell me to read TFM.










RE: [Declude.JunkMail] General Filter

2005-08-31 Thread David Barker
You could try adding the following or something similar at the beginning of
your filter

BODY END CONTAINS Content-Transfer-Encoding: base64

Or instead of END a -10 depending on the values in your filter.

David B
www.declude.com 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Orin Wells
Sent: Wednesday, August 31, 2005 3:11 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] General Filter

I am having a problem with a client whose email to other members of her
domain is getting trapped by the GeneralFilter (words or phrases we have
added because they seem to mostly appear in spam).  In this particular case
the triggering word seems to be P*O*R*N* without the stars.

I suspect what is happening is that the encoded attached word document just
happens to have this set of letters in sequence in the encrypted data that
is attached to the email file in imail.  It does not appear in the word
document itself.  But when I look at the raw file on the server I can see
this.

I take it from this that Declude when it scans the body of the message also
scans any attachment that is sitting there in the encrypted mode.  If so is
there a way around this?  Can I tell it not to scan the encrypted
attachments or to expand them first?  If this sort of thing is in the latest
Declude Junkmail manual, someone just tell me to read TFM.









RE: [Declude.JunkMail] General Filter

2005-08-31 Thread John Tolmachoff (Lists)
BODY filters are generally the LAST test you want to rely on for several
reasons, including problems with encoding (such as you are witnessing) and
resources used. 

However, what concerns me is why are any actions being taken on messages
sent from one person in a domain to another person in the same domain.
Aren't they authenticating to Imail, and aren't you white listing
authenticated senders?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Orin Wells
 Sent: Wednesday, August 31, 2005 12:11 PM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] General Filter
 
 I am having a problem with a client whose email to other members of her
 domain is getting trapped by the GeneralFilter (words or phrases we have
 added because they seem to mostly appear in spam).  In this particular case
 the triggering word seems to be P*O*R*N* without the stars.
 
 I suspect what is happening is that the encoded attached word document just
 happens to have this set of letters in sequence in the encrypted data that
 is attached to the email file in imail.  It does not appear in the word
 document itself.  But when I look at the raw file on the server I can see
 this.
 
 I take it from this that Declude when it scans the body of the message also
 scans any attachment that is sitting there in the encrypted mode.  If so is
 there a way around this?  Can I tell it not to scan the encrypted
 attachments or to expand them first?  If this sort of thing is in the
 latest Declude Junkmail manual, someone just tell me to read TFM.
 
 
 
 
 
 
 


Re: [Declude.JunkMail] General Filter

2005-08-31 Thread Matt




Orin,

Declude unfortunately scans the entire undecoded message with BODY or
ANYWHERE filters. Because base64 encoding uses mostly letters and
numbers, larger attachments can hit shorter words such as the one you
pointed out. As a rule of thumb, you should add a space to the end of
the word in your filter file if it is 5 or fewer characters. base64
encoding can't have spaces in it so that will prevent it from hitting.
This technique can also prevent hits on words that aren't intended.
For instance pornographic
would also hit your filter, but you might not want to ban that word,
and adding a space would prevent this from happening.

You may find that filtering for banned words is not a constructive use
of time due to the false positives that it can cause and the time spent
dealing with issues. Ditching the filter and paying $325/year for
Sniffer would net far better results, and the price is generally very
reasonable for a server.

Matt



Orin Wells wrote:
I am having a problem with a client whose email to other
members of her domain is getting trapped by the GeneralFilter (words or
phrases we have added because they seem to mostly appear in spam). In
this particular case the triggering word seems to be P*O*R*N* without
the stars.
  
  
I suspect what is happening is that the encoded attached word document
just happens to have this set of letters in sequence in the encrypted
data that is attached to the email file in imail. It does not appear
in the word document itself. But when I look at the raw file on the
server I can see this.
  
  
I take it from this that Declude when it scans the body of the message
also scans any attachment that is sitting there in the encrypted mode.
If so is there a way around this? Can I tell it not to scan the
encrypted attachments or to expand them first? If this sort of thing
is in the latest Declude Junkmail manual, someone just tell me to read
TFM.
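
The effect Matt describes, reproduced as an added example (not part of the original thread and not Declude's own code). The banned word `cash`, the addresses and the attachment are constructed stand-ins, and the chance-hit estimate assumes uniformly random attachment data.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

WORD = "cash"  # constructed stand-in for a short banned word (assumption)

def build_message(body: str) -> bytes:
    """Constructed sample: a text body plus a binary attachment whose
    base64 form happens to contain WORD."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content(body)
    # The 3 bytes that base64-encode to WORD, padded on 3-byte boundaries
    # so the encoded word is not shifted or split across lines.
    payload = b"\x00" * 30 + base64.b64decode(WORD) + b"\x00" * 30
    msg.add_attachment(payload, maintype="application",
                       subtype="msword", filename="report.doc")
    return msg.as_bytes()

def raw_hit(raw: bytes, needle: str) -> bool:
    """Case-insensitive substring match over the undecoded message."""
    return needle.lower().encode() in raw.lower()

def decoded_text_hit(raw: bytes, needle: str) -> bool:
    """Match only decoded text/* parts; attachments are skipped."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            if needle.lower() in part.get_content().lower():
                return True
    return False

def expected_chance_hits(attachment_bytes: int, word_len: int) -> float:
    """Expected case-insensitive chance matches in an attachment's base64
    text, assuming uniformly random data: each character matches a given
    letter in either case with probability 2/64."""
    return (attachment_bytes * 4 / 3) * (2 / 64) ** word_len

if __name__ == "__main__":
    clean = build_message("Please review the attached document.")
    spammy = build_message("Send cash now.")
    print("raw scan, bare word, clean mail :", raw_hit(clean, WORD))
    print("raw scan, word + space, clean   :", raw_hit(clean, WORD + " "))
    print("raw scan, word + space, spammy  :", raw_hit(spammy, WORD + " "))
    print("decoded text scan, clean mail   :", decoded_text_hit(clean, WORD))
    for n in (4, 5, 6):
        print(f"{n}-letter word, 1 MiB attachment:",
              round(expected_chance_hits(1 << 20, n), 4), "expected hits")
```

Under the random-data assumption a 1 MiB attachment yields more than one expected chance hit for a 4-letter word and roughly one in a thousand for a 6-letter word.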
  
  
  
  
  
  
  
  
  
  
  





RE: [Declude.JunkMail] General Filter

2005-08-31 Thread Dave Beckstrom
John,

I left a voicemail message for you this morning to call me.  Please give me
a call ASAP.

Thanks,

Dave

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Wednesday, August 31, 2005 2:24 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] General Filter
 
 BODY filters are generally the LAST test you want to rely on for several
 reasons, including problems with encoding (such as you are witnessing) and
 resources used.
 
 However, what concerns me is why are any actions being taken on messages
 sent from one person in a domain to another person in the same domain.
 Aren't they authenticating to Imail, and aren't you white listing
 authenticated senders?
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Orin Wells
  Sent: Wednesday, August 31, 2005 12:11 PM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] General Filter
 
  I am having a problem with a client whose email to other members of her
  domain is getting trapped by the GeneralFilter (words or phrases we have
  added because they seem to mostly appear in spam).  In this particular
  case the triggering word seems to be P*O*R*N* without the stars.
 
  I suspect what is happening is that the encoded attached word document
  just happens to have this set of letters in sequence in the encrypted data
  that is attached to the email file in imail.  It does not appear in the
  word document itself.  But when I look at the raw file on the server I can
  see this.
 
  I take it from this that Declude when it scans the body of the message
  also scans any attachment that is sitting there in the encrypted mode.  If
  so is there a way around this?  Can I tell it not to scan the encrypted
  attachments or to expand them first?  If this sort of thing is in the
  latest Declude Junkmail manual, someone just tell me to read TFM.
 
 
 
 
 
 
 
 ---
 [This E-mail scanned for viruses by Declude Virus]




RE: [Declude.JunkMail] General Filter

2005-08-31 Thread Orin Wells

At 12:29 PM 8/31/2005, Dave Beckstrom wrote:

 Aren't they authenticating to Imail, and aren't you white listing
 authenticated senders?


Well, that is another issue we are finally being forced to address.

In the first place we are still running iMail 7.07 - we weren't willing to 
pay what I considered to be overpriced upgrade fees.  So we can't use the 
Whitelist Auth option.


We have a lot of users who know how to read their email, but not much 
more.  So moving them up to full authentication was something we put off 
until we ran into ORDB finding that they could relay through the Root 
account even though it had a changed password and was disabled.  That still 
bothers me, but that is the way it is.


We had relay for local user set and this had served us OK up to now.  We 
now have to bite the bullet and force all the users to learn how to set the 
authentication option in their various email applications.  It would have 
been handy if the manufacturers had all set this as a default, but they 
don't.  They each seem to have it somewhere different from each of the 
others and like to change things from one version to the next.  Especially 
Netscape.  We are preparing to send a mass message to all accounts on this 
issue.  I think most have been instructed over the past year or so to be 
prepared to do this so it may not be as bad as I fear.


As for whitelisting we have not done this with local domains because of the 
limitation on whitelisting in Declude (200) in the global.cfg file.  We 
have not so far tried to use the domain level whitelist file.





Re: [Declude.JunkMail] General Filter

2005-08-31 Thread Dave Doherty

Orin-


 We are preparing to send a mass message to all accounts on this issue.


A handy utility, in case you don't know about it, is mailall.exe in your 
Imail directory. Docs are at

http://www.ipswitch.com/Support/ICS/guides/IMailServer/8_2/IMailUGHTML/Chapter%2022%20cmd_line8.html

-Dave



- Original Message - 
From: Orin Wells [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Wednesday, August 31, 2005 4:35 PM
Subject: RE: [Declude.JunkMail] General Filter



At 12:29 PM 8/31/2005, Dave Beckstrom wrote:

 Aren't they authenticating to Imail, and aren't you white listing
 authenticated senders?


Well, that is another issue we are finally being forced to address.

In the first place we are still running iMail 7.07 - we weren't willing to 
pay what I considered to be overpriced upgrade fees.  So we can't use the 
Whitelist Auth option.


We have a lot of users who know how to read their email, but not much 
more.  So moving them up to full authentication was something we put off 
until we ran into ORDB finding that they could relay through the Root 
account even though it had a changed password and was disabled.  That 
still bothers me, but that is the way it is.


We had relay for local user set and this had served us OK up to now.  We 
now have to bite the bullet and force all the users to learn how to set 
the authentication option in their various email applications.  It would 
have been handy if the manufacturers had all set this as a default, but 
they don't.  They each seem to have it somewhere different from each of 
the others and like to change things from one version to the next. 
Especially Netscape.  We are preparing to send a mass message to all 
accounts on this issue.  I think most have been instructed over the past 
year or so to be prepared to do this so it may not be as bad as I fear.


As for whitelisting we have not done this with local domains because of 
the limitation on whitelisting in Declude (200) in the global.cfg file. 
We have not so far tried to use the domain level whitelist file.


