Re: [Declude.JunkMail] one more try...
Thanks everyone, I have it working. It was also necessary to go to the $default$.junkmail config file and add MYFILTER WARN so I could see the results in spam review.

Thanks,

Andy
Re: [Declude.JunkMail] one more try...
Very interesting. Looks like the @b. thing is a standard in some piece of VERP software. BTW, unless you (generally) are extremely aggressive (sans FiveTen), this would be a very bad idea to implement as a filter. So please ignore my initial filter submission...but I've got something bulletproof to replace it.

This spammer that we were trying to identify with that string was probably Douglas Fields of Pexicom, Inc. His old network is in SBL (SBL5185), but it appears that he went out and registered some new blocks of addresses, and got others through Above.net, from which he also gets bandwidth. If anyone knows how to report him to SBL, it might help a lot of people. I couldn't figure out how to report during a cursory search of their site.

With the help of your file, a bunch of data from past spam captures, that header clue that exposed his software, and a little DNS work...I came up with 9 new blocks not in SBL with reverse DNS names with 9 addresses each (ns1, ns2, www and mail1 through mail6). I won't assume for a second that is all, but it's a lot and considering the age of many of the domains, he hasn't yet exposed all of his servers to the RBL's (less than 1/4 were in a multi-week 150 MB capture that found all of this stuff).

If he wasn't failing BADHEADERS, some of this would have gotten through on my server, so I wrote it as a filter just for this one guy and attached it to this note. Implement safely with the following line, and kill the filter after SBL picks it up.

- Global.cfg -
PEXICOM filter C:\IMail\Declude\Filters\Pexicom.txt x 25 0

My guess is that this guy was approaching 1% of my total E-mail volume, which is pretty serious, though one of the crud spammers is currently doing about 5% I think.

Hopefully he'll stay put for a while seeing as how ARIN has him on record:

Matt

Bill Landry wrote:

> Attached are a couple of scripts (and sample output) that can be used, if using log level MID or higher, to output the "From" e-mail address and sending IP address (first script), or output just the sending IP addresses, listed by count (second script).
>
> HTH,
>
> Bill
Re: [Declude.JunkMail] one more try...
Attached are a couple of scripts (and sample output) that can be used, if using log level MID or higher, to output the "From" e-mail address and sending IP address (first script), or output just the sending IP addresses, listed by count (second script).

HTH,

Bill
RE: [Declude.JunkMail] one more try...
Here is the format:

TESTNAME testtype 1stparameter 2ndparameter failweight passweight

Here are the various types:

WEIGHT weight notused notused triggerweightfail
WEIGHTRANGE weightrange notused notused triggerweightstart triggerweightend
DNSTEST ip4r testaddress returncode(ifneeded) failweight passweight
DNSTEST rhsbl testaddress returncode(ifneeded) failweight passweight
FROMFILE fromfile filelocation notused failweight passweight
FILTER filter filelocation notused failweight passweight
EXTERNAL external returncode programlocationandswitches failweight passweight

> It appears that is because for the MYFILTER test,
> c:\Imail\declude\myfilter.txt is used in place of the first x?

Yes.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of andyb
> Sent: Wednesday, November 05, 2003 7:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] one more try...
>
> I believe my confusion is that all of the other tests are listed as
>
> x x 5 0
>
> And this one only has one X
>
> Thanks for the help.
>
> Andy

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] one more try...
Hi Matt,

I realize catching spam is like trying to hit a moving target...I spend more time dealing with email issues than everything else as an ISP combined.

Declude is catching 100's of these daily but only as a HOLD (with a weight of 10) with my current configs. The goal is to add a weight of 5, which would push the total weight above 15, then it would get DELETEd. (and make it so I have a few hundred less email to review for false positives)

This should also protect against false positives, because legit email should still stay below 9, and certainly below 15 (say for example if the email was [EMAIL PROTECTED])

When I'm less tired, I'm going to spend some time digesting your listed example.

Thanks,

andy
Re: [Declude.JunkMail] one more try...
I believe my confusion is that all of the other tests are listed as

x x 5 0

And this one only has one X

It appears that is because for the MYFILTER test, c:\Imail\declude\myfilter.txt is used in place of the first x?

Thanks for the help.

Andy

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 05, 2003 9:20 PM
Subject: Re: [Declude.JunkMail] one more try...

> >MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
> >
> >should have 2 x's because of the 2 tiered weighting system I'm using?
>
> No. That will give E-mails that do NOT fail the test a weight of 5.
>
> Test name, test type, 2 pieces of test-specific information, standard
> weight, negative (pass) weight.
>
> -Scott
Re: [Declude.JunkMail] one more try...
BTW, actually two of those three headers are from the same company. You can also easily identify this spam company with a filter for the following unique code which might be safer than the other technique (though, only slightly more so):

HEADERS 0 CONTAINS X-JLH:

Be sure to include a space after the colon just to be safe. You might want to pack this together with the others just in case he stops using the @b. technique, but still, knowing the IP's would be the best.

Matt
Re: [Declude.JunkMail] one more try...
Andy,

I tried sending this twice, but I think Scott's server blocked it because of the content in the headers, so the headers are attached as a zip this time. Your global.cfg would have something like the following and the adjusted filter file is in the original reply pasted below (name the filter whatever you wish).

[EMAIL PROTECTED] filter C:\IMail\Declude\Filters\[EMAIL PROTECTED] x 5 0

Then the original reply (adjusted a little)...

Matt

Actually, I think this one is in the format of [EMAIL PROTECTED], so the filter would need to be:

MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]

I put a number before the domain because it appears that this spammer uses VERP and the pattern always has a number before the "@b." so this will help protect from false positives. I just wouldn't necessarily kill it for just this one thing, and I don't think you have to because this stuff isn't getting through my server, so it's picking up points from RBL's and other things.

I've seen this stuff coming through my own machine and noted it because of the question earlier. I fear that the pattern is only temporary, but if I'm not mistaken, this is from one of the contest type of spammers with a set group of IP's that they send out from. You could more effectively search for hits and take the IP addresses out and then filter for those as long-term prevention in the event that this pattern fails (which I expect it will). Bill could probably grep that info from his logs in seconds :) Be sure to share if you do. I wouldn't bother with the domain names because they seem to be very temporary.

Here are three such headers from this spammer, and all of the domain names were registered recently through pairNIC.com, http://whois.pairnic.com/

Matt

andyb wrote:

> So, the line
>
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> should have 2 x's because of the 2 tiered weighting system I'm using?
>
> Thanks,
>
> Andy

--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===

headers.zip
Description: Zip compressed data
RE: [Declude.JunkMail] one more try...
If you want all the lines in that filter to have the same weight, it should be this:

MYFILTER filter C:\imail\declude\myfilter.txt x x 5 0

in the global.cfg

MAILFROM 0 STARTSWITH b.

in the myfilter.txt file.

If you want each line in the filter to have its own weight, it should be this:

MYFILTER filter C:\imail\declude\myfilter.txt x x 0 0

in the global.cfg

MAILFROM 5 STARTSWITH b.

in the myfilter.txt file.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of andyb
> Sent: Wednesday, November 05, 2003 6:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] one more try...
>
> So, the line
>
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> should have 2 x's because of the 2 tiered weighting system I'm using?
>
> Thanks,
>
> Andy
Re: [Declude.JunkMail] one more try...
>MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
>should have 2 x's because of the 2 tiered weighting system I'm using?

No. That will give E-mails that do NOT fail the test a weight of 5.

Test name, test type, 2 pieces of test-specific information, standard weight, negative (pass) weight.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] one more try...
So, the line

MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

should have 2 x's because of the 2 tiered weighting system I'm using?

Thanks,

Andy

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 05, 2003 7:13 PM
Subject: Re: [Declude.JunkMail] one more try...

> >to be sure, the syntax would be:
> >
> >in Global.cfg:
> >MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
> >
> >In myfilter.txt:
> >MAILFROM 5 STARTSWITH b.
>
> That would work fine.
>
> >Isn't this adding the weight of 5 twice? I'd like it to only be added once.
>
> Yes, that would add the weight twice. The total weight for the test is a
> combination of the general weight for the test (the "5" in the "MYFILTER
> filter" line) plus the weight for each line that matches (the "MAILFROM 5"
> line).
>
> In this case, you might instead want to use:
>
> MAILFROM 0 STARTSWITH b.
>
> -Scott
RE: [Declude.JunkMail] one more try...
If you wanted to add 5 to any message caught by anything in the filter, you would add five in the test definition in the Global.cfg. However, if you want to add weight to each line in the filter, you would leave the weight on the test itself to 0 and put the weight value in the second column in the filter file. John Tolmachoff Engineer/Consultant/Owner eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of andyb > Sent: Wednesday, November 05, 2003 4:00 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] one more try... > > to be sure, the syntax would be: > > in Global.cfg: > MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0 > > In myfilter.txt: > MAILFROM5STARTSWITH b. > > Isn't this adding the weight of 5 twice? I'd like it to only be added > once. > Upon reading the on-line junk mail manual, this point isn't clear. > > First time using the filter file. I'm using a dual weight system, 1st > tier > is hold, 2nd tier deletes. > > Thanks, andy > > - Original Message - > From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, November 05, 2003 6:03 PM > Subject: RE: [Declude.JunkMail] one more try... > > > > Filter file. > > > > MAILFROM (weighttoadd) STARTSWITH b. > > > > John Tolmachoff > > Engineer/Consultant/Owner > > eServices For You > > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > > > [EMAIL PROTECTED] On Behalf Of andyb > > > Sent: Wednesday, November 05, 2003 2:53 PM > > > To: [EMAIL PROTECTED] > > > Subject: [Declude.JunkMail] one more try... > > > > > > Hi all, > > > > > > I've asked a couple of times over the past couple of weeks, but > thought > > > I'd > > > ask one more time... > > > > > > I get a lot of spam with return addresses that start with b. > > > ie: [EMAIL PROTECTED] > > > > > > Is there anyway to filter that in declude or in the Imail kill list? 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] one more try...
> to be sure, the syntax would be:
>
> in Global.cfg:
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> In myfilter.txt:
> MAILFROM 5 STARTSWITH b.

That would work fine.

> Isn't this adding the weight of 5 twice? I'd like it to only be added once.

Yes, that would add the weight twice. The total weight for the test is a combination of the general weight for the test (the "5" in the "MYFILTER filter" line) plus the weight for each line that matches (the "MAILFROM 5" line).

In this case, you might instead want to use:

MAILFROM 0 STARTSWITH b.

-Scott
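Added example (not part of the thread and not Declude's code): a small Python model of the weighting rule that John's and Scott's replies describe, run against the three setups discussed. The function names, the parser and the sample sender addresses are constructed for illustration, and only the `MAILFROM ... STARTSWITH` line shown in the thread is modelled.

```python
# Added model of the weighting rule described in this thread; not Declude's code.
# Assumed rule: when at least one filter line matches, the test adds its
# Global.cfg weight once, plus the weight column of every line that matched.

def parse_filter(text):
    """Parse 'FIELD weight OPERATOR value' lines from a filter file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, weight, op, value = line.split(None, 3)
        if op.upper() != "STARTSWITH":  # the only operator shown in the thread
            raise ValueError("operator not modelled: " + op)
        rules.append((field.upper(), int(weight), value))
    return rules

def filter_weight(test_weight, rules, message):
    """Weight one filter test adds to a message (dict of field -> value)."""
    hits = [w for field, w, value in rules
            if message.get(field, "").startswith(value)]
    return test_weight + sum(hits) if hits else 0

# The three setups from the thread: (weight on the test, weight on each line).
SETUPS = {
    "5 on test, 5 on line": (5, 5),   # the configuration asked about
    "5 on test, 0 on line": (5, 0),   # Scott's suggestion
    "0 on test, 5 on line": (0, 5),   # John's per-line alternative
}

def compare(sender, prefixes=("b.",)):
    """Score one envelope sender under each setup, one filter line per prefix."""
    out = {}
    for name, (test_weight, line_weight) in SETUPS.items():
        text = "\n".join("MAILFROM %d STARTSWITH %s" % (line_weight, p)
                         for p in prefixes)
        out[name] = filter_weight(test_weight, parse_filter(text),
                                  {"MAILFROM": sender})
    return out

if __name__ == "__main__":
    # Constructed sample senders; the second must not match the "b." prefix.
    for sender in ("b.12345@example.com", "bob@example.com"):
        print(sender, compare(sender))
    # Two matching lines: per-line weights accumulate, the test weight does not.
    print(compare("b.12345@example.com", ("b.", "b.1")))
```

With a single matching line the last two setups both score 5, but once two lines match the same message the per-line setup scores 10 while the test-level setup stays at 5, which matters for a hold/delete threshold scheme.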
Re: [Declude.JunkMail] one more try...
to be sure, the syntax would be:

in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

In myfilter.txt:
MAILFROM 5 STARTSWITH b.

Isn't this adding the weight of 5 twice? I'd like it to only be added once.
Upon reading the on-line junk mail manual, this point isn't clear.

First time using the filter file. I'm using a dual weight system, 1st tier is hold, 2nd tier deletes.

Thanks, andy

- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 05, 2003 6:03 PM
Subject: RE: [Declude.JunkMail] one more try...

> Filter file.
>
> MAILFROM (weighttoadd) STARTSWITH b.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
RE: [Declude.JunkMail] one more try...
Filter file.

MAILFROM (weighttoadd) STARTSWITH b.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of andyb
> Sent: Wednesday, November 05, 2003 2:53 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] one more try...
>
> Hi all,
>
> I've asked a couple of times over the past couple of weeks, but thought I'd ask one more time...
>
> I get a lot of spam with return addresses that start with b.
> ie: [EMAIL PROTECTED]
>
> Is there any way to filter that in declude or in the Imail kill list?
>
> Thanks, Andy