I'll repost here what I posted on
the Imail list. The problem is within Imail, not Declude. Declude does not log
a line using SMTPD, Imail does. The line showing the whitelisting is an Imail
SMTPD line, end of story as far as Declude is concerned.
John Tolmachoff
Hi John,
I think you missed a thread Doug and I
exchanged. He explained that he combined the IMail and Declude logs below
to show everything in regards to the message. The following two lines are
from his Declude logs showing that the message was whitelisted by
Declude:
02/22/2005
Hi,
I am seeing very strange behaviour with one of my body filters.
These are the only three entries with STRICTLY CONFIDENTIAL:
BODY 2 CONTAINS STRICTLY CONFIDENTIAL
BODY 20 CONTAINS STRICTLY CONFIDENTIAL URGENT
BODY 20 CONTAINS
So it looks like BOTH Imail (via trusted addresses) and
Declude (via Autowhitelist) were whitelisting this
message.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, February 25, 2005 9:32 AM
To: Declude.JunkMail@declude.com
Subject: Re:
Goran,
1. Do you have a copy of the actual email header ?
2. Is this Qbca31d68008ed51d the only test that failed ?
David B
www.declude.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 25, 2005 10:44 AM
To:
I'm using Declude v2.05 on Imail 8.15. I see the
below error for each message in the virus log.
02/25/2005 11:05:26 Q4cb81c81018c9f59 Couldn't find console;
starting... (2).
02/25/2005 11:05:26 Q4cb81c81018c9f59 Error starting
deccon.exe: 2
02/25/2005 11:05:28 Q4cb81c81018c9f59
Maybe the filtertest itself has an additional weight of 10?
Then there should be a line like
FILTER-NIGERIAN-SCAM filter c:\declude\nigerian.txt x 10 0
in your global.cfg
Heinrich
---
This E-mail was scanned for viruses by CAD-FEM GmbH
David,
4 e-mails with the same text failed.
This is what came back to me as part of the SpamAttach.eml file. Do you
need anything else?
Subject:RE: Governance Working Group Call
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: 16
In your global.cfg and/or virus.cfg, you
have CONSOLE ON. Change that to # CONSOLE ON
to comment it out. Also delete hijack.cfg if you are not running hijack.
Ralph
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz
Sent: Friday, February 25, 2005
Can you post the line in your global.cfg file FILTER-NIGERIAN-SCAM? I am
guessing you may have an extra 10 points being added there that should not
be. Let's have a look.
Thanks
David
www.declude.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran
1. In the Declude folder, if you are not running
Hijack, rename the file hijack.cfg to hijack.bak
2. Open your global.cfg and comment out the line CONSOLE
ON
David B
www.declude.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz
Sent: Friday, February 25, 2005 11:09
Nope sorry,
FILTER-NIGERIAN-SCAM filter C:\IMail\Declude\Filters\Kami\Filter_Nigerian.txt X 0 0
Goran Jovanovic
The LAN Shoppe
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Heinrich Richter
Sent:
Can you post the entire filter?
My copy of Kami's filter shows:
BODY 12 CONTAINS STRICTLY CONFIDENTIAL
- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 9:44 AM
Subject: [Declude.JunkMail] Body
Thanks! Deleting the hijack.cfg did it.
-Jeff
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ralph Krausse
Sent: Friday, February 25, 2005
11:20 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail]
Errors in virus log
In your global.cfg
Not sure if I am missing something
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 25, 2005 7:44 AM
To:
Yep, Dan is correct. I saw the first
line about whitelist which was an Imail SMTPD line and stopped there.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent:
Disregard this post, hit the wrong button.
Darn keyboard virus.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Friday, February 25, 2005
Could it have been set to body contains 12.. on 2/16 and subsequently
changed to body contains 2.. sometime after the email was processed?
It's the only explanation that I can see...
- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent:
Scott,
Since I do the editing on the filter files and I do not remember doing
this .
I have been doing a bunch of work on COMBO filters but not on tweaking
that filter. Now it is possible that I did tweak it and I do not
remember doing it but ...
I will ask around the office as well
I sent
Goran and Scott... John probably hit the nail on the head. I was going
to make the same comment, actually.
Since you have the message, turn on HIGH or DEBUG level logging and send
the message to yourself.
I bet that there are other tests in that same filter file that are
triggered, and that the
I use port 2525 to bypass port 25 blocking for my
employees.
I was just checking my logs and I've been receiving
spam on port 2525
Can anyone share the necessary Cisco IOS commands to let the Cisco router
do port translation?
P.S. IOS isn't my primary language...
Has anyone noticed in the past week an increase in casino,
or party poker, etc.. spam?
Kyle
I've seen several kinds of spam increase in the
last day.
- Original Message -
From: Kyle Fisher
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 4:40 PM
Subject: [Declude.JunkMail] casino spam
Has anyone noticed in the past week
an increase in casino, or party
Kyle,
When will you stop signing up for those
gambling sites, you know you can't win? :)
No reported increase on our side.
David B
www.declude.com
- Original Message -
From:
Kyle Fisher
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 5:40
PM
What's funny is I did sign up for an
account a couple of weeks ago and I still haven't won. I did it for the
free set of poker chips.
That's what I figured. It's
strange everything will be going fine for a few weeks then for some reason we
get a small flood of something. Like casino.
Which can under certain circumstances be correct.
If you had signed up with the website then declude is correct in
identifying them as legitimate email. It is possible we could set up some
additional filters to help with a specific type of Spam.
David B
www.declude.com
- Original
I've actually noticed an increase
specifically in gambling site spam myself.
Paul Navarre
Has anyone noticed in the past week an increase in casino, or
party poker, etc.. spam?
Kyle
On Friday, February 25, 2005, 5:50:45 PM, Glenn wrote:
GW I've seen several kinds of spam increase in the last day.
We're seeing a new porn campaign, a new kiddie porn campaign, a
ramp-up of the current M$ software rip-off (media-theft) spam. We've
seen a bit of a pick-up in the casino stuff
On Friday, February 25, 2005, 6:11:58 PM, David wrote:
DB Which can under certain circumstances be correct. If you had
DB signed up with the website then declude is correct in identifying
DB them as legitimate email. It is possible we could set up some
DB additional filters to help with a
Here's what I am using for a mail server located at 192.168.1.1 for
this example. IMail is configured to listen on port 587, but to the
outside world it appears as both port 25 and 587. Even though one
would think that you didn't have to NAT 587 to 587, in
this case you do because of the other
You can solve this problem by simply blacklisting British Columbia.
Seriously though, it's strange how much of this stuff comes from
there. In the penny stock world, this province also gained quite the
reputation for fraud in the past. I won't mention the strip clubs.
Andrew might be able to
See my thoughts on the Imail forum on
587.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, February 25, 2005 4:50 PM
To: Declude.JunkMail@declude.com
SMTP AUTH on port 587 isn't required by the RFC...it just simply makes
a whole ton of sense in most setups. Considering that this is a
standard port, and it will most likely find its way through broadband
provider's blocks since it is reserved for this use and likely to be
restricted to
I added this to my ipfile today:
66.154.124.0/29 66.154.124.0/29 gamingpen.com added 02-25-05
gamingpen, playerjuice and gamestrek all .com.
Also in kind of a spammy neighborhood with several
SBL entries near:
66.154.111.0/24 66.154.111.0/24 agooba.com added
If you do a lookup on ARIN, you will find that this netblock is
delegated by BChosting, which is a subdivision of AssertiveNetworks.
All of their IP space is treated as suspect by our system. You might
also note their address...Vancouver, British Columbia...
I'll forward to my network person. He talks Cisco
much better than I.
- Original Message -
From:
Matt
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 6:49
PM
Subject: Re: [Declude.JunkMail] Spammed
on port 2525
Here's what I am using for a
I'd picked 2525 before I really knew about
25.
What really irks me is that Imail has made no
provisions to accommodate a port 587. It can't be too hard to accommodate another
SMTP port... most of the code is the same as the port 25 code... This has been
an issue for over a year and no word
gambling, strip clubs, is BC the Nevada of
Canada?
- Original Message -
From:
Matt
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 8:35
PM
Subject: Re: [Declude.JunkMail] casino
spam
If you do a lookup on ARIN, you will find that this
So it's not just me getting it.
I thought maybe it was pay back for not betting enough when I play.
Gamestrek is the
biggest one I am seeing. Thanks
for the info, didn't know about British
Columbia.
Scott is the MAILFROM-IP.txt filter ok to
use since you did all the work? If it is do
Kyle,
On a side note gamestrek . com has been getting
caught on SURBL multi for most of the day today. Doing URI lookups
in the URI RBLs has been very effective for us
in catching a lot of the new spam campaigns.
Darrell
---Check out
40 matches