Thanks.
I set up my primary domains. I still have to review client domains to
determine the proper setup for those that are used for emailing.
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED]
Greetings--
Would someone please share a strategy to identify or block junk coming
from spoofed/relayed hotmail addys, while letting legit mail originating
from the real hotmail host(s) through ?
--
==Ron Rushing==
CCNA CCDA
Network Manager- ESC7Net
Region VII Education Service Center
1909
Spamdomains works, and we've been building a list of common sources of spam,
cable modem IP's and such. Bill has a spamdomains list that works pretty
good, if there's an update to it he might read this and post the link to it.
I haven't had a lot of false positives on Spamdomains.
Rich
-
Ron,
The best thing for hotmail is to setup spamdomains. For hotmail we use the
following in our spamdomains file
hotmail.com msn.com
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs -
A 16 digit credit card number was displayed. (x'ed out.)
<html>
<body>
<P>Dear ANZ Internet banking client,</P>
<P>We encountered a billing error when attempting to renew your ANZ New
Zealand
<BR>online banking services. This type of error usually indicates that
either
the <BR>credit card you have on file
Can someone please share their spamdomains file?
Thanks,
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Thursday, December 18, 2003 6:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HOTMAIL ?
Ron,
The best thing
I always thought the significant drivers on the IETF were reps of the major
players.
Burzin
Isn't the IETF supposed to be this body?
_M
At 09:14 PM 12/16/2003, you wrote:
I would agree with this type of governing body. One that sets standards
like RDNS entries and what they mean.
I just got one of those yesterday too. Same info displayed.
- Andy
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, December 18, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject:
I don't mind doing so, but I don't want to clog the list with config
files. I have sent them off list upon request.
Burzin
At 05:44 PM 12/17/2003, you wrote:
Hello, All,
Is there anyone on this list besides Kami who makes their Declude JunkMail
files publicly viewable as he does?
Just
FYI to all: I am going ahead with my idea of hosting a site where people can
post their files and others can read them. It would have FTP capabilities
for use with scripts and such.
Unfortunately, the flu has invaded my house and so things are behind right
now.
John Tolmachoff
Hi;
It would be great John..
What would be even greater is a site and mirrors that can host filters from
everyone who is willing to share them. This way the network traffic on a
single site is reduced.
I think that can add a lot of value to Declude and reduce coming online by
those that start
Does any one have comments on any of the following:
http://www.computerworld.com/softwaretopics/software/groupware/story/0,10801,80626,00.html
Project Lumos
http://www.camram.org
CANRAM
Burzin
At 09:01 PM 12/15/2003, you wrote:
How about some new suggestions for methods to combat the
I can use the following correct, inside of my filter file?
SUBJECT 2 STARTSWITH ADV:
Thanks,
Kris McElroy
[EMAIL PROTECTED]
Chief Technology Officer
Duracom, INC.
www.duracom.net
I am always doing that which I can not do, in order that I may learn how to
do it.
---
[This
I would be interested in having a mirror, we have plenty of horsepower
to spare!
Aaron
[EMAIL PROTECTED]
www.vantech.net
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, December 18, 2003 11:01 AM
To: [EMAIL PROTECTED]
Subject:
I can use the following correct, inside of my filter file?
SUBJECT 2 STARTSWITH ADV:
Yes, that would work fine.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses
I would also be interested in this. Is it possible to get these?
Jeff Kratka
*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
We will be adding support for SPF (Sender Permitted From, at
http://spf.pobox.com ) to the next beta of Declude JunkMail. This is a
system that lets owners of domains publish information on what mailservers
people can use to send mail from the domain. We expect that this can be
very useful
I haven't updated my spamdomains file for quite some time, but this has been
working well for me, thus far:
altavista. .av.com
amazon.com .forevermail.com
ameritech.net .sbc.com
.aol.com
@aol.com .aol.com
.apple.com
@apple.com .apple.com
.att. .cdpd.airdata.com
@att. .att.
attbi.com
On my home email account, I just received a campaign email from the Wesley
Clark camp. Obviously, at least one candidate is not up on spam issues.
I've included the headers below
Denny Jodeit
Flare Net, Inc.
___
Received: from
The obfuscation exploit for IE that was reported a week ago is now being
seen on my server (2 times yesterday). Both were PayPal scams, and in
both instances, I would have passed the messages if I didn't have this
filter in place because the only other test they failed was FRAUDDOMAINS
(a
Any chance we can separate fail unknown into two different tests?
via spf we have ?all or -all which are supposed to be treated differently
from what I understand.
I would rather seriously penalize any domain that is configured with a -all
and the sending IP fails
and would NOT want to
Any chance we can separate fail unknown into two different tests?
via spf we have ?all or -all which are supposed to be treated differently
from what I understand.
They are treated differently. An SPF lookup can result in PASS, FAIL, or
UNKNOWN. So:
Ideally I would like something like this:
Gotcha, all 3 are already setup :)
I don't really want to penalize for unknown, was just making an example.
( I just setup spf on my postfix box yesterday as well to help get past some
restrictions for pass)
Sounds like you are setting the spf-guess (which defaults to mx/24 a/24
right?)
Scott -
If you would a little help please w/my Bind to implement SPF:
In a zone file I would add:
example.com. IN TXT v=spf1 mx ptr ip4:63.170.56.4 -all
mail.example.com. IN TXT v=spf1 a -all
mail2.example.com. IN TXT v=spf1 a -all
Is this correct - one line for the domain and one line for
Yes, I like the idea of reassuring that an unsubscribe site is not used for
harvesting. I recognize that people often report something as spam, because
they feel it's safer than being tricked into unsubscribing. Rather than
getting negative weight due to Spamcop and being blocked, messages could
If anyone wants
BODY4CONTAINSobject
classid=""BODY4CONTAINS.cab#version=BODY4CONTAINSparam
name="
ACTIVEX-FILTERfilterActiveX-filter.txtx40
Seems to work. Anyone got anything
else?
If you would a little help please w/my Bind to implement SPF:
In a zone file I would add:
example.com. IN TXT v=spf1 mx ptr ip4:63.170.56.4 -all
mail.example.com. IN TXT v=spf1 a -all
mail2.example.com. IN TXT v=spf1 a -all
Is this correct - one line for the domain and one line for each
How exactly do I set up the spamdomains test in my system. I know I need to
create /imail/declude/spamdomains.txt file (I added the domains from below)
but I am unsure of how to set it up in the GLOBAL.CFG file. Could someone
give me a quick how to.
Thanks
Darryl Koster
-Original
What will this filter out...will it filter out
email like MyPoints.com which is not a good idea..
Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
- Original Message -
From:
Doug Anderson
To: [EMAIL PROTECTED]
Sent: Thursday, December 18,
The parm name entry is used outside of ActiveX, maybe not a good idea to
include it here? Also, your scoring is going to be incremental with 4
for the filter in Global.cfg as well as 4 points for each line of the
filter this hits. I'm not sure if that's what you intended.
While this is
Hi Scott:
A) Is there an %SPFSTATUS% variable for use in the headers (that will show
FAIL/PASS/UNKNOWN)?
B) If not, is there a generic SPF test in the global.cfg, so that I can
use one line to create a WARN action e.g.
SPF spf * x x x
Best Regards
Andy Schmidt
HM
Wow, seeing positive results already! Thanks Scott for
getting this implemented so quickly! Guess I will need to
setup my SPF records now.
I've some questions:
Our situation here is, that we host mailservices for several customers.
We have also our own DNS servers and so we're able to set
Add an entry to your global.cfg like:
SPAM-DOMAINS spamdomains M:\IMail\Declude\SpamDomains.txt x 10 0
setting the weight test to whatever you want (reflected as a weight 10
above).
Bill
- Original Message -
From: Darryl Koster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday,
Our situation here is, that we host mailservices for several customers.
We have also our own DNS servers and so we're able to set up SPF TXT
records.
But as I understand we can't set up silently this records for all our
domains because we can't be sure that all of our clients send all their
A) Is there an %SPFSTATUS% variable for use in the headers (that will show
FAIL/PASS/UNKNOWN)?
No. But we will look into this.
B) If not, is there a generic SPF test in the global.cfg, so that I can
use one line to create a WARN action e.g.
SPF spf * x x x
I don't
what will it filter out? Anything with ActiveX embedded in the
HTML of the email. From our system that would be ads for "micro shaver", some
miracle bra, a travel "good dealz" ad, and as seen on TV ads.
I'm not familiar with mypoints.com ads...haven't seen any
yet.
Typically, you'll
One major suggestion: If filters are shared - I really think no negative
filters should be shared. Negative words and filters getting in the hands
of our beloved spammer would hurt everyone. But that is just my 2 cents.
AH, but I am scheming a way to combat that. Of course, not everyone
In global.cfg:
SPAMDOMAINS spamdomains c:\imail\declude\spamdomains.txt x 7 0
change the weight to suit your needs...change the path to that of your
location on your server
Sincerely,
Randy Armbrecht
Global Web Solutions®, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562)
Wow,
With only a few hundred domains registered, what were the chances that it
would already catch spam:
12/18/2003 16:32:17 Q1cd609ef0252d469 DSBL:5 SPAMCOP:7 NJABLDUL:4
SORBS-DUL:5 CBL:7 SPFFAIL:8 . Total weight = 36.
12/18/2003 16:32:17 Q1cd609ef0252d469 Bypassing whitelisting of E-mail with
I had a similar problem last week. In that case, it turned out to be a
problem with the Sniffer add-on program for declude Junkmail. It was
related to their new wide-release-beta (v2-2b). They have had flurry of
beta releases addressing the problem. The latest is v2-2b6. I have
been running
Hi,
I assume that Form Mail's are a big problem under SPF? If a web site
(greeting card site) inserts the users email address as the from address,
then it will fail SPF, correct?
Or, if we host a web site for a client, the registrations or feedback
form mailers email the input to the client
This will provide positive benefits, without having any
negative benefits.
If you know a domain will only be sending mail through your
mailservers, you can instead use -all at the end (which
gives a FAIL result for E-mail sent from other IPs).
Ok, thank you for this information.
But I
Could you explain to a newbie
what the format is of the C:\Imail\Declude\SpamDomains.txt file is and what the
entries mean? Looking back through the archives, I see some lines with single
entries and others with 2 entries per line. Like:
.aol.com
@aol.com .aol.com
Thx.
-Marc
-
I noticed that local
form mails seem to "PASS" SPF? That's nice - but
how/why?
Example:
12/18/2003 17:21:45 Q28781b8a01d045e5
SPFPASS:-5. Total weight =5.
...12/18/2003 17:21:45 Q28781b8a01d045e5 Msg
failed SPFPASS (SPF returned PASS for this E-mail.).
Action="">12/18/2003
Scott -
I have PREWHITELIST ON however all tests seem to be run on an email
regardless - then when tests are completed the email is whitelisted.
Is this broke or am I misunderstanding PREWHITELIST eg: if switched
ON then testing will be done? -
Thanks!
-Nick Hayer
snip
Hi,
X-Declude: Version
1.77i3; D2acb18b6021e5887.SMD from sccrmhc12.comcast.net
[204.127.202.56]
X-Declude-Date: 12/18/2003 22:37:23
[5]
Is this something I
can turn off, or will it eventually be removed from this
beta/interim?
Best Regards
Andy Schmidt
HM Systems Software,
Andy,
I'm with you on the idea being that this is much like SPAMDOMAINS,
however, I don't think that I will be subtracting any points for E-mails
that pass. I see spam coming through legit servers every day, and
what's to stop a static spammer from adding these records to their own
server?
Hello,
Silly question. I've entered the following action in response to test:
SUBJECT Message Contains Unsafe URL
However, messages get tagged as
Message Contains Unsafe URLSpam ##: test
How do (or can) I prevent the Spam ## from showing up?
Thanks,
Burzin
--
Burzin Sumariwalla
Hello,
1. Does anyone have stats. on false positives v. uncaught spam for various
tests. Am I correct in understanding that
tests with ratios closer to zero are more accurate?
2. Can someone point me to Scott's November Spam Statistics post. I
couldn't find it in the Declude archive.
I would like to try the file listed below for the spamdomains...but I am
not sure if wrapping has taken place in the mail client. Could someone send
me an attachment of the text file that has been working for them...thanks
in advance...At 04:31 PM 12/18/2003 -0500, you wrote:
altavista.
When we create a form on a server we never send the form using the email
address that the user entered. Too many times the user enters the address
incorrectly.
We use a from address of the domain we are in and place what the user typed
in the body of the message. This guarantees that we get all
Hello,
Some of my spam that gets caught has a really low weight. This usually
indicates a FP.
I was wondering is it possible to setup a Declude config such that a total
Declude weight of
less than 5 will ignore the normal action of Sniffer.
In other words is it possible to set an action of a
PREWHITELIST ON only tells Declude to not run tests IF an incoming message
meets one of the WHITELIST lines.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Nick Hayer
Yes, I understand how it can be done - unfortunately, many form mailer
scripts don't use the reply-to header and greeting card companies seem to
use the from field.
Bottom line - unless web sites are being changed, we cannot define -all,
we have to define ?all since any of our users may be
greeting card sites can do the same thing but they do not. They can
use an address in their own domain to send the email and add a
header for the reply to address as the person who sent the message.
Not just the Reply-To:, but the From: as well. It is not technically
difficult to
In other words is it possible to set an action of a test conditional
upon the total Declude value of the message.
I believe--but this may be outdated info--that you can pass the
%WEIGHT% var to a test (as well as some other in-progress parameters),
so you could set up an external test
Could you explain to a newbie what the format is of the
C:\Imail\Declude\SpamDomains.txt file is and what the entries mean?
Looking back through the archives, I see some lines with single entries
and others with 2 entries per line. Like:
.aol.com
@aol.com .aol.com
The first column is text
X-Declude: Version 1.77i3; D2acb18b6021e5887.SMD from
sccrmhc12.comcast.net [204.127.202.56]
X-Declude-Date: 12/18/2003 22:37:23 [5]
Is this something I can turn off, or will it eventually be removed from
this beta/interim?
This is a feature specific to the interim release, that will not be in
I had pretty much everything correct except the SPAM-DOMAINS (I had
SPAMDOMAINS).
Thank you very much for clearing this up for me, it has truly knocked the
level of spam down significantly in just over an hour.
Darryl Koster
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
But I have to know in any case of all the domains that send out legit
messages through our server.
No, you do not. You can simply add the v=spf1 +mx ?all to all your domains.
However, if you want to take the time to find ones that only send through
your server, you can change them from v=spf1
I noticed that local form mails seem to PASS SPF? That's nice - but
how/why?
That's because:
12/18/2003 17:21:45 Q28781b8a01d045e5 From:
deletedmailto:[EMAIL PROTECTED]@logan-aluminum.com To:
deletedmailto:[EMAIL PROTECTED]@fmametalfab.org IP: 127.0.0.1 ID:
the IP is 127.0.0.1. The RFC
Silly question. I've entered the following action in response to test:
SUBJECT Message Contains Unsafe URL
However, messages get tagged as
Message Contains Unsafe URLSpam ##: test
How do (or can) I prevent the Spam ## from showing up?
Unfortunately, there isn't a way to do that -- the
1. Does anyone have stats. on false positives v. uncaught spam for
various tests. Am I correct in understanding that
tests with ratios closer to zero are more accurate?
Right now, I believe the best source is:
2. Can someone point me to Scott's November Spam Statistics post. I
couldn't
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]
I view this as a fail only test, and while I could probably score it at
80% comfortably while it is not in widespread use, I'm only going to
weight it the same as my SPAMDOMAINS test which I believe is at 40% of
my fail
This was my thought, as well. I have already found e-mail that I felt was
spam that had valid SPF records.
I'm curious about this one -- could you let me know the domain?
I think whitelisting E-mail based on an SPF PASS probably isn't a wise
idea, but I'm sure that spammers that do use SPF
Agreed but with any change some code needs to be modified to support new
ways of processing data.
As for the greeting card companies if SPF takes off they will wake up and
change their delivery method. How else will they make their advertising
buck?
There will always be a time of adjustment
As for the greeting card companies if SPF takes off they will wake up and
change their delivery method. How else will they make their advertising
buck?
Actually, the greeting card companies *should* already be doing this. The
return address is used for bounce messages. If they are using the
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
This was my thought, as well. I have already found e-mail that I felt
was
spam that had valid SPF records.
I'm curious about this one -- could you let me know the domain?
I was a little hasty in my statement above. When I
R. Scott Perry wrote:
I think whitelisting E-mail based on an SPF PASS probably isn't a wise
idea, but I'm sure that spammers that do use SPF will be much easier
to catch (they are providing a list of IPs that they may be spamming
from <G>).
If I was a spammer, I would use this to my advantage.
The most troublesome crud spammer of them all (the p-patch guy) is
currently sending out E-mails with the following line in the headers:
X-Ki: random characters
I'm going to throw in a filter for this as follows:
HEADERS 30 CONTAINS X-Ki:
I suspect this pattern may be
Excellent!
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 18, 2003 06:47 PM
To: [EMAIL PROTECTED]
Subject: Re: