RE: [Declude.JunkMail] Question...
Strange. This isn't working. Anyway to debug? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Saturday, July 13, 2002 10:03 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Question... So the syntax is: SNIFFER ROUTETO [EMAIL PROTECTED] That is correct. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail scanned for viruses by F-Proto Virus Scanner] --- [This E-mail scanned for viruses by F-Proto Virus Scanner] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] Question...
SNIFFER ROUTETO [EMAIL PROTECTED] Strange. This isn't working. Anyway to debug? Question #1: Are you running the latest beta version? If not, it won't work. Question #2: What isn't working? Are the E-mails being delivered exactly as before (IE the ROUTETO action isn't being used), or is something else happening (indicating that it is being used, but it isn't working properly)? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] Question...
SNIFFER ROUTETO [EMAIL PROTECTED] Strange. This isn't working. Anyway to debug? Question #1: Are you running the latest beta version? If not, it won't work. Installed.bin says 1.56 (I'm pretty sure it's the I version) Question #2: What isn't working? Are the E-mails being delivered exactly as before (IE the ROUTETO action isn't being used), or is something else happening (indicating that it is being used, but it isn't working properly)? I have SNIFFER set to use the ROUTETO action. I guess it depends on the priority of the ROUTETO action. What is the current priority order? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail scanned for viruses by F-Proto Virus Scanner] --- [This E-mail scanned for viruses by F-Proto Virus Scanner] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] Question...
Question #1: Are you running the latest beta version? If not, it won't work. Installed.bin says 1.56 (I'm pretty sure it's the I version) The installed.bin file may or may not contain useful information in it -- you should type \IMail\Declude -diag to determine the version you are running. I have SNIFFER set to use the ROUTETO action. I guess it depends on the priority of the ROUTETO action. What is the current priority order? ROUTETO is just below HOLD, BOUNCE, and DELETE, so those three would take priority over it. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] weight of 63 passed ??
Strangeness. I'm curious how this message manage to get through and be delivered. I have weight20 set to hold and weight30 to delete. This message made weight63. The address it was delievered to is granted located on a unix box but the messages get relayed through imail and obviously declude processed and tagged this message but it got delivered anyways. (below the message is excerp from my declude log) Return-Path: [EMAIL PROTECTED] Received: from imail.fament.com (imail.fament.com [208.189.26.51]) by unicorn.fament.com (8.11.6/8.11.0) with ESMTP id g6FDFf125937 for [EMAIL PROTECTED]; Mon, 15 Jul 2002 08:15:42 -0500 Received: from SPHINX.ftf.sn [213.154.76.114] by imail.fament.com with ESMTP (SMTPD32-7.07) id ABA29C500FE; Mon, 15 Jul 2002 08:18:26 -0500 Received: from smtp0210.mail.yahoo.com ([213.96.125.231]) by SPHINX.ftf.sn with Microsoft SMTPSVC(5.0.2195.2966); Mon, 15 Jul 2002 11:58:12 + Date: Mon, 15 Jul 2002 07:54:45 -0400 From: Virginia Doub[EMAIL PROTECTED] X-Priority: 3 To: [EMAIL PROTECTED] Subject:Free Online Payment Account - Plus a $5.00 Sign Up Bonus Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: [EMAIL PROTECTED] X-OriginalArrivalTime: 15 Jul 2002 11:58:22.0356 (UTC) FILETIME=[EAF35540:01C22BF6] X-RBL-Warning: OSRELAY: This entry was last confirmed open on 4/19/2002 X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?213.96.125.231 X-RBL-Warning: NOABUSE: Not supporting abuse@domain X-RBL-Warning: NOPOSTMASTER: Not supporting postmaster@domain X-RBL-Warning: REVDNS: This E-mail was sent from a mail server 213.154.76.114 with no reverse DNS entry. X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000100f]. X-RBL-Warning: WEIGHT10: Weight of 63 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [213.154.76.114] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. Status: 07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed OSRELAY (This entry was last confirmed open on 4/19/2002). 07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?213.96.125.231). 07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed NOABUSE (Not supporting abuse@domain). 07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed NOPOSTMASTER (Not supporting postmaster@domain). 07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed REVDNS (This E-mail was sent from a mail server 213.154.76.114 with no reverse DNS entry.). 07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100f].). 07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed WEIGHT10 (Weight of 63 reaches or exceeds the limit of 10.). --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] weight of 63 passed ??
Strangeness. I'm curious how this message manage to get through and be delivered. My first question: Do you have a WHITELIST entry that could have let it through? I have weight20 set to hold and weight30 to delete. This message made weight63. The address it was delievered to is granted located on a unix box ... And I should mention here that if the E-mail is being sent to another server (unix box), IMail considers it outgoing mail, so the settings in the \IMail\Declude\global.cfg file. To get around this, you can use per-domain settings for that domain. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] Word Filter?
Title: Message Hi; In the Word Filter we can use a line as such: REVDNS -5 CONTAINS yahoo.com The domain name listed here refers to Yahoo.com specifically or like the BlackList or WhiteListrefers to anything that ends with Yahoo.com? For example does the above also assigns a -5 to SpamYahoo.com? ThanksKami
Re: [Declude.JunkMail] Word Filter?
In the Word Filter we can use a line as such: REVDNS -5 CONTAINS yahoo.com The domain name listed here refers to Yahoo.com specifically or like the BlackList or WhiteList refers to anything that ends with Yahoo.com? The CONTAINS in this case will match any reverse DNS entry that contains yahoo.com in it (mail.yahoo.com, notyahoo.com, yahoo.com.spammer.com, etc.). For example does the above also assigns a -5 to SpamYahoo.com? Yes, it does. You could instead use: REVDNS -5 CONTAINS.yahoo.com since no Yahoo.com mailserver reverse DNS entry should be just yahoo.com. We may later add an ENDSWITH that could be used here, to prevent yahoo.com.spammer.com from matching (but on the other hand, if they did that, they could just as easily use mail.yahoo.com as the reverse DNS entry). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] Watching CC's?
--- This message was by mistake posted to the Declude virus list. 2nd posting. - Hi; Any thoughts on this? At times I notice that I personally receive SPAM where the CC field contains my userid at every single domain out there in the world. For example the one I just received contained Kami@ With a ton of other domains. So a thought that perhaps could limit such ways of SPAMing could be to check the CC TO field and parse the e-Mails (if any) for duplicate userID's with different domains. Naturally I can't imagine why someone would send someone an e-mail to 5 different identical userID's at different domains? Is this part of any tests? If not, could it be considered as a valid test? Regards, Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] Watching CC's?
At times I notice that I personally receive SPAM where the CC field contains my userid at every single domain out there in the world. For example the one I just received contained Kami@ With a ton of other domains. So a thought that perhaps could limit such ways of SPAMing could be to check the CC TO field and parse the e-Mails (if any) for duplicate userID's with different domains. Naturally I can't imagine why someone would send someone an e-mail to 5 different identical userID's at different domains? Is this part of any tests? If not, could it be considered as a valid test? The problem is that a lot of spammers will do something very similar to this, where the usernames are similar, but not always the same. So it might be [EMAIL PROTECTED], [EMAIL PROTECTED], ... While it might not be difficult to detect the identical usernames, it would be difficult to detect the similar ones. Also, it's common to receive E-mail sent to multiple postmaster@ or abuse@ accounts. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
DORKZTL:RE: [Declude.JunkMail] Watching CC's?
I second this. I cannot think of any circumstance where I would receive a legitimate email addressed to my username at more than 2 or 3 domains. This would be a good test to have at our disposal. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jerod M. Bennett Sent: Monday, July 15, 2002 1:45 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Watching CC's? The problem is that a lot of spammers will do something very similar to this, where the usernames are similar, but not always the same. So it might be [EMAIL PROTECTED], [EMAIL PROTECTED], ... While it might not be difficult to detect the identical usernames, it would be difficult to detect the similar ones. Also, it's common to receive E-mail sent to multiple postmaster@ or abuse@ accounts. While this is all true, I still agree that the test would be beneficial as something that could add weight. Jerod M. Bennett Director of Media Production Pixelpushers, Inc. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] DORKZTL:DORKZTL
The DORKZTL is coming from my attbi.com line I use. My servers are not listed (at this time!) Jim Rooth Klotron, Inc. --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] DORKZTL:DORKZTL
The DORKZTL is coming from my attbi.com line I use. My servers are not listed (at this time!) http://www.dnsstuff.com/tools/ip4r.ch?ip=204.127.202.62 shows that it is listed. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] DORKZTL:Newbie here
New to the Junk Mail side. I have several files in the hold pattern that need to be released. How does one go about that? You need to copy both files (the D*.SMD file with the E-mail body, and the associated Q*.SMD file with the IMail recipient information) from the \IMail\spool\spam directory back to the \IMail\spool directory, and IMail will send it out on the next queue run. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] DORKZTL:Strange
I have another issue that may or may not be germane here. I have a small server running W2K as the OS with Apache and PHP running a webpage. The webpage has an entry to an email user on my Imail server. This morning I noticed my log file hit over 14 Mb in size. How high is it normally? If it is normally 10-12 MB, there may be no problem. If is is normally 1-2 MB, you may have a compromised server that a spammer is using to send out spam. I cleared out over 14,000 bad emails and email in the queue at about 10:00 am today. Ten minutes ago I cleaned out another 15,000 emails from the queue. I also stopped the SMTP service on the server. Does anyone have any idea how or what I need to do to stop this monster? The first step is to identify the monster. To do that, I would open some of those 10,000's of E-mails, and see who they are from/to. If they are all from/to the same user, there may be a mail loop. More likely, a spammer has found a way to send spam through your mailserver. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] DORKZTL:Newbie here
New to the Junk Mail side. I have several files in the hold pattern that need to be released. How does one go about that? Please check this: X-RBL-Warning: POSTFIXGATE: Blackholed by PostfixGate - see http://www.postfixgate.com or do a lookup at http://www.dnsstuff.com/tools/ip4r.ch?ip=204.127.202.62 X-RBL-Warning: XBL: 243.68.238.12.xbl.selwerd.cx. John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] DORKZTL:DORKZTL
Yes sir it sure does and a reverse lookup will tell you that it is not a server used by Klotron but one of ATT. I sent them a nasty note as I cannot send purchase orders to a couple of vendors because of them being listed on four or five lists. They said they really were not concerned at this point in time. I'll go you one better...I get a 'page not found now when I go to DNSstuff.com! I swear it is a communist plot... Jim Rooth Klotron, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Monday, July 15, 2002 1:00 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] DORKZTL:DORKZTL The DORKZTL is coming from my attbi.com line I use. My servers are not listed (at this time!) http://www.dnsstuff.com/tools/ip4r.ch?ip=204.127.202.62 shows that it is listed. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] DORKZTL:Strange
Normal size is around 1 Mb. Just a small server with around 5K emails a day. All of the emails seem to be coming from the same sender. The weird thing is it is not on my email server...it is on a web server that is not published but used strictly for in house use by a client. I have killed the SMTP service on it in hopes of stopping it for the time being. All the Bad emails and queued emails were on the web server and not the email server. There is no reference of an email on the web server other than a form that sends it through my email server (one form.) I guess that is how it is getting to the email server. Jim Rooth Klotron, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Monday, July 15, 2002 1:08 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] DORKZTL:Strange I have another issue that may or may not be germane here. I have a small server running W2K as the OS with Apache and PHP running a webpage. The webpage has an entry to an email user on my Imail server. This morning I noticed my log file hit over 14 Mb in size. How high is it normally? If it is normally 10-12 MB, there may be no problem. If is is normally 1-2 MB, you may have a compromised server that a spammer is using to send out spam. I cleared out over 14,000 bad emails and email in the queue at about 10:00 am today. Ten minutes ago I cleaned out another 15,000 emails from the queue. I also stopped the SMTP service on the server. Does anyone have any idea how or what I need to do to stop this monster? The first step is to identify the monster. To do that, I would open some of those 10,000's of E-mails, and see who they are from/to. If they are all from/to the same user, there may be a mail loop. More likely, a spammer has found a way to send spam through your mailserver. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] Watching CC's?
Just to show an example: The header follows- Yes- there are other tests that catch it. But from what I have seen so far, the tests that have caught this e-Mail are not known to be 100% proof of SPAM. I have seen these tests fail in some legitimate e-Mail. The multiple UserID address test could have been a definite nail on this item because other than [EMAIL PROTECTED] none of those are me! . . . To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] From: [EMAIL PROTECTED] Subject: [SPAM]EXPERT Consultants Available 2510 Date: Wed, 10 Jul 2002 11:35:31 -0400 MIME-Version: 1.0 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal Reply-To: [EMAIL PROTECTED] X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [c004400e]. X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [c004400e]. X-RBL-Warning: HEUR10: Heuristic spam detection level 10 [1.00] X-Declude-Sender: [EMAIL PROTECTED] [207.115.63.103] X-Declude-Spoolname: D544802ed01b8bc24.SMD X-Note: This E-mail was scanned by Declude (www.declude.com) for spam virus. X-Spam-Tests-Failed: BADHEADERS, SPAMHEADERS, WEIGHT15, HEUR10 x-Weight: 19 X-Note: This E-mail was sent from pimout4-ext.prodigy.net. ([207.115.63.103]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 326073932 Hope the header helps. Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Monday, July 15, 2002 1:53 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Watching CC's? While this is all true, I still agree that the test would be beneficial as something that could add weight. Checking 10 of the E-mails at our spamtrap, several had multiple Cc:'s. There was one that had 4 usernames that were the same, with about 6 others that were similar. That E-mail also failed 16 spam tests, so adding a multiple usernames test wouldn't have really helped with any of those 10 E-mails. Are people here seeing lots of spam being sent this way -- the exact same username appearing multiple times in a Cc: header -- that isn't getting caught otherwise? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] DORKZTL:Strange
I can't tell you as I apparently don't have it configured properly yet. The DECCON log told me at 0930 that I had 1536 emails, with 873 Spam. I clicked it close when doing something and it didn't come back on. I started it again an hour ago and I just now checked it and it said 0,0,0,0 so I have another issue as well. Oh, I forgot the one about the boss yelling about how he spent $700 to get an email this morning about an adult porn site! I told him he should invest some time in it and leave me alone so I could figure out how to help his spam situation. Jim Rooth Klotron, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff Sent: Monday, July 15, 2002 1:12 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] DORKZTL:Strange If you have Declude Hijack loaded and configured, what does the Deccon log say? John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com I have another issue that may or may not be germane here. I have a small server running W2K as the OS with Apache and PHP running a webpage. The webpage has an entry to an email user on my Imail server. This morning I noticed my log file hit over 14 Mb in size. I just loaded Declude Hijack and Declude Junk Mail on the server Saturday. I have been running Declude Virus for quite some time. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] DORKZTL:Strange
Normal size is around 1 Mb. Just a small server with around 5K emails a day. All of the emails seem to be coming from the same sender. The weird thing is it is not on my email server...it is on a web server that is not published but used strictly for in house use by a client. I have killed the SMTP service on it in hopes of stopping it for the time being. Note that the spammers that break into webservers will run their own software on there, not using the Microsoft SMTP service. All the Bad emails and queued emails were on the web server and not the email server. There is no reference of an email on the web server other than a form that sends it through my email server (one form.) I guess that is how it is getting to the email server. Usually the spammers access their spamware through a web form, so that it probably the problem. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] DNSstuff.com WAS: DORKZTL:DORKZTL
I'll go you one better...I get a 'page not found now when I go to DNSstuff.com! I swear it is a communist plot... It was apparently down for about 15 minutes. Works fine now. John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] DORKZTL:Strange
Did the Console screen on the server show any mails being held? (It would list by IP address.) John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Rooth Sent: Monday, July 15, 2002 11:28 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] DORKZTL:Strange I can't tell you as I apparently don't have it configured properly yet. The DECCON log told me at 0930 that I had 1536 emails, with 873 Spam. I clicked it close when doing something and it didn't come back on. I started it again an hour ago and I just now checked it and it said 0,0,0,0 so I have another issue as well. Oh, I forgot the one about the boss yelling about how he spent $700 to get an email this morning about an adult porn site! I told him he should invest some time in it and leave me alone so I could figure out how to help his spam situation. Jim Rooth Klotron, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff Sent: Monday, July 15, 2002 1:12 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] DORKZTL:Strange If you have Declude Hijack loaded and configured, what does the Deccon log say? John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com I have another issue that may or may not be germane here. I have a small server running W2K as the OS with Apache and PHP running a webpage. The webpage has an entry to an email user on my Imail server. This morning I noticed my log file hit over 14 Mb in size. I just loaded Declude Hijack and Declude Junk Mail on the server Saturday. I have been running Declude Virus for quite some time. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.375 / Virus Database: 210 - Release Date: 7/10/2002 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .