Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Corby, Because of MS SMTP handling the E-mail before it reaches my IMail/Declude system, Declude always inserts it's headers in the proper block, however MS SMTP can cause some of the pre-Declude headers (original) to appear in either the top of the body or the bottom of the body. Matt Agid, Corby wrote: Ok, thanks very much. I'll see if they'll get me the latest 2.x version to see if that works. Can you clarify somethingare you saying that you're receiving mail from the same spammer that's causing my problem, but your system is handling it correctly? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, January 24, 2006 5:37 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Corby, I assumed that you weren't using an MS gateway, I was just letting you know that what happened to these headers was going to be different on my system. I have tons of spam on my system generated by this spamware and it's all showing the same behavior so I suspect that there is an issue with what you are receiving as well. It could just be a single CR without an LF which can look normal in a text viewer, but can throw programs like Declude and MS SMTP off. This should explain the initial cause of the issue. The handling of the malformed headers may vary in different versions of Declude. For a 2.0.6.16 download, it appears that you will have to ask Declude directly for this or do the bigger upgrade to 3.x. Matt Agid, Corby wrote: Hi Matt, I'm not using any MS gateway on this. The mail comes into Imail/declude and uses Imail as the email server. I opened the message with notepad and didn't locate any misplaced headers. I would like to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on the site. Can you tell me where to find them? I logged in and found the 3.x downloads. Thanks for all of your help. This is sure a head scratcher for me. Cheers From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, January 24, 2006 4:59 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Corby, I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken. My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message. That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude. You should at least upgrade to 2.0.6.16 which is available from their site. Upgrading to 3.x would be something that you should plan more carefully though as it is a major change. I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source. If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working. Matt Agid, Corby wrote: Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, January 24, 2006 2:34 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Andrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it. Matt Agid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually dele
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Ok, thanks very much. I'll see if they'll get me the latest 2.x version to see if that works. Can you clarify somethingare you saying that you're receiving mail from the same spammer that's causing my problem, but your system is handling it correctly? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 24, 2006 5:37 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Corby,I assumed that you weren't using an MS gateway, I was just letting you know that what happened to these headers was going to be different on my system.I have tons of spam on my system generated by this spamware and it's all showing the same behavior so I suspect that there is an issue with what you are receiving as well. It could just be a single CR without an LF which can look normal in a text viewer, but can throw programs like Declude and MS SMTP off. This should explain the initial cause of the issue. The handling of the malformed headers may vary in different versions of Declude.For a 2.0.6.16 download, it appears that you will have to ask Declude directly for this or do the bigger upgrade to 3.x.MattAgid, Corby wrote: Hi Matt, I'm not using any MS gateway on this. The mail comes into Imail/declude and uses Imail as the email server. I opened the message with notepad and didn't locate any misplaced headers. I would like to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on the site. Can you tell me where to find them? I logged in and found the 3.x downloads. Thanks for all of your help. This is sure a head scratcher for me. Cheers From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MattSent: Tuesday, January 24, 2006 4:59 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxCorby,I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken. My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message. That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude. You should at least upgrade to 2.0.6.16 which is available from their site. Upgrading to 3.x would be something that you should plan more carefully though as it is a major change.I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source. If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working.MattAgid, Corby wrote: Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MattSent: Tuesday, January 24, 2006 2:34 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxAndrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.MattAgid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROT
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Corby, I assumed that you weren't using an MS gateway, I was just letting you know that what happened to these headers was going to be different on my system. I have tons of spam on my system generated by this spamware and it's all showing the same behavior so I suspect that there is an issue with what you are receiving as well. It could just be a single CR without an LF which can look normal in a text viewer, but can throw programs like Declude and MS SMTP off. This should explain the initial cause of the issue. The handling of the malformed headers may vary in different versions of Declude. For a 2.0.6.16 download, it appears that you will have to ask Declude directly for this or do the bigger upgrade to 3.x. Matt Agid, Corby wrote: Hi Matt, I'm not using any MS gateway on this. The mail comes into Imail/declude and uses Imail as the email server. I opened the message with notepad and didn't locate any misplaced headers. I would like to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on the site. Can you tell me where to find them? I logged in and found the 3.x downloads. Thanks for all of your help. This is sure a head scratcher for me. Cheers From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, January 24, 2006 4:59 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Corby, I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken. My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message. That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude. You should at least upgrade to 2.0.6.16 which is available from their site. Upgrading to 3.x would be something that you should plan more carefully though as it is a major change. I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source. If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working. Matt Agid, Corby wrote: Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, January 24, 2006 2:34 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Andrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it. Matt Agid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Tuesday, January 24, 2006 1:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Odd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver? -Nick Agid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the mess
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Hi Matt, I'm not using any MS gateway on this. The mail comes into Imail/declude and uses Imail as the email server. I opened the message with notepad and didn't locate any misplaced headers. I would like to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on the site. Can you tell me where to find them? I logged in and found the 3.x downloads. Thanks for all of your help. This is sure a head scratcher for me. Cheers From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 24, 2006 4:59 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Corby,I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken. My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message. That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude. You should at least upgrade to 2.0.6.16 which is available from their site. Upgrading to 3.x would be something that you should plan more carefully though as it is a major change.I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source. If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working.MattAgid, Corby wrote: Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MattSent: Tuesday, January 24, 2006 2:34 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxAndrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.MattAgid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick HayerSent: Tuesday, January 24, 2006 1:46 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxOdd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver?-NickAgid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Corby, I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken. My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message. That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude. You should at least upgrade to 2.0.6.16 which is available from their site. Upgrading to 3.x would be something that you should plan more carefully though as it is a major change. I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source. If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working. Matt Agid, Corby wrote: Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Tuesday, January 24, 2006 2:34 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Andrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it. Matt Agid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Tuesday, January 24, 2006 1:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Odd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver? -Nick Agid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 24, 2006 2:34 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Andrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.MattAgid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick HayerSent: Tuesday, January 24, 2006 1:46 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxOdd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver?-NickAgid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Nick, FYI, by gatewaying through MS SMTP/ORF, that actually normalizes the headers before it gets to Declude and therefor this behavior is not seen. You will however see some of the original headers left in the body on some messages, but not the ones from Declude. Matt Nick Hayer wrote: Agid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I haven't. I'm on 2.16 Other than this particular bugger, it's worked well for me. it is odd to me that a particular email from a particular spammer would not be tagged on a daily basis. Maybe Declude support can offer some insight. Other than debug like I mentioned I have no idea - I'd be ask'n Matt or Andy if it happened to me! -Nick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Tuesday, January 24, 2006 1:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Odd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver? -Nick Agid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84 01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID: 01/23/2006 15:45:52 Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN 01/23/2006 15:45:52 Q6aae0151a967 Last action = ""> Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect 68.41.152.175 port 4251 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Current version does not fix this "folding" problem. Declude is testing a newer version that may fix the problem, but no joy yet. Matt wrote: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 24, 2006 4:34 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Andrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.Matt
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Agid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I haven't. I'm on 2.16 Other than this particular bugger, it's worked well for me. it is odd to me that a particular email from a particular spammer would not be tagged on a daily basis. Maybe Declude support can offer some insight. Other than debug like I mentioned I have no idea - I'd be ask'n Matt or Andy if it happened to me! -Nick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Tuesday, January 24, 2006 1:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Odd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver? -Nick Agid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84 01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID: 01/23/2006 15:45:52 Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN 01/23/2006 15:45:52 Q6aae0151a967 Last action = ""> Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect 68.41.152.175 port 4251 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Mail From: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Rcpt To: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723 01:23 15:45 SMTPD(6aae0151a967) performing antispam checks 01:23 15:45 SMTP-(6aae0151a967) processing C:\IMail\spool\
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Andrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it. Matt Agid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Tuesday, January 24, 2006 1:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox Odd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver? -Nick Agid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84 01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID: 01/23/2006 15:45:52 Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN 01/23/2006 15:45:52 Q6aae0151a967 Last action = ""> Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect 68.41.152.175 port 4251 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:45 SMT
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick HayerSent: Tuesday, January 24, 2006 1:46 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Odd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver?-NickAgid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84 01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID: 01/23/2006 15:45:52 Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN 01/23/2006 15:45:52 Q6aae0151a967 Last action = ""> Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect 68.41.152.175 port 4251 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Mail From: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Rcpt To: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723 01:23 15:45 SMTPD(6aae0151a967) performing antispam checks 01:23 15:45 SMTP-(6aae0151a967) processing C:\IMail\spool\Q6aae0151a967.SMD 01:23 15:45 SMTP-(6aae0151a967) ldeliver mail.agid.com corby-main (1) [EMAIL PROTECTED] 5361 01:23 15:45 SMTP-(6aae015
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Corby, to help you rule out "header corruption" I checked my own logs, and found that I received (and held) three copies of the same spam message today. Inspecting each of those with notepad showed that my X- headers are being added, therefore "header corruption" or "bad folding" shouldn't be the issue. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Agid, CorbySent: Tuesday, January 24, 2006 1:35 PMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Logged spam getting to mailbox Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84 01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID: 01/23/2006 15:45:52 Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN 01/23/2006 15:45:52 Q6aae0151a967 Last action = ""> Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect 68.41.152.175 port 4251 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Mail From: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Rcpt To: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723 01:23 15:45 SMTPD(6aae0151a967) performing antispam checks 01:23 15:45 SMTP-(6aae0151a967) processing C:\IMail\spool\Q6aae0151a967.SMD 01:23 15:45 SMTP-(6aae0151a967) ldeliver mail.agid.com corby-main (1) [EMAIL PROTECTED] 5361 01:23 15:45 SMTP-(6aae0151a967) finished C:\IMail\spool\Q6aae0151a967.SMD status=1 Email Headers: Received: from localhost [68.41.152.175] by mail.agid.com (SMTPD-8.21) id AAAE0130; Mon, 23 Jan 2006 15:45:50 -0800 Date: Mon, 23 Jan 2006 18:45:52 +0100 Return-path: <[EMAIL PROTECTED]> From: "Adler"<[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Viagra Professional as low as $3.84 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_NextPart_000_0003_01C618B6.107D4F00" X-Priority: 3 X-MSMa
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Odd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver? -Nick Agid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84 01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID: 01/23/2006 15:45:52 Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN 01/23/2006 15:45:52 Q6aae0151a967 Last action = ""> Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect 68.41.152.175 port 4251 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Mail From: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Rcpt To: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723 01:23 15:45 SMTPD(6aae0151a967) performing antispam checks 01:23 15:45 SMTP-(6aae0151a967) processing C:\IMail\spool\Q6aae0151a967.SMD 01:23 15:45 SMTP-(6aae0151a967) ldeliver mail.agid.com corby-main (1) [EMAIL PROTECTED] 5361 01:23 15:45 SMTP-(6aae0151a967) finished C:\IMail\spool\Q6aae0151a967.SMD status=1 Email Headers: Received: from localhost [68.41.152.175] by mail.agid.com (SMTPD-8.21) id AAAE0130; Mon, 23 Jan 2006 15:45:50 -0800 Date: Mon, 23 Jan 2006 18:45:52 +0100 Return-path: <[EMAIL PROTECTED]> From: "Adler"<[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Viagra Professional as low as $3.84 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_NextPart_000_0003_01C618B6.107D4F00" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180