Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Corby,
Because of MS SMTP handling the E-mail before it reaches my
IMail/Declude system, Declude always inserts it's headers in the proper
block, however MS SMTP can cause some of the pre-Declude headers
(original) to appear in either the top of the body or the bottom of the
body.
Matt
Agid, Corby wrote:
Ok, thanks very much. I'll see
if they'll get me the latest 2.x version to see if that works. Can
you clarify somethingare you saying that you're receiving mail from
the same spammer that's causing my problem, but your system is handling
it correctly?
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 5:37 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Corby,
I assumed that you weren't using an MS gateway, I was just letting you
know that what happened to these headers was going to be different on
my system.
I have tons of spam on my system generated by this spamware and it's
all showing the same behavior so I suspect that there is an issue with
what you are receiving as well. It could just be a single CR without
an LF which can look normal in a text viewer, but can throw programs
like Declude and MS SMTP off. This should explain the initial cause of
the issue. The handling of the malformed headers may vary in different
versions of Declude.
For a 2.0.6.16 download, it appears that you will have to ask Declude
directly for this or do the bigger upgrade to 3.x.
Matt
Agid, Corby wrote:
Hi
Matt,
I'm not using any MS
gateway on this. The mail comes into Imail/declude and uses Imail as
the email server. I opened the message with notepad and didn't locate
any misplaced headers. I would like
to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x
downloads on the site. Can you tell me where to
find them? I logged in and found the 3.x downloads.
Thanks for all of your help. This is sure
a head scratcher for me.
Cheers
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Tuesday, January 24, 2006 4:59 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Corby,
I also received a bunch of these, and one copy that I came up with in a
hold box showed that the headers were in fact broken. My MS SMTP
gateway shows the From, Bcc, and locally inserted MS SMTP headers at
the very bottom of this message. That's how MS SMTP deals with it, but
Declude might deal with it differently, or it might even have broken
your older version of Declude. You should at least upgrade to 2.0.6.16
which is available from their site. Upgrading to 3.x would be
something that you should plan more carefully though as it is a major
change.
I suspect that you are looking at the rendered view of the E-mail, and
since this is a multipart message with both text and HTML segments, it
is not rendering the broken headers in the normal view, but they might
be there if you were to look at the original text source. If the
headers are in the body and your rule in your client is looking for
headers where they belong, that would explain why your filter isn't
working.
Matt
Agid, Corby wrote:
Well I'm somewhat more
confused as I don't really know what "bad folding" means. However, I
don't see any of the X-headers in the message body.
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Tuesday, January 24, 2006 2:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting
to mailbox
Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.
Matt
Agid, Corby wrote:
Actually,
I'm still running 2.0.5. I suppose that I should probably upgrade,
eh?
I
don't actually dele
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Ok, thanks very much. I'll see if they'll get me the latest 2.x version to see if that works. Can you clarify somethingare you saying that you're receiving mail from the same spammer that's causing my problem, but your system is handling it correctly? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 24, 2006 5:37 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Corby,I assumed that you weren't using an MS gateway, I was just letting you know that what happened to these headers was going to be different on my system.I have tons of spam on my system generated by this spamware and it's all showing the same behavior so I suspect that there is an issue with what you are receiving as well. It could just be a single CR without an LF which can look normal in a text viewer, but can throw programs like Declude and MS SMTP off. This should explain the initial cause of the issue. The handling of the malformed headers may vary in different versions of Declude.For a 2.0.6.16 download, it appears that you will have to ask Declude directly for this or do the bigger upgrade to 3.x.MattAgid, Corby wrote: Hi Matt, I'm not using any MS gateway on this. The mail comes into Imail/declude and uses Imail as the email server. I opened the message with notepad and didn't locate any misplaced headers. I would like to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on the site. Can you tell me where to find them? I logged in and found the 3.x downloads. Thanks for all of your help. This is sure a head scratcher for me. Cheers From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MattSent: Tuesday, January 24, 2006 4:59 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxCorby,I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken. My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message. That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude. You should at least upgrade to 2.0.6.16 which is available from their site. Upgrading to 3.x would be something that you should plan more carefully though as it is a major change.I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source. If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working.MattAgid, Corby wrote: Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MattSent: Tuesday, January 24, 2006 2:34 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxAndrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.MattAgid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROT
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Corby,
I assumed that you weren't using an MS gateway, I was just letting you
know that what happened to these headers was going to be different on
my system.
I have tons of spam on my system generated by this spamware and it's
all showing the same behavior so I suspect that there is an issue with
what you are receiving as well. It could just be a single CR without
an LF which can look normal in a text viewer, but can throw programs
like Declude and MS SMTP off. This should explain the initial cause of
the issue. The handling of the malformed headers may vary in different
versions of Declude.
For a 2.0.6.16 download, it appears that you will have to ask Declude
directly for this or do the bigger upgrade to 3.x.
Matt
Agid, Corby wrote:
Hi
Matt,
I'm not using any MS
gateway on this. The mail comes into Imail/declude and uses Imail as
the email server. I opened the message with notepad and didn't locate
any misplaced headers. I would like
to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x
downloads on the site. Can you tell me where to
find them? I logged in and found the 3.x downloads.
Thanks for all of your help. This is sure
a head scratcher for me.
Cheers
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 4:59 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Corby,
I also received a bunch of these, and one copy that I came up with in a
hold box showed that the headers were in fact broken. My MS SMTP
gateway shows the From, Bcc, and locally inserted MS SMTP headers at
the very bottom of this message. That's how MS SMTP deals with it, but
Declude might deal with it differently, or it might even have broken
your older version of Declude. You should at least upgrade to 2.0.6.16
which is available from their site. Upgrading to 3.x would be
something that you should plan more carefully though as it is a major
change.
I suspect that you are looking at the rendered view of the E-mail, and
since this is a multipart message with both text and HTML segments, it
is not rendering the broken headers in the normal view, but they might
be there if you were to look at the original text source. If the
headers are in the body and your rule in your client is looking for
headers where they belong, that would explain why your filter isn't
working.
Matt
Agid, Corby wrote:
Well I'm somewhat more
confused as I don't really know what "bad folding" means. However, I
don't see any of the X-headers in the message body.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Tuesday, January 24, 2006 2:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.
Matt
Agid, Corby wrote:
Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
I don't actually delete mail at
any score. I use the header information in my email client to sort the
incoming messages. Other than this particular bugger, it's worked
well for me.
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Nick Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting
to mailbox
Odd - just because its always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?
-Nick
Agid, Corby wrote:
Hello,
I'm having trouble with a
particular spam message getting to my mailbox each day. The declude
log file shows the scanning and scoring. However, the message that
lands in the mailbox shows no sign of being scanned….ie there are no
X-RBL headers in the mess
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Hi Matt, I'm not using any MS gateway on this. The mail comes into Imail/declude and uses Imail as the email server. I opened the message with notepad and didn't locate any misplaced headers. I would like to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on the site. Can you tell me where to find them? I logged in and found the 3.x downloads. Thanks for all of your help. This is sure a head scratcher for me. Cheers From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 24, 2006 4:59 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Corby,I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken. My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message. That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude. You should at least upgrade to 2.0.6.16 which is available from their site. Upgrading to 3.x would be something that you should plan more carefully though as it is a major change.I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source. If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working.MattAgid, Corby wrote: Well I'm somewhat more confused as I don't really know what "bad folding" means. However, I don't see any of the X-headers in the message body. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MattSent: Tuesday, January 24, 2006 2:34 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxAndrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.MattAgid, Corby wrote: Actually, I'm still running 2.0.5. I suppose that I should probably upgrade, eh? I don't actually delete mail at any score. I use the header information in my email client to sort the incoming messages. Other than this particular bugger, it's worked well for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick HayerSent: Tuesday, January 24, 2006 1:46 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailboxOdd - just because its always the same email. What number do you delete on? Although the logs will balloon in size running the Declude in DEBUG may shed some light. I presume this is Declude 3x ver?-NickAgid, Corby wrote: Hello, I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned….ie there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned. Can you help me understand why the final message doesn’t' show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different. Below are the log snips and message headers. === Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44. 01/23/2006 15:45:52 Q6aae0151a967
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Corby,
I also received a bunch of these, and one copy that I came up with in a
hold box showed that the headers were in fact broken. My MS SMTP
gateway shows the From, Bcc, and locally inserted MS SMTP headers at
the very bottom
of this message. That's how MS SMTP deals with it, but Declude might
deal with it differently, or it might even have broken your older
version of Declude. You should at least upgrade to 2.0.6.16 which is
available from their site. Upgrading to 3.x would be something that
you should plan more carefully though as it is a major change.
I suspect that you are looking at the rendered view of the E-mail, and
since this is a multipart message with both text and HTML segments, it
is not rendering the broken headers in the normal view, but they might
be there if you were to look at the original text source. If the
headers are in the body and your rule in your client is looking for
headers where they belong, that would explain why your filter isn't
working.
Matt
Agid, Corby wrote:
Well I'm somewhat more
confused as I don't really know what "bad folding" means. However, I
don't see any of the X-headers in the message body.
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 2:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.
Matt
Agid, Corby wrote:
Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
I don't actually delete mail at
any score. I use the header information in my email client to sort the
incoming messages. Other than this particular bugger, it's worked
well for me.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Nick Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Odd - just because its always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?
-Nick
Agid, Corby wrote:
Hello,
I'm having trouble with a
particular spam message getting to my mailbox each day. The declude
log file shows the scanning and scoring. However, the message that
lands in the mailbox shows no sign of being scanned….ie there are no
X-RBL headers in the message that gets to the mailbox. All of my
other mail, whether spam or not spam, still shows X-rbl headers to
verify they were scanned.
Can you help me understand why
the final message doesn’t' show the X-RBL headers? I get about three
of these per day, each has the same style, but the IP and From
addresses are different.
Below are the log snips and
message headers.
===
Dec0123.log
01/23/2006 15:45:52
Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2
SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44.
01/23/2006 15:45:52
Q6aae0151a967 Using [incoming] CFG file
C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52
Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed FIVETEN-SRC
(175.152.41.68.blackholes.five-ten-sg.com.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMBAG
(175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers
consistent with spam [4000100e].). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL:
52.). Action="">
01/23/2006 15:45:52
Q6aae0151
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Well I'm somewhat more confused as I don't really know
what "bad folding" means. However, I don't see any of the X-headers in the
message body.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
MattSent: Tuesday, January 24, 2006 2:34 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged
spam getting to mailbox
Andrew probably nailed this. In at least some versions of
Declude, the headers that it inserts could land in the body of the message due
to bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably searching
for headers and doesn't recognize the header that was inserted into what
became the body due to bad folding. An upgrade may or may not fix the
issue, though there was talk about this issue several months ago in relation
to 3.x and I believe some work was done to take care of some of
it.MattAgid, Corby wrote:
Actually, I'm still running 2.0.5. I
suppose that I should probably upgrade, eh?
I don't actually delete mail at any score.
I use the header information in my email client to sort the incoming
messages. Other than this particular bugger, it's worked
well for me.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Nick HayerSent: Tuesday, January 24, 2006
1:46 PMTo: Declude.JunkMail@declude.comSubject:
Re: [Declude.JunkMail] Logged spam getting to
mailboxOdd - just because its always the same email.
What number do you delete on? Although the logs will balloon in size
running the Declude in DEBUG may shed some light. I presume this is
Declude 3x ver?-NickAgid, Corby wrote:
Hello,
I'm having trouble with a particular spam
message getting to my mailbox each day. The declude log file
shows the scanning and scoring. However, the message that lands in
the mailbox shows no sign of being scanned….ie there are no X-RBL
headers in the message that gets to the mailbox. All of my
other mail, whether spam or not spam, still shows X-rbl headers to
verify they were scanned.
Can you help me understand why the final
message doesn’t' show the X-RBL headers? I get about three of
these per day, each has the same style, but the IP and From addresses
are different.
Below are the log snips and message
headers.
=== Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4
SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight
= 44.
01/23/2006 15:45:52 Q6aae0151a967 Using
[incoming] CFG file
C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL
("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed SPAMBAG (175.152.41.68.blacklist.spambag.org.).
Action=""> 01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers
consistent with spam [4000100e].). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.).
Action=""> 01/23/2006 15:45:52
Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or
exceeds the limit of 10.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed CATCHALLMAILS (). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Nick, FYI, by gatewaying through MS SMTP/ORF, that actually normalizes
the headers before it gets to Declude and therefor this behavior is not
seen. You will however see some of the original headers left in the
body on some messages, but not the ones from Declude.
Matt
Nick Hayer wrote:
Agid, Corby wrote:
Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
I haven't. I'm on 2.16
Other than this particular
bugger, it's worked well for me.
it is odd to me that a particular email from a particular spammer would
not be tagged on a daily basis. Maybe Declude support can offer some
insight. Other than debug like I mentioned I have no idea - I'd be
ask'n Matt or Andy if it happened to me!
-Nick
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Nick
Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Odd - just because its always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?
-Nick
Agid, Corby wrote:
Hello,
I'm having trouble with a
particular spam message getting to my mailbox each day. The declude
log file shows the scanning and scoring. However, the message that
lands in the mailbox shows no sign of being scanned….ie there are no
X-RBL headers in the message that gets to the mailbox. All of my
other mail, whether spam or not spam, still shows X-rbl headers to
verify they were scanned.
Can you help me understand why
the
final message doesn’t' show the X-RBL headers? I get about three of
these per day, each has the same style, but the IP and From addresses
are different.
Below are the log snips and
message headers.
===
Dec0123.log
01/23/2006 15:45:52
Q6aae0151a967
CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25
. Total weight = 44.
01/23/2006 15:45:52
Q6aae0151a967 Using [incoming] CFG file
C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52
Q6aae0151a967
Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed FIVETEN-SRC
(175.152.41.68.blackholes.five-ten-sg.com.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMBAG
(175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52
Q6aae0151a967
Msg failed SPAMHEADERS (This E-mail has headers consistent with spam
[4000100e].). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL:
52.). Action="">
01/23/2006 15:45:52
Q6aae0151a967
Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of
10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or
exceeds the limit of 10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds
the limit of 30.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or
exceeds the limit of 10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds
the limit of 30.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed CATCHALLMAILS (). Action="">
01/23/2006 15:45:52
Q6aae0151a967
L1 Message OK
01/23/2006 15:45:52
Q6aae0151a967
Subject: Viagra Professional as low as $3.84
01/23/2006 15:45:52
Q6aae0151a967
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
IP: 68.41.152.175 ID:
01/23/2006 15:45:52
Q6aae0151a967
Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC=""
SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE
WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE
SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN
01/23/2006 15:45:52
Q6aae0151a967 Last action = "">
Sys0123.log
01:23 15:45 SMTPD(6aae0151a967)
[216.101.5.133] connect 68.41.152.175 port 4251
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] HELO localhost
01:23 15:
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox Current version does not fix this "folding" problem. Declude is testing a newer version that may fix the problem, but no joy yet. Matt wrote: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MattSent: Tuesday, January 24, 2006 4:34 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged spam getting to mailbox Andrew probably nailed this. In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw). Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding. An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.Matt
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Agid, Corby wrote:
Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
I haven't. I'm on 2.16
Other than this particular
bugger, it's worked well for me.
it is odd to me that a particular email from a particular spammer would
not be tagged on a daily basis. Maybe Declude support can offer some
insight. Other than debug like I mentioned I have no idea - I'd be
ask'n Matt or Andy if it happened to me!
-Nick
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Odd - just because its always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?
-Nick
Agid, Corby wrote:
Hello,
I'm having trouble with a
particular spam message getting to my mailbox each day. The declude
log file shows the scanning and scoring. However, the message that
lands in the mailbox shows no sign of being scanned….ie there are no
X-RBL headers in the message that gets to the mailbox. All of my
other mail, whether spam or not spam, still shows X-rbl headers to
verify they were scanned.
Can you help me understand why the
final message doesn’t' show the X-RBL headers? I get about three of
these per day, each has the same style, but the IP and From addresses
are different.
Below are the log snips and
message headers.
===
Dec0123.log
01/23/2006 15:45:52 Q6aae0151a967
CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25
. Total weight = 44.
01/23/2006 15:45:52
Q6aae0151a967 Using [incoming] CFG file
C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52 Q6aae0151a967
Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed FIVETEN-SRC
(175.152.41.68.blackholes.five-ten-sg.com.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMBAG
(175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed SPAMHEADERS (This E-mail has headers consistent with spam
[4000100e].). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL:
52.). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of
10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or
exceeds the limit of 10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds
the limit of 30.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or
exceeds the limit of 10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds
the limit of 30.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed CATCHALLMAILS (). Action="">
01/23/2006 15:45:52 Q6aae0151a967
L1 Message OK
01/23/2006 15:45:52 Q6aae0151a967
Subject: Viagra Professional as low as $3.84
01/23/2006 15:45:52 Q6aae0151a967
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
IP: 68.41.152.175 ID:
01/23/2006 15:45:52 Q6aae0151a967
Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC=""
SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE
WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE
SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN
01/23/2006 15:45:52
Q6aae0151a967 Last action = "">
Sys0123.log
01:23 15:45 SMTPD(6aae0151a967)
[216.101.5.133] connect 68.41.152.175 port 4251
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] HELO localhost
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] Mail From: <[EMAIL PROTECTED]>
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] Rcpt To: <[EMAIL PROTECTED]>
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723
01:23 15:45 SMTPD(6aae0151a967)
performing antispam checks
01:23 15:45 SMTP-(6aae0151a967)
processing C:\IMail\spool\
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.
Matt
Agid, Corby wrote:
Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
I don't actually delete mail at
any score. I use the header information in my email client to sort the
incoming messages. Other than this particular bugger, it's worked
well for me.
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nick
Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox
Odd - just because its always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?
-Nick
Agid, Corby wrote:
Hello,
I'm having trouble with a
particular spam message getting to my mailbox each day. The declude
log file shows the scanning and scoring. However, the message that
lands in the mailbox shows no sign of being scanned….ie there are no
X-RBL headers in the message that gets to the mailbox. All of my
other mail, whether spam or not spam, still shows X-rbl headers to
verify they were scanned.
Can you help me understand why the
final message doesn’t' show the X-RBL headers? I get about three of
these per day, each has the same style, but the IP and From addresses
are different.
Below are the log snips and
message headers.
===
Dec0123.log
01/23/2006 15:45:52 Q6aae0151a967
CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25
. Total weight = 44.
01/23/2006 15:45:52
Q6aae0151a967 Using [incoming] CFG file
C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52 Q6aae0151a967
Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed FIVETEN-SRC
(175.152.41.68.blackholes.five-ten-sg.com.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMBAG
(175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed SPAMHEADERS (This E-mail has headers consistent with spam
[4000100e].). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL:
52.). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of
10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or
exceeds the limit of 10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds
the limit of 30.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or
exceeds the limit of 10.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds
the limit of 30.). Action="">
01/23/2006 15:45:52
Q6aae0151a967 Msg failed CATCHALLMAILS (). Action="">
01/23/2006 15:45:52 Q6aae0151a967
L1 Message OK
01/23/2006 15:45:52 Q6aae0151a967
Subject: Viagra Professional as low as $3.84
01/23/2006 15:45:52 Q6aae0151a967
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
IP: 68.41.152.175 ID:
01/23/2006 15:45:52 Q6aae0151a967
Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC=""
SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE
WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE
SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN
01/23/2006 15:45:52
Q6aae0151a967 Last action = "">
Sys0123.log
01:23 15:45 SMTPD(6aae0151a967)
[216.101.5.133] connect 68.41.152.175 port 4251
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] HELO localhost
01:23 15:45 SMT
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Actually, I'm still running 2.0.5. I suppose
that I should probably upgrade, eh?
I don't actually delete mail at any score. I
use the header information in my email client to sort the incoming
messages. Other than this particular bugger, it's worked well
for me.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
HayerSent: Tuesday, January 24, 2006 1:46 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Logged
spam getting to mailbox
Odd - just because its always the same email. What number do you
delete on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x
ver?-NickAgid, Corby wrote:
Hello,
I'm having trouble with a particular spam message
getting to my mailbox each day. The declude log file shows the
scanning and scoring. However, the message that lands in the mailbox
shows no sign of being scanned….ie there are no X-RBL headers in the message
that gets to the mailbox. All of my other mail, whether spam or
not spam, still shows X-rbl headers to verify they were scanned.
Can you help me understand why the final message
doesn’t' show the X-RBL headers? I get about three of these per day,
each has the same style, but the IP and From addresses are
different.
Below are the log snips and message
headers.
===
Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4
SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight =
44.
01/23/2006 15:45:52 Q6aae0151a967 Using
[incoming] CFG file
C:\IMail\Declude\mail.agid.com\$default$.junkmail. 01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL
("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMRED (Weight of 44 reaches or exceeds the limit of 30.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
CATCHALLMAILS (). Action=""> 01/23/2006
15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as
low as $3.84 01/23/2006 15:45:52
Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP:
68.41.152.175 ID: 01/23/2006 15:45:52
Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC=""
SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE
WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN
SPAMRED=WARN CATCHALLMAILS=WARN
01/23/2006 15:45:52 Q6aae0151a967 Last action
= "">
Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect
68.41.152.175 port 4251 01:23 15:45
SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Mail
From: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Rcpt
To: <[EMAIL PROTECTED]> 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175]
C:\IMail\spool\D6aae0151a967.SMD 4723 01:23 15:45 SMTPD(6aae0151a967) performing antispam checks
01:23 15:45 SMTP-(6aae0151a967) processing
C:\IMail\spool\Q6aae0151a967.SMD 01:23 15:45 SMTP-(6aae0151a967) ldeliver mail.agid.com corby-main
(1) [EMAIL PROTECTED] 5361 01:23 15:45 SMTP-(6aae015
RE: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Corby, to help you rule out "header corruption" I checked
my own logs, and found that I received (and held) three copies of the same spam
message today.
Inspecting each of those with notepad showed that my X-
headers are being added, therefore "header corruption" or "bad folding"
shouldn't be the issue.
Andrew 8)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Agid,
CorbySent: Tuesday, January 24, 2006 1:35 PMTo:
Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Logged spam
getting to mailbox
Hello,
I'm having trouble with a particular spam message
getting to my mailbox each day. The declude log file shows the
scanning and scoring. However, the message that lands in the mailbox
shows no sign of being scanned….ie there are no X-RBL headers in the message
that gets to the mailbox. All of my other mail, whether spam or
not spam, still shows X-rbl headers to verify they were scanned.
Can you help me understand why the final message
doesn’t' show the X-RBL headers? I get about three of these per day,
each has the same style, but the IP and From addresses are
different.
Below are the log snips and message headers.
===
Dec0123.log 01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4
SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44.
01/23/2006 15:45:52 Q6aae0151a967 Using
[incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action=""> 01/23/2006 15:45:52 Q6aae0151a967 Msg failed
WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
SPAMRED (Weight of 44 reaches or exceeds the limit of 30.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed
CATCHALLMAILS (). Action=""> 01/23/2006
15:45:52 Q6aae0151a967 L1 Message OK 01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as
low as $3.84 01/23/2006 15:45:52
Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP:
68.41.152.175 ID: 01/23/2006 15:45:52
Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC=""
SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE
WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN
SPAMRED=WARN CATCHALLMAILS=WARN
01/23/2006 15:45:52 Q6aae0151a967 Last action =
"">
Sys0123.log 01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect
68.41.152.175 port 4251 01:23 15:45
SMTPD(6aae0151a967) [68.41.152.175] HELO localhost 01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Mail
From: <[EMAIL PROTECTED]> 01:23 15:45
SMTPD(6aae0151a967) [68.41.152.175] Rcpt To: <[EMAIL PROTECTED]>
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723 01:23 15:45 SMTPD(6aae0151a967) performing antispam
checks 01:23 15:45 SMTP-(6aae0151a967)
processing C:\IMail\spool\Q6aae0151a967.SMD 01:23 15:45 SMTP-(6aae0151a967) ldeliver mail.agid.com corby-main
(1) [EMAIL PROTECTED] 5361 01:23 15:45
SMTP-(6aae0151a967) finished C:\IMail\spool\Q6aae0151a967.SMD
status=1
Email Headers: Received: from localhost [68.41.152.175] by mail.agid.com
(SMTPD-8.21) id AAAE0130; Mon, 23
Jan 2006 15:45:50 -0800 Date: Mon, 23 Jan
2006 18:45:52 +0100 Return-path:
<[EMAIL PROTECTED]> From:
"Adler"<[EMAIL PROTECTED]> To:
<[EMAIL PROTECTED]> Subject: Viagra
Professional as low as $3.84 Message-ID:
<[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type:
multipart/alternative;
boundary="=_NextPart_000_0003_01C618B6.107D4F00" X-Priority: 3 X-MSMa
Re: [Declude.JunkMail] Logged spam getting to mailbox
Title: Logged spam getting to mailbox
Odd - just because its always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?
-Nick
Agid, Corby wrote:
Hello,
I'm having trouble with a particular
spam message getting to my mailbox each day. The declude log file
shows the scanning and scoring. However, the message that lands in the
mailbox shows no sign of being scanned….ie there are no X-RBL headers
in the message that gets to the mailbox. All of my other mail,
whether spam or not spam, still shows X-rbl headers to verify they were
scanned.
Can you help me understand why the
final message doesn’t' show the X-RBL headers? I get about three of
these per day, each has the same style, but the IP and From addresses
are different.
Below are the log snips and message
headers.
===
Dec0123.log
01/23/2006 15:45:52 Q6aae0151a967
CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25
. Total weight = 44.
01/23/2006 15:45:52 Q6aae0151a967
Using [incoming] CFG file
C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed SPAMHEADERS (This E-mail has headers consistent with spam
[4000100e].). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg
failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of
10.). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of
30.). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of
10.). Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.).
Action="">
01/23/2006 15:45:52 Q6aae0151a967
Msg failed CATCHALLMAILS (). Action="">
01/23/2006 15:45:52 Q6aae0151a967 L1
Message OK
01/23/2006 15:45:52 Q6aae0151a967
Subject: Viagra Professional as low as $3.84
01/23/2006 15:45:52 Q6aae0151a967
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID:
01/23/2006 15:45:52 Q6aae0151a967
Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC=""
SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE
WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE
SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN
01/23/2006 15:45:52 Q6aae0151a967
Last action = "">
Sys0123.log
01:23 15:45 SMTPD(6aae0151a967)
[216.101.5.133] connect 68.41.152.175 port 4251
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] HELO localhost
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] Mail From: <[EMAIL PROTECTED]>
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] Rcpt To: <[EMAIL PROTECTED]>
01:23 15:45 SMTPD(6aae0151a967)
[68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723
01:23 15:45 SMTPD(6aae0151a967)
performing antispam checks
01:23 15:45 SMTP-(6aae0151a967)
processing C:\IMail\spool\Q6aae0151a967.SMD
01:23 15:45 SMTP-(6aae0151a967)
ldeliver mail.agid.com corby-main (1) [EMAIL PROTECTED] 5361
01:23 15:45 SMTP-(6aae0151a967)
finished C:\IMail\spool\Q6aae0151a967.SMD status=1
Email Headers:
Received: from localhost [68.41.152.175]
by mail.agid.com
(SMTPD-8.21) id AAAE0130; Mon, 23 Jan
2006 15:45:50 -0800
Date: Mon, 23 Jan 2006 18:45:52 +0100
Return-path: <[EMAIL PROTECTED]>
From: "Adler"<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Viagra Professional as low as
$3.84
Message-ID:
<[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0003_01C618B6.107D4F00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express
6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE
V6.00.2900.2180
