that should work to give zero weight from the backup servers (if done by IP
and not by name).
Karen Oland
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
> (Lists)
> Sent: Thursday, September 25, 2003 5:57 PM
> To: [EMAIL PROTECTED]
> S
Mike,
That issue with PayPal is a scripting error on their part, and it is an
invalid link in HTML. I have only seen one semi-legit outfit using
obfuscation in URLs, but this was a contest opt-in site that would then
turn around and sell your address (that was their business) so I don't
care
Ok. This spam is scary. It has my actual home address and phone
number. I'm guessing they cropped it from WHOIS maybe... but that
wouldn't make sense since many WHOIS contacts are technical people that
wouldn't fall for this.
They did get it from WHOIS -- the "123 123 1234" gives it away. It
John,
DLAnalyzer has the capabilities you are looking for in the enterprise
version and much more. With the advanced reporting capabilities it can get
even more granular than what you are requesting.
Check it out at http://www.dlanalyzer.com and make sure you request the
unrestricted trial
Ok. This spam is scary. It has my actual home address and phone number. I'm guessing they cropped it from WHOIS maybe... but that wouldn't make sense since many WHOIS contacts are technical people that wouldn't fall for this. Anyone else get this variation of the typical financial fraud with your
I've been filtering on supposed HTTP links that start with something like
this:
HTTP://%W%/
But I understand now that there is some encoding going on, but I don't know
why anyone would use such a URL, so I block it.
However, I notice companies like PayPal and eBay have links like this in the
bod
Dave Marchette wrote:
>Sawmill seems enthusiastic
I use Sawmill to analyze both Imail and Declude logs. The author, Greg Ferrar, is
very responsive to adding log formats. I'm not sure how he is about custom test
types, though. Can't hurt to ask. Especially if a lot of us are users and appro
Sawmill seems enthusiastic to make custom changes to their Imail log module, based on
customers' needs. They have indicated this on both the Declude and Imail log modules.
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 5
> Everybody's experiences with spam test, including DNS based tests, are going
> to be different. Why be so hesitant to try a test to see how it works for
> you. Simply setup the test in your global.cfg and set the action to IGNORE
> or LOG, that way you can evaluate the test results without impa
Everybody's experiences with spam test, including DNS based tests, are going
to be different. Why be so hesitant to try a test to see how it works for
you. Simply setup the test in your global.cfg and set the action to IGNORE
or LOG, that way you can evaluate the test results without impacting yo
John:
You actually are using some I was not so thanks for posting that. About the
only one that I am using that you are not is NJABL (see entry below). It
does not catch very many per day - about the same amount as ORDB.
NJABL ip4r dnsbl.njabl.org 127.0.0.2 5
Scott,
If I have a REVDNS, HELO line in a filter does it honor the HOP and IPBYPASS
settings? If it does not then that would be confusing for setting up filters
because they would be using different information than the DNS based tests.
Kevin Bilbee
> -Original Message-
> From: [EMAIL PR
If I have a REVDNS, HELO line in a filter does it honor the HOP and IPBYPASS
settings? If it does not then that would be confusing for setting up filters
because they would be using different information than the DNS based tests.
The REVDNS and HELO filter types look at just the reverse DNS entry a
John,
Just to clarify, the division is related to circumstance and experiences
rather than what is best globally. There is no global answer that is
the best answer in every circumstance. I use IS because it is more
conservative and I have already seen about 4 such violators in the last
year
The IPBYPASS and HOP settings are for the DNS based tests, not for filters.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Kevin Bilbee
> Sen
If you use IPBYPASS and HOP settings then why do you need to use a negative
weight for your own IP addresses? They should never be seen by the test.
Or am I missing something??
Kevin Bilbee
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John Tolmacho
> Just an idea. In addition to negative scoring in NOLEGITCONTENT and
> IPNOTINMX not failing (and crediting points in many configurations), could
> it be possible that you have some negative weight tests in your WORDFILTER
> file? Declude will only mark one instance of a filter line in the logs even
> i
It appears there is a division, those that feel CONTAINS or ENDSWITH should
be used, and those that feel IS should be used.
I am going to try using ENDSWITH while subtracting weight for my backup MX.
I do not whitelist that IP, as Scott has before recommended not doing that,
and I agree. Rather, I
conversely, I have lots of legit mail that fails it.
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
Sent: Thursday, September 25, 2003 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MPCM?
Scott MacLean wrote:
*sigh* you'
Do you have any lines in wordfilter that use negative weight? Only the last
one that "failed" is usually shown in the header (could be more that failed).
Karen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Scott MacLean
Sent: Thursday, September 25, 2003 4
> If you view the source of the E-mail, are there any HTML comments
> (v1.75 or
> later is needed to filter E-mail with anti-filter HTML comments)?
And if HTML or base64, don't you have to make sure you didn't add DECODE OFF
in the global.cfg?
---
[This E-mail scanned for viruses by Declude Viru
At 05:10 PM 09/25/2003, Matthew Bramble wrote:
Scott MacLean wrote:
*sigh* you're right again, Scott.
Still doesn't explain why it's not catching my previous wordfilter lines.
I'm going to watch this one some more.
Keep checking your math for the other message :)
NOLEGITCONTENT nolegitcontent
Which is why you subtract points for true IP's of your own servers (to
compensate for the other lines catching the domain name)!
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, September 25, 2003 3:21 PM
To: [EMAIL P
Scott MacLean wrote:
*sigh* you're right again, Scott. Still doesn't explain why it's not
catching my previous wordfilter lines. I'm going to watch this one some
more.
Keep checking your math for the other message :)
NOLEGITCONTENT nolegitcontent x x 0 -5
Subtract that from 9 and i
At 04:35 PM 9/25/2003, R. Scott Perry wrote:
No
HTML comments at all.
Are you running Declude JunkMail Pro ("\IMail\Declude -diag"
from a command prompt will show you which version you are running)?
Are you positive there are no HTML comments (can you see HTML codes in
other E-mails that use HTML
Just an idea. In addition to negative scoring in NOLEGITCONTENT and
IPNOTINMX not failing (and crediting points in many configurations),
could it be possible that you have some negative weight tests in your
WORDFILTER file? Declude will only mark one instance of a filter line
in the logs even
Are there any spaces/tabs after "MPCM" on that line? Does the line end
properly (if it is the last line in the file, and you use Notepad, can
the cursor go to the line below it)?
The lines are fine - no spaces/tabs, and they are in the middle of the file.
If you view the source of the E-mail,
At 04:03 PM 9/25/2003, R. Scott Perry wrote:
Are there any spaces/tabs after "MPCM" on that line? Does the line end
properly (if it is the last line in the file, and you use Notepad, can the
cursor go to the line below it)?
The lines are fine - no spaces/tabs, and they are in the middle of the
fi
Not sure on that one, but you could also use the
SPAMDOMAINS test in declude. It's very handy.
Jason
- Original Message -
From: Scott MacLean
To: [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:59 PM
Subject: [Declude.JunkMail] MPCM?
I am getting TON
That's definitely something that I will continue to consider if I start
to see it happening. Right now I prefer it without so that it doesn't
tag (but not score) the known exclusions, which at least makes testing
easier for me. It also protects from customers that manage their own
DNS from se
I think I referenced that :)
Bill Landry wrote:
Not necessarily. The [xxx.xxx.xxx.xxx] format is a valid and legit hostname
syntax.
Bill
- Original Message -
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 25, 2003 12:24 PM
Subject: Re: [D
I am getting TONS of this crap on my server. All kinds of different
messages, all with the little "MPCM" blurb at the top. I set up two
filters in my Wordfilter test to catch it:
BODY 10 CONTAINS mpcmffa.com
BODY 10 CONTAINS MPCM
Are there any spaces/tabs after "MPCM" on that line? Does the li
Not necessarily. The [xxx.xxx.xxx.xxx] format is a valid and legit hostname
syntax.
Bill
- Original Message -
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 25, 2003 12:24 PM
Subject: Re: [Declude.JunkMail] Another very effective filter test
Maybe so, but why exclude yourself to flagging
other forged combinations of your hostname/domain name? I would still
suggest using either CONTAINS or ENDSWITH so that you can catch all of the
various combinations that spammers might use.
Bill
- Original Message -
From:
Mat
John, you should whitelist the IP addresses of your
gateways and backup mail exchangers, since you control those systems and because
it is very difficult to spoof IP addresses. That way you will not run into
problems with blocking mail from your own systems.
The other thing to consider is tha
I am getting TONS of this crap on my server. All kinds of
different messages, all with the little "MPCM" blurb at the
top. I set up two filters in my Wordfilter test to catch it:
BODY 10 CONTAINS mpcmffa.com
BODY 10 CONTAINS MPCM
However, it is not catching it - in fact, the only wordfilter entry
You should exclude your backup MX servers. This follows along the
lines of using IS instead of CONTAINS or ENDSWITH. It's better IMO to
have the test not score known exclusions along with spoofers of those
known exclusions rather than just applying a score to anything. I'm
scoring at 70% of
John,
I think you might be confusing what HELO really is, and what the HELO
filter searches. The HELO filter only searches the hostname that is
sending and not the IP address that it is sending from unless it is
configured to use the IP as the hostname (which is rare and will trigger
other te
I am blocking weight 10. I think that is what did it.
Thanks for your help.
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Header Questions - Job Applicant System
Messages
Bill,
The first example is what I did. BTW, I have found from monitoring
that most (all so far) spammers just simply use what appears after the
@ symbol instead of having something lookup the MX every time.
Matt
Bill Landry wrote:
Matt, what the spammers do is use the names
In this filter test, will using HELO be the same if sending server uses
EHLO, or would we need a line EHLO also?
Declude treats both HELO and EHLO SMTP commands exactly the same. So "HELO
0 CONTAINS .example.com" will catch E-mail from both "HELO
mail.example.com" and "EHLO mail.example.com".
But then that would cause a problem, as I believe Karen had pointed out, when
you have a backup MX that sends to the primary.
Then again, 7 is only about 1/3 of my hold weight.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
In this filter test, will using HELO be the same if sending server uses
EHLO, or would we need a line EHLO also?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTE
Matt, what the spammers do is use the names that
are listed as your MX records as their HELO name, so if your domain is abc.com,
but you have your MX records set up as mx1.abc.com and mx2.abc.com, then you will
either want to use:
HELO 0 IS mx1.abc.com
HELO 0 IS mx2.abc
Can't the HELO contain both a FQDN and IP address?
No. The HELO/EHLO data can contain either a FQDN or a "domain literal"
(such as a properly formatted IP), but not both. So "HELO example.com",
"EHLO mail.example.com", "HELO [192.0.2.25]" are all OK, but "HELO
192.0.2.25" is not (not properly
Hi Scott.
I am not blocking any of those...that is what is sooo strange.
Here is my .cfg file to prove. So if not "holding", then why did it
block?
Thanks.
Sam
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:32 PM
To: [EMAIL PROT
I am not blocking any of those...that is what is sooo strange.
I didn't think you were holding on any of those. :)
Here is my .cfg file to prove. So if not "holding", then why did it
block?
Where did you find the E-mail?
-Scott
Can't the HELO contain both a FQDN and IP address?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubs
Below are the headers from one of the blocked messages. Why is it
blocking it?
X-Spam-Tests-Failed: IPNOTINMX, REVDNS, SPAMHEADERS [7]
Because it failed the IPNOTINMX, REVDNS, and SPAMHEADERS test -- and you
have one of those set to use the HOLD action.
The IPNOTINMX isn't important -- lots of
John,
I assume that if someone is going to spoof part of my domain, they
won't add fake stuff to the front of it. If they started, I would
change my methods to yours possibly, but I would then need to provide
exceptions for where my domains are validly used on other servers, such
as my MS SMT
Hello All.
Below are the headers from a message that was "Held" by declude.
This comes from an in-house system that generates email message
confirmations for job applicants. The system runs on a Web server that
generates the message and sends the message. The job applicant system
uses an addr
It's a limitation in the filtering capabilities. I certainly don't
want to do that, but there is no way around it. You just have to keep
that in mind when scanning the headers after seeing this test tripped.
The way you had it written, it would be tripped just as often, but it
would have cre
> despite the lack of scoring. I'm using some other tweaks such as doing
> an IS instead of CONTAINS for the FQDN, and listing the addresses with
> and without the mail. in front of my domains since my MX records use the
> mail. subdomain.
Actually, would it not be better to use ENDSWITH rather t
With the loss in the last month of several spam lists, I am reviewing what I
have been using.
This is the current list. Any recommendations on additions?
DSBL ip4r list.dsbl.org * 6 0
ORDB ip4r relays.ordb.org *
> Actually, you want to apply the weight in the Global.cfg, 7 in this
> case, and then all of your positives should be listed as 0 in the filter
> file and the Mozilla exception should be scored as a -7. The way it is
> now, it will credit 7 points to any message claiming to be Mozilla
> generated
It might also be a good idea to remove my domains from your files :) I
thought my mail client would use the version saved at the time attached
instead of grabbing them when I sent the E-mail...
Matt
Matthew Bramble wrote:
Actually, you want to apply the weight in the Global.cfg, 7 in this
Actually, you want to apply the weight in the Global.cfg, 7 in this
case, and then all of your positives should be listed as 0 in the filter
file and the Mozilla exception should be scored as a -7. The way it is
now, it will credit 7 points to any message claiming to be Mozilla
generated, and
On that same subject, I wonder if the same computers affected with Sobig are
the ones sending out Swen?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On
So, to review, the filter should look like this, correct:
FORGEDHELO-FILTER filter M:\IMail\Declude\ForgedHelo-Filter.txt x 0 0
# To deduct weight for the Netscape issue
HEADERS -7 CONTAINS mozilla
# In case you have mail gateways, deduct equal weight for these hosts
HELO -7 ENDSWITH gw1.yo
It appears the Sobig.F remailer capabilities are being used. I have
received 4 complaints in the last 2 days about spamming from my dial
pool with headers like these:
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: x
Received: (qmail 14974 invoked by uid 88); 24 Sep 2003 03:39:33 -
Received: f
|> There's the root of the problem: spamming works.
|
|
|Well, for me it looks like spam defense also works :)
|Calculate it how you want: Spam defense works!
|The question is how good it works without publicly available
|spam blacklists.
I think pretty well... (I'm biased).
Scott publishes monthl
> There's the root of the problem: spamming works.
Well, for me it looks like spam defense also works :)
We've processed 37347 incoming messages in the last 14 days. 17878 of
them were held as spam.
Our operators manually check for false positives and have requeued 15
messages in 14 days.
I don
Yeah, we're aware of that one also. And other than one glitch in receiving
mail, we haven't experienced any problems receiving mail (with one exception
below). Of course, you never know when you don't receive something unless
it was sent by someone important.
The only company that we're aware o
Reply to: Keith Anderson
Re: [SPAM-BADHEADERS][Declude.JunkMail] Five Ten List on Thursday 9:14:19 AM
We used to be on Qwest and had the same problem. Outgoing was not a
problem, but incoming was. The worst we saw of an RBL blocking whole
providers was BLARS which appears to block whole prov
Especially if the mail server is behind any decent firewall.
> The problem here is that E-mail will almost never come from those
> IPs. Spoofing a TCP/IP is extremely difficult to do, and
> Do you have over 200 whitelist entries in the global.cfg
> file? There is a
> limit of 200, after which some of the earlier ones will be
> overwritten.
aah, yeah. Many more than 200. Possibly 1500. What is the length limit on
a filter.txt file? Perhaps I can do the dirty work there instead
One of our upstream providers is Qwest, and we have the same problem.
However, everyone seems to be aware of the SPAM-SUPPORT flaw because it has
never prevented us from getting mail to anyone.
> My server is blocked by five-ten because the author doesn't
> like Broadwing? I am immediately going
There's the root of the problem: spamming works. If they didn't make money
from spam, they wouldn't do it. Apparently the 1% that are still ignorant
about spam make it worthwhile to anger the 99%. (I wonder what the real
ratio is?)
> I tend to forget that to me it's an annoyance and
> that t
My server is blocked by five-ten because the author doesn't like Broadwing? I am
immediately going to quit using the five-ten lists because I don't know who else this
gentleman doesn't like.
The response is:
IP address 67.99.44.6 is listed here as broadwing.net spam-support. Please note that
t
> Do you have over 200 whitelist entries in the global.cfg
> file? There is a
> limit of 200, after which some of the earlier ones will be
> overwritten.
aah, yeah. Many more than 200. Possibly 1500. What is the length limit on
a filter.txt file? Perhaps I can do the dirty work there instead
We upgraded to imail 8.03 yesterday, all was well. I come in this morning,
and try running Delog to scan yesterday's logfile. It can't open. Weird, so I
try to open it in notepad, get "Too large for notepad". The file is 4 GB in
size! What happened? Normally 20MB or so, but as of 8PM, last modif
Color me stupid
I deleted the log file for today, and let Declude recreate it. After 5
minutes the file was up to 112K! So, I opened notepad, and waited..
finally opened, and I saw a bunch of lines:
Unknown test type in
ARGH! When I edited out entries in our killfile yesterday, I cr
Running 1.75. Yeah, I did this first, but added the others when this one
didn't work. It doesn't seem to be working on this particular email.
Do you have over 200 whitelist entries in the global.cfg file? There is a
limit of 200, after which some of the earlier ones will be overwritten.
I meant to add I did run DECLUDE.EXE after the install, and stop/start the
smtp service. When I left yesterday, I had checked the log to see that it
was functioning properly, and it was logging just fine. Logging is set to
LOW.
Sorry for the lack of info there, I don't like surprises first thing i
> > >WHITELIST FROM @bbc.reply.tm0.com
> > >WHITELIST FROM @bbs.co.uk
> > >WHITELIST FROM @bbcdailyemail.reply.tm0.com
> > >WHITELIST FROM @bounce.lodo.exactis.com
> > >
> > >yet it still tagged it as spam.
> >
> > > X-Declude-Sender: [EMAIL PROTECTED]
> > [64.210.92.56]
> >
> > The "WHITELIST FRO
Scott, anyone... HELP!
We upgraded to imail 8.03 yesterday, all was well. I come in this morning,
and try running Delog to scan yesterday's logfile. It can't open. Weird, so I
try to open it in notepad, get "Too large for notepad". The file is 4 GB in
size! What happened? Normally 20MB or so, bu
> >WHITELIST FROM @bbc.reply.tm0.com
> >WHITELIST FROM @bbs.co.uk
> >WHITELIST FROM @bbcdailyemail.reply.tm0.com
> >WHITELIST FROM @bounce.lodo.exactis.com
> >
> >yet it still tagged it as spam.
>
> > X-Declude-Sender: [EMAIL PROTECTED]
> [64.210.92.56]
>
> The "WHITELIST FROM @bounce.lodo.exact
Exactly what field(s) does WHITELIST FROM work on?
"Note that "WHITELIST FROM" will whitelist a return address (like IMail
does in the Kill List), which may be different from the From: or Reply-To:
addresses. You need to look at the X-Declude-Sender: header (if you use the
XSENDER ON option) or
Scott, I've seen some FP's (or possibly rather just simply legit mail)
tagged for BASE64 coming from AOL 8 (maybe others) when there is an
attachment and no text in the body of the message. I'm wondering if this
is possibly a bug in the BASE64 test, and if so, could/should it be fixed?
It is p
Exactly what field(s) does WHITELIST FROM work on?
The header (at the bottom) is an example of an email that I want to
whitelist.
These are the whitelist commands I've got in my GLOBAL.CFG:
WHITELIST FROM @bbc.reply.tm0.com
WHITELIST FROM @bbs.co.uk
WHITELIST FROM @bbcdailyemail.reply.tm0.com
W