on 4/21/04 2:35 PM, ISPHuset Nordic wrote:
And how do you can the spam if it's a legitime user?
We delete it. Spam is spam no matter who sends it.
Later,
Greg
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail
I got this message in one of my main accounts. It first came
through our sec mail server, but then nothing appears to have been flagged
by Declude. Weird thing is, I'm running SPAMDOMAINS. So shouldn't this
message have failed at least SPAMDOMAINS?
This is why:
X-Note: This E-mail was
Hello,
I got this message in one of my main accounts. It first came
through our sec mail server, but then nothing appears to have been flagged
by Declude. Weird thing is, I'm running SPAMDOMAINS. So shouldn't this
message have failed at least SPAMDOMAINS?
I have IPBYPASS
Hi,
I am new to the declude world and inherited a network that utilizes all 3 of
the declude solutions. I am using Imail 7.5 and declude 1.75.
I have received several complaints from customers stating that email has not
arrived to certain recipients. When researching this I found that the
Ok.. Thanks.. I'll have to look into this more..
Sorry to be a pain, but most of the messages that got through (14 of them
between 12am and 5am) last night were caused by this problem. Thanks
again..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R.
Hi Jeffrey,
You'll need to provide a little more information than that. All that log
snippet shows is that domain.com isn't local, which in itself is not an
issue or a reason to not deliver an email (providing you are allowing
relay for the sender).
Declude HiJack will only block emails based on
Has anyone else noticed over the last day or so that some of the hotmail
messages are coming from servers without revdns.. This is a snag cause they
are failing both revdns and spamdomains.. Any thoughts?
Received: from hotmail.com [207.68.164.107] by mail2.gannett-tv.com with
ESMTP
Thank you Bill and Roger for sharing your excellent work.
[EMAIL PROTECTED]
The scripts run under both Windows NT 4 and Windows 2000. They are
pure Windows command scripts and therefore not as fast as some of the
other log analysis tools. The analyses below took about one minute
each
Since my weights are all so close I could make them the same.
Is there a way to combined these 8 tests into 1 to determine if it failed
any if the tests? That is, IF NOT 127.0.0.0, or what ever their OK response
is? Does it really matter?
Paul Fuhrmeister
[EMAIL PROTECTED]
If the following is
ditto!
--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com
- Copy of Original Message(s): -
PF Thank you Bill and Roger for sharing your excellent work.
PF [EMAIL PROTECTED]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came
An email is from [EMAIL PROTECTED] [24.5.121.88]
AND was received from cib.co.za (c-24-5-121-88.client.comcast.net
[24.5.121.88]
Is there a way to add weight when
- received from client.comcast.net BUT sender is not @comcast.net
Here are example headers:
Received: from cib.co.za
Since my weights are all so close I could make them the same.
Is there a way to combined these 8 tests into 1 to determine if it failed
any if the tests? That is, IF NOT 127.0.0.0, or what ever their OK response
is? Does it really matter?
You could, by using something like SORBS-ALL ip4r
Using 1.78+ Pro, you can use the following in a custom filter
MAILFROM END ENDSWITH @comcast.net
REVDNS 5 ENDSWITH client.comcast.net
You could probably throw a list of END statements for various domains in
there as long as you know the naming convention for the REVDNS
Hello,
Yeah, I too have notice A LOT of spam originating from ComCast
networks lately.
You could implement SPAMDOMAINS that would check the from and
where the message came from to add weight to the message. Seems to work
well when you don't get DNS timeouts (which I have been
Yes, I too have noticed an unusually high number of DNS timeouts
recently. I was hit hard with a flood of spam starting yesterday
afternoon and continuing all night. In every instance, the DNS timed
out.
Shayne
Hello,
Yeah, I too have notice A LOT of spam originating from
ComCast
I have SPAM-DOMAINS setup, my spamdomains.txt file contains
.comcast.
@comcast. .comcast.
The messages (headers below) did not fail this test.
That's because:
X-Declude-Sender: [EMAIL PROTECTED] [24.5.121.88]
The sender is not an @comcast.com address, so it was not considered for
this test.
OK, I understand.
SPAMDOMAINS would fail if they said they were [EMAIL PROTECTED] and
sent through a tvp.ndo.co.uk mail server,
But does not fail if they say they are [EMAIL PROTECTED] and send
through a comcast.net server.
So, I need to looks at Matt's filter. I am using 1.78+ Pro, but do
There has been a few posting about this over the last week. I began
noticing it last Friday in my logs. Test messages I have sent from my
hotmail account are now coming through without failing the REVDNS test. It
looks like they are finally correcting this issue. It's about time!
Jeffrey Di
I am looking at the Processing Order from the JunkMail manual
1. IMail's Control Access file (to block IPs)
2. IMail's Kill List (to block return addresses)
3. IMail v8 anti-spam (most tests)
4. Declude Virus
5. Declude Hijack
6. Declude JunkMail
7. IMail's filters and extra IMail v8
I am looking at the Processing Order from the JunkMail manual
1. IMail's Control Access file (to block IPs)
2. IMail's Kill List (to block return addresses)
3. IMail v8 anti-spam (most tests)
4. Declude Virus
5. Declude Hijack
6. Declude JunkMail
7. IMail's filters and extra IMail v8
To make sure I wasn't introducing a typo, I used my text editor to find the
filter file, so the file name is exactly what the computer found. Among the
results I get when I run -diag is ... Declude JunkMail Status: PRO version
registered. I've made sure each file involved in this process has the
With the increase in people trying to fight spam, nameservers are getting
bombarded with lookup request. Recently I understand that ATT has taken
steps to not allow lookups of most of the blacklists using their network.
The easy answer to this is to use your own DNS servers -- if you do (and
Chuck,
Your most efficient option would be to run your own DNS server. Then
YOU control the query volumes, and no longer rely on ATT.
Jason
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Thursday, April 22, 2004 11:16 AM
To:
To make sure I wasn't introducing a typo, I used my text editor to find the
filter file, so the file name is exactly what the computer found. Among the
results I get when I run -diag is ... Declude JunkMail Status: PRO version
registered. I've made sure each file involved in this process has the
Hello,
I was wondering what exactly the CMDSPACE test is. I wasn't able to
find anything about it in the Junkmail manual..
Thanks.. -Jeff
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing
I was wondering what exactly the CMDSPACE test is. I wasn't able to
find anything about it in the Junkmail manual..
It's part of the latest beta, which means that it is currently only covered
in the release notes ( http://www.declude.com/relnotes.htm ) and on the
mailing list.
I guess I was not clear. I do not use ATT (for anything) but we have seen
the load increase so much on our own name servers that we are adding more.
I only use ATT as a reference point - they must have decided the load was
too much to take such drastic action. Many desktop Spam filters are now
I guess I was not clear. I do not use ATT (for anything) but we have seen
the load increase so much on our own name servers that we are adding more.
How many E-mails do you send/receive per day? How many spam databases do
you query for each E-mail?
At 100,000 E-mails/day and 20 DNS queries
At 12:16 PM 4/22/2004, you wrote:
With the increase in people trying to fight spam, nameservers are getting
bombarded with lookup request. Recently I understand that ATT has taken
steps to not allow lookups of most of the blacklists using their network.
It seems that we are seeing more and more
Hi, Markus,
Thanks for responding.
Well I went ahead and did it. I've rescaled
everything to have 100 points be my HOLD weight. It was pretty easy
because my previous HOLD weight was 5 so I just had to multiply everything by 20
to keep thingsrelative.
Now, that I have it there I would like
Somehow one of my guys have deleted our spamdomains file.
I was wondering if someone could provide us with one that is working well
for them.
Anyone can send it directly to [EMAIL PROTECTED]
Thanks in advance.
gb
---
[This E-mail was scanned for viruses by Declude Virus
I working on trapping more Nigerian Scams.
Is there any way to limit a filter a minimum weight. If the Nigerian filter gets
tripped for at least 3 points, I would like for it to be implemented. If it is less
than 3 points, I'd like to ignore the filter.
Can I do this with minweight
Scott
Is there any way to limit a filter a minimum weight. If the Nigerian
filter gets tripped for at least 3 points, I would like for it to be
implemented. If it is less than 3 points, I'd like to ignore the filter.
Declude JunkMail doesn't have an option to do that. However, someone here
might be
If a test false positived 37% of the time, I certainly wouldn't be weighing it that
high.
Scott Fisher
Director of IT
Farm Progress Companies
[EMAIL PROTECTED] 04/22/04 12:57PM
Hi, Markus,
Thanks for responding.
Well I went ahead and did it. I've rescaled everything to have 100 points be
According to a note I found in the archives, CMDSPACE needs Imail v8, with
SMTP-Authentication, and AUTOWHITELIST ON in global.cfg to work correctly.
Otherwise, you get false positives from Outlook clients.
As we are not on Imail v8, I ran into that problem. I handled it by reduced
the weight on
I did exactly this when we added SPAMCHK as a test last year. I
believe they recommended this range because spamchk would add a lot of
small weights and a 1-10 scale is too narrow. It also allows us to
create filters with words that are more common in non-spam, but more
likely to be spam in
Some very good ideas here. Thanks, Pete.
Darin.
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 1:49 PM
Subject: Re: [Declude.JunkMail] Nameserver issues and Spam fighting
At 12:16 PM 4/22/2004, you wrote:
With the
Hi, Scott,
Thanks for the feedback. The more I thought about it after sending the
e-mail a few minutes ago the more certain I was that my logic was not. in
fact not even remotely close to being sound. It really has to be thought of
as a factor of multiple tests and not just one, so I understand
Dan,
Individual tests do not false positive (unless they are poorly conceived).
The term False Positive in relation to spam filtering means a message that
was tagged as spam (with Declude this usually results from failure of
multiple tests), but is in reality a legitimate email that needs to be
I'd like to request an alternative to the SUBJECT action where we
could have it placed at the end rather than the beginning of the
existing subject.
I would like to place the score in the subject and it will not allow me
to sort by subject cleanly when using SpamReview.
WEIGHTHOLDSUBJSUBJECT
You guys are correct, I should have I shouldn't have said false positive with regards
to the test.
I just kept seeing the mostly good 37% of the mail 73% toward failing and false
positives kept ringing in my head.
Scott Fisher
Director of IT
Farm Progress Companies
[EMAIL PROTECTED] 04/22/04
I'd like to request an alternative to the SUBJECT action where we
could have it placed at the end rather than the beginning of the
existing subject.
I would like to place the score in the subject and it will not allow me
to sort by subject cleanly when using SpamReview.
WEIGHTHOLDSUBJSUBJECT
It would be useful with SpamReview...perhaps by truncating the subject at N
characters and appending the SUBJECT message after that.
If we get our hands on Tom's code, or write a spam review utility ourselves,
we'll probably have separate grid columns for some of the common header
addtions, like
We will consider this. The problem, though, is that a lot of subjects
are
longer than will fit on the line in the mail client -- so with the
spam
appearing at the end of the subject, it likely would often not be
seen.
My current settings in Declude and Spamcheck usually take care of such
I call them false positives, big whoop. I think people know what you
mean :)
Whatever you do though, don't mention women and spam in the same
sentence!!!
Matt
Scott Fisher wrote:
You guys are correct, I should have I shouldn't have said false positive with regards to the test.
I just
Guess we can't sing Monty Python songs then, can
we?
Darin.
- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 3:58 PM
Subject: Re: [Declude.JunkMail] Scaling Up The Declude Weighting
System
I call them false positives, big whoop. I think people
I
think it's not possible to calculate the weight of an individual test strictly
from his catch/failure rate.
On http://www.zcom.it/spamtest/you
can see what we generate from our daily logfiles.
In my opinion it's not enough to count wrong or right
results.
Theoretically there are 5
Title: Message
This
is the weighting that I use:
Hold
Weight = 10
Delete
Weight = 20
9:
SNIFFER2
8:
BADHEADERS
7:
BLITZEDALL
SBL
SPAMCOP
COMMENTS
6:
SPAM-DOMAINS
AHBL
DSBL
5:
ORDB
SORBS-HTTP
SORBS-SOCKS
SORBS-MISC
SORBS-SMTP
SORBS-SPAM
SORBS-WEB
SORBS-ZOMBIE
No -- that determines a weight at which filter processing will stop. But
it sounds like you want the filter to only return a weight if multiple
lines match.
That would be great. When can we expect it??? :')
---
[This E-mail was scanned for viruses by Declude Virus
Hi,
Thanks for the response. I was able to take a quick look at the Imail logs
today and I have an R for the message received but that is where it stops, I
never receive the D for delivery. I do not have hold1 or hold2 Directories,
I am assuming these are auto created and deleted, if not then it
Regarding the bug with subject filter that Matt reported Thursday with his
gibberishsub filter.
I too have noticed some oddities with the Gibberishsub filter results.
Matt said it was happening at the end of the subject.
I believe it may also be happening at the beginning of the subject. Also
Scott,
I working on trapping more Nigerian Scams.
What would you do in a filter? Search the body for phrases that are
found in these types of e-mails?
Goran
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail
Scott,
The easy answer to this is to use your own DNS servers -- if you do
(and
they are decent DNS servers; BIND is preferred), you won't be subject
to
the restrictions of ATT, Sprint, and others that block spam database
lookups.
Since we are running IMail (ie Windows) what is the
Nigeria filtering
Have a look at the spam assassin files. They have a very good Nigerian spam
filter so you should be able to find the search strings in there. Search for
Nigerian and you will find it in these files:
20_head_tests.cf
20_meta_tests.cf
20_phrases.cf
50_scores.cf
Good Luck
Cheers
54 matches
Mail list logo