Here's the text from the spamattach email.
I would recommend trying to latest interim release, from
http://www.declude.com/release/176i/declude.exe . There have been several
changes in the interim release that may affect how this situation is handled.
If it continues with the latest interim
Hello paul,
try this:
http://spamreview.argolink.net/software/declude.htm
i'm using it, and it works ok.
Tuesday, November 4, 2003, 12:20:22 PM, you wrote:
p I was just wondering if anyone here has ever thought of, or worked on, a
p Declude log analyzer that can, similar to Scott's AWESOME
OK, I did what John said last nite (with the logs set to 'high' and the
spool name on) and what Scott said (use the interim release) this
morning.
Here's the log entry. I picked something going to me so I could say for
sure it showed up in my inbox (it did, and it most definitely was spam).
Set
Look at last action, Ignore. Is there a White list anywhere that could
affect that?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matt Robertson
Sent: Wednesday,
I do have an external whitelist, but it consists of stuff like
WHITELIST FROM @amazon.com
WHITELIST FROM @ebay.com
WHITELIST FROM @expedia.com
And is a total of 22 entries long.
Then I have AUTOWHITELIST ON so my users can make their own white lists.
There are only two entries in my book
Scott,
I have the system working with Imail and Declude JM, But when I
configured Declude Virus with f-prot the processor goes to 100% and sets
there then the spool starts to build. I can see anywhere from 5 to 150
NTVDM and Declude in the task manager. When I shut off Declude Virus the
Matt:
Not related to your question but...
I highly recommend that you reconsider your WHITELIST FROM entries.
We have the following instead.
WHITELIST REVDNS .amazon.com
WHITELIST REVDNS .ebay.com
WHITELIST REVDNS .expedia.com
As has been
The first thing to do is to switch from F-Prot.exe (16-bit) to fpcmd.exe
(32-bit), as quite a few servers have serious troubles when there are too
many 16-bit processes (for no apparent reason).
What is the setting in the virus.cfg for fpcmd.exe
How many E-mails do you send/receive per day
Fred,
No we are running the f-prot.exe with the switches
Lenny Bauman
LRBCG.COM, Inc.
Phone 419-621-5770
Toll Free 1-800-NET-ACCESS (638-2223)
E-mail [EMAIL PROTECTED]
- Original Message -
From: Frederick Samarelli [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05,
Lenny:
This is what we have:
SCANFILEC:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM
/ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
REPORT Infection:
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
The first thing to do is to switch from F-Prot.exe (16-bit) to fpcmd.exe
(32-bit), as quite a few servers have serious troubles when there are too
many 16-bit processes (for no apparent reason).
What is the setting in the virus.cfg for fpcmd.exe
It's in the manual. :)
It's the same as with
At that volume, you may have to go to some great lengths to get everything
running smoothly on one server.
One other thing that you should make sure of is that you are using PRESCAN
ON in the \IMail\Declude\virus.cfg file (assuming you are running Declude
Virus Pro, which you should if you are
Change it to the setting I sent.
- Original Message -
From: Lenny Bauman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 12:42 PM
Subject: Re: [Declude.JunkMail] Still working on Spool overflow
Fred,
No we are running the f-prot.exe with the switches
I'm finding that it's incredibly common that dialup/dsl/cable clients are
sending spam directly. It is widely assumed that they are running a trojan
or are set up as an open relay following the six iterations of the SoBig
worm. This isn't new, but the scale of the available resources to the
Yes, a description is here for an existing suite of viruses that use that
text:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
html
Dunno if it's the official name, but this description matches and claims to
be brand new, so maybe there is a new variant that still uses
Processor is now running at 7 to 45% ...
OK, that means that the CPU usage is now under control.
... and the spool and overflow is fill fast
1200 plus in each but when I go into the queue it shows only 30 messages
being queued
Most likely, that is due to a Declude JunkMail test that died a long
John wrote:
Where was the message sent from?
Various spammers all over the planet. Since this morning Scott and I have been
trading detailed debug logs, and doing stuff to try to track this down. I had to sit
back for a bit while a client of mine did a big mailer to their membership (I
Just got a reading and am passing it off to Scott. I did find that I had
catchallmails enabled, although it wasn't actually doing anything. That
may have been the problem.
Gotcha. I just got back from a client and had not seen any update.
BTW, the catchallmails has called other problems
John wrote:
BTW, the catchallmails has called other problems before.
I'm not surprised. I had no idea I was running it. Must've del'd the comment by
accident as I've never used the thing. Easy to fix. Unfortunately a short time after
I received more of the same, so that wasn't it. :-(
--
Hi. My company recently set up a firewall which we put all our servers
behind, including our mail server running declude.
As soon as we did this, declude stopped working. From what I understood in
the log, it looked like declude wasn't able to get out and check spam
databases. There were a lot
Ok, here you go... discounts are only available on multiple server
installations. Single server installations are always the same price for
everyone.
You can download the latest version of Alligate anytime at:
http://www.alligate.com/downloads.asp
Here are your Alligate activation codes:
Hi all,
I've asked a couple of times over the past couple of weeks, but thought I'd
ask one more time...
I get a lot of spam with return addresses that start with b.
ie: [EMAIL PROTECTED]
Is there anyway to filter that in declude or in the Imail kill list?
Thanks, Andy
---
[This E-mail was
Filter file.
MAILFROM(weighttoadd) STARTSWITH b.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of andyb
Sent: Wednesday, November 05, 2003 2:53 PM
To:
to be sure, the syntax would be:
in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
In myfilter.txt:
MAILFROM5STARTSWITH b.
Isn't this adding the weight of 5 twice? I'd like it to only be added once.
Upon reading the on-line junk mail manual, this point isn't clear.
to be sure, the syntax would be:
in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
In myfilter.txt:
MAILFROM5STARTSWITH b.
That would work fine.
Isn't this adding the weight of 5 twice? I'd like it to only be added once.
Yes, that would add the weight twice. The
If you wanted to add 5 to any message caught by anything in the filter, you
would add five in the test definition in the Global.cfg.
However, if you want to add weight to each line in the filter, you would
leave the weight on the test itself to 0 and put the weight value in the
second column in
I had seen the problem with a beta install of Outlook 2003 and had hoped
that the release version would have that worked out. I soon found that
to not be the case. Of course, I've seen other programs (Goldmine is a
notable example) that trip the spamheaders test. Forms from webpages
fail it as
So, the line
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
should have 2 x's because of the 2 tiered weighting system I'm using?
Thanks,
Andy
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 7:13 PM
Subject:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
should have 2 x's because of the 2 tiered weighting system I'm using?
No. That will give E-mails that do NOT fail the test a weight of 5.
Test name, test type, 2 pieces of test-specific information, standard
weight, negative (pass) weight.
Andy,
I tried sending this twice, but I think Scott's server blocked it
because of the content in the headers, so the headers are attached as a
zip this time. Your global.cfg would have something like the following
and the adjusted filter file is in the original reply pasted below
(name the
BTW, actually two of those three headers are from the same company.
You can also easily identify this spam company with a filter for the
following unique code which might be safer than the other technique
(though, only slightly more so):
HEADERS 0 CONTAINS X-JLH:
Be sure to include a space
Here is the format:
TESTNAME testtype 1stparameter 2ndparameter failweight passweight
Here are the various types:
WEIGHT weight notused notused triggerweightfail
WEIGHTRANGE weightrange notused notused triggerweightstart triggerweightend
DNSTEST ip4r testaddress returncode(ifneeded) failweight
32 matches
Mail list logo
