RE: [Declude.JunkMail] Negative weight isn't working
Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Where are you getting the MAILFROM address [EMAIL PROTECTED] ? Do you have a header you can post that is addressed to [EMAIL PROTECTED] ? David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 2:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: KETV.com Newsroom [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: [EMAIL PROTECTED] Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES-destination X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E
RE: [Declude.JunkMail] Negative weight isn't working
The actual MAILFROM is: X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] Not From: KETV.com Newsroom [EMAIL PROTECTED] David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 2:44 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: KETV.com Newsroom [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: [EMAIL PROTECTED] Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES-destination X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers
RE: [Declude.JunkMail] Negative weight isn't working
Todd, do this from a command line: C:\Tempnslookup 66.187.204.25 Server: Andrew's.obfuscated.dns.server Address: 192.168.0.1 Name:treets100.ibsys.com Address: 66.187.204.25 C:\Temp That tells me that your REVDNS won't match, because their reverse DNS is *not* the same as the HELO value that you used for your REVDNS test. The same is also true for your use of the MAILFROM, which does not have to match the From: address you see in the header. Look at the X-Declude-Sender: line in the header that has been marked up. The MAILFROM was really [EMAIL PROTECTED]. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:44 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: KETV.com Newsroom [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: [EMAIL PROTECTED] Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES-destination X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54
RE: [Declude.JunkMail] Negative weight isn't working
Oh Geesss (head down, walking towards corner)... Seeing that (now), what's the best practice? MAILFROM [EMAIL PROTECTED] Or MAILFROM @mailer.ibsys.com I would think the more specific, the better. Thanks, David! Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 2:02 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working The actual MAILFROM is: X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] Not From: KETV.com Newsroom [EMAIL PROTECTED] David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 2:44 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: KETV.com Newsroom [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: [EMAIL PROTECTED] Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES-destination X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've
Re: [Declude.JunkMail] Negative weight isn't working
What are you adding to outgoing headers in the config? You won't see the test in the headers unless you add a header that displays all of the tests the message fails. Darin. - Original Message - From: Todd Richards [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, November 09, 2006 2:18 PM Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM 0 ENDSWITH [EMAIL PROTECTED] REVDNS 0 ENDSWITH .asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Thanks Andrew. I'm starting to catch on. The good news is that everyone else thinks I'm a miracle worker because of the drastic decrease in spam. One of these days I'll break down and tell them the truth. So if you all happen to start getting Thank You cards from people you don't know, that's probably why... Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 09, 2006 2:23 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, do this from a command line: C:\Tempnslookup 66.187.204.25 Server: Andrew's.obfuscated.dns.server Address: 192.168.0.1 Name:treets100.ibsys.com Address: 66.187.204.25 C:\Temp That tells me that your REVDNS won't match, because their reverse DNS is *not* the same as the HELO value that you used for your REVDNS test. The same is also true for your use of the MAILFROM, which does not have to match the From: address you see in the header. Look at the X-Declude-Sender: line in the header that has been marked up. The MAILFROM was really [EMAIL PROTECTED]. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:44 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: KETV.com Newsroom [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: [EMAIL PROTECTED] Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. http://www.declude.com/x-note.htm; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES-destination X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an allowlist_med. Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when
RE: [Declude.JunkMail] Negative weight isn't working
No problem, Todd. To answer your question in the other thread, yes, more specific is more better. On the other hand, you also have to look at what you're really trying to counterweight. In this case, you could certainly counterweight both the REVDNS of their mailserver, and the particular MAILFROM email address too, but after visiting the site, I suspect that you really don't care about the MAILFROM. You can use the REVDNS -30 ENDSWITH .ibsys.com Just fine. If you do use a MAILFROM, don't use much weight, because viruses harvest all email addresses from the infectee and report them back to the virus writer or spammer, and that address becomes a spoofed MAILFROM later down the road. Viruses also spoof the HELO, so a: HELO -30 ENDSWITH comcast.com Or REVDNS -30 ENDSWITH .comcast.com Would be a bad thing to put in your counterweight file, because a virus is quite likely to come from a zombie on that network. What I'd suggest you do for ibsys.com is look at your FILTER-SPAM test and see why it gave 15 points to this email. You will likely get better mileage (i.e. spend less of your time on your counterweight file making exceptions for MTAs) by assigning only incremental points to text values in your filter files, don't look for the big win by blocking small text phrases or small bits of text in a URL. To go the extra mile (hey, a driving theme today [pun intended]) why not decide which IP4R tests you trust, and/or which external tests you trust, and cancel the dangerously punitive text files? At the top of your FILTER-SPAM test, you *could* put in: TESTSFAILED END CONTAINS MXRATE-ALLOW And then messages like this sample wouldn't have received any points from the FILTER-SPAM test, you would save CPU time on your server, save your user's time in figuring out that they didn't receive that inbound message, and save your time on finding the false positives and making counterweight entries. The downside of making a cancel line in your filter files is that MXRATE-ALLOW will trigger on, say, a well known ISPs' MTA, and you *want* to do content filtering on, say, scam text that is so common from HotMail, Yahoo!, and various international free webmail providers that you wouldn't otherwise hear about. Most Declude users end up with filter files that are focused on kinds of spam and tweak their cancel lines accordingly. There is a great deal of art to this science. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 12:42 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Thanks Andrew. I'm starting to catch on. The good news is that everyone else thinks I'm a miracle worker because of the drastic decrease in spam. One of these days I'll break down and tell them the truth. So if you all happen to start getting Thank You cards from people you don't know, that's probably why... Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 09, 2006 2:23 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, do this from a command line: C:\Tempnslookup 66.187.204.25 Server: Andrew's.obfuscated.dns.server Address: 192.168.0.1 Name:treets100.ibsys.com Address: 66.187.204.25 C:\Temp That tells me that your REVDNS won't match, because their reverse DNS is *not* the same as the HELO value that you used for your REVDNS test. The same is also true for your use of the MAILFROM, which does not have to match the From: address you see in the header. Look at the X-Declude-Sender: line in the header that has been marked up. The MAILFROM was really [EMAIL PROTECTED]. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:44 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: KETV.com Newsroom [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: [EMAIL PROTECTED] Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: GOOD SENDER X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH
RE: [Declude.JunkMail] Negative weight isn't working
Andrew - I learn a lot from people on this list, and you are no exception. I looked to see why the email failed the FILTER-SPAM test, and it was because of ad.doubleclick.net. I think that is common for some of the more well-known news newsletters that I've seen failing. What I could do is give less points for that particular penalty (it's at 15 now and this newsletter missed passing altogether by just 3 points), and then re-visit some of the others that are coming in. I'm still getting a handful of messages that are making it through, and you'd think they would be obvious. Like you said, it's a sort of science and I, for one, apprecaite the time that goes into making this work. This particular negative-weight test probably has way too high, so I think I will adjust those too. I think as I gain a better understanding of what I'm looing for, and how everything works, I will undoubtedly have to tweak things. Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 09, 2006 3:32 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working No problem, Todd. To answer your question in the other thread, yes, more specific is more better. On the other hand, you also have to look at what you're really trying to counterweight. In this case, you could certainly counterweight both the REVDNS of their mailserver, and the particular MAILFROM email address too, but after visiting the site, I suspect that you really don't care about the MAILFROM. You can use the REVDNS -30 ENDSWITH .ibsys.com Just fine. If you do use a MAILFROM, don't use much weight, because viruses harvest all email addresses from the infectee and report them back to the virus writer or spammer, and that address becomes a spoofed MAILFROM later down the road. Viruses also spoof the HELO, so a: HELO -30 ENDSWITH comcast.com Or REVDNS -30 ENDSWITH .comcast.com Would be a bad thing to put in your counterweight file, because a virus is quite likely to come from a zombie on that network. What I'd suggest you do for ibsys.com is look at your FILTER-SPAM test and see why it gave 15 points to this email. You will likely get better mileage (i.e. spend less of your time on your counterweight file making exceptions for MTAs) by assigning only incremental points to text values in your filter files, don't look for the big win by blocking small text phrases or small bits of text in a URL. To go the extra mile (hey, a driving theme today [pun intended]) why not decide which IP4R tests you trust, and/or which external tests you trust, and cancel the dangerously punitive text files? At the top of your FILTER-SPAM test, you *could* put in: TESTSFAILED END CONTAINS MXRATE-ALLOW And then messages like this sample wouldn't have received any points from the FILTER-SPAM test, you would save CPU time on your server, save your user's time in figuring out that they didn't receive that inbound message, and save your time on finding the false positives and making counterweight entries. The downside of making a cancel line in your filter files is that MXRATE-ALLOW will trigger on, say, a well known ISPs' MTA, and you *want* to do content filtering on, say, scam text that is so common from HotMail, Yahoo!, and various international free webmail providers that you wouldn't otherwise hear about. Most Declude users end up with filter files that are focused on kinds of spam and tweak their cancel lines accordingly. There is a great deal of art to this science. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 12:42 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Thanks Andrew. I'm starting to catch on. The good news is that everyone else thinks I'm a miracle worker because of the drastic decrease in spam. One of these days I'll break down and tell them the truth. So if you all happen to start getting Thank You cards from people you don't know, that's probably why... Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 09, 2006 2:23 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, do this from a command line: C:\Tempnslookup 66.187.204.25 Server: Andrew's.obfuscated.dns.server Address: 192.168.0.1 Name:treets100.ibsys.com Address: 66.187.204.25 C:\Temp That tells me that your REVDNS won't match, because their reverse DNS is *not* the same as the HELO value that you used for your REVDNS test. The same is also true for your use of the MAILFROM, which does not have to match the From: address you see in the header. Look at the X-Declude-Sender: line in the header that has been marked up
