Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message The Space was the issue. Added the "-" and all is well. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:37 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one.The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems.MattFrederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%- Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFER
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message He said they are included in the BODY of the email, not the headers. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy SchmidtSent: Wednesday, April 13, 2005 10:02 AMTo: Declude.JunkMail@declude.comSubject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message They are all a problem. They show up in the body of the email after it is forwarded. If I pull the email directly from the server it is fine. Noting shows in the body. If I have that email account setup to forward to another address the email shows with all these lines at the top of the body of the message. The lines represent all my XINHEADER references. - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:02 AM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Any chance of a Double CR in one of your XINHEADER lines? That could cause a mail client to think everything below it is part of the body...perhaps even a blank XINHEADER could cause it... Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:13 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 They are all a problem. They show up in the body of the email after it is forwarded. If I pull the email directly from the server it is fine. Noting shows in the body. If I have that email account setup to forward to another address the email shows with all these lines at the top of the body of the message. The lines represent all my XINHEADER references. - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:02 AM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: May be you should also post the relevant lines from the Globa.cfg so that one can see what lines you requested to be inserted. Also, which of these lines specifically are incorrect? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 01:08 AMTo: Declude.JunkMail@declude.comSubject: [Declude.JunkMail] Something new with v 2.0.6 Since I upgraded to v 2.0.6 from 2.0.5 I am getting the below header info included in the body of emails that are being forwarded. Any ideas. X-Spam-Tests-Failed Weight: SNIFFERZERO [0], FILTER-MAILFROM [5]X-Spam-Time:00:00:12X-Note: Total spam weight of this E-mail is 5X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, FILTER-MAILFROMX-Weight: 5X-Mailfrom: X-Note: Sent from: X-Note: Sent from Reverse DNS: (Private IP) ([127.0.0.1])X-Hello: X-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain:
Re: [Declude.JunkMail] Something new with v 2.0.6
I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40])by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: [EMAIL PROTECTED]X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301].X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC5E1035404704CAF.SMDX-Note: Total spam weight of this E-mail is 3.X-RBL-Warning: Total weight: 3X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUSX-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1]X-Spam-Time:03:10:29X-Weight: 3X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationFrom: [EMAIL PROTECTED]Date: Wed, 13 Apr 2005 03:10:29 -0400X-RCPT-TO: [EMAIL PROTECTED]Status: UX-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10]X-Spam-Time:03:10:59X-Note: Total spam weight of this E-mail is 10X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10X-Weight: 10X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationDate: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED]Alert: Virus FoundComputer: DNS2Date: 04/13/2005Time: 03:10:54 AMSeverity: CriticalSource: Norton AntiVirus Corporate Edition
Re: [Declude.JunkMail] Something new with v 2.0.6
See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40])by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: [EMAIL PROTECTED]X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301].X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC5E1035404704CAF.SMDX-Note: Total spam weight of this E-mail is 3.X-RBL-Warning: Total weight: 3X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUSX-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1]X-Spam-Time:03:10:29X-Weight: 3X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationFrom: [EMAIL PROTECTED]Date: Wed, 13 Apr 2005 03:10:29 -0400X-RCPT-TO: [EMAIL PROTECTED]Status: UX-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10]X-Spam-Time:03:10:59X-Note: Total spam weight of this E-mail is 10X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10X-Weight: 10X-Mailfrom: fred.tcbinc.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10])X-Hello: ADSX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationDate: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED]Alert: Virus FoundComputer: DNS2Date: 04/13/2005Time: 03:10:54 AMSeverity: CriticalSource: Norton AntiVirus Corporate Edition GLOBAL.CFG Description: Binary data
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere. So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional. Matt Frederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400 Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400 Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400 Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400 SUBJECT: Virus Found Message-Id: [EMAIL PROTECTED] X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20]. X-RBL-Warning: WEIGHT10: Total weight between 10 and 14. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC601002507EA4CF6.SMD X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20]. X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301]. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC5E1035404704CAF.SMD X-Note: Total spam weight of this E-mail is 3. X-RBL-Warning: Total weight: 3 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUS X-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1] X-Spam-Time:03:10:29 X-Weight: 3 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10]) X-Hello: ADS X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination From: [EMAIL PROTECTED] Date: Wed, 13 Apr 2005 03:10:29 -0400 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10] X-Spam-Time:03:10:59 X-Note: Total spam weight of this E-mail is 10 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10 X-Weight: 10 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10]) X-Hello: ADS X-Note
Re: [Declude.JunkMail] Something new with v 2.0.6
This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400Received: from mail.tcbinc.net ([64.124.116.40])by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400SUBJECT: Virus FoundMessage-Id: [EMAIL PROTECTED]X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20].X-RBL-Warning: WEIGHT10: Total weight between 10 and 14.X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10]X-Declude-Spoolname: DC601002507EA4CF6.SMDX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
Re: [Declude.JunkMail] Something new with v 2.0.6
Found the problem. It was this line. #XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% I removed it and problem went away. Any thoughts.
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234]) X-Hello: web51803.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.116.40 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere. So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional. Matt Frederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entireXINHEADER config is duplicated. Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400 Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for [EMAIL PROTECTED]; Wed, 13 Apr 2005 03:10:59 -0400 Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed
Re: [Declude.JunkMail] Something new with v 2.0.6
We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place.I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also.Your config looks just fine, but the path the E-mail is taking looks abnormal to me.MattFrederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I
Re: [Declude.JunkMail] Something new with v 2.0.6
Which line? Darin. - Original Message - From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:58 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place.I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also.Your config looks just fine, but the path the E-mail is taking looks abnormal to me.MattFrederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:12:53:55X-Note: Total spam weight of this E-mail is 0X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virusX-Spam-Tests-Failed: SNIFFERZEROX-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234])X-Hello: web51803.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.116.40X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred,It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there.Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again).I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere.So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional.MattFrederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 - Original Message - From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM
Re: [Declude.JunkMail] Something new with v 2.0.6
Fred, The line that you commented out looked fine to me, so that is strange. What concerns me is that the message is being processed twice by Declude. I would hate to see this happen with other things as that is a waste of resources. As long as we're still guessing and thinking out loud, maybe 2.0.5 wasn't double-processing the E-mail and now 2.0.6 is, and that might have uncovered a bug with the XINHEADER insertion that may have existed before...or maybe a new %TESTSFAILEDWITHWEIGHTS% bug. I recall in a more recent version of IMail that the behavior in IMail had changed and Scott had to code a fix into Declude so that it wouldn't double process forwarded messages. Maybe that code is broken or lost due to recent tweaking. I would imagine that over the years there were a lot of small things that Scott programmed into the product that resolved quirks with IMail but could be overlooked or lost in recoding for new features and fixes. Another very strange thing is that the following headers I don't believe get added to an E-mail until it lands in an account, but they appeared before the second set of Declude headers in the message: X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 411698213 I can't tell however if IMail inserted them after the first time through or after the second time through. If they were added the first time through that might be odd behavior that Declude wasn't expecting to see...but then again it may be equally plausible that space aliens have hijacked your server and are just having their laughs :) I guess that's it for my speculation. Matt Frederick Samarelli wrote: We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234]) X-Hello: web51803.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.116.40 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) - SMTP32-FWD (Probably also IMail) - 64.124.116.40 (SMSSMTP, Symantec???) - 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed
RE: [Declude.JunkMail] Something new with v 2.0.6
Hi Fred and Matt, The received headers showed that the mail went through the following hosts: ads.tcbinc.net mail.tcbinc.net dns2.tcbinc.net bks.tcbinc.com It seems like two of those hosts were running Imail/declude (or one was a multi-homed machine running Imail/declude that was given the email twice). Fred probably isn't explaining his setup because it works well in all other cases and he doesn't think the configuration is relevant to this problem - but it is confusing for the outsider who is analyzing the problem. It also looks to me like the email routing may be relevant to the problem. If the problem is reproducible in an environment without the extra routing, then it should be investigated and fixed. I'm not able to test this at the moment however. Even if it occurs only in a set up with the extra routing it should still be investigated to determine if it is a bug in declude or in something else - but only those with multiple decludes would be able to test that. Sorry I can't help more. Best Regards Mike Higgins HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x14 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, April 13, 2005 2:32 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The line that you commented out looked fine to me, so that is strange. What concerns me is that the message is being processed twice by Declude. I would hate to see this happen with other things as that is a waste of resources. As long as we're still guessing and thinking out loud, maybe 2.0.5 wasn't double-processing the E-mail and now 2.0.6 is, and that might have uncovered a bug with the XINHEADER insertion that may have existed before...or maybe a new %TESTSFAILEDWITHWEIGHTS% bug. I recall in a more recent version of IMail that the behavior in IMail had changed and Scott had to code a fix into Declude so that it wouldn't double process forwarded messages. Maybe that code is broken or lost due to recent tweaking. I would imagine that over the years there were a lot of small things that Scott programmed into the product that resolved quirks with IMail but could be overlooked or lost in recoding for new features and fixes. Another very strange thing is that the following headers I don't believe get added to an E-mail until it lands in an account, but they appeared before the second set of Declude headers in the message: X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 411698213 I can't tell however if IMail inserted them after the first time through or after the second time through. If they were added the first time through that might be odd behavior that Declude wasn't expecting to see...but then again it may be equally plausible that space aliens have hijacked your server and are just having their laughs :) I guess that's it for my speculation. Matt Frederick Samarelli wrote: We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. - Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned filtered by Declude [2.0.6] for SPAM virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL
Re: [Declude.JunkMail] Something new with v 2.0.6
Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Based on this I would agree then that the %TESTSFAILEDWITHWEIGHTS% variable is inserting a double CRLF instead of a single one, and this would seem to explain everything else that I was commenting on as it would seem to follow that the other things were merely effects of this, and complicated/obfuscated by the double-processing that isn't present in this example. Maybe you could try one thing; retype that line from scratch after deleting it just to make sure there are not garbage non-printing characters showing up at the end of the line. Beyond that, I would imagine that someone at Declude has been listening and will shortly confirm the issue, or maybe someone else that has already installed 2.0.6 could set up an account to forward using this header variable in their config and check to see if the same behavior repeats itself on other systems. Matt Frederick Samarelli wrote: Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED] Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: [EMAIL PROTECTED] Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli [EMAIL PROTECTED] Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:15:33:42 X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237]) X-Hello: web51806.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.117.196 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED]Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment: DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ;Message-ID: [EMAIL PROTECTED]Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From: Frederick Samarelli [EMAIL PROTECTED]Subject: test10To: [EMAIL PROTECTED]MIME-Version: 1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note: Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight: 0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus.X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom: samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note: Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED STATES-destinationX-AOL-IP: 64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message
Good Thought but I have these others without
problem. Thanks.
XINHEADER X-Note: Total spam weight of
this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total
weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned
filtered by TCB [%VERSION%] for SPAM
virus.XINHEADERX-Note: Sent from:
%MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS%
([%REMOTEIP%])XINHEADERX-Note: Recipient(s):
%REALRECIPS%- Original Message -
From:
Andy Schmidt
To: Declude.JunkMail@declude.com
Sent: Wednesday, April 13, 2005 4:02
PM
Subject: RE: [Declude.JunkMail] Something
new with v 2.0.6
Hi
Frederick:
I
don't know if this has been asked/suggested already and I don't have time to
go back to the RFCs to see if embedded spaces are permitted in the header
name. But have you ever tried eliminating that space:
XINHEADERX-Spam-Tests-Failed Weight:
%TESTSFAILEDWITHWEIGHTS%
replace with:
XINHEADERX-Spam-Tests-Failed-Weight:
%TESTSFAILEDWITHWEIGHTS%
May
be the problem is that there is a CR/LF followed by a line that contains no
header name(due to the embedded space) following by another CR/LF.
May be those two CR/LF without valid header information inbetween are
interpreted as "start of message body" by some
entities?
Best
RegardsAndy SchmidtPhone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail]
Something new with v 2.0.6
Mike/Matt (thanks for your help) You
should be able to duplicated by just forwarding an email to an outside
account using the problem line at the bottom.
As not to confuse things I simplified
the process.
Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to)
= [EMAIL PROTECTED]
This run through only one server on my
network.
Header from My AOL
account.
Return-Path: [EMAIL PROTECTED]Received:
from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by
air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132;
Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com
(bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with
ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21
-0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id
A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from
web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com
(SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received:
(qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment:
DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature:
a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE=
;Message-ID: [EMAIL PROTECTED]Received:
from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005
12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From:
Frederick Samarelli [EMAIL PROTECTED]Subject:
test10To: [EMAIL PROTECTED]MIME-Version:
1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning:
SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED]
[206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note:
Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight:
0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM
virus.X-Spam-Tests-Failed: SNIFFERZERO
Message Body (should only be the word test10)
X-Spam-Tests-Failed Weight: SNIFFERZERO
[0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom:
samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note:
Sent from Reverse DNS: web51806.mail.yahoo.com
([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note:
Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED
STATES-destinationX-AOL-IP:
64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10
Culprit:
XINHEADERX-Spam-Tests-Failed
Weight:
%TESTSFAILEDWITHWEIGHTS%
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Well - NONE of those have an embedded space in the Header name!? X-Note: X-RBL-Warning: vs. X-Spam-Tests-Failed Weight: Have you TRIED what I suggested? Best RegardsAndy SchmidtPhone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick SamarelliSent: Wednesday, April 13, 2005 04:28 PMTo: Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus.XINHEADERX-Note: Sent from: %MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s): %REALRECIPS%
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message
It may be an issue with having a space before the
first colon. I seem to remember something like that in the past.
Worth a try anyway...
Darin.
- Original Message -
From: Frederick Samarelli
To: Declude.JunkMail@declude.com
Sent: Wednesday, April 13, 2005 4:27 PM
Subject: Re: [Declude.JunkMail] Something new with v
2.0.6
Good Thought but I have these others without
problem. Thanks.
XINHEADER X-Note: Total spam weight of
this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total
weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned
filtered by TCB [%VERSION%] for SPAM
virus.XINHEADERX-Note: Sent from:
%MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS%
([%REMOTEIP%])XINHEADERX-Note: Recipient(s):
%REALRECIPS%- Original Message -
From:
Andy Schmidt
To: Declude.JunkMail@declude.com
Sent: Wednesday, April 13, 2005 4:02
PM
Subject: RE: [Declude.JunkMail] Something
new with v 2.0.6
Hi
Frederick:
I
don't know if this has been asked/suggested already and I don't have time to
go back to the RFCs to see if embedded spaces are permitted in the header
name. But have you ever tried eliminating that space:
XINHEADERX-Spam-Tests-Failed Weight:
%TESTSFAILEDWITHWEIGHTS%
replace with:
XINHEADERX-Spam-Tests-Failed-Weight:
%TESTSFAILEDWITHWEIGHTS%
May
be the problem is that there is a CR/LF followed by a line that contains no
header name(due to the embedded space) following by another CR/LF.
May be those two CR/LF without valid header information inbetween are
interpreted as "start of message body" by some
entities?
Best
RegardsAndy SchmidtPhone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail]
Something new with v 2.0.6
Mike/Matt (thanks for your help) You
should be able to duplicated by just forwarding an email to an outside
account using the problem line at the bottom.
As not to confuse things I simplified
the process.
Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to)
= [EMAIL PROTECTED]
This run through only one server on my
network.
Header from My AOL
account.
Return-Path: [EMAIL PROTECTED]Received:
from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by
air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132;
Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com
(bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with
ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21
-0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id
A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from
web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com
(SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received:
(qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment:
DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature:
a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE=
;Message-ID: [EMAIL PROTECTED]Received:
from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005
12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From:
Frederick Samarelli [EMAIL PROTECTED]Subject:
test10To: [EMAIL PROTECTED]MIME-Version:
1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning:
SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED]
[206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note:
Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight:
0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM
virus.X-Spam-Tests-Failed: SNIFFERZERO
Message Body (should only be the word test10)
X-Spam-Tests-Failed Weight: SNIFFERZERO
[0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom:
samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note:
Sent from Reverse DNS: web51806.mail.yahoo.com
([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note:
Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED
STATES-destinationX-AOL-IP:
64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10
Culprit:
XINHEADERX-Spam-Tests-Failed
Weight:
%TESTSFAILEDWITHWEIGHTS%
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message
Fredrick,
But with these there are no spaces in the x line: but with
this one X-Spam-Tests-Failed-Weight:
there is a space.
David B
www.declude.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
SamarelliSent: Wednesday, April 13, 2005 4:28 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] Something
new with v 2.0.6
Good Thought but I have these others without
problem. Thanks.
XINHEADER X-Note: Total spam weight of
this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total
weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned
filtered by TCB [%VERSION%] for SPAM
virus.XINHEADERX-Note: Sent from:
%MAILFROM%XINHEADERX-Note: Sent from Reverse DNS: %REVDNS%
([%REMOTEIP%])XINHEADERX-Note: Recipient(s):
%REALRECIPS%- Original Message -
From:
Andy Schmidt
To: Declude.JunkMail@declude.com
Sent: Wednesday, April 13, 2005 4:02
PM
Subject: RE: [Declude.JunkMail] Something
new with v 2.0.6
Hi
Frederick:
I
don't know if this has been asked/suggested already and I don't have time to
go back to the RFCs to see if embedded spaces are permitted in the header
name. But have you ever tried eliminating that space:
XINHEADERX-Spam-Tests-Failed Weight:
%TESTSFAILEDWITHWEIGHTS%
replace with:
XINHEADERX-Spam-Tests-Failed-Weight:
%TESTSFAILEDWITHWEIGHTS%
May
be the problem is that there is a CR/LF followed by a line that contains no
header name(due to the embedded space) following by another CR/LF.
May be those two CR/LF without valid header information inbetween are
interpreted as "start of message body" by some
entities?
Best
RegardsAndy SchmidtPhone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail]
Something new with v 2.0.6
Mike/Matt (thanks for your help) You
should be able to duplicated by just forwarding an email to an outside
account using the problem line at the bottom.
As not to confuse things I simplified
the process.
Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to)
= [EMAIL PROTECTED]
This run through only one server on my
network.
Header from My AOL
account.
Return-Path: [EMAIL PROTECTED]Received:
from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by
air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132;
Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com
(bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with
ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21
-0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id
A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from
web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com
(SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received:
(qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment:
DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature:
a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE=
;Message-ID: [EMAIL PROTECTED]Received:
from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005
12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From:
Frederick Samarelli [EMAIL PROTECTED]Subject:
test10To: [EMAIL PROTECTED]MIME-Version:
1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning:
SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED]
[206.190.38.237]X-Declude-Spoolname: D741100040470EC67.SMDX-Note:
Total spam weight of this E-mail is 0.X-RBL-Warning: Total weight:
0X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM
virus.X-Spam-Tests-Failed: SNIFFERZERO
Message Body (should only be the word test10)
X-Spam-Tests-Failed Weight: SNIFFERZERO
[0]X-Spam-Time:15:33:42X-Weight: 0X-Mailfrom:
samarelli.yahoo.comX-Note: Sent from: [EMAIL PROTECTED]X-Note:
Sent from Reverse DNS: web51806.mail.yahoo.com
([206.190.38.237])X-Hello: web51806.mail.yahoo.comX-Note:
Recipient(s): [EMAIL PROTECTED]X-Country-Chain: UNITED
STATES-destinationX-AOL-IP:
64.124.117.196X-AOL-SCOLL-SCORE:0:0:0:X-AOL-SCOLL-URL_COUNT:0test10
Culprit:
XINHEADERX-Spam-Tests-Failed
Weight:
%TESTSFAILEDWITHWEIGHTS%__
NOD32 1.1059 (20050412) Information __This message was checked
by NOD32 antivirus system.http:/
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message Fred, Those are all legit. Andy has keen eyes and I suspect that he may have identified the trigger, though it would be a bug in Declude to behave in this way, but a minor one. The examples that you gave all have no spaces prior to the first colon, and that is compliant. The one that Andy gave was clearly not, and it is the one that is also causing you problems. Matt Frederick Samarelli wrote: Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADERX-RBL-Warning: Total weight: %WEIGHT% XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus. XINHEADERX-Note: Sent from: %MAILFROM% XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%]) XINHEADERX-Note: Recipient(s): %REALRECIPS% - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as "start of message body" by some entities? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED] Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: [EMAIL PROTECTED] Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli [EMAIL PROTECTED] Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10) X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:15:33:42 X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51806.mail.yahoo.com ([206.190.38.237]) X-Hello: web51806.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES-destination X-AOL-IP: 64.124.117.196 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 test10 Culprit: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% -- = MailPure custom filters for Declude JunkMail
RE: [Declude.JunkMail] Something new with v 2.0.6
Title: Message
Okay,
let me try it this way...
RFC
822 states:
3.1.2. STRUCTURE OF HEADER
FIELDS Once a field has been
unfolded, it may be viewed as being
com- posed of a field-name followed by a colon (":"), followed by
a field-body, and
terminated by a
carriage-return/line-feed. The field-name must be composed
of printable ASCII characters
(i.e., characters that have values between 33.
and 126., decimal, except
colon). The field-body may be composed of
any ASCII characters, except CR or
LF. (While CR and/or LF may
be present in the actual
text, they are removed by the action
of unfolding the
field.)
My
reading of the RFC is, that 0x20 (32) is NOT permitted as a header field name!
Thus:
X-Spam-Tests-Failed Weight:
is NOT to be
interpreted as a valid header!
Best
RegardsAndy SchmidtPhone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206
-Original Message-From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Frederick SamarelliSent: Wednesday, April 13,
2005 04:28 PMTo: Declude.JunkMail@declude.comSubject:
Re: [Declude.JunkMail] Something new with v 2.0.6
Good Thought but I have these others without
problem. Thanks.
XINHEADER X-Note: Total spam weight
of this E-mail is %WEIGHT%.XINHEADERX-RBL-Warning: Total
weight: %WEIGHT%XINHEADERX-Note: This E-mail was scanned
filtered by TCB [%VERSION%] for SPAM
virus.XINHEADERX-Note: Sent from:
%MAILFROM%XINHEADERX-Note: Sent from Reverse DNS:
%REVDNS% ([%REMOTEIP%])XINHEADERX-Note: Recipient(s):
%REALRECIPS%- Original Message -
From:
Andy Schmidt
To: Declude.JunkMail@declude.com
Sent: Wednesday, April 13, 2005 4:02
PM
Subject: RE: [Declude.JunkMail]
Something new with v 2.0.6
Hi
Frederick:
I
don't know if this has been asked/suggested already and I don't have time to
go back to the RFCs to see if embedded spaces are permitted in the header
name. But have you ever tried eliminating that space:
XINHEADERX-Spam-Tests-Failed
Weight: %TESTSFAILEDWITHWEIGHTS%
replace with:
XINHEADERX-Spam-Tests-Failed-Weight:
%TESTSFAILEDWITHWEIGHTS%
May be the problem is that there is a CR/LF followed by a line that
contains no header name(due to the embedded space) following by
another CR/LF. May be those two CR/LF without valid header information
inbetween are interpreted as "start of message body" by some
entities?
Best
RegardsAndy SchmidtPhone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
SamarelliSent: Wednesday, April 13, 2005 03:42 PMTo:
Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail]
Something new with v 2.0.6
Mike/Matt (thanks for your help) You
should be able to duplicated by just forwarding an email to an outside
account using the problem line at the bottom.
As not to confuse things I simplified
the process.
Send an email from [EMAIL PROTECTED]= [EMAIL PROTECTED](forwarded to)
= [EMAIL PROTECTED]
This run through only one server on
my network.
Header from My AOL
account.
Return-Path: [EMAIL PROTECTED]Received:
from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by
air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132;
Wed, 13 Apr 2005 15:34:25 -0400Received: from bks.tcbinc.com
(bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with
ESMTP id MAILRELAYINXM42-606425d743d132; Wed, 13 Apr 2005 15:34:21
-0400Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id
A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from
web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com
(SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400Received:
(qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 -Comment:
DomainKeys? See http://antispam.yahoo.com/domainkeysDomainKey-Signature:
a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuKoj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE=
;Message-ID: [EMAIL PROTECTED]Received:
from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr
2005 12:34:12 PDTDate: Wed, 13 Apr 2005 12:34:12 -0700 (PDT)From:
Frederick Samarelli [EMAIL PROTECTED]Subject:
test10To: [EMAIL PROTECTED]MIME-Version:
1.0Content-Type: text/plain; charset=us-asciiX-RBL-Warning:
SNIFFERZERO: Message failed SNIFFERZERO: 0.X-Declude-Sender: [EMAIL PROTECTED]
[206.
RE: [Declude.JunkMail] Something new with v 2.0.6
On 13 Apr 2005 at 16:44, Andy Schmidt wrote: Very well done Andy.. -Nick Okay, let me try it this way... RFC 822 states: 3.1.2. STRUCTURE OF HEADER FIELDS Once a field has been unfolded, it may be viewed as being com- posed of a field-name followed by a colon (:), followed by a field-body, and terminated by a carriage-return/line-feed. The field-name must be composed of printable ASCII characters (i.e., characters that have values between 33. and 126., decimal, except colon). The field-body may be composed of any ASCII characters, except CR or LF. (While CR and/or LF may be present in the actual text, they are removed by the action of unfolding the field.) My reading of the RFC is, that 0x20 (32) is NOT permitted as a header field name! Thus: X-Spam-Tests-Failed Weight: is NOT to be interpreted as a valid header! Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 04:28 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Good Thought but I have these others without problem. Thanks. XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADERX-RBL-Warning: Total weight: %WEIGHT% XINHEADERX-Note: This E-mail was scanned filtered by TCB [%VERSION%] for SPAM virus. XINHEADERX-Note: Sent from: %MAILFROM% XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%]) XINHEADERX-Note: Recipient(s): %REALRECIPS% - Original Message - From: Andy Schmidt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 4:02 PM Subject: RE: [Declude.JunkMail] Something new with v 2.0.6 Hi Frederick: I don't know if this has been asked/suggested already and I don't have time to go back to the RFCs to see if embedded spaces are permitted in the header name. But have you ever tried eliminating that space: XINHEADERX-Spam-Tests-Failed Weight: %TESTSFAILEDWITHWEIGHTS% replace with: XINHEADERX-Spam-Tests-Failed-Weight: %TESTSFAILEDWITHWEIGHTS% May be the problem is that there is a CR/LF followed by a line that contains no header name(due to the embedded space) following by another CR/LF. May be those two CR/LF without valid header information inbetween are interpreted as start of message body by some entities? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Wednesday, April 13, 2005 03:42 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Mike/Matt (thanks for your help) You should be able to duplicated by just forwarding an email to an outside account using the problem line at the bottom. As not to confuse things I simplified the process. Send an email from [EMAIL PROTECTED] [EMAIL PROTECTED](forwarded to) = [EMAIL PROTECTED] This run through only one server on my network. Header from My AOL account. Return-Path: [EMAIL PROTECTED] Received: from rly-xm04.mx.aol.com (rly-xm04.mail.aol.com [172.20.83.105]) by air-xm03.mail.aol.com (v105.26) with ESMTP id MAILINXM31-606425d743d132; Wed, 13 Apr 2005 15:34:25 -0400 Received: from bks.tcbinc.com (bks.tcbinc.com [64.124.117.196]) by rly-xm04.mx.aol.com (v105.26) with ESMTP id MAILRELAYINXM42- 606425d743d132; Wed, 13 Apr 2005 15:34:21 -0400 Received: from SMTP32-FWD by bks.tcbinc.com (SMTP32) id A741100040470EC67; Wed, 13 Apr 2005 15:33:42 Received: from web51806.mail.yahoo.com [206.190.38.237] by bks.tcbinc.com (SMTPD32-8.15) id A41140470; Wed, 13 Apr 2005 15:33:37 -0400 Received: (qmail 50369 invoked by uid 60001); 13 Apr 2005 19:34:12 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=M12dWrk8x99pS4FhLTVJbfbgIc60YrjkjS/Vi2yiCoare5X2fk5F+zDzAA2XuOKAyAuK oj3EEGBHc6gPlwybZ/TMSShXoJtIypUpKUZZrm7SoU0rx30hedmPe9IecDArBynamRJFf8 HjmCsGFKGIwJhKUjwV4wNnw1wLdarF7SE= ; Message-ID: [EMAIL PROTECTED] Received: from [64.124.117.139] by web51806.mail.yahoo.com via HTTP; Wed, 13 Apr 2005 12:34:12 PDT Date: Wed, 13 Apr 2005 12:34:12 -0700 (PDT) From: Frederick Samarelli [EMAIL PROTECTED] Subject: test10 To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-Declude-Sender: [EMAIL PROTECTED] [206.190.38.237] X-Declude-Spoolname: D741100040470EC67.SMD X-Note: Total spam weight of this E-mail is 0. X-RBL-Warning: Total weight: 0 X-Note: This E-mail was scanned filtered by TCB [2.0.6] for SPAM virus. X-Spam-Tests-Failed: SNIFFERZERO Message Body (should only be the word test10
Re: [Declude.JunkMail] Something new with v 2.0.6
Title: Message
Andy,
Knowing Scott, I could see him adding a double line break when the
header name was invalid so as to not write an invalid header. I
suppose that could be seen as a form of error handling, though it's not
the way that I would tend to approach the same issue if in fact the
case. I also suppose that it is possible that his E-mail client is
adding the double line breaks to the interpreted output that he is
viewing and it might in fact all appear without line breaks in the
uninterpreted source.
Either way, I'm sure that this fixed the issue.
Matt
Andy Schmidt wrote:
Dear Matt:
it would be a bug in Declude to behave
in this way
You may be right - but I'm not that certain
about that being a bug (unless you expect Declude to perform a "syntax
check" ofthese user headers).
RFC822 states:
3.1.1. LONG HEADER FIELDS
Each header field can be viewed as a single, logical line of
ASCII characters, comprising a field-name and a field-body.
For convenience, the field-body portion of this conceptual
entity can be split into a multiple-line representation; this
is called "folding". The general rule is that wherever there
may be linear-white-space (NOT simply LWSP-chars), a CRLF
immediately followed by AT LEAST one LWSP-char may
instead be
inserted.
In other words, as long as CRLF is followed by a
SPACE in the new line, the line
X-Spam-Tests-Failed
Weight
would have to be treated as a conintuation of
the PRIORheader field.
However, in the absence of:
a) a leading space,
b) a valid header field name
it might actually be PROPER to err on the side
of safety and consider this the "end" of the headers.
After all, we don't want to create a
vulnerability where someone could insert "data"into the header that
Outlook might skip...
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20
(Business)
Fax: +1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, April 13, 2005 04:37 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Something new with v 2.0.6
Fred,
Those are all legit. Andy has keen eyes and I suspect that he may have
identified the trigger, though it would be a bug in Declude to behave
in this way, but a minor one.
The examples that you gave all have no spaces prior to the first colon,
and that is compliant. The one that Andy gave was clearly not, and it
is the one that is also causing you problems.
Matt
Frederick Samarelli wrote:
Good Thought but I have these
others without problem. Thanks.
XINHEADER X-Note: Total spam
weight of this E-mail is %WEIGHT%.
XINHEADERX-RBL-Warning: Total weight: %WEIGHT%
XINHEADERX-Note: This E-mail was scanned filtered by TCB
[%VERSION%] for SPAM virus.
XINHEADERX-Note: Sent from: %MAILFROM%
XINHEADERX-Note: Sent from Reverse DNS: %REVDNS% ([%REMOTEIP%])
XINHEADERX-Note: Recipient(s): %REALRECIPS%
- Original Message -
From:
Andy Schmidt
To:
Declude.JunkMail@declude.com
Sent:
Wednesday, April 13, 2005 4:02 PM
Subject:
RE: [Declude.JunkMail] Something new with v 2.0.6
Hi Frederick:
I don't know if this has been asked/suggested
already and I don't have time to go back to the RFCs to see if embedded
spaces are permitted in the header name. But have you ever tried
eliminating that space:
XINHEADERX-Spam-Tests-Failed
Weight: %TESTSFAILEDWITHWEIGHTS%
replace with:
XINHEADERX-Spam-Tests-Failed-Weight:
%TESTSFAILEDWITHWEIGHTS%
May be the problem is that there is a CR/LF
followed by a line that contains no header name(due to the embedded
space) following by another CR/LF. May be those two CR/LF without
valid header information inbetween are interpreted as "start of message
body" by some entities?
Best Regards
Andy Schmidt
Phone: +1 201 934-3414
x20 (Business)
Fax: +1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Frederick Samarelli
Sent: Wednesday, April 13, 2005 03:42 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Something new with v
2.0.6
Mike/Matt (thanks
for your help) You should be able to duplicated by just forwarding an
email to an outside account using the problem line at the bottom.
As not to confuse
things I simplified the process.
Send an email from [EMAIL PROTECTED]=
[EMAIL PROTECTED](forwarded
to) = [EMAIL PROTECTED]
