[Declude.JunkMail] More & more <!--UserID-->

2003-01-16 Thread Kami Razvan

Hi;
There has to be something that can be done about detecting this...

==
Prev<!--info-->ent Prema<!--info-->ture Agin<!--info--><!--info-->g and Disease<br>
B<!--info-->uild Lea<!--info-->ner Mus<!--info-->cle Mas<!--info-->s<br>
Re<!--info-->duce Bo<!--info-->dy Fa<!--info-->t and St<!--info-->res<!--info-->s<br>
In<!--info-->crease Ener<!--info-->gy Le<!--info-->vels and Se<!--info-->xual St<!--info-->amina<br>
==

This is becoming almost a regular occurrence and more & more spammers are doing this. As if a software is recently introduced that does this and now everyone is buying it.

No longer filters can work on this except if we start filters that are set for every UserID in the system with the html comment brackets around it.

Regards,
Kami


[Declude.JunkMail] How does Declude detect this?

2003-01-16 Thread Kami Razvan

Hi;
I am just curious as to how Declude reads this - is the word Whateversomething.com a continuous word or a broken word?

In email bodies text shows as broken in multiple lines. I am just curious as to when a word is broken (at least as it appears when we look at the source) - is the word detected as "whatev" & "ersomething" or Declude is smart enough to attach them.

=
<script language=3Djavascript>document.write('<a
href=3D"http://www.whatev=
ersomething.com"></a>')</script>
=

Regards,
Kami


RE: [Declude.JunkMail] More & more <!--UserID-->

2003-01-16 Thread Markus Gufler

Hi Kami

SpamChk takes care of this.
There is a parameter "FakedHTMLComments" that searches for repeated html-comments like <!--xyz--> where "xyz" is even the same. This should not trigger html-comments in certain newsletters.

Additionally, SpamChk removes all HTML-Tags before the Keyword-search begins.

Markus

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
  Sent: Thursday, January 16, 2003 10:58 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] More & more <!--UserID-->

  Hi;
  There has to be something that can be done about detecting this...

  ==
  Prev<!--info-->ent Prema<!--info-->ture Agin<!--info--><!--info-->g and Disease<br>
  B<!--info-->uild Lea<!--info-->ner Mus<!--info-->cle Mas<!--info-->s<br>
  Re<!--info-->duce Bo<!--info-->dy Fa<!--info-->t and St<!--info-->res<!--info-->s<br>
  In<!--info-->crease Ener<!--info-->gy Le<!--info-->vels and Se<!--info-->xual St<!--info-->amina<br>
  ==

  This is becoming almost a regular occurrence and more & more spammers are doing this. As if a software is recently introduced that does this and now everyone is buying it.

  No longer filters can work on this except if we start filters that are set for every UserID in the system with the html comment brackets around it.

  Regards,
  Kami


[Declude.JunkMail] Total weight as X-header

2003-01-16 Thread David Lewis-Waller
Is it possible to add an X-HEADER that shows the total weight of the
email without using a zero weighted action?

For instance if a WARN action is applied then the total weight range is
shown:

X-RBL-Warning: SPAM-NONE: Total weight between 0 and 4.

If a SUBJECT action is used only test failures are listed:

X-Note: SPAM tests failed:[SPAMCOP, REVDNS, SPAM-MID]

I have an action of WEIGHT0 that gives a result of:

   X-RBL-Warning: WEIGHT0: Weight of 5 reaches or exceeds the limit of 0.

My aim is to give clients the option of filtering locally using a total
weight as well as the defined weight ranges we use.

WEIGHT0     weight       x   x   0   0
SPAM-NONE   weightrange  x   x   0   4
SPAM-VLOW   weightrange  x   x   5   9
SPAM-LOW    weightrange  x   x   10  14
SPAM-MID    weightrange  x   x   15  19
SPAM-HIGH   weightrange  x   x   20  29
SPAM-VHIGH  weight       x   x   30  0

A total weight header would be useful that didn't involve creating a
weight test and setting the action to WARN. Unless I've missed something
that does this.

David
WiSS Limited


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] How does Declude detect this?

2003-01-16 Thread R. Scott Perry


> I am just curious as to how Declude reads this - is the word
> Whateversomething.com a continuous word or a broken word?
>
> In email bodies text shows as broken in multiple lines.  I am just curious
> as to when a word is broken (at least as it appears when we look at the
> source) - is the word detected as "whatev" & "ersomething" or Declude is
> smart enough to attach them.
>
> =
> <script language=3Djavascript>document.write('<a
> href=3D"http://www.whatev=
> ersomething.com"></a>')</script>
> =

In this case, Declude will see whatev= and ersomething.

We are looking into doing some basic decoding and removal of carriage 
returns and linefeeds, though.
  -Scott



Re: [Declude.JunkMail] Total weight as X-header

2003-01-16 Thread R. Scott Perry


> Is it possible to add an X-HEADER that shows the total weight of the
> email without using a zero weighted action?


I think what you are looking for is a variation on:

XINHEADER   X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]

You could change this to something like:

XINHEADER   X-Spam-Weight: %WEIGHT%.

  -Scott




[Declude.JunkMail] Exclude Local Users from the Wordfilter test

2003-01-16 Thread Greg Foulks



Is it possible to exclude local users from the Wordfilter test? I have some users that are trying to send out group messages but some of the content is being caught in the wordfilter and they have a legitimate reason to use some of these words.

Thanks,
Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: [EMAIL PROTECTED]
Voice: 614.318.5036
Fax: 614.318.5005



RE: [Declude.JunkMail] Total weight as X-header

2003-01-16 Thread David Lewis-Waller
Scott,

Thanks just the ticket, I couldn't see the wood for the trees.

David


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: 16 January 2003 13:14
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Total weight as X-header



Is it possible to add an X-HEADER that shows the total weight of the 
email without using a zero weighted action?

I think what you are looking for is a variation on:

 XINHEADER   X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]

You could change this to something like:

 XINHEADER   X-Spam-Weight: %WEIGHT%.

   -Scott




[Declude.JunkMail] How obscene is Basement?

2003-01-16 Thread Kami Razvan

Scott...
Hopefully in one of the future releases we can come up with a filter that works with before and after space..

After all how obscene is the word basement?

Drawings were being sent to me for our office that were not reaching me! Why? the filter:

SUBJECT 12 CONTAINS semen

Oh well... its weight was taken down...

Lesson learned..

Regards,
Kami


RE: [Declude.JunkMail] How obscene is Basement?

2003-01-16 Thread John Tolmachoff
Declude does allow spaces.

So, try this:

Current:
SUBJECT 12 CONTAINS "s_e_m_e_n" (without the quotes and underscores)

New:
SUBJECT 12 CONTAINS " s_e_m_e_n " (without quotes and underscores)

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] How obscene is Basement?

2003-01-16 Thread Markus Gufler

in SpamChk you can set

#semen#=15

;-)
Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Thursday, January 16, 2003 4:31 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How obscene is Basement?

Scott...
Hopefully in one of the future releases we can come up with a filter that works with before and after space..

After all how obscene is the word basement?

Drawings were being sent to me for our office that were not reaching me! Why? the filter:

SUBJECT 12 CONTAINS semen

Oh well... its weight was taken down...

Lesson learned..

Regards,
Kami


Re: [Declude.JunkMail] Exclude Local Users from the Wordfilter test

2003-01-16 Thread R. Scott Perry

> Is it possible to exclude local users from the Wordfilter test. I have
> some users that are trying to send out group messages but some of the
> content is being caught in the wordfilter and they have a legitimate
> reason to use some of these words.

One option would be to whitelist the users that are sending the E-mail 
(although that could increase spam to them a bit, as it would whitelist 
E-mail from spammers who use the recipient's address as a return address).

Alternatively, you could add something to the filter to help out, such as:

BODY    -10    CONTAINS    This is some text that appears in the group messages.

   -Scott



RE: [Declude.JunkMail] How obscene is Basement?

2003-01-16 Thread Andy Schmidt

Oh, this is all sementics.

:-)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
  Sent: Thursday, January 16, 2003 10:31 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] How obscene is Basement?

  Scott...
  Hopefully in one of the future releases we can come up with a filter that works with before and after space..

  After all how obscene is the word basement?

  Drawings were being sent to me for our office that were not reaching me! Why? the filter:

  SUBJECT 12 CONTAINS semen

  Oh well... its weight was taken down...

  Lesson learned..

  Regards,
  Kami


RE: [Declude.JunkMail] How obscene is Basement?

2003-01-16 Thread Bill Landry
John, I don't think that a space before the word does anything (unless
support for this has been added to JunkMail recently), but a space after the
word in the filter file would prevent basement from being flagged by the
word semen .

Bill

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff
Sent: Thursday, January 16, 2003 7:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How obscene is Basement?


Declude does allow spaces.

So, try this:

Current:
SUBJECT 12 CONTAINS "s_e_m_e_n" (without the quotes and underscores)

New:
SUBJECT 12 CONTAINS " s_e_m_e_n " (without quotes and underscores)

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com




---
[This e-mail was scanned for viruses by Pointshare's Virus Scanning Service]




RE: [Declude.JunkMail] Exclude Local Users from the Wordfilter test

2003-01-16 Thread John Tolmachoff
Here is an idea for you.

The word filter tests are in one file as one test.

Create a new test as a fromfile and list the from addresses of your users and
use a negative fail weight equal to or more than the wordfilter test.

Example:

WORDFILTER1  filter    C:\imail\declude\wordfilter1.txt  x  20   0
LOCALUSER    fromfile  C:\imail\declude\localuser.txt    x  -20  0

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] How obscene is Basement?

2003-01-16 Thread John Tolmachoff
> John, I don't think that a space before the word does anything (unless
> support for this has been added to JunkMail recently), but a space after
> the word in the filter file would prevent basement from being flagged by the
> word semen .

Bill, good point. I forgot about that.

Scott, clarification please?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] Exclude Local Users from the Wordfilter test

2003-01-16 Thread Greg Foulks
John,
Good point. Questions though about the order that tests are run. If adding a fromfile
test how would that affect spam that is sent in to our mail server with an internal
user as the return address?

Thanks,

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: [EMAIL PROTECTED]
Voice: 614.318.5036
Fax: 614.318.5005


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of John Tolmachoff
Sent: Thursday, January 16, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Exclude Local Users from the Wordfilter
test


Here is an idea for you.

The word filter tests are in one file as one test.

Create a new test as a fromfile and list the from addresses of your users and
use a negative fail weight equal to or more than the wordfilter test.

Example:

WORDFILTER1  filter    C:\imail\declude\wordfilter1.txt  x  20   0
LOCALUSER    fromfile  C:\imail\declude\localuser.txt    x  -20  0

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] Exclude Local Users from the Wordfilter test

2003-01-16 Thread John Tolmachoff
> Good point. Questions though about the order that tests are run. If adding
> a fromfile test how would that affect spam that is sent in to our mail
> server with an internal user as the return address?

Greg, do you mean an e-mail sent to your local users which has the return or
from address the same as the to address?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






Re: [Declude.JunkMail] Filter Questions/Suggestions

2003-01-16 Thread paul
Kami,
Just had a few questions on your lists, first, this entry:

.247mail.com 38

What's the 38? The # of times you've caught this name? How many others
use this method? I don't, which is why I ask, I have all I can do just
plowing through all this stuff. But if it helps you to see trends, I may
look into it.

Next, The following:

.123winners.com  ID-20030110-03

What's the ID? Again I feel like I'm missing something obvious here.

Finally, to all, in regards to comments in tests, what's the BEST way? A
or B?

A 12.14.27.5    description

B 12.14.27.5
#description

Is there a difference? besides extra lines? I use B to comment where the
IP originates at the time of listing. And with A you don't need the # symbol
correct?

Thanks!

Paul





RE: [Declude.JunkMail] How obscene is Basement?

2003-01-16 Thread John Tolmachoff
> Declude Virus looks for the first non-whitespace character after CONTAINS
> to see where to start the filter text.  So any spaces/tabs that appear at
> the beginning will be ignored, but they will be used if they appear after
> the first character of the filter text.

Thanks. I am sure you mean Declude Junkmail though. :))

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com
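
A simplified model of the CONTAINS parsing described in the quoted explanation above, added here as an example; it is not Declude's code. The `parse_filter_line` and `score` helpers, the sample message, and case-insensitive matching are assumptions of this sketch.

```python
import re

# Model of the behaviour quoted above: the filter text starts at the first
# non-whitespace character after CONTAINS; whitespace after that point,
# including trailing whitespace, is part of the text to match.
_LINE_RE = re.compile(r"^\s*(\S+)\s+(-?\d+)\s+CONTAINS(.*)$")


def parse_filter_line(line):
    """Return (scope, weight, text), or None for a line that is not a filter."""
    m = _LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    text = m.group(3).lstrip(" \t")   # leading spaces/tabs are ignored
    if not text:
        return None                   # an empty needle would match every message
    return m.group(1).upper(), int(m.group(2)), text


def score(message, filter_lines):
    """Sum the weights of every filter whose text occurs in its message field."""
    total = 0
    for line in filter_lines:
        rule = parse_filter_line(line)
        if rule is None:
            continue
        scope, weight, text = rule
        # Assumption: matching is a case-insensitive substring search.
        if text.lower() in message.get(scope, "").lower():
            total += weight
    return total


# Constructed sample message, modelled on the incident in this thread.
DRAWINGS = {
    "SUBJECT": "Basement drawings for the office",
    "BODY": "Revised plans attached.",
}

PLAIN = "SUBJECT 12 CONTAINS semen"
LEADING_SPACE = "SUBJECT 12 CONTAINS    semen"   # extra leading spaces: ignored
TRAILING_SPACE = "SUBJECT 12 CONTAINS semen "    # trailing space: part of the text
OFFSET = "BODY -10 CONTAINS Revised plans attached"  # negative weight for known-good text

if __name__ == "__main__":
    for name, rule in (("plain", PLAIN), ("leading", LEADING_SPACE),
                       ("trailing", TRAILING_SPACE)):
        print(name, parse_filter_line(rule), score(DRAWINGS, [rule]))
    print("plain + offset:", score(DRAWINGS, [PLAIN, OFFSET]))
```

The trailing-space form stops the "basement" false positive, but it also no longer matches a subject in which the word is the last thing on the line, so it trades one kind of error for another.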






RE: [Declude.JunkMail] Exclude Local Users from the Wordfilter test

2003-01-16 Thread Greg Foulks
Just like what Scott said. What if I create this fromfile and add a negative weight of
20 and a Spam message comes in with a From or Return address that matches one of the
addresses in the fromfile. Won't it then take 20 points away from the weight of the message?

I guess the other part of the question was

What is the order of tests that are executed?

is it...

-Global
-Blacklist
-wordfilter
-fromfile
-ipfilter

or some other order? I ask this because it will determine how I assign the values of 
the weights.

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: [EMAIL PROTECTED]
Voice: 614.318.5036
Fax: 614.318.5005


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of John Tolmachoff
Sent: Thursday, January 16, 2003 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Exclude Local Users from the Wordfilter
test


> Good point. Questions though about the order that tests are run. If adding
> a fromfile test how would that affect spam that is sent in to our mail
> server with an internal user as the return address?

Greg, do you mean an e-mail sent to your local users which has the return or
from address the same as the to address?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] Filter Questions/Suggestions

2003-01-16 Thread Kami Razvan
Hi;
Those numbers are nothing - for all practical purposes.  They are reference
numbers that help us find it.

The same goes with Tom's list.  The number is internally made allowing them
to monitor it.

Besides that it really does nothing in Declude.

About our number -- that is simply the primary key of the database item that
this listing is in.  We have an Access database that all these are entered
in with date and then we simply look at the last six or 8 months.  One way
to keep the list current is when we get new items we add it to the database
so then the date is always moving forward.

The reason we started separating our list to 3 different lists was for this
reason.

Spammers are businesses and their names don't change.  Porn sites are the
same.  But the other spammers come and go and for a period of time they are
live then they die and reappear with new names.  So we broke our list to
different parts.

The Spammer & Porn list is always as is and 100% deleted.
The Blacklist - date sorted and changes...

We complement this with Tom's list and hold on the occurrence of his list.

Hope this helps.

Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of paul
Sent: Thursday, January 16, 2003 11:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter Questions/Suggestions


Kami,
Just had a few questions on your lists, first, this entry:

.247mail.com 38

What's the 38? The # of times you've caught this name? How many others
use this method? I don't, which is why I ask, I have all I can do just
plowing through all this stuff. But if it helps you to see trends, I may
look into it.

Next, The following:

.123winners.com  ID-20030110-03

What's the ID? Again I feel like I'm missing something obvious here.

Finally, to all, in regards to comments in tests, what's the BEST way? A
or B?

A 12.14.27.5    description

B 12.14.27.5
#description

Is there a difference? besides extra lines? I use B to comment where the
IP originates at the time of listing. And with A you don't need the # symbol
correct?

Thanks!

Paul





RE: [Declude.JunkMail] Exclude Local Users from the Wordfilter test

2003-01-16 Thread John Tolmachoff
> Just like what Scott said. What if I create this fromfile and add a
> negative weight of 20 and a Spam message comes in with a From or
> Return address that matches one of the addresses in the fromfile. Won't it
> then take 20 points away from the weight of the message?

Yes it would. Welcome to the art of Spam fighting. :((

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com







RE: [Declude.JunkMail] More & more <!--UserID-->

2003-01-16 Thread jcochran
> SpamChk takes care of this.
> There is a parameter "FakedHTMLComments" that searches for repeated
> html-comments like <!--xyz--> where "xyz" is even the same. This
> should not trigger html-comments in certain newsletters.

Caught this late, what is SpamChk...?

> Additionally, SpamChk removes all HTML-Tags before the Keyword-search
> begins.

I would think a simple stripping of all HTML comments from mail 
before JunkMail processing would take care of this.  Is this 
something that has been considered?  I realize the load it may 
make on heavier traffic systems.

BTW, thanks Scott for Declude products.  Just filled out the credit 
card for another year's service agreement. So far, had only one 
occasion to email for support, but you're worth the money.  
Besides, our budget got lopped for all kinds of other stuff, if we 
don't spend what we *do* have allocated we won't get it next year... 
 :)

Jeff



RE: [Declude.JunkMail] More & more <!--UserID-->

2003-01-16 Thread R. Scott Perry

> I would think a simple stripping of all HTML comments from mail
> before JunkMail processing would take care of this.  Is this
> something that has been considered?  I realize the load it may
> make on heavier traffic systems.

It has been considered, but like other similar ideas (such as decoding
base64 MIME segments and filtering using wildcards), it could use up a lot
of CPU time if not handled carefully.

Something that we are also considering is a test that checks for more than
X HTML comments in an E-mail (preferably just counting ones in the middle
of words, such as unsub<!-- user -->scribe, rather than to <!-- user -->
unsubscribe, as the former prevents filtering whereas the latter does not).
  -Scott



[Declude.JunkMail] Is a BASE64 attachment considered body?

2003-01-16 Thread Aaron Moreau-Cook
All,

Would this command below catch APPLE if it was in a BASE64 attachment? Are
Attachments considered part of the body?

BODY 15 CONTAINS APPLE

Thanks




Re: [Declude.JunkMail] Is a BASE64 attachment considered body?

2003-01-16 Thread R. Scott Perry


> Would this command below catch APPLE if it was in a BASE64 attachment? Are
> Attachments considered part of the body?
>
> BODY 15 CONTAINS APPLE


Yes and no.  :)

A base64 attachment is part of the body of the E-mail (Declude JunkMail 
scans the entire body, attachments and all).  So yes, it will be scanned.

However, base64 encodes the text (which is why spammers use it), so APPLE 
may appear as qexxrt, for example.

We are planning to add basic base64 decoding to an upcoming release, 
though, so it can't hurt to add the BODY 15 CONTAINS APPLE line(s) now.
   -Scott
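
An added example (not Declude's code and not from the original posts) of the decoding step discussed in this reply and in the earlier answer about `whatev=` and `ersomething`: it decodes quoted-printable and base64 parts with Python's standard `email` module before the keyword search. The message is constructed, and `raw_contains`, `decoded_text` and `decoded_contains` are hypothetical helper names.

```python
import base64
from email import message_from_string

# Constructed sample: one quoted-printable HTML part whose URL is split by a
# soft line break ("=" at end of line), and one base64-encoded text part.
RAW = "\n".join([
    "From: sender@example.com",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html; charset=us-ascii",
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "<script language=3Djavascript>document.write('<a",
    'href=3D"http://www.whatev=',
    "ersomething.com\">link</a>')</script>",
    "--b1",
    "Content-Type: text/plain; charset=us-ascii",
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(b"Buy an APPLE today").decode("ascii"),
    "--b1--",
    "",
])


def raw_contains(raw, needle):
    """Substring search over the undecoded message, as a raw-body filter sees it."""
    return needle.lower() in raw.lower()


def decoded_text(raw):
    """Decode every leaf MIME part according to its Content-Transfer-Encoding."""
    chunks = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue                      # containers carry no text of their own
        data = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            chunks.append(data.decode(charset, errors="replace"))
        except LookupError:               # unknown charset label in the header
            chunks.append(data.decode("latin-1"))
    return "\n".join(chunks)


def decoded_contains(raw, needle):
    """The same substring search, run after MIME decoding."""
    return needle.lower() in decoded_text(raw).lower()


if __name__ == "__main__":
    for word in ("whateversomething.com", "APPLE"):
        print(word, "raw:", raw_contains(RAW, word),
              "decoded:", decoded_contains(RAW, word))
```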



RE: [Declude.JunkMail] Is a BASE64 attachment considered body?

2003-01-16 Thread Aaron Moreau-Cook
Thanks Scott, my concern is text that is BASE64 encoded to APPLE being
caught by the check.

Thanks again.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Thursday, January 16, 2003 11:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Is a BASE64 attachment considered body?



Would this command below catch APPLE if it was in a BASE64 attachment? Are
Attachments considered part of the body.

BODY 15 CONTAINS APPLE

Yes and no.  :)

A base64 attachment is part of the body of the E-mail (Declude JunkMail
scans the entire body, attachments and all).  So yes, it will be scanned.

However, base64 encodes the text (which is why spammers use it), so APPLE
may appear as qexxrt, for example.

We are planning to add basic base64 decoding to an upcoming release,
though, so it can't hurt to add the BODY 15 CONTAINS APPLE line(s) now.
-Scott




RE: [Declude.JunkMail] More & more <!--UserID-->

2003-01-16 Thread Madscientist
]Something that we are also considering is a test that checks for more than
]X HTML comments in an E-mail (preferably just counting ones in the middle
]of words, such as unsub<!-- user -->scribe, rather than to <!-- user -->
]unsubscribe, as the former prevents filtering whereas the latter does not).

Based on our research this should be a very good test.

In fact Message Sniffer rule #18545 is the 11th strongest rule in the
system! (That's just one slot out of the top 10).

Testing for html comments with non whitespace on each side is key. Testing
the number of html comments in general DOES NOT work. Much html email is
generated automatically these days with many comments emitted for debugging
purposes etc.

_M
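
An added example, not from the original posts and not Message Sniffer's or Declude's rule: it counts only the HTML comments that have a letter or digit directly on both sides, as the test discussed above proposes, and compares that with a plain comment count. The newsletter sample is constructed, and the `limit` threshold and function names are assumptions.

```python
import re

# One HTML comment; the tempered dot stops at the first "-->".
_COMMENT = r"<!--(?:(?!-->).)*-->"
COMMENT_RE = re.compile(_COMMENT, re.DOTALL)

# A run of one or more adjacent comments with a letter or digit directly on
# both sides, i.e. comments that split a word in two.
MIDWORD_RUN_RE = re.compile(
    r"(?<=[A-Za-z0-9])(?:" + _COMMENT + r")+(?=[A-Za-z0-9])", re.DOTALL
)


def total_comments(html):
    """Count every HTML comment, wherever it appears."""
    return len(COMMENT_RE.findall(html))


def midword_comments(html):
    """Count only the comments that sit inside a word."""
    return sum(
        len(COMMENT_RE.findall(run.group(0)))
        for run in MIDWORD_RUN_RE.finditer(html)
    )


def strip_comments(html):
    """Remove all comments so that keyword filters see the rejoined words."""
    return COMMENT_RE.sub("", html)


def is_obfuscated(html, limit=2):
    """Flag a body with more than `limit` mid-word comments (limit is assumed)."""
    return midword_comments(html) > limit


# First line of the sample posted at the top of this thread, with the HTML
# comment markup written out in full.
SPAM_SAMPLE = (
    "Prev<!--info-->ent Prema<!--info-->ture "
    "Agin<!--info--><!--info-->g and Disease<br>"
)

# Constructed newsletter: comments emitted by a generator, all between tags.
NEWSLETTER = (
    "<html><!-- generated by mailer v2 -->\n"
    "<body><!-- header --><h1>Basement sale</h1> <!-- footer --></body></html>"
)

if __name__ == "__main__":
    for name, body in (("spam", SPAM_SAMPLE), ("newsletter", NEWSLETTER)):
        print(name, total_comments(body), midword_comments(body),
              is_obfuscated(body))
    print(strip_comments(SPAM_SAMPLE))
```

Both samples carry several comments, so a plain count cannot tell them apart; only the mid-word count separates them.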






[Declude.JunkMail] WhiteList Per User or Domain?

2003-01-16 Thread Roger Heath
I know this question must have been asked about Declude, but thought
I'd ask again anyway as I do not recall if there is a method possible.

Is it possible to make a Declude domain or user setting that enables a
whitelist of email sender addresses in the Pro version whereby all
emails are rejected or bounced except a whitelist of senders? In other
words reject or bounce all senders except those that the user wishes
to communicate with. Could this be done with weights...sending an eml
to bounced mails? This way the Global.Cfg would not be used with its
limitations.

Thanks,

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com

--
ActivatorMail(tm) ver.122102 Scanned for all viruses by 
www.activatormail.com intelligent anti-virus anti-spam service




Re: [Declude.JunkMail] WhiteList Per User or Domain?

2003-01-16 Thread R. Scott Perry


> Is it possible to make a Declude domain or user setting that enables a
> whitelist of email sender addresses in the Pro version whereby all
> emails are rejected or bounced except a whitelist of senders? In other
> words reject or bounce all senders except those that the user wishes
> to communicate with. Could this be done with weights...sending an eml
> to bounced mails? This way the Global.Cfg would not be used with its
> limitations.


This isn't currently possible as a designed feature, but you should be able 
to accomplish it with the next release.  To do so, you would set up a 
per-domain or per-user configuration of CATCHALLMAILS HOLD or something 
similar, and then have a whitelist file for that user with all the 
addresses that should be accepted.
  -Scott



Re[2]: [Declude.JunkMail] WhiteList Per User or Domain?

2003-01-16 Thread Roger Heath
Reply to: R. Scott Perry
  Re: [Declude.JunkMail] WhiteList Per User or Domain? on Thursday 3:13:03 PM

Thanks. But a catchall is exactly what I don't want. What I want is a
bounce so the sender knows his mail was not accepted... maybe a
catchall if cannot deliver to sender... There are whitelist email
providers showing up and usually the sender gets sent a message that
his mail was not delivered. Usually there is a process to inform the
destination user if he wants to add the sender to his or her
whitelist. Maybe this is not feasible with Declude, but it would be
most certainly nice to have. The lead ZDNet editor David Berlind and I
have a dialog going and he is really down on blacklists and more or
less endorsing the whitelist concept. So I am shooting for a way to
manage this in Declude. I was thinking I could put high weights on all
other emails with a bounce by default but give a white list negative
counter-weights to let those through. Not sure this would work?

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


- Copy of Original Message(s): -


Is it possible to make a Declude domain or user setting that enables a
whitelist of email sender addresses in the Pro version whereby all
emails are rejected or bounced except a whitelist of senders? In other
words reject or bounce all senders except those that the user wishes
to communicate with. Could this be done with weights...sending an eml
to bounced mails? This way the Global.Cfg would not be used with its
limitations.

R This isn't currently possible as a designed feature, but you should be able 
R to accomplish it with the next release.  To do so, you would set up a 
R per-domain or per-user configuration of CATCHALLMAILS HOLD or something 
R similar, and then have a whitelist file for that user with all the 
R addresses that should be accepted.
R-Scott




RE: [Declude.JunkMail] WhiteList Per User or Domain?

2003-01-16 Thread John Tolmachoff
> Is it possible to make a Declude domain or user setting that enables a
> whitelist of email sender addresses in the Pro version whereby all
> emails are rejected or bounced except a whitelist of senders? In other
> words reject or bounce all senders except those that the user wishes
> to communicate with. Could this be done with weights...sending an eml
> to bounced mails? This way the Global.Cfg would not be used with its
> limitations.

One way is through our match program combined with CATCHALLMAILS.

CATCHALLMAILS   catchallmails   x   x   20  0
MATCH   external1   string-20
0

All messages are weighted with 20. Then any message failing MATCH would
receive a negative 20, giving an effective weight of 0.

Match works by comparing the sender with a list of domains or e-mail addresses
in a from.txt file for a match AND comparing the recipient with a list of
domains or e-mail addresses in a to.txt file for a match and if both exist,
returns a fail code to Declude.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com






RE: [Declude.JunkMail] Is a BASE64 attachment considered body?

2003-01-16 Thread Colbeck, Andrew
Given the huge rise in BASE64 encoded message text I've seen, matching BODY
on decoded message text would be welcome indeed.  Likewise, I've seen a few
(rare) false positives when BODY matched text within an attachment.

Not that I'm trying to re-invent Declude Virus, but what I found was that:

BODY 0 CONTAINS name=dwarf_4_you.exe

Was clearly preferable to:

BODY 0 CONTAINS dwarf_4_you.exe

To catch one possible Hybris manifestation.  (I've inserted the underscores,
as usual...)

Andrew 8)

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 11:36 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Is a BASE64 attachment considered body?

<snip>

We are planning to add basic base64 decoding to an upcoming release, 
though, so it can't hurt to add the BODY 15 CONTAINS APPLE line(s)
now.
<snip>
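
The two effects discussed in this message, as an added example (not Declude's code or anything posted to the list): a keyword in a base64-encoded body is invisible to a scan of the raw message source, and a scan of the raw source can match text that only occurs inside an attachment. The message is constructed; the keyword ORANGE, the file name notes.txt and all function names are assumptions of the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

def build_sample():
    """Constructed message: base64 text body plus a plain-text attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    # The body keyword is hidden from raw scans by the transfer encoding.
    msg.set_content("Buy an APPLE today", cte="base64")
    # The attachment keyword is sent as readable 7bit text.
    msg.add_attachment("changelog: ORANGE parser fixed",
                       filename="notes.txt", cte="7bit")
    return msg.as_string()

def split_message(raw):
    """Return (decoded body text, attachment file names)."""
    msg = message_from_string(raw, policy=policy.default)
    body, names = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue                            # container, no content
        if part.is_attachment():
            names.append(part.get_filename())   # match names, not content
        elif part.get_content_maintype() == "text":
            body.append(part.get_content())     # decodes base64 and charset
    return "".join(body), names

def raw_contains(raw, word):
    """Keyword scan over the undecoded message source."""
    return word in raw

def body_contains(raw, word):
    """Keyword scan over decoded text parts only, attachments excluded."""
    return word in split_message(raw)[0]

if __name__ == "__main__":
    raw = build_sample()
    for word in ("APPLE", "ORANGE"):
        print(word, "raw:", raw_contains(raw, word),
              "decoded body:", body_contains(raw, word))
    print("attachments:", split_message(raw)[1])
```

Keeping attachment names in their own list mirrors the preference above for matching name=dwarf_4_you.exe over the bare file name: the rule is tied to the attachment header, not to any text that mentions the name.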



RE: [Declude.JunkMail] More more !--UserID--

2003-01-16 Thread Markus Gufler

> ... what is SpamChk...?

It's an external test for declude and makes content based tests.
At the moment it's in beta phase by some users on this list and on the
declude spamtrap (www.declude.com/spamtrap.htm)

We're preparing a website where everyone can read more about and
download it for free...

Markus







Re[3]: [Declude.JunkMail] WhiteList Per User or Domain?

2003-01-16 Thread R. Scott Perry


> I think I mentioned this to you
> earlier, Scott; If you could have the user edit their addressbook in
> Imail web mail as a whitelist, and Declude used this, then the user
> could manage their own whitelist.


This is something that we are also giving some serious thought to (perhaps 
an AUTOWHITELIST ON option that if enabled would let Declude JunkMail 
know to check for address books, and if present, would whitelist any 
address in them).
 -Scott



Re: Re[3]: [Declude.JunkMail] WhiteList Per User or Domain?

2003-01-16 Thread Sanford Whiteman
> I think I mentioned this to you
> earlier, Scott; If you could have the user edit their addressbook in
> Imail web mail as a whitelist, and Declude used this, then the user
> could manage their own whitelist.

Try the Personal SPAManager Whitelist page at http://209.227.3.6 (user demo, 
password blue) for an example of how we do the same thing with more granular control 
(we don't believe in fully whitelisting by address alone, as you will see).

-Sandy

--
 
Sanford Whiteman, Chief Technologist 
Broadleaf Systems, a division of 
Cypress Integrated Systems, Inc. 
mailto:[EMAIL PROTECTED] 

--
---
[This E-mail scanned by Declude Anti-Virus]




Re[4]: [Declude.JunkMail] WhiteList Per User or Domain?

2003-01-16 Thread Roger Heath
Reply to: R. Scott Perry
  Re: [Declude.JunkMail] WhiteList Per User or Domain? on Thursday 5:57:27 PM

Scott, the only thing that would concern me is that I use multiple
disk drives for my users accounts, for example:

activatormail.com  d:\actmail
techknow.com       c:\Imail\techknow
wyndows.com        c:\Imail\wyndows

If you do such a feature I would need to be able to point to an exact
path for each domain...

I think this would be a great feature for Declude and I hope you do
it.

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


- Copy of Original Message(s): -


I think I mentioned this to you
earlier, Scott; If you could have the user edit their addressbook in
Imail web mail as a whitelist, and Declude used this, then the user
could manage their own whitelist.

R This is something that we are also giving some serious thought to (perhaps 
R an AUTOWHITELIST ON option that if enabled would let Declude JunkMail 
R know to check for address books, and if present, would whitelist any 
R address in them).
R   -Scott
