RE: [Declude.JunkMail] Our filter fromfiles.
This is great for sharing and thank you.

Is anyone interested in sharing their global.cfg and white/black list files and strategies that are working well for them? I feel overwhelmed these days keeping up the spam battle as mail server admin and all the other daily chores I am responsible for. We handle a lot of religious and family oriented sites and cannot slack on our Spam control.

A few days ago, I finally bit the bullet and subscribed to sortmonster's sniffer. Hoping the $300/yr will decrease my Spam review time spent each day. I thought I was doing a pretty good job of eliminating spam - until I put a hold for review on all caught by the sniffer filter. Basically I discovered that we are only stopping about 1/2 of the Spam hitting our server. Some confirmed Spam I reviewed failed no other tests other than sniffer.

Now I am trying to figure out how to revise my weighting so I do not have so much to review in the hold folder. We have weight of 20 for hold and 30 for delete. We run about 18 filters, all weighted. I want more deletes and less to review in the hold folder daily! Sniffer is picking up a lot of false positives too and I know I need to get reporting with them and taking advantage of their custom config files for my license. I use Tom's updated list ongoing for our blacklist from file and it is a big help.

Is anyone willing to share their global.cfg who are using sniffer, weighting, and their effective black and white lists that are working out well for them? You can e-mail me off list [EMAIL PROTECTED].

Thanks.

Don Schreiner
CompBiz, Inc.
www.compbiz.net
407-322-8654
800-408-3688

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Tuesday, January 21, 2003 6:47 PM
To: JunkMail List
Subject: [Declude.JunkMail] Our filter fromfiles.

Hi;

In case you are interested, we have created a simple Access database that contains all of our entries for our fromfile and filter files.

Since it is all in the database we thought we can simply replicate it with the web site and provide it to all to use or consider. You may want to visit:

http://www.ClickandPledge.com/Support/Mail

The categories are all separated since we have a different file for each filter type.

Just for the records:

We hold on weight 20 so all weights are based on this weight.

FreeeMail list - should not be used as a blacklist but a weight list. We add 5 to this list. This list does not contain Hotmail.com or Yahoo.com. It has other (Yahoo.com.tw) domains.

Hope it helps...

Regards,
Kami
[Declude.JunkMail] Filter tests info in log
I wanted to see if anyone knew what the number meant behind the Filter test failures when listed in the log file. For example:

    message failed Filter_test (5)

We are trying to figure out which line in our filter test actually failed. We have logging set to LOW. I know if our test fails a fromfile test it lists in the header. Thanks for any aid.

___
Keith Johnson, MCP
Network Engineer
Network Advocates, Inc.
Tel: 502.412.1050
Fax: 502.412.1058
Email: [EMAIL PROTECTED]
"Good pings come in small packets"
Re: [Declude.JunkMail] Filter tests info in log
> I wanted to see if anyone knew what the number meant behind the Filter test failures when listed in the log file. For example: message failed Filter_test (5) We are trying to figure out which line in our filter test actually failed. We have logging set to LOW. I know if our test fails a fromfile test it lists in the header. Thanks for any aid.

The number in the parentheses is the line number that caused the E-mail to fail the filter.

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filter tests info in log
The (5) refers to the line number of the test in the filter file that failed.

Stu

At 12:05 PM 01/22/2003 -0500, you wrote:

> I wanted to see if anyone knew what the number meant behind the Filter test failures when listed in the log file. For example: message failed Filter_test (5) We are trying to figure out which line in our filter test actually failed. We have logging set to LOW. I know if our test fails a fromfile test it lists in the header. Thanks for any aid.
>
> ___
> Keith Johnson, MCP
> Network Engineer
> Network Advocates, Inc.
> Tel: 502.412.1050
> Fax: 502.412.1058
> Email: [EMAIL PROTECTED]
> "Good pings come in small packets"

-
CSOnline Technical Support hours - Monday thru Saturday 7am - 1am
CSOnline Technical Support Numbers
Seneca 814-677-2447
Clarion 814-227-3638
Meadville 814-425-1696
Parker 724-399-1158
http://www.csonline.net
http://www.cshowcase.com
http://www.learncenter.com
[Declude.JunkMail] Hello
Hi all,

I am new to the list and am hoping that you can help me with a problem I am having:

We have several hundred employees all over the USA. Some of these people use various means of connecting to the internet, some ISDN, Cable, DSL, dialup. Every once in a while, I get a call from one of these employees stating that when they send email through our server, our mail server is not forwarding on the message to the recipient.

I have discovered in several cases that the IP address they are using is in a spam database. My Question is this: Is there a way to ignore the Spam Weighting if they have an account on the system?

Thanks.
Jay
Re: [Declude.JunkMail] Hello
> I have discovered in several cases that the IP address they are using is in a spam database. My Question is this: Is there a way to ignore the Spam Weighting if they have an account on the system?

No. However, in this case, you may want to re-consider the settings for outgoing E-mail (in the global.cfg file). For example, if you are blocking outgoing E-mail based on the total weight (such as the WEIGHT10 test), you may want to change it to a higher value (blocking based on the WEIGHT20 test, for example).

-Scott
[Declude.JunkMail] Ideas on a way to use the AUTOWHITELIST option to allow spam to come through?
The AUTOWHITELIST option that we are adding to Declude JunkMail will automatically check incoming E-mail against a user's address book, and whitelist E-mail if the return address is listed in the address book.

It would be nice for some of our customers to allow users to add an entry to their address book that would allow all spam to come through, for those people that don't want any spam protection.

Someone suggested using [EMAIL PROTECTED] to whitelist all incoming E-mail, but all.com is a valid domain name, and we would prefer not to use it for this purpose.

Would [EMAIL PROTECTED] work well for this (so that a user could add [EMAIL PROTECTED] to their address book to allow spam through), or would a different address be better ([EMAIL PROTECTED]), or perhaps a name instead (Send Spam [EMAIL PROTECTED])?

-Scott
[Declude.JunkMail] NOPOSTMASTER:Re:F-Prot Error
Hi Scott,

Have you ever seen this error message. It now pops out occasionally in my server. I'm running the latest F-Prot software.

    C:\Progra~1\FSI\F-Prot\F-Prot.exe x#=0D, CS=01CD IP=5703. The NTVDM CPU has encountered an unhandled exception. Choose 'Close' to terminate the application.

Thanks,
Tito
Re: [Declude.JunkMail] Re:F-Prot Error
> Have you ever seen this error message. It now pops out occasionally in my server. I'm running the latest F-Prot software. C:\Progra~1\FSI\F-Prot\F-Prot.exe x#=0D, CS=01CD IP=5703. The NTVDM CPU has encountered an unhandled exception. Choose 'Close' to terminate the application.

A few people have reported seeing that -- I would recommend using the fpcmd.exe file instead (which is part of the Windows version of F-Prot), as it is a 32-bit program that avoids NTVDM.

-Scott
[Declude.JunkMail] Limit on filter file name?
Scott:

Is there a limit on the filename size for Declude JM? I have a feeling that a long filename is not being read. I will do more debugging but here is the filename for one filter file.

    IMail_Filter_URLinBody.txt

Just curious..

Regards,
Kami
[Declude.JunkMail] Weight is Integer ..
Sorry.. the last post about the filename was not the issue causing the problem.

It seems like if the weight is put as a real number (20.00) the system somehow passes over it and does not detect the rest. The database output was creating:

    MAILFROM 20.00 CONTAINS inkjet

apparently that causes big big problems.

Oh well... it is fixed.

Regards,
Kami
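The two points raised in the messages above (the number in parentheses in the log is the failing filter-file line, and a weight written as 20.00 breaks filtering) can be checked offline. The following is an added example, not Declude's code or any poster's; it assumes the FIELD WEIGHT OPERATOR TEXT layout of the one filter line quoted above, that lines starting with # are comments, and that the logged number counts physical lines. The sample file is constructed.

```python
import re

# Assumed layout, taken from the single filter line quoted in the thread:
#   <FIELD> <WEIGHT> <OPERATOR> <text...>   e.g.  MAILFROM 20 CONTAINS inkjet
INT_WEIGHT = re.compile(r"^[+-]?\d+$")

# Constructed sample filter file (field names other than MAILFROM are
# illustrative; the linter does not validate them).
SAMPLE_FILTER = """\
# constructed sample filter file
MAILFROM 5 CONTAINS toner
BODY 10 CONTAINS refinance
MAILFROM 20.00 CONTAINS inkjet
SUBJECT 8 CONTAINS cartridge
SUBJECT CONTAINS broken
"""


def lint_filter(text):
    """Return (line_no, problem, raw_line) for every suspicious line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        parts = line.split(None, 3)
        if len(parts) < 4:
            findings.append((line_no, "expected FIELD WEIGHT OPERATOR TEXT", raw))
            continue
        weight = parts[1]
        if not INT_WEIGHT.match(weight):
            # The failure mode Kami describes: a real number such as 20.00.
            findings.append((line_no, f"weight {weight!r} is not an integer", raw))
    return findings


def failed_filter_line(log_line, filter_text):
    """Map 'failed <TEST> (<n>)' to physical line n of the filter file.

    Assumption: the logged number counts every line, comments included.
    """
    m = re.search(r"failed\s+(\S+)\s+\((\d+)\)", log_line)
    if not m:
        return None
    test, line_no = m.group(1), int(m.group(2))
    lines = filter_text.splitlines()
    if not 1 <= line_no <= len(lines):
        return (test, line_no, None)           # log points past end of file
    return (test, line_no, lines[line_no - 1])


if __name__ == "__main__":
    for finding in lint_filter(SAMPLE_FILTER):
        print(finding)
    print(failed_filter_line("message failed Filter_test (5)", SAMPLE_FILTER))
```

Running the linter on generated filter files before deploying them catches the formatting problem before the mail server silently skips entries.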
Re: [Declude.JunkMail] Limit on filter file name?
> Is there a limit on the filename size for Declude JM? I have a feeling that a long filename is not being read. I will do more debugging but here is the filename for one filter file. IMail_Filter_URLinBody.txt

Are those actually underscores, or could they be spaces (which might be an issue)? There shouldn't be a noticeable limit as to the file size.

-Scott
Re: [Declude.JunkMail] Ideas on a way to use the AUTOWHITELIST option to allow spam to come through?
> It would be nice for some of our customers to allow users to add an entry to their address book that would allow all spam to come through...

We use *@example.com (everyone at one domain) and * (everyone at all domains) in our custom app, which uses aliases.txt as a whitelist. (Yes, IMail will allow these values to be saved from the web interface.)

-Sandy
Re: [Declude.JunkMail] Limit on filter file name?
Wrong Person.

I asked:

Hi there,

We seem to be having a problem with the current configuration of the Declude Junk Mail filter. If one of our employees sends an email from his wherever he has a routable ip address that is on one of the Blacklists by no fault of his own. Declude marks it as spam and doesn't send it.

Is there a way that if the sender is a recognized user of our mail system to ignore all spam filters?

Thanks,
Jay Calvert
Canspec Group, Inc.

----- Original Message -----
From: Kami Razvan
To: JunkMail List
Sent: Wednesday, January 22, 2003 2:27 PM
Subject: [Declude.JunkMail] Limit on filter file name?

Scott:

Is there a limit on the filename size for Declude JM? I have a feeling that a long filename is not being read. I will do more debugging but here is the filename for one filter file.

    IMail_Filter_URLinBody.txt

Just curious..

Regards,
Kami
Re[2]: [Declude.JunkMail] Hello
Descriptive Subject lines will get you much better answers, but Scott's already gotten back to you.

> Is there a way that if the sender is a recognized user of our mail system to ignore all spam filters?

You mean if the sender impersonates a recognized user (like so many spammers do)?

As Scott said, adjust your weights, or (a) if you know the particular IP address, and it's just one host on a Class C or something like that, whitelist it; (b) if he's getting roaming access from a blacklisted ISP, tell him to get a new ISP.

-Sandy
[Declude.JunkMail] Debugging a filter file with the Pro version
Scenario: Current filter file has several hits on a given e-mail message, and as a result with other tests, the HOLD weight is reached.

On examining the held message and the Declude log (LogLevel MID), the total weight reached for the filter file is too high to match any single entry. The Declude log entry only shows the line number of the last test that matched (a hit).

After editing the message and/or the filter file and cranking up the loglevel to watch what happens, how can I replay Declude JunkMail on this message?

I've tried excerpting all the previous headers inserted by JunkMail, then moving the correct D*.smd and Q*.smd files from \imail\spool\spam to \imail\spool and then telling the IMail administrator program to Send One. JunkMail fires off, and the message gets delivered right away, but the message is not analyzed again, it is simply delivered.

Much obliged,
Andrew 8)
Re: [Declude.JunkMail] Debugging a filter file with the Pro version
> After editing the message and/or the filter file and cranking up the loglevel to watch what happens, how can I replay Declude JunkMail on this message? I've tried excerpting all the previous headers inserted by JunkMail, then moving the correct D*.smd and Q*.smd files from \imail\spool\spam to \imail\spool and then telling the IMail administrator program to Send One. JunkMail fires off, and the message gets delivered right away, but the message is not analyzed again, it is simply delivered.

The problem here is that Declude will only scan E-mail as it arrives, to prevent the possibility of scanning the same message multiple times (which also allows delivery of held messages, for example).

In order to have Declude scan it again, you would need to send the E-mail via SMTP again. In this case, it might be easiest to cut and paste the body of the E-mail into a mail client, which could then send the E-mail. It wouldn't have the original headers, but if you are mostly filtering on the body of the E-mail, it should work.

-Scott
[Declude.JunkMail] Declude Gone Wild
Today I had an instance where all my mail started being held as SPAM. 99% of it was legit mail. At first I thought it may be a sniffer problem as that was installed within the last week. Attached is a snippet of logs that shows declude over and over testing a piece of mail.

I disabled Sniffer at approximately 2:30pm today. Reviewing the logs now seems to show that declude is still repeating the behavior below *substantially* less though.

I am running Declude 1.63. Any thoughts?

//INITIAL PROBLEM
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN.
01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail
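A log in the format of the snippet above can be checked mechanically for messages that were tested more than once. This is an added example, not part of the original post or of Declude; the queue IDs and the 192.0.2.36 address in the sample are constructed, and it assumes a single scan pass logs each test at most once per message.

```python
import re
from collections import Counter, defaultdict

# One entry per line, in the format shown in the post above.
LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<qid>Q[0-9a-f]+) Msg failed (?P<test>\S+) "
    r"\((?P<detail>.*)\)\. Action=(?P<action>[A-Z]+)\.$"
)
WEIGHT = re.compile(r"Weight of (-?\d+) reaches or exceeds the limit of (-?\d+)")

# Constructed sample entries modelled on the log in the post.
CYCLE = [
    "Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?192.0.2.36). Action=WARN.",
    "Msg failed REVDNS (This E-mail was sent from a MUA/MTA 192.0.2.36 "
    "with no reverse DNS entry.). Action=WARN.",
    "Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD.",
    "Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE.",
]


def build_sample():
    """Constructed log: one message tested three times, one tested once."""
    ts = "01/22/2003 09:56:35"
    lines = [f"{ts} Q1111111100000001 {c}" for c in CYCLE * 3]
    lines += [f"{ts} Q2222222200000002 {c}" for c in CYCLE[:2]]
    # Truncated final entry, as at the end of the pasted snippet.
    lines.append(f"{ts} Q1111111100000001 Msg failed BADHEADERS (This E-mail was sent from a broken mail")
    return "\n".join(lines)


def parse_log(text):
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:                                  # blank or truncated lines are skipped
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Per queue ID: number of scan passes, tests failed, last total weight."""
    per_msg = defaultdict(Counter)
    weights = {}
    for e in entries:
        per_msg[e["qid"]][e["test"]] += 1
        w = WEIGHT.search(e["detail"])
        if w:
            weights[e["qid"]] = int(w.group(1))
    return {
        qid: {
            # Assumption: each pass logs a test once, so the highest
            # per-test count is the number of passes over the message.
            "passes": max(tests.values()),
            "tests": sorted(tests),
            "weight": weights.get(qid),
        }
        for qid, tests in per_msg.items()
    }


def rescanned(report, threshold=2):
    """Queue IDs that were tested at least `threshold` times."""
    return sorted(q for q, r in report.items() if r["passes"] >= threshold)


if __name__ == "__main__":
    report = summarize(parse_log(build_sample()))
    for qid in rescanned(report):
        print(qid, report[qid])
```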
[Declude.JunkMail] NOPOSTMASTER:Log Files
Hi Scott,

Feature request: instead of dec.log, can the log file name be more configurable like decMMDDHH.log. When I do a debug, the log files get very big and it is too cumbersome to open. If the 'HH' is included, at least the log files are broken down to hourly logs.

Thanks,
Tito