I actually miss the twice annual entertaining discussions on the Imail forum
between Scott and Len with Sandy added for spice.
It almost happened a couple weeks ago, on a BIND newsgroup, where I
brought something up and Len jumped into the conversation. It was a
moderated newsgroup,
I used to know what sleep is. But a couple years ago Scott convinced me it
is a four letter word so I stopped getting so much, keeping it to a bare
minimum.
Hey wait a minute, isn't he getting more of that four letter word now?
If I said yes, would you really believe me? :)
Could anyone tell me why these tests would be skipped?
That's one of the potentially misleading debug log file entries that I
added. :) The debug mode was originally designed as a troubleshooting
tool for someone with access to the source code, so there are
occasionally comments that could
Contrary to your comments on the use of this forum, it has always been for all
things Declude when Scott was the sole player he never complained about the
conversation threads. Positive or negative. I think you could complain if say
we were talking about phone systems.
On the other hand, I
Oh and prices were increased from $132 to $295 before they were dropped back
to $132 for legacy customers, so there was no price cut except in the sense
of department stores raising prices to have a sale.
FYI, from the time that Service Agreements first came out through
December, 2004 the
You would think that a company that is SPAM control and offer a product
for SPAM control would look more into who they use for their ISP and how
they setup their service.
Just for the record, I was the one that chose EasyDNS. And at that
time, I certainly had no knowledge of them making
On NTFS systems, this is most likely app-related such as Explorer where they
have to deal with slogging through all the extra files, as noted by another
poster. An App opening a specific file will see almost no degradation because
the NTFS uses a tree structure to maintain fast access to
Dave Beckstrom wrote:
The problem is that someone using your IP was using a Java program to
access our site
That was more than likely a search engine spider indexing your site.
Not a legitimate one. :) We do have a lot of search engines crawling
our site, some of which we let do so,
That IP is our gateway address. I can get to those sites from any of our
DMZ servers or from home, but not from inside the network. I am the only
person who goes to those sites and I go there very infrequently (2-4
times a month).
The problem is that someone using your IP was using a Java
The problem is ...
I forgot to mention, your IP is unblocked now. :)
-Scott
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at
How does dnsstuff.com redirect me to their warning web page when I
have to proxy in my settings...that would be a good tool for me to have...
It doesn't.
It would actually be easier to do that; you can just look for several
HTTP headers that indicate that a proxy is being used (such as
I gave up and downgraded to 8.15 now I'm getting:
09:07 15:08 SMTPD(CP) error 3 executing c:\imail\Declude.exe
D:\IMAIL\spool\Q3ab90041008c0e76.SMD
It looks like you set up Declude to run in C:\IMail, but you run IMail
on D:\IMail. :)
-Scott
Declude as a multi-threaded service sound very promising.
I agree. :)
It is something that I had wanted to see in Declude for a long time, and
was a logical progression for Declude, that will take care of many
issues. It should increase performance, and at the same time allow
E-mails that
RSP ...allow E-mails that are being processed to communicate with one
another
Curious. How do emails communicate with each other?
Just to clarify, it's not the actual E-mails themselves doing the
communicating <G>, but the code that is processing each E-mail. By
having Declude run as a
I'm just curious when this bug will be fixed. It was reported months ago.
I've got three more months left on my support contract and don't think I'm
going to renew if it takes six months for the Declude dev team to fix one
bug. Sorry yall, but my confidence is waning.
I think it might
Whoa! First post in like 4.5 months Scott. Did you have a good vacation?
Are you back to working on Declude?
:)
If so, when do you think there's going to be a new release that will fix the
overflow issue related to:
[Application popup: Declude.exe - Application Error : The application
I’m not so sure it’s a DNS issue because the Imail spam filters run perfectly
fine, which I am now using in place of Declude. They do not do as good a job
identifying spam, but they are better than nothing.
It probably is a DNS issue. It sounds like the problem is that the
E-mails aren't
Agreed on Scott leaving. And what's up with that anyway? There was a
news article I noticed on their site a few weeks ago stating something
about Scott leaving because he wanted to spend more time working for the
Red Cross?
Correct. :) The new article was
How can we check with him to see if they will continue to be maintained?
I do plan to keep maintaining both sites. The sites don't require too much
maintenance, but if for some reason I decide not to continue maintaining
them, I will do my best to ensure that the sites don't go away (and that
Is it every version of Outlook that fails the CMDSPACE or is it the mail
server this test is for?
It is for whatever connects to IMail. If you only accept incoming E-mail,
it should be a mailserver. If you also allow outgoing E-mail, it could be
a mailserver or a mail client.
If it for a
I have been looking for an explanation of the RFCSPACE test but I cannot
find one. Anybody have a detailed explanation with references?
Do you mean CMDSPACE? That one looks for a space in the SMTP commands,
such as RCPT TO:, that really shouldn't be there (although some people may
try to
We use a Watchguard firewall on our corporate
network. http://www.watchguard.com
FYI, if you use a Watchguard Firebox, make absolutely sure that the DNS
Proxy is *disabled*. There's a serious bug that they have been ignoring
for over a year now that makes it useless when multiple requests
What am I missing - this email failed virtually every test there is <G>,
it also should have bypassed whitelisting. Yet - at the end it was delivered?
I believe the issue here is that you are using ROUTETO followed by DELETE.
In pre-2.0, the DELETE action deleted the entire E-mail. With v2.0,
The headers say base64
Declude JunkMail will attempt to decode base64-encoded attachments (unless
you have a DECODE OFF line in your global.cfg file, but that means you
don't want Declude JunkMail to do such decoding). If you're running an
older version of Declude (before around 1.75 I
I've sent this message over 46 hours ago. It's only me to receive it on
the list so late?
I fear if this happens repeatedly an effective discussion is not more
possible. Back to snail-mail?
Our mailserver received millions of E-mails over the past few days. Once
we detected the problem
We've gone back to 1.82 as well.
We'll wait again until 2.0 is proven stable. Declude hasn't been like what
has been in the past.
Just to let people know a bit about this -- the source of the crash was
identified pretty quickly. And a change could have been made almost as
quickly to prevent
And I have a filter that looks for vicodin
ANYWHERE 2 CONTAINS VICODIN
The filter does not find it. I think it is because the subject line is
encoded. Is there any way to check it with the filters?
Actually, I believe the issue is that ANYWHERE just looks at the subject
and body
If ANYWHERE only gets subject and body...
Sorry, I meant that it covers the headers and body (but not any decoded
parts).
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra
Does declude decode messages before using filters?
It does a lot of decoding, yes.
I have a domain in a body filter that keeps getting through?
Have you checked the raw source to see how it is encoded?
-Scott
Scott. Any response to this.
There should be a new release Monday that covers the issues from this week.
-Scott
I am running the latest version (newly released 2.0) and the subject is
showing =?iso-8859?
The subject shouldn't appear that way in the E-mail itself. For Declude
JunkMail usage, it may appear that way with the Subject starting with a
colon issue, which has been fixed in the latest 2.0.
I'm working a routing to process the log files for declude. The ultimate
goal is to produce statistics and graphs based on the information from the
log files. I checked the manual and the description for the various log
formats is vague.
Correct. That's because there are somewhere around 1,000
I had the same problem. The declude.exe is about 1/2 of the size as the
one it replaced.
That actually is normal -- the old declude.exe file had quite a bit of
extra (unnecessary) debugging code in it. This smaller version removes
that code, which makes Declude slightly more efficient.
I
so you think something like
filename==?
shouldn't appear in a legal mail?
that would give us the opportunity to filter for camouflaged attachment names.
It *should* be illegal in legitimate E-mail, from what I can tell. But it
is possible that legitimate E-mails may be sent out that way for some
There appears to be a problem in version 2.0 where Declude is seeing the
first character after the word subject as the start of the subject line. The
first character is a colon and followed by a space and then the actual
subject line.
You are correct. I'm surprised this didn't get caught during
I'm confused about the release of 2.0. I received 2 emails from Barry
making announcements and then 2 emails immediately following which recalled
the announcements. (?)
I believe the 2 recalls were both for the first message.
Is 2.0 for IMail ready?
Yes, it is.
we received a new mail, which contains an attachment. the filename is coded
as follows:
Content-Type: application/octet-stream;
name==?koi8-r?B?NC5wZGYuZXhl?=
we are running a filter that searches for combinations like this, but with
the used encoding, declude seems to be unable to track this
It's 4:30A PST, and I cannot access the 'dnsstuff.com' web site. Is anyone
else having the same problem?
The site was being reset -- normally it's only down for a few seconds, but
this morning it was down for about 10 minutes.
-Scott
Is there a command to filter (in a filter file) based on the account that
authenticated the session ?
No; IMail does not store that information (aside from in the log file).
-Scott
With the official release of version 2 on Jan 31 I would like to know if
the manual will be rev'ed as well or will we still have the old 1.81
manual?
Yes, it will. :)
I want to know more about:
The Virus Pro Event logging. What is it? What can I do with it?
That provides an option to include
If I am using domain $default$.junkmail config files then if I do a
WEIGHT40 DELETE it will delete the mail for everyone in that domain?
In this case, it will work exactly as it had before. Since all users had
DELETE before, the E-mail now will still be deleted.
But if there is a single user
I apologize for asking such a silly question but I'm suffering from a mental
roadblock. What is the difference between the MAILFROM and FROMFILE tests?
I understand the difference from a Declude configuration syntactical
standpoint but I don't understand the intended benefit of having two tests
I'm sorry. I didn't mean the MAILFROM test. I mean the MAILFROM entry that
you put in the filter file, e.g. MAILFROM 50 CONTAINS suspect.
Filters work by looking at a specific piece of information, and comparing
to information you supply. So the line MAILFROM 50 CONTAINS suspect does
Log lines
01/21/2005 03:03:45 Qe18f09a600c0cf70 Using [incoming] CFG file
D:\IMAIL\Declude\$default$.junkmail.
01/21/2005 03:03:45 Qe18f09a600c0cf70 Redirecting [EMAIL PROTECTED]
to file D:\Imail\declude\junkmailfiles\standardabrasives.com.junkmail.
Are there further log file entries?
###
Could you please let me know what condition causes E-mail to be left in
the overflow directory, and exactly how Declude determines how/when to
process such messages.
The short version is that the situation is handled better than if the
overflow directory isn't used (many people don't get
No it is not the last line of the file!
In that case, the next step would be to double-check all settings (such as
making sure that the paths are correct, no typos, etc.).
If that doesn't explain the problem, you can use LOGLEVEL DEBUG, and send
the results to [EMAIL PROTECTED], and we can see
So in the whitelist file for our domain name, I put
a line IP x.x.x.x, where x.x.x.x is my home IP address. However, the
Declude continues to scan messages sent from my home PC for spam, and to act
accordingly.
The problem is that whitelist files don't have an option of IP x.x.x.x.
In this case,
Thanks, Scott. I also thought that whitelist files included all of the same
options as the whitelist commands that go into a global.cfg file.
No:
The D:\IMail\Declude\mywhitelist.txt file would then contain either one
E-mail address ([EMAIL PROTECTED]) or domain (@example.com) or subdomain
You seemed to indicate that service launched processes count against the
threads...meaning that smtp32.exe launches declude.exe, which launches
F-Prot and McAfee. So would this count for 4 threads (not according to
Declude, but Windows/IMail)? What about Sniffer and each external test
that
I have noticed that when a user send a mail message to an address on
another domain, but located on that server Declude does not scan the
messages for viruses or spam.
Is this via web messaging? If so, older versions of IMail may not call
Declude. In this case, though, it is extremely
X-RECIPIENTS: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
It shows the same email address three times?? I would think it would show the
aliases email addresses or just the alias address. Declude version 1.82
What does the IMail SMTP log file show for the E-mail? Note that if for
The france@ account is the alias and points to one alias and two accounts.
This is a message that was held and then moved back into the spool folder.
In this case, Declude JunkMail is seeing three recipients (as the alias
points to 3 different addresses). But, it displays the intended
How long is the timeout ?
It currently waits 5 minutes (it used to wait up to an hour, but then when
external programs started hanging, it would cause serious problems with
mail backing up).
-Scott
Just noticed that the SPF logs that were stored in C:\ are gone. Did
they get moved or were they done away with?
They were done away with. They were part of the beta testing of SPF.
-Scott
ERROR: External program pictest didn't finish quick enough; terminating.
Does anyone know how to increase the time out for external tests ?
There is no way. An external program should not be taking many minutes to
process an E-mail.
-Scott
A message today from Len Conrad at IMGate failed the BADHEADERS and
ROUTING tests.
The error code returned by both tests was the same: a004010f
The lookup on declude.com doesn't know what this means.
That code is a combination of two things.
The first is as John pointed out: Len will often use
It is important to note that you should only have one DNS
server listed in the IMail SMTP settings (IMail has a known
sporadic issue if there are multiple DNS servers listed).
Really?
I've listed 3 DNS for over 4 years now without any problem. Is there any KB
article?
I'm not sure if they have
Do you have any further information about this statement - what
type of errors, etc.
It is important to note that you should only have one DNS server listed in
the IMail SMTP settings (IMail has a known sporadic issue if there are
multiple DNS servers listed).
The issue I am aware of
To prevent Declude JM from scanning outbound mail I know I can whitelist IP
ranges. Can they be anywhere in the global.cfg or do they need to be at the
top.
In general, any configuration options can go anywhere in the config files,
with the exception of test actions in the global.cfg file (which
I'm writing my own external program to compare domain names.
I need to pass the %REVDNS% parameter with quotes around it due to
possible spaces in it.
Is this possible?
No, it is not possible, since the entire command line needs to be quoted.
However, as Kevin pointed out, reverse DNS entries
Has there been a change in the cfg files lately, or something?
I've seen a few domains/IPs that Spamcop does have listed,
yet, they don't appear to have failed the spamcop test.
This is the line I have in my cfg file:
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 5 0
Is there something I should notice
Just commenting about the semantics of what constitutes a release. I'm
not sure that 1.82 fixes this since it was targeted at the SPAMDOMAINS
issue (could have, but it isn't documented), but the latest beta release
was definitely reported to have fixed it.
Correct.
1.82 is just 1.81 with a
http://www.eweek.com/article2/0,1759,1749328,00.asp
One troublesome technique finding favor with spammers involves sending
mass mailings in the middle of the night from a domain that has not yet
been registered. After the mailings go out, the
SNIFFER external nonzero sniffer.exe authcode 1 0
SNIFFER-SCAMS external 053 sniffer.exe authcode 2 0
SNIFFER-PORN external 054 sniffer.exe authcode 2 0
SNIFFER-MALWARE external 055 sniffer.exe authcode 3 0
SNIFFER-OBFUSC external 062 sniffer.exe authcode 2 0
Actually,
Is there a way to keep email that is sent to old non-existent email
accounts on my server from being processed by Declude. I have noticed that
a lot of the spam in spamreview is to email addresses that are no longer
there..
If you have IMail reject those E-mails, Declude won't scan
them.
However, I'm having a problem with Declude triggering on reporting emails
that are generated directly ON the gateway itself:
That's because the gateway is running an MTA that adds very poor Received:
headers.
- Declude parses IP Address 0.0.0.0
- Declude parses HELO string of userid
Here is
Remember, Declude JunkMail looks at the HELO/EHLO of the remote
mailserver, based on IPBYPASS/HOP
Uh - that's the answer. Thanks for clearing this up.
So the HELO is not necessarily taken from the HELO, but from the HEADER.
Both, actually. Declude JunkMail gets the HELO from the real HELO/EHLO
Can you remind me, what additional messages/log lines I will see if
#LOG_OK NONE
is commented out?
With v1.82, it will add back the Message OK line(s) and the Tests
Failed line(s).
Please note the subject:
I AM running 1.82 (the SpamHeader fix!)
Yes, I am aware of that.
It's only
An explanation of this file... its purpose and how it gets there.. would
be very beneficial. Is it supposed to be there, or is it part of the beta
testing? Will it re-create itself if deleted?
One of the things that often happens in betas (and the old interims) is
that files will be created for
I have not upgraded to fix the 2005 spamheaders test as of yet. Our CPU has
been maxed out and the server bogged down since my return after the New
Year. I have commented out the spamheaders test and the CPU is still maxed.
I went into IMAIL and changed the delivery application from declude.exe
Sorted by CPU the system process is first and second is a toss up between
declude, smtpd32, and queuemgr followed by as many as 16 simultaneous
instances of declude with cpu between 1 and 4.
That normally indicates an above average volume of mail (or, in other words,
the system is at full
I have pro and my filters work, yet ISBLANK, IS BLANK, IS, and IS , all pass
mail with blank subjects through. White listing plays no part. Do you know
if that is supposed to work for sure?
Are you creating a filter test for it? The SUBJECT 10 ISBLANK line
should work with the latest version
I have upgraded to the new Declude.exe v1.82. Within a matter of minutes of
doing this upgrade I've noticed that my mail server has started to bog down.
Were you running v1.81 before, or a different version?
-Scott
Just to let everyone know, we have identified the issue with the
SPAMHEADERS test. As most people realized, most E-mails sent with a date
involving a year after 2004 were failing the SPAMHEADERS test.
For those that are interested in the details, if the SPAMHEADERS code
matches the bitmask
The urgent list you are referring to was for urgent virus
notices, of which since inception there was only one use.
I've considered this list not virus- or junkmail-specific. Maybe my mistake.
It wasn't even specific to Declude Virus. The reason for the list was that
there was a rash of new
I also agree it would have been nice to have a warning announcement about
the Spam Header test being broken officially from Declude, more timely, and
along with advice what to do in the interim. This is not the same Declude
operation to me as in years past!
FWIW, it was handled very similarly to
1. An acknowledgement on the list from someone that they knew about the
problem - it WAS a holiday and I think people should have lives - but just a
hey we know within 24 hours would've been nice.
Yes, that would have been nice. It did take a bit more than 24 hours for
an official response on
On another note... has anyone seen any sort of (cascading?) effect from
the SpamHeaders glitch?
There aren't any, designed effects.
Specifically, all the SPAMHEADERS issue does is causes E-mails to fail the
SPAMHEADERS test. That adds weight to the E-mail, and if any actions are
performed on
What does this mean?
X-Note: Reverse DNS IP: pop.gmx.net [213.165.64.20]
X-Note: Country Chain: 'EU' [corrupt RIPE data]-GERMANY-destination
This has triggered ROUTING test and I am just wondering if the all-dat
file is corrupt or needs adjustment or ...
That means that RIPE (the organization
I know this is a sore issue with you - but this is not a mistake. It is a
policy (that you don't agree with).
Without knowing that there *is* a policy, I cannot agree (or disagree!)
with it. :)
A) ISO has recognized that strict interpretation of the definitions of ISO
3166 prevent inclusion
Sent this previous email a couple of days back but since it is a beta I
guess email support is not supported.
FYI, we have no record of any support requests from you.
So declude team, app does not work yet on SmarterMail.
It does, but apparently not on your server. :)
No logs generated, so
We currently own Declude Virus Pro, JMPro, and Hijack, and our support
contract is up to date
If we decide to move from Imail to Smarter mail, do we have to pay any
(declude) upgrade fee ?
No, there is no upgrade fee. :)
Also, I think it is ironic that, after most of us decided to stay with Imail
Where can I download version 2.0?
If you go to http://www.declude.com and log on to your account there, you
can download it.
-Scott
http://www.dnsstuff.com/tools/netgeo.ch?ip=81.15.216.130
and any other IP
Thanks for pointing that out -- it's fixed now. NetGeo hits were a major
part of the DDoS attack that www.dnsstuff.com has been undergoing for a few
months now,
Any thought on this.
I upgraded to 2.0b and now get Failed to get temporary file name: 267 in
the log file.
That's something we are still working on.
-Scott
Just ran through the 2.0b installation, get an error almost at completion
Unable to copy file to target directory. After clicking OK a dozen or
so times, it completes. I then dropped to a DOS prompt and ran declude to
confirm the version, and got this:
Declude v1.79 has already been
I am noticing some emails with this in the header. The problem is Declude
is analyzing it as the subject when it should be using the one later in
the email. See below. Any thoughts.
This is fixed in v2.0b. :)
-Scott
I did receive this spam in my inbox this morning.
As you can see it does not have any declude info and no Imail spam info
either.
What do the IMail and Declude log files show for the E-mail? What
version of IMail are you running? What version of Declude are you running?
I did search the declude log file for [EMAIL PROTECTED]
but could not find anything..
If you use the XSPOOLNAME ON option in the \IMail\Declude\global.cfg
file, it will be easy to find the entries for the E-mail in the log file.
If you do not use the XSPOOLNAME ON option, you may need to look
Here are 2 messages that did fail weight350 and did get saved in the
weight350 directory.
This is working correctly, except there are no declude headers for the
messages.
Below each message is the lines from the declude log file:
The only time that I have seen this happen (an E-mail that didn't
When the _{message_ID}.~MD messages appear, if I stop the queue service
and restart then they turn into Q{message_ID}.RMD files
In that case, it appears that the IMail queue service, when started, will
automatically unlock any locked E-mails. That is OK if they are at least 1
hour old, or a
What is the max number of declude processes that will kick off if there
are lots of Q*.SMD messages in the overflow directory? Is there an
internal limit or is it based on some option?
There is no limit, if you want to be technical.
Specifically, Declude counts the total number of service-started
How does Imail know if Declude has run on these files?
It doesn't know. But since it doesn't keep track, it has to start
Declude. Scanning an E-mail twice won't hurt (except for CPU usage), but
not scanning it will hurt (it can cause Evil E-mails to come through).
Ipswitch says that the
Can we use @domain.com in our webmail adress book to whitelist all mail
from specific domain ?
No, IMail won't allow that, but you can add [EMAIL PROTECTED]. The all@
indicates that every E-mail address at the domain should be whitelisted.
also, if one of the recipients has the sender in his
I have this line in my config.
MTLDB ip4r mtldb.declude.com * 8 0
One of my IP numbers is failing this test.
How can I find out why.
If you go to http://www.mtldb.org/ it should have the information there.
-Scott
I have commented out sniffer, ipnotinmx and nolegitcontent as those are my
suspects... Everything else is how the configuration was when I became
aware I had problems.
#IPNOTINMX ipnotinmx x x 0 -3
#NOLEGITCONTENT nolegitcontent x x 0 -5
#SNIFFER
Does Declude support Domain Keys or is there a DomainKeys external test
available?
No, it does not.
When we last researched Domain Keys, it appeared to be quite complex, and
not very popular. It does seem to be gaining some popularity, so we may do
some more research about it in the near
I've got a whitelist filter file where I use the action STOPALLTESTS:
MAILFROM STOPALLTESTS CONTAINS @netrends.com
This rule is defined as the first rule in my global.cfg (above all of the
IP4r, Catchall, externals, etc.)
If it trips the WHITELIST filter, why do the other tests
IF the log file is locked and declude tried to write to it, what happens if
declude can't?
The log file entry won't be saved. Declude will continue to function as it
normally would, except with one (or more) less log file entries.
-Scott
I have a user that was sent a 10mb attachment. They report that it was
kicked back to the sender saying max message size exceeded. This domain
doesn't have a max message size set, nor does the particular user, nor does
he have a max MAILBOX size.
In the logs, I am seeing something very strange: