Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message The Space was the issue. Added the "-" and all is well. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:37 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one.The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems.MattFrederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFER
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message He said they are included in the BODY of the email, not the headers. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy SchmidtSent: Wednesday, April 13, 2005 10:02 AMTo: Declude.JunkMail@declude.comSubject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message They are all a problem. They show up in the body of the email after it is forwarded. If I pull the email directly from the server it is fine. Noting shows in the body. If I have that email account setup to forward to another address the email shows with all these lines at the top of the body of the message. The lines represent all my XINHEADER references. - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:02 AM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Any chance of a Double CR in one of your XINHEADER lines? That could cause a mail client to think everything below it is part of the body...perhaps even a blank XINHEADER could cause it... Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:13 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 They are all a problem. They show up in the body of the email after it is forwarded. If I pull the email directly from the server it is fine. Noting shows in the body. If I have that email account setup to forward to another address the email shows with all these lines at the top of the body of the message. The lines represent all my XINHEADER references. - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:02 AM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
Re: [Declude.JunkMail] Something new with v 2.0.6
I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40])by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: [EMAIL PROTECTED]X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301].X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC5E1035404704CAF.SMDX-Note: Total spam weight of this E-mail is 3.X-RBL-Warning: Total weight: 3X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUSX-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1]X-Spam-Time:03:10:29X-Weight: 3X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationFrom: [EMAIL PROTECTED]Date: Wed, 13 Apr 2005 03:10:29 -0400X-RCPT-TO: [EMAIL PROTECTED]Status: UX-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10]X-Spam-Time:03:10:59X-Note: Total spam weight of this E-mail is 10X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10X-Weight: 10X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationDate: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED]Alert: Virus FoundComputer: DNS2Date: 04/13/2005Time: 03:10:54 AMSeverity: CriticalSource: Norton AntiVirus Corporate Edition
Re: [Declude.JunkMail] Something new with v 2.0.6
See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40])by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: [EMAIL PROTECTED]X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301].X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC5E1035404704CAF.SMDX-Note: Total spam weight of this E-mail is 3.X-RBL-Warning: Total weight: 3X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUSX-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1]X-Spam-Time:03:10:29X-Weight: 3X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationFrom: [EMAIL PROTECTED]Date: Wed, 13 Apr 2005 03:10:29 -0400X-RCPT-TO: [EMAIL PROTECTED]Status: UX-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10]X-Spam-Time:03:10:59X-Note: Total spam weight of this E-mail is 10X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10X-Weight: 10X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationDate: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED]Alert: Virus FoundComputer: DNS2Date: 04/13/2005Time: 03:10:54 AMSeverity: CriticalSource: Norton AntiVirus Corporate Edition GLOBAL.CFG Description: Binary data
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere. So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional. Matt Frederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400 Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400 Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400 Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400 SUBJECT: Virus Found Message-Id: [EMAIL PROTECTED] X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20]. X-RBL-Warning: WEIGHT10: Total weight between 10 and 14. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC601002507EA4CF6.SMD X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20]. X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301]. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC5E1035404704CAF.SMD X-Note: Total spam weight of this E-mail is 3. X-RBL-Warning: Total weight: 3 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUS X-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1] X-Spam-Time:03:10:29 X-Weight: 3 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10]) X-Hello: ADS X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination From: [EMAIL PROTECTED] Date: Wed, 13 Apr 2005 03:10:29 -0400 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10] X-Spam-Time:03:10:59 X-Note: Total spam weight of this E-mail is 10 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10 X-Weight: 10 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10]) X-Hello: ADS X-Note
Re: [Declude.JunkMail] Something new with v 2.0.6
This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40])by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: [EMAIL PROTECTED]X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
Re: [Declude.JunkMail] Something new with v 2.0.6
Found the problem. It was this line. #XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% I removed it and problem went away. Any thoughts.
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234]) X-Hello: web51803.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.116.40 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere. So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional. Matt Frederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400 Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400 Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed
Re: [Declude.JunkMail] Something new with v 2.0.6
We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place.I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also.Your config looks just fine, but the path the E-mail is taking looks abnormal to me.MattFrederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I
Re: [Declude.JunkMail] Something new with v 2.0.6
Which line? Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:58 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place.I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also.Your config looks just fine, but the path the E-mail is taking looks abnormal to me.MattFrederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, The line that you commented out looked fine to me, so that is strange. What concerns me is that the message is being processed twice by Declude. I would hate to see this happen with other things as that is a waste of resources. As long as we're still guessing and thinking out loud, maybe 2.0.5 wasn't double-processing the E-mail and now 2.0.6 is, and that might have uncovered a bug with the XINHEADER insertion that may have existed before...or maybe a new %TESTSFAILEDWITHWEIGHTS% bug. I recall in a more recent version of IMail that the behavior in IMail had changed and Scott had to code a fix into Declude so that it wouldn't double process forwarded messages. Maybe that code is broken or lost due to recent tweaking. I would imagine that over the years there were a lot of small things that Scott programmed into the product that resolved quirks with IMail but could be overlooked or lost in recoding for new features and fixes. Another very strange thing is that the following headers I don't believe get added to an E-mail until it lands in an account, but they appeared before the second set of Declude headers in the message: X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 411698213 I can't tell however if IMail inserted them after the first time through or after the second time through. If they were added the first time through that might be odd behavior that Declude wasn't expecting to see...but then again it may be equally plausible that space aliens have hijacked your server and are just having their laughs :) I guess that's it for my speculation. Matt Frederick Samarelli wrote: We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234]) X-Hello: web51803.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.116.40 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed
RE: [Declude.JunkMail] Something new with v 2.0.6
Hi Fred and Matt, The received headers showed that the mail went through the following hosts: ads.tcbinc.net mail.tcbinc.net dns2.tcbinc.net bks.tcbinc.com It seems like two of those hosts were running Imail/declude (or one was a multi-homed machine running Imail/declude that was given the email twice). Fred probably isn't explaining his setup because it works well in all other cases and he doesn't think the configuration is relevant to this problem - but it is confusing for the outsider who is analyzing the problem. It also looks to me like the email routing may be relevant to the problem. If the problem is reproducible in an environment without the extra routing, then it should be investigated and fixed. I'm not able to test this at the moment however. Even if it occurs only in a set up with the extra routing it should still be investigated to determine if it is a bug in declude or in something else - but only those with multiple decludes would be able to test that. Sorry I can't help more. Best Regards Mike Higgins HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x14 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, April 13, 2005 2:32 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The line that you commented out looked fine to me, so that is strange. What concerns me is that the message is being processed twice by Declude. I would hate to see this happen with other things as that is a waste of resources. As long as we're still guessing and thinking out loud, maybe 2.0.5 wasn't double-processing the E-mail and now 2.0.6 is, and that might have uncovered a bug with the XINHEADER insertion that may have existed before...or maybe a new %TESTSFAILEDWITHWEIGHTS% bug. I recall in a more recent version of IMail that the behavior in IMail had changed and Scott had to code a fix into Declude so that it wouldn't double process forwarded messages. Maybe that code is broken or lost due to recent tweaking. I would imagine that over the years there were a lot of small things that Scott programmed into the product that resolved quirks with IMail but could be overlooked or lost in recoding for new features and fixes. Another very strange thing is that the following headers I don't believe get added to an E-mail until it lands in an account, but they appeared before the second set of Declude headers in the message: X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 411698213 I can't tell however if IMail inserted them after the first time through or after the second time through. If they were added the first time through that might be odd behavior that Declude wasn't expecting to see...but then again it may be equally plausible that space aliens have hijacked your server and are just having their laughs :) I guess that's it for my speculation. Matt Frederick Samarelli wrote: We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL
Re: [Declude.JunkMail] Something new with v 2.0.6
Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Based on this I would agree then that the %TESTSFAILEDWITHWEIGHTS% variable is inserting a double CRLF instead of a single one, and this would seem to explain everything else that I was commenting on as it would seem to follow that the other things were merely effects of this, and complicated/obfuscated by the double-processing that isn't present in this example. Maybe you could try one thing; retype that line from scratch after deleting it just to make sure there are not garbage non-printing characters showing up at the end of the line. Beyond that, I would imagine that someone at Declude has been listening and will shortly confirm the issue, or maybe someone else that has already installed 2.0.6 could set up an account to forward using this header variable in their config and check to see if the same behavior repeats itself on other systems. Matt Frederick Samarelli wrote: Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED] Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: [EMAIL PROTECTED] Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli [EMAIL PROTECTED] Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:15:33:42 X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237]) X-Hello: web51806.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.117.196 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Well - NONE of those have an embedded space in the Header name!? X-Note: X-RBL-Warning: vs. X-Spam-Tests-Failed Weight: Have you TRIED what I suggested? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 04:28 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message It may be an issue with having a space before the first colon. I seem to remember something like that in the past. Worth a try anyway... Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:27 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Fredrick, But with these there are no spaces in the x line: but with this one X-Spam-Tests-Failed-Weight: there is a space. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 4:28 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%__ NOD32 1.1059 (20050412) Information __This message was checked by NOD32 antivirus system.http:/
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Fred, Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one. The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems. Matt Frederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADERX-RBL-Warning: Total weight: %WEIGHT% XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus. XINHEADERX-Note: Sent from: %MAILFROM% XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%]) XINHEADERX-Note: Recipient(s): %REALRECIPS% - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED] Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: [EMAIL PROTECTED] Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli [EMAIL PROTECTED] Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:15:33:42 X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237]) X-Hello: web51806.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.117.196 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% -- = MailPure custom filters for Declude JunkMail
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Okay, let me try it this way... RFC 822 states: 3.1.2. STRUCTURE OF HEADER FIELDS Once a field has been unfolded, it may be viewed as being com- posed of a field-name followed by a colon (":"), followed by a field-body, and terminated by a carriage-return/line-feed. The field-name must be composed of printable ASCII characters (i.e., characters that have values between 33. and 126., decimal, except colon). The field-body may be composed of any ASCII characters, except CR or LF. (While CR and/or LF may be present in the actual text, they are removed by the action of unfolding the field.) My reading of the RFC is, that 0x20 (32) is NOT permitted as a header field name! Thus: X-Spam-Tests-Failed Weight: is NOT to be interpreted as a valid header! Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 04:28 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.
RE: [Declude.JunkMail] Something new with v 2.0.6
On 13 Apr 2005 at 16:44, Andy Schmidt wrote: Very well done Andy.. -Nick Okay, let me try it this way... RFC 822 states: 3.1.2. STRUCTURE OF HEADER FIELDS Once a field has been unfolded, it may be viewed as being com- posed of a field-name followed by a colon (:), followed by a field-body, and terminated by a carriage-return/line-feed. The field-name must be composed of printable ASCII characters (i.e., characters that have values between 33. and 126., decimal, except colon). The field-body may be composed of any ASCII characters, except CR or LF. (While CR and/or LF may be present in the actual text, they are removed by the action of unfolding the field.) My reading of the RFC is, that 0x20 (32) is NOT permitted as a header field name! Thus: X-Spam-Tests-Failed Weight: is NOT to be interpreted as a valid header! Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 04:28 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADERX-RBL-Warning: Total weight: %WEIGHT% XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus. XINHEADERX-Note: Sent from: %MAILFROM% XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%]) XINHEADERX-Note: Recipient(s): %REALRECIPS% - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as start of message body by some entities? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED] Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42- 606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuK oj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8 HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: [EMAIL PROTECTED] Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli [EMAIL PROTECTED] Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Andy, Knowing Scott, I could see him adding a double line break when the header name was invalid so as to not write an invalid header. I suppose that could be seen as a form of error handling, though it's not the way that I would tend to approach the same issue if in fact the case. I also suppose that it is possible that his E-mail client is adding the double line breaks to the interpreted output that he is viewing and it might in fact all appear without line breaks in the uninterpreted source. Either way, I'm sure that this fixed the issue. Matt Andy Schmidt wrote: Dear Matt: it would be a bug in Declude to behave in this way You may be right - but I'm not that certain about that being a bug (unless you expect Declude to perform a "syntax check" ofthese user headers). RFC822 states: 3.1.1. LONG HEADER FIELDS Each header field can be viewed as a single, logical line of ASCII characters, comprising a field-name and a field-body. For convenience, the field-body portion of this conceptual entity can be split into a multiple-line representation; this is called "folding". The general rule is that wherever there may be linear-white-space (NOT simply LWSP-chars), a CRLF immediately followed by AT LEAST one LWSP-char may instead be inserted. In other words, as long as CRLF is followed by a SPACE in the new line, the line X-Spam-Tests-Failed Weight would have to be treated as a conintuation of the PRIORheader field. However, in the absence of: a) a leading space, b) a valid header field name it might actually be PROPER to err on the side of safety and consider this the "end" of the headers. After all, we don't want to create a vulnerability where someone could insert "data"into the header that Outlook might skip... Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Wednesday, April 13, 2005 04:37 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one. The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems. Matt Frederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADERX-RBL-Warning: Total weight: %WEIGHT% XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus. XINHEADERX-Note: Sent from: %MAILFROM% XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%]) XINHEADERX-Note: Recipient(s): %REALRECIPS% - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED]