Hi All,
I was wondering if someone has experienced an error in helobogus. For
some weird reason, I consistently get an error with helobogus like
hotmail.com with the msg failed. For some reason cs.com does not resolve
either.
11/19/2002 00:05:07 Q0cd19bfb002cf91d HELOBOGUS:8 REVDNS:4 .
Hi everybody,
My UNIX systems (two different machines using two different MTAs:
sendmail and postfix) send a HELO using localhost. From what I can tell,
this is common practice because administrators want to hide security
details from other mail servers. However, JunkMail marks this as a
problem.
Hi
I have just set up our system and although it catches some messages others
get through even though the headers indicate that Declude has scanned them.
The headers from the mail below indicate that the mail has failed a lot of
the tests including WEIGHT10 (which should append a warning to the
The sneaky buggers are at it again. I've been getting more
and more emails that don't fail any tests at all, but should be caught as
spam due to multiple wordfilter hits. I had a look at the message (HTML)
source, and found this:
Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone
Th<!--sdkf-->erapy
We have seen quite
a lot. It is happening more and more. If HTML comments could be
ignored it would be a great addition. I wonder what would be the downfall
of the idea?
I also think
another filter that can be considered is the routing type filter. I don't
know if bad
I was wondering if someone has experienced an error in helobogus. For
some weird reason, I consistently get an error with helobogus like
hotmail.com with the msg failed. For some reason cs.com does not resolve
either.
11/19/2002 00:05:07 Q0cd19bfb002cf91d Msg failed HELOBOGUS (Domain
[EMAIL
My UNIX systems (two different machines using two different MTAs:
sendmail and postfix) send a HELO using localhost. From what I can tell,
this is common practice because administrators want to hide security
details from other mail servers. However, JunkMail marks this as a
problem.
If it is a
The sneaky buggers are at it again. I've been getting more and more emails
that don't fail any tests at all, but should be caught as spam due to
multiple wordfilter hits. I had a look at the message (HTML) source, and
found this:
Hum<!--nnbvmx-->an Gr<!--d-->owth Hor<!--fjkg-->mone
I guess one way to combat this is if the Country filter is additive. For
example the weight of each country detected is added to the total
weight. Does the filter do this?
Yes, it does. :)
-Scott
---
[This E-mail was scanned for viruses by Declude Virus
I have just set up our system and although it catches some messages others
get through even though the headers indicate that Declude has scanned them.
The headers from the mail below indicate that the mail has failed a lot of
the tests including WEIGHT10 (which should append a warning to the
If you
can wait for some weeks we can provide an external test-program that makes some
content-based tests.
At the
moment we have ready the first tests which try to identify things like
HTML-only mails, subject with spaces (yes, the same as Declude's
spamheaders-test) and
We attempted implementing a test that counts the number of html comments
and found that it was impractical as it consistently captured a large
number of legitimate services. (Scott, you indicated that it might catch
some - our experience has been that it captures so many we had to drop
it.) I
Do you have any per-user or per-domain settings? That is the most likely
problem (IE you have WEIGHT10/WEIGHT20 set to IGNORE in the file that
Declude JunkMail is using).
There is a per domain setting but it is for the domain that the spam was
addressed to and other spams to that domain to get
We attempted implementing a test that counts the number of html comments
and found that it was impractical as it consistently captured a large
number of legitimate services. (Scott, you indicated that it might catch
some - our experience has been that it captures so many we had to drop
it.) I
R.,
Tuesday, November 19, 2002 you wrote:
RSP I can understand an HTML E-mail having one or two comments in it,
RSP but 10 or 20 is just a waste of bandwidth. That is information
RSP the recipient will never see.
Lots of the content management systems are heavily commented so I
see a
Do you have any per-user or per-domain settings? That is the most likely
problem (IE you have WEIGHT10/WEIGHT20 set to IGNORE in the file that
Declude JunkMail is using).
There is a per domain setting but it is for the domain that the spam was
addressed to and other spams to that domain to get
Lots of the content management systems are heavily commented so I
see a lot of comments in html messages to subscribers.
However, they are not commented between words but that's a
difficult parse I think.
Aha... that could be the key!
A spammer will use something like
I have one user who is getting absolutely hammered by spam. Last night I
went through her mailbox and added many of the domains that she was getting
spam from to my blacklist.txt file. The action I have configured for that
test is delete. It currently works as I can scan through the log and find
The BASE64 test will be triggered when E-mail contains a text or HTML MIME
segment that is base64 encoded -- there is no reason for such segments to be
base64 encoded, but spammers commonly use the base64 encoding to try to
bypass filters.
Follow-up question: Is there any good or allowed reason
Not when they are the text portions of the message. If you look at a complex
raw email message, there may be several message parts. These can be BASE64
encoded files of any type. All the message parts are essentially contained in
the message body. It is up to the client application to separate
Customer is getting virus notifications but the
virus is listed as unknown.
Is this a known issue and how do I turn off
notification for unknown virus.
He is clean.
H.
Please, DO NOT respond to this e-mail. This is an automated e-mail
message sent to alert you that you attempted to send a
The BASE64 test will be triggered when E-mail contains a text or HTML MIME
segment that is base64 encoded -- there is no reason for such segments to be
base64 encoded...
Follow-up question: Is there any good or allowed reason to have BASE64
encoding in a message?
It is *very* common to use
Customer is getting virus notifications but the virus is listed as unknown.
Hmm... that doesn't sound like a Declude JunkMail issue. :)
Is this a known issue and how do I turn off notification for unknown virus.
Unknown Virus appears when the virus scanner can't report to Declude
Virus
Customer is getting virus notifications but the virus is listed as unknown.
Is this a known issue and how do I turn off notification for unknown virus.
He is clean.
H.
This question really belongs on the declude.virus list. :-)
From the Declude Virus Manual:
Declude Virus (v1.53 and higher) can
Can you post a virus log snippet?
It is possible an error was returned by the virus scanner. The logs will
show this.
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
-Original Message-
From: [EMAIL PROTECTED]
Scott:
We have seen that the Base64 test is also triggered for International
languages. We used to have a high weight assigned to it but we noticed
when people write each other using Unicode or foreign (non-English)
characters the test is triggered.
Is this known?
Regards,
Kami
-Original
Scott,
After reprinting the Junkmail manual I see why I am only having partial
success. I have been using the from domains in the format
@emailoffers.com (occasionally using the format deals-central.com - to catch
10.dealscentral as well as 20.dealscentral). So I suppose since the from
and or
Hi folks,
I recently re-installed IMail Declude after upgrading our mail server
and immediately noticed a drop in JunkMail's accuracy. I now realize
that in nine days, NONE of the IP4R tests or RHSBL tests have logged a
single hit. What might cause this?
The re-installation should have
What DNS servers do you have Imail and Declude configured to use?
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of David Delbridge
Sent:
After reprinting the Junkmail manual I see why I am only having partial
success. I have been using the from domains in the format
@emailoffers.com (occasionally using the format deals-central.com - to catch
10.dealscentral as well as 20.dealscentral). So I suppose since the from
and or reply to
I recently re-installed IMail Declude after upgrading our mail server
and immediately noticed a drop in JunkMail's accuracy. I now realize
that in nine days, NONE of the IP4R tests or RHSBL tests have logged a
single hit. What might cause this?
That will happen if your DNS server isn't
So I suppose since the from
and or reply to addresses are often going to be different than the
X-declude sender (which I don't see in the e-mail headers? I'd have to dig
through the I-mail logs to find this?)
From the Declude Junkmail Manual:
If you want to record the name of the sender
Patrick,
Thanks. I found where that was #XSENDER OFF, took out the pound sign and
changed it to ON. Now if I can get the people who get spam to copy and
forward me the header info...
Marc
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Patrick
flailing a deceased equine...
Crap. Running through the Imail log analyzer I found some of the host names
I was looking for preceded by mail1 or some other name. I added these to
the kill list in the hopes that this is actually the MAIL FROM in the SMTP
envelope that is being reported. I also
They seemed to be originating from 216.39.115.66
(81,68,55) so I also added 216.39.115.0/24 to bannedip.txt. Would this work
just as well, better or faster if I put these IPs in the SMTP control access
list? Though I didn't see an easy way to block an entire class C.
The 216.39.115.0/24 is
Thank you for the replies,
The DNS servers appear to be working fine. NSLOOKUP from a DOS prompt
on the mail server to either of the DNS servers specified in IMail's
SMTP service settings answers all of my queries, authoritative and
recursive. Is there another test I might perform?
Speaking of
What am I doing wrong here?
This is the E-mail header:
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: OSSOFT: http://spamhaus.org/SBL/sbl.lasso?query=SBL5031
X-RBL-Warning: SPAMCOP: Blocked - see
http://spamcop.net/bl.shtml?64.49.243.105
X-RBL-Warning: SPAMHEADERS: This E-mail has headers
|
| However, that's the way spam control is heading. As more and
| more people
| get fed up with spam, more and more of the bozos that are
| doing things the
| wrong way will need to fix their problems.
|
| I can understand an HTML E-mail having one or two comments in
| it, but 10 or
| 20
That's a good point. Perhaps we'll do some testing in the new version
for comments bounded by nonwhitespace.
_M
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of R.
| Scott Perry
| Sent: Tuesday, November 19, 2002 10:21 AM
| To: [EMAIL PROTECTED]
IPBLACKLIST fromfile D:\bannedips.txt x 5 0
I think it needs to be ipfile instead of fromfile.
IPBLACKLIST ipfile D:\bannedips.txt x 5 0
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
Changed it to ipfile - let's see if that does it. I knew I was missing
something
Thanks - Marc
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Tuesday, November 19, 2002 9:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail]
41 matches