[Declude.JunkMail] eBay - scam..

2003-10-02 Thread Kami Razvan

Hi;


An interesting email was just caught with a barely hold value.


It is asking for the recipient to click to update their eBay records. The only URL in the body that is suspicious is: info-update-ebay.com

The Whois is anything but eBay.


The email has full eBay logo and TRUSTe information - coming with links from eBay.


This is the way the email starts..



Your eBay account is in jeopardy! To secure your account please continue by clicking the link below.

Secure your eBay account now!

=

Has anyone else seen this? You may want to filter that URL.

Regards,

Kami
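The check Kami describes, as an added example that is not part of the original post: it pulls the URLs out of a message body and flags any host that names a brand without sitting under a domain the brand owns. The brand table, the naive last-two-labels domain split and the sample body (everything except info-update-ebay.com) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands to protect and the registered domains they really own.
BRAND_DOMAINS = {"ebay": {"ebay.com"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host):
    """Naive split: last two labels. A production filter should use the
    Public Suffix List so that names under e.g. co.uk are handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_hosts(body):
    """Lower-cased hostnames of every http(s) URL in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            # .hostname drops any userinfo and port, leaving the real host
            host = urlsplit(url).hostname
        except ValueError:
            continue
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def lookalike_hosts(body, brands=BRAND_DOMAINS):
    """Return [(host, brand)] for hosts that use a brand name as a whole
    label or hyphen-separated word but are not under the brand's domain."""
    hits = []
    for host in url_hosts(body):
        # Whole-token match avoids flagging "thebay" for the brand "ebay";
        # the trade-off is that run-together names need a separate rule.
        tokens = set(re.split(r"[.-]", host))
        for brand, owned in brands.items():
            if brand in tokens and registered_domain(host) not in owned:
                hits.append((host, brand))
    return hits


# Constructed sample: genuine-looking eBay links around the one bad URL.
SAMPLE_BODY = """\
<img src="http://pics.ebay.com/logo.gif">
Your eBay account is in jeopardy! To secure your account please continue
by clicking the link below.
<a href="http://info-update-ebay.com/">Secure your eBay account now!</a>
<a href="http://pages.ebay.com/help/">Help</a>
<a href="http://www.thebay.example/">unrelated shop</a>
"""

if __name__ == "__main__":
    for host, brand in lookalike_hosts(SAMPLE_BODY):
        print(f"suspicious: {host} uses '{brand}' outside its own domains")
```
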





Re: [Declude.JunkMail] File contention issues?

2003-10-02 Thread R. Scott Perry

> Scott, recently we have been seeing issues like the following showing up in
> our JunkMail logs:
>
> 10/01/2003 13:55:49 Q3f1e019100dc64f4 WARNING: Could not unlock
> M:\IMail\spool\_3f1e019100dc64f4.~MD due to error #32.

The error #32 occurs when there is a sharing violation -- some file other
than Declude has locked the M:\IMail\spool\_3f1e019100dc64f4.~MD file that
Declude is processing.  This would normally happen if you have backup
software or possibly a virus scanner that is scanning the file.

> 10/01/2003 13:55:28 Q3f1e019100dc64f4 Error 183 creating temp directory
> M:\IMail\spool\D3f1e019100dc64f4.vir\.

This is a stranger one that a couple of people have reported.  It should be
impossible for this error to occur.  The problem is that when Declude Virus
goes to create the temporary directory
M:\IMail\spool\D3f1e019100dc64f4.vir\, it already exists.  This should only
be possible if either IMail duplicates filenames (which they say is not
possible with versions that use the longer file names), or IMail calls
Declude twice for the same E-mail (which shouldn't be possible).

It seems to only happen on servers with a very heavy load (close to the 
maximum that IMail can handle), which is the same situation that caused 
problems back when IMail could repeat filenames (back when it used the 
shorter filenames).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] eBay - scam..

2003-10-02 Thread Bill Landry



Yep, been catching this one for quite a while now. It is surprising,
however, that E-Bay has not gone after these guys since it is so blatant in
its attempt to steal E-Bay user account information.

Bill



Re: [Declude.JunkMail] File contention issues?

2003-10-02 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 5:11 AM
Subject: Re: [Declude.JunkMail] File contention issues?


> 10/01/2003 13:55:49 Q3f1e019100dc64f4 WARNING: Could not unlock
> M:\IMail\spool\_3f1e019100dc64f4.~MD due to error #32.
>
> The error #32 occurs when there is a sharing violation -- some file other
> than Declude has locked the M:\IMail\spool\_3f1e019100dc64f4.~MD file that
> Declude is processing.  This would normally happen if you have backup
> software or possibly a virus scanner that is scanning the file.

Nothing else outside of IMail and Declude should be locking the files since
we do not virus scan anything in or under the IMail directory, nor do we do
back-ups during the day (declude -diag has no problems creating and deleting
the eicar virus in the IMail directory).

> 10/01/2003 13:55:28 Q3f1e019100dc64f4 Error 183 creating temp directory
> M:\IMail\spool\D3f1e019100dc64f4.vir\.
>
> This is a stranger one that a couple of people have reported.  It should be
> impossible for this error to occur.  The problem is that when Declude Virus
> goes to create the temporary directory
> M:\IMail\spool\D3f1e019100dc64f4.vir\, it already exists.  This should only
> be possible if either IMail duplicates filenames (which they say is not
> possible with versions that use the longer file names), or IMail calls
> Declude twice for the same E-mail (which shouldn't be possible).
>
> It seems to only happen on servers with a very heavy load (close to the
> maximum that IMail can handle), which is the same situation that caused
> problems back when IMail could repeat filenames (back when it used the
> shorter filenames).

This server shouldn't be working all that hard, but we are in the process of
setting up a separate IMail/Declude relay server so we can off-load the spam
filtering and virus scanning from the IMail server hosting the e-mail
domains and accounts.

Can the other errors and issues that Declude was reporting simply be
ignored?  Things like:

JunkMail:
- ERROR: Could not move spam to hold
- Could not open envelope file
- Couldn't rename SMD to SM$
- Could not lock
Virus:
- Error starting scanner
- Couldn't open headers datafile
- Error opening mime file
- Error: 32 opening new datafile

Bill



RE: [Declude.JunkMail] eBay - scam..

2003-10-02 Thread Kami Razvan



I sent it to [EMAIL PROTECTED] and requested clarifications 
since we had not seen it before. Here is the response.

===
Thank you for contacting eBay's Trust and Safety Department about email
solicitations that are falsely made to appear to have come from eBay. These
emails, commonly referred to as "spoof" messages, are sent in an attempt to
collect sensitive personal information from recipients who reply to the
message or click on a link to a Web page requesting this information.

The email you reported did not originate from, nor is it endorsed by, eBay.
We are very concerned about this problem and are working diligently to
address the situation. We have investigated the source of this email and
have taken appropriate action. You may rest assured that your account
standing has not changed and that your listings have not been affected.

We advise you to be very cautious of email messages that ask you to submit
information such as your credit card number or your email password. eBay
will never ask you for sensitive personal information such as passwords,
bank account or credit card numbers, Personal Identification Numbers (PINs),
or Social Security numbers in an email itself. If you ever need to provide
information to eBay please open a new Web browser, type www.ebay.com, and
click on the "site map" link located at the top the page to access the eBay
page you need.

If you have any doubt about whether an email message is from eBay, please
forward it immediately to [EMAIL PROTECTED] and do not respond to it or
click on any of the links in the email message. Please do not change the
subject line or forward the email as an attachment.

So I guess they have filters that picked up that URL in their autoresponse.


Regards,
Kami




Re: [Declude.JunkMail] File contention issues?

2003-10-02 Thread R. Scott Perry

> Can the other errors and issues that Declude was reporting simply be
> ignored?  Things like:
> JunkMail:
> - ERROR: Could not move spam to hold
> - Could not open envelope file
> - Couldn't rename SMD to SM$
> - Could not lock
> ...

What usually happens here is that there is one problem that cascades into 
others.  For example, if a key file gets locked, then you may see an error 
as Declude JunkMail tries renaming it, and another as it tries moving it.

It seems that there may be an issue with IMail v8 that is causing these 
problems to crop up when a large volume of E-mail is processed, which we 
are going to be investigating in depth.

   -Scott


Re: [Declude.JunkMail] File contention issues?

2003-10-02 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

> It seems that there may be an issue with IMail v8 that is causing these
> problems to crop up when a large volume of E-mail is processed, which we
> are going to be investigating in depth.

Great, please keep us posted on your progress as I am very concerned about
potential e-mail corruption and possible e-mail loss.

Thanks,

Bill



RE: [Declude.JunkMail] eBay - scam..

2003-10-02 Thread Greg Foulks



WOW - Thanks for the info. I put a block on this website at the firewall so
just in case I have that one user that falls for it at least they are
protected while at work.

Greg




RE: [Declude.JunkMail] eBay - scam..

2003-10-02 Thread Andy Schmidt



not to speak of trademark and or copyright infringement (which is NOT a civil
matter - stakes are higher). These web sites are made to look exactly as the
"real thing", using their logo, etc.

I have reported many of these emails with all headers to them - and offered
logs etc and never got more than an automated reply. Not worth my time.

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

  



[Declude.JunkMail] getting bombed?

2003-10-02 Thread andyb



Is everyone getting bombed by spam, or is it just me?

CPU usage was at 100%, caused by multiple declude.exe processes running. I
rebooted, cleared the queue and it seems to be OK now.

Never had any issues until a couple of days ago.

Andy



[Declude.JunkMail] FW: [Declude.Virus] MS Security Patch Emails

2003-10-02 Thread Sharyn Schmidt
Is there any reason why you can't filter on common virus extensions?
This will cut down on many viruses.  It is common practice not to accept
exe, com, bat, pif, scr, and the list goes on...



I am nabbing the actual attachment that is the virus at the firewall
level, however the email itself is still coming in, just minus the
attachment. This is working as designed, however the email is DRIVING ME
CRAZY. I am still getting like 30 of these a day.

Any suggestions on how to get JM to nab that, without running the risk
of nabbing legit bulletins from MS?

Thanks,
Sharyn


We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged Best in the World at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


Re: [Declude.JunkMail] eBay - scam..

2003-10-02 Thread Webmaster Oilfield Directory



that's funny, i got one too and when i sent it to ebay security "team" they
got back to me the same day and thanked me for the report...

Sheldon




[Declude.JunkMail] What Happens with Multiple To addresses.

2003-10-02 Thread Royce Fessenden




What rules apply if an email is sent to several users only one of which has
custom settings?

For example: An email is sent to [EMAIL PROTECTED], [EMAIL PROTECTED] and [EMAIL PROTECTED]
The following files exist:
c:\Imail\Declude\$default$.junkmail
c:\Imail\Declude\example.com\$default$.junkmail (Which is identical to the global file c:\Imail\Declude\$default$.junkmail.)
c:\Imail\Declude\example.com\user2.junkmail

I want [EMAIL PROTECTED] to get the email. Everyone else should not get it.

I tried WHITELIST TO [EMAIL PROTECTED] in global.cfg. That also passed the
spam on to everyone else who is listed in the TO: address.

Royce Fessenden
System Administrator
417 831-9362, ext 142



RE: [Declude.JunkMail] Outbound test

2003-10-02 Thread Robert Grosshandler
Here's the conclusion to this, I think.

Alligate puts in headers in both incoming and outgoing email.
Declude runs tests, then ignores results, if whitelist is triggered.

So, I added some whitelist entries to Alligate, so it no longer tests the
email outgoing from my IPs.

Headers still get written, but now they don't shout SPAM at any subsequent
MTA / MUA.

Thanks.

Rob



All messages are scanned. Whitelisting prevents any action.

As for Alligate, the list has been taken down due to some problems.

Have you checked the Alligate log?


---
[This E-mail scanned for viruses by Declude Virus]



[Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Robert Grosshandler
Hi

Some large percentage of the spam we get comes to the backup MX and then is
relayed to the primary MX.  

Using Declude JM Standard, is there some test I can use to add additional
weight to any mail routed through my backup MX?

Thanks,

Rob


==
Robert N. Grosshandler
www.iGive.com
Turn shopping into Philanthropy



[Declude.JunkMail] whitelist

2003-10-02 Thread andyb



How do I white list all of my IP addresses?

The line I had in there is not working.

thanks, andy


RE: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Jeff Maze - Hostmaster
Use the IPBYPASS %sec mx ip% feature within the GLOBAL.CFG file.  It will
skip the ip address of your secondary mx record and run the check on the ip
address of the originating server.

IPBYPASS   xxx.xxx.xxx.xxx




Re: [Declude.JunkMail] whitelist

2003-10-02 Thread DLAnalyzer Support
Whitelisting supports CIDR notation.. 

I just grabbed this paragraph out of the manual, because it explains it 
better than I could. 

To whitelist an IP address, add a line WHITELIST IP 127.0.0.1 to the 
\IMail\Declude\global.cfg file (replacing 127.0.0.1 with the IP you wish to 
whitelist). If you wish to whitelist a range of IP addresses, such as 
127.0.0.0 through 127.0.0.255, you can do so by adding a line WHITELIST IP 
127.0.0. (which will whitelist any E-mails from mail servers with an IP 
address that contains 127.0.0.). You can also use a CIDR range, such as 
WHITELIST IP 127.0.0.0/8 or WHITELIST IP 192.0.2.0/24 (see the 
DNSstuff.com site's CIDR tool for assistance). 

Darrell

Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com 



andyb writes: 

How do I white list all of my IP addresses? 

The line I had in there is not working. 

thanks, andy
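
The matching rules in the manual paragraph quoted above, as an added example (not Declude code and not part of the original post). It assumes a partial entry is matched as plain text anywhere in the dotted address, as the word "contains" suggests, and that an entry with a slash is matched as a CIDR network; the 10.x and 110.x sender addresses are constructed.

```python
import ipaddress


def entry_matches(entry, ip):
    """True if a WHITELIST IP value would match the sending server's IP.

    Assumption: an entry containing "/" is a CIDR network; anything else is
    text that only has to be contained in the dotted-quad string.
    """
    if "/" in entry:
        network = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(ip) in network
    return entry in ip


def cidr_size(entry):
    """Number of addresses a CIDR entry exempts from filtering."""
    return ipaddress.ip_network(entry, strict=False).num_addresses


def overreach(entry, intended_cidr, candidates):
    """Candidates the entry whitelists although they lie outside the
    network the administrator actually meant to trust."""
    intended = ipaddress.ip_network(intended_cidr)
    return [ip for ip in candidates
            if entry_matches(entry, ip)
            and ipaddress.ip_address(ip) not in intended]


# Constructed sample senders; only the first is inside 10.1.1.0/24.
SENDERS = ["10.1.1.5", "10.1.10.5", "110.1.1.9", "10.2.1.1"]

if __name__ == "__main__":
    for entry in ("10.1.1", "10.1.1.", "10.1.1.0/24"):
        extra = overreach(entry, "10.1.1.0/24", SENDERS)
        print(f"WHITELIST IP {entry:<12} also trusts: {extra}")
    # The manual's two CIDR samples differ in size by a factor of 65536.
    print(cidr_size("127.0.0.0/8"), cidr_size("192.0.2.0/24"))
```

Under that reading, a text entry without the trailing dot, or with a first octet shorter than three digits, can whitelist servers outside the intended block, while the CIDR form matches exactly the network written.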


RE: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Robert Grosshandler
We do that already and it works fine.  However, I know that there is a much
higher probability that any mail that passes through the backup MX is spam,
so I want to add additional weight just because it comes through the backup
MX.

Rob

Jeff wrote:

Use the IPBYPASS %sec mx ip% feature within the GLOBAL.CFG file.  It will
skip the ip address of your secondary mx record and run the check on the ip
address of the originating server.

IPBYPASS   xxx.xxx.xxx.xxx
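
The logic discussed in this exchange, as an added sketch that is not Declude's implementation or configuration syntax: skip the backup MX hop to find the server that should be tested, and add weight because the message arrived through the backup MX. The backup MX address, the weight value, the bracketed-IP Received format and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Assumptions for the example: the backup MX address and the extra weight.
BACKUP_MX = {"192.0.2.25"}
BACKUP_MX_WEIGHT = 5

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Bracketed IP from each Received header, most recent hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def source_and_weight(connecting_ip, raw_message, bypass=BACKUP_MX):
    """Return (ip_to_test, extra_weight) for one delivered message."""
    if connecting_ip not in bypass:
        # Direct delivery to the primary: test the connecting server as-is.
        return connecting_ip, 0
    # Relayed by the backup MX. Take the first hop that is not one of our
    # own relays and stop there: that header was written by the backup MX,
    # while anything below it was supplied by the sender and is untrusted.
    for ip in received_ips(raw_message):
        if ip not in bypass:
            return ip, BACKUP_MX_WEIGHT
    # No usable header: fall back to the relay, but still add the weight.
    return connecting_ip, BACKUP_MX_WEIGHT


# Constructed sample message relayed through the backup MX.
SAMPLE = """\
Received: from mx2.example.net [192.0.2.25] by mail.example.net;
  Thu, 02 Oct 2003 11:30:02 -0500
Received: from sender.example [198.51.100.77] by mx2.example.net;
  Thu, 02 Oct 2003 11:29:58 -0500
Received: from claimed.example [203.0.113.9] by elsewhere.example;
  Thu, 02 Oct 2003 11:29:40 -0500
From: someone@sender.example
Subject: constructed test message

body
"""

if __name__ == "__main__":
    print(source_and_weight("192.0.2.25", SAMPLE))
    print(source_and_weight("198.51.100.77", SAMPLE))
```
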




RE: [Declude.JunkMail] File contention issues?

2003-10-02 Thread John Tolmachoff \(Lists\)
Between this problem and those noted on the Imail forum, including the DNS
issue with W2K3, seems there are some serious issues with Imail 8.0x.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




RE: [Declude.JunkMail] eBay - scam..

2003-10-02 Thread John Tolmachoff \(Lists\)

Tis the standard e-Bay auto reply. They really care. ;)

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday,
 October 02, 2003 6:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail]
eBay - scam..





I sent it to [EMAIL PROTECTED]
and requested clarifications since we had not seen it before. Here is the
response.











===





Thank you for contacting eBay's Trust and Safety Department about email
solicitations that are falsely made to appear to have come from eBay.
These emails, commonly referred to as spoof messages, are sent in an
attempt to collect sensitive personal information from recipients who
reply to the message or click on a link to a Web page requesting this
information.

The email you reported did not originate from, nor is it endorsed by,
eBay. We are very concerned about this problem and are working
diligently to address the situation. We have investigated the source of
this email and have taken appropriate action. You may rest assured that
your account standing has not changed and that your listings have not
been affected.

We advise you to be very cautious of email messages that ask you to
submit information such as your credit card number or your email
password. eBay will never ask you for sensitive personal information
such as passwords, bank account or credit card numbers, Personal
Identification Numbers (PINs), or Social Security numbers in an email
itself. If you ever need to provide information to eBay please open a
new Web browser, type www.ebay.com, and click on the site map link
located at the top of the page to access the eBay page you need.

If you have any doubt about whether an email message is from eBay,
please forward it immediately to [EMAIL PROTECTED] and do not respond to it
or click on any of the links in the email message. Please do not change
the subject line or forward the email as an attachment.

So I guess they have filters that picked up that URL in their autoresponse.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, October 02, 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] eBay - scam..

Yep, been catching this one for quite a while now. It is surprising,
however, that E-Bay has not gone after these guys since it is so blatant
in its attempt to steal E-Bay user account information.

Bill

- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 1:06 AM
Subject: [Declude.JunkMail] eBay - scam..

Hi;

An interesting email was just caught with a barely hold value.

It is asking for the recipient to click to update their eBay records. The
only URL in the body that is suspicious is: info-update-ebay.com

The Whois is anything but eBay.

The email has full eBay logo and TRUSTe information - coming with links from eBay.

This is the way the email starts..

Your eBay account is in jeopardy! To secure your account please continue
by clicking the link below.
Secure your eBay account now!
=
Has anyone else seen this? You may want to filter that URL.
Regards,
Kami

[Declude.JunkMail] JM handling of Aliases

2003-10-02 Thread Keith Johnson
We have a unique issue in that we have a customer that gets email to
user-user (alias) that goes to an account called useruser (without the
hyphen), both on our server, within same domain.  When a spam email
comes in addressed to the alias and other users within the same domain,
it gets scanned by JMPro 1.76i2 and all emails but the alias email gets
routed to a central spam holding container on the domain.  The alias
email gets delivered to the useruser main inbox.  I have confirmed this
in the log file via the ldeliver lines.  If you look at the header, it
does indeed fail the Weight20 test (we have a single default domain
junkmail file listing WEIGHT20 ROUTETO [EMAIL PROTECTED]).  Does
Declude handle alias spam filtering any different than if it was sent to
a main box?  This one has me confused.  Thanks for the aid.

Running: JMPro 1.76i2
O/S: Windows 2000 SP4

Keith
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] What Happens with Multiple To addresses.

2003-10-02 Thread R. Scott Perry

What rules apply if an email is sent to several users only one of which
has custom settings?

Declude JunkMail will combine the settings the best that it can, erring on
the side of assuming the E-mail is spam.  The idea is that if someone sends
legitimate mail to multiple recipients and one doesn't want it, it's up to
the sender to take care of the problem (they can just send one at a time,
for example).

For example: An email is sent to [EMAIL PROTECTED], [EMAIL PROTECTED] and
[EMAIL PROTECTED]
The following files exist:
c:\Imail\Declude\$default$.junkmail
c:\Imail\Declude\example.com\$default$.junkmail (Which is identical to the
global file c:\Imail\Declude\$default$.junkmail.)
c:\Imail\Declude\example.com\user2.junkmail

I want [EMAIL PROTECTED] to get the email.  Everyone else should not get it.

I tried  WHITELIST TO [EMAIL PROTECTED] in global.cfg.  That also passed
the spam on to everyone else who is listed in the TO: address.

That's correct.  The WHITELIST action will make sure that the E-mail is
received.  If you have a sender that is sending mail that some of your
customers want and others do not, they have a serious problem.  The best
thing to do is get the people who do not want the E-mail to unsubscribe.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Andy Schmidt
No I don't think that was the intention.  I think the intention is that
there is no reason for mail to come through the backup MX server during
normal operations.  The only ones who intentionally contact the backup MX
are likely to be viruses and spammers.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze -
Hostmaster
Sent: Thursday, October 02, 2003 11:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Backup MX / Spam


Use the IPBYPASS %sec mx ip% feature within the GLOBAL.CFG file.  It will
skip the ip address of your secondary mx record and run the check on the ip
address of the originating server.

IPBYPASS xxx.xxx.xxx.xxx


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Thursday, October 02, 2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Backup MX / Spam


Hi

Some large percentage of the spam we get comes to the backup MX and then is
relayed to the primary MX.  

Using Declude JM Standard, is there some test I can use to add additional
weight to any mail routed through my backup MX?

Thanks,

Rob


==
Robert N. Grosshandler
www.iGive.com
Turn shopping into Philanthropy



Re: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Matthew Bramble




You could write a filter that searches the headers for your backup
server's IP address.

HEADERS 3 CONTAINS x.x.x.x

Matt

Robert Grosshandler wrote:

We do that already and it works fine.  However, I know that there is a much
higher probability that any mail that passes through the backup MX is spam,
so I want to add additional weight just because it comes through the backup
MX.

Rob

Jeff wrote:

Use the IPBYPASS %sec mx ip% feature within the GLOBAL.CFG file.  It will
skip the ip address of your secondary mx record and run the check on the ip
address of the originating server.

IPBYPASS xxx.xxx.xxx.xxx


RE: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Paul Navarre

You could write a filter that searches the headers for your backup server's IP address.

HEADERS   3   CONTAINS   x.x.x.x

Matt


The problem with this is if your primary does go down (rebooting for a patch
for example), these points will be added to *all* email until your primary
is back up.

I posted just a few days ago asking if it was possible for Declude to check
that primary was functional. If so, there could be a test that would add
points for any mail sent to the secondary when the primary is functional. I
realize that this would require a new version of Declude, but I think it
could be really worthwhile. Nobody responded to my last post, so I wasn't
sure if there is some reason why this wouldn't work or would be too
difficult.

Paul Navarre



Re: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Matthew Bramble
I was just suggesting a method of doing what he wanted to try :)

I'm not generally a big proponent of indiscriminately adding points to
E-mail, and this one falls in the gray area.  If your backup is located
at the same site, I would imagine that very few E-mails will get tagged
improperly (reboots for instance, but many other examples as well),
however if you have an off-site backup through a different bandwidth
provider, I could see more legit mail coming through this way, which
would seem less wise to do.

Your suggestion has some merit, however it doesn't account for off-site
secondaries and I can't see how that could be implemented easily
without a separate application.  I suppose that someone could write one
that Declude hands off to which checks your logs for the reboot times
and compares that to the time stamp from your backup server.  But again,
if there was an issue on the Internet between the sender and your
primary, and your backup was off site, this wouldn't be a good qualifier
for what should have been delivered directly to your primary.

Matt



Paul Navarre wrote:

You could write a filter that searches the headers for your backup server's
IP address.

HEADERS   3   CONTAINS   x.x.x.x

Matt

The problem with this is if your primary does go down (rebooting for a patch
for example), these points will be added to *all* email until your primary
is back up.

I posted just a few days ago asking if it was possible for Declude to check
that primary was functional. If so, there could be a test that would add
points for any mail sent to the secondary when the primary is functional. I
realize that this would require a new version of Declude, but I think it
could be really worthwhile. Nobody responded to my last post, so I wasn't
sure if there is some reason why this wouldn't work or would be too
difficult.

Paul Navarre

 





RE: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Robert Grosshandler
Yeah, but.

Declude Standard - no filters.

Otherwise, it would work.  The idea is to add enough weight to bring it over
the edge.

A problem with the primary down test is that Declude is doing its scanning
on the primary, and it would never be down when Declude was scanning!  So,
Declude would have to have logic for keeping track of when the primary was
up and down.  Becoming a non-trivial task when you add that nuance. 

Rob


Paul wrote:


You could write a filter that searches the headers for your backup server's
IP address.

HEADERS   3   CONTAINS   x.x.x.x

Matt


The problem with this is if your primary does go down (rebooting for a patch
for example), these points will be added to *all* email until your primary
is back up.

I posted just a few days ago asking if it was possible for Declude to check
that primary was functional. If so, there could be a test that would add
points for any mail sent to the secondary when the primary is functional. I
realize that this would require a new version of Declude, but I think it
could be really worthwhile. Nobody responded to my last post, so I wasn't
sure if there is some reason why this wouldn't work or would be too
difficult.

Paul Navarre




RE: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Colbeck, Andrew
Another 2 cents...

I see all too often that mail comes (and goes out) to hosts pointed to by MX
records that are not the lowest.  Either some SMTP servers take the value of
the MX record as a *suggestion*, or their DNS is broken, and take the first
MX listed, regardless of the value.

I suspect that the definition of "is the primary functional" is too hard to
nail down, and the test possibly too slow, for the value it brings to spam
detection.  In particular because declude.exe runs and terminates, runs and
terminates for each message, that it makes stateful tests difficult.

The only way that I could suggest implementing this is to make it an
external test of your own design that simply checks the current time against
the last e-mail that came directly through the primary mail server.  You
would then have to decide how long a window qualifies as "primary is down".

Andrew.

-Original Message-
From: Paul Navarre [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 02, 2003 10:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Backup MX / Spam



You could write a filter that searches the headers for your backup server's
IP address.

HEADERS   3   CONTAINS   x.x.x.x

Matt

The problem with this is if your primary does go down (rebooting for a patch
for example), these points will be added to *all* email until your primary
is back up.

I posted just a few days ago asking if it was possible for Declude to check
that primary was functional. If so, there could be a test that would add
points for any mail sent to the secondary when the primary is functional. I
realize that this would require a new version of Declude, but I think it
could be really worthwhile. Nobody responded to my last post, so I wasn't
sure if there is some reason why this wouldn't work or would be too
difficult.

Paul Navarre

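The external test suggested in the message above, sketched as an added example (it is not code from the thread or from Declude): weight is added to mail handed over by the backup MX only while a direct delivery to the primary was seen recently. The backup address 192.0.2.25, the 10-minute window, the bracketed-IP Received format and every function name are assumptions; the weight of 3 is the one used in the HEADERS filter quoted in the thread.

```python
import ipaddress
import re
from datetime import datetime, timedelta

BACKUP_MX = ipaddress.ip_address("192.0.2.25")  # assumed backup MX address
PRIMARY_DOWN_WINDOW = timedelta(minutes=10)     # assumed "primary is down" window
EXTRA_WEIGHT = 3                                # weight from the HEADERS filter

# Constructed Received headers, newest first, in an assumed "[ip]" format.
VIA_BACKUP = [
    "from backup.example.net [192.0.2.25] by mail.example.net with ESMTP",
    "from unknown [203.0.113.77] by backup.example.net with SMTP",
]
DIRECT = ["from mx.example.org [198.51.100.7] by mail.example.net with ESMTP"]
# 192.0.2.250 contains the text "192.0.2.25" but is a different host.
LOOKALIKE = ["from host.example.org [192.0.2.250] by mail.example.net with ESMTP"]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received_headers):
    """IP the primary itself recorded for the host that handed it the message.

    Only the topmost Received line is written by the primary; every line
    below it was supplied by the sending side and proves nothing.
    """
    if not received_headers:
        return None
    match = _BRACKETED_IP.search(received_headers[0])
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # for example [999.1.1.1]
        return None


def score_message(received_headers, now, last_direct):
    """Return (extra_weight, last_direct) for one message.

    last_direct is the time of the last message that reached the primary
    without passing through the backup. The scanner exits after every
    message, so the caller has to persist this value between runs.
    """
    ip = connecting_ip(received_headers)
    if ip is None:
        return 0, last_direct  # nothing to decide on, state unchanged
    if ip != BACKUP_MX:
        return 0, now          # direct delivery: refresh the heartbeat
    if last_direct is None or now - last_direct > PRIMARY_DOWN_WINDOW:
        return 0, last_direct  # primary looks down: backup traffic is expected
    return EXTRA_WEIGHT, last_direct
```

Comparing parsed addresses rather than searching the header text keeps 192.0.2.250 from being mistaken for the backup at 192.0.2.25, which a plain CONTAINS match on the address string would do.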


Re: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Matthew Bramble
Rob,

I have recently discovered that the pro version's filter capabilities 
are a very important tool for tagging spam that otherwise passes 
through.  I would recommend the upgrade highly, though not specifically 
for this purpose.  I've been able to add points to low scoring spam with 
a very high degree of accuracy, and I have probably halved what was 
getting through before while reducing false positives by relying less on 
scoring from places like SpamCop and MailPolice which are unfortunately 
prone to FP'ing on legit mail blasts.

Matt



Robert Grosshandler wrote:

Yeah, but.

Declude Standard - no filters.

Otherwise, it would work.  The idea is to add enough weight to bring it over
the edge.

A problem with the primary down test is that Declude is doing its scanning
on the primary, and it would never be down when Declude was scanning!  So,
Declude would have to have logic for keeping track of when the primary was
up and down.  Becoming a non-trivial task when you add that nuance.

Rob

Paul wrote:

You could write a filter that searches the headers for your backup server's
IP address.

HEADERS   3   CONTAINS   x.x.x.x

Matt

The problem with this is if your primary does go down (rebooting for a patch
for example), these points will be added to *all* email until your primary
is back up.

I posted just a few days ago asking if it was possible for Declude to check
that primary was functional. If so, there could be a test that would add
points for any mail sent to the secondary when the primary is functional. I
realize that this would require a new version of Declude, but I think it
could be really worthwhile. Nobody responded to my last post, so I wasn't
sure if there is some reason why this wouldn't work or would be too
difficult.

Paul Navarre
 





RE: [Declude.JunkMail] Backup MX / Spam

2003-10-02 Thread Robert Grosshandler
I'm breaking down and getting Declude Pro.

In my back of the napkin analysis of the spam that is weighted in the gray
area (HOLD), but it is truly spam, some high percentage of it went straight
for my backup MX.

By adding a little bit of weight, I'm expecting that the total weight will
be sufficient to push it over the edge into (DELETE).  (We don't actually
delete, but our review is much less thorough than e-mail that gets a HOLD
weight).

Rob



RE: [Declude.JunkMail] whitelist

2003-10-02 Thread Jonas

How do you whitelist IP addresses in different subnets? Should they be
listed after each other like this:

WHITELIST IP a.b.c.d  e.f.g.h

Or a new line for each IP address/block? Like this:

WHITELIST IP a.b.c.d
WHITELIST IP e.f.g.h

Similarly, how should whitelisted email addresses be entered? After
each other on one line or separate lines?

Jonas Fornander - System Administrator
Netwood Communications,LLC - www.netwood.net
Find out why we're better - 310-442-1530
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
 Sent: Thursday, October 02, 2003 9:09 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] whitelist

 Whitelisting supports CIDR notation..

 I just grabbed this paragraph out of the manual, because it explains it
 better than I could.

 To whitelist an IP address, add a line "WHITELIST IP 127.0.0.1" to the
 \IMail\Declude\global.cfg file (replacing 127.0.0.1 with the IP you wish to
 whitelist). If you wish to whitelist a range of IP addresses, such as
 127.0.0.0 through 127.0.0.255, you can do so by adding a line "WHITELIST IP
 127.0.0." (which will whitelist any E-mails from mail servers with an IP
 address that contains "127.0.0."). You can also use a CIDR range, such as
 "WHITELIST IP 127.0.0.0/8" or "WHITELIST IP 192.0.2.0/24" (see the
 DNSstuff.com site's CIDR tool for assistance).

 Darrell

 Check Out DLAnalyzer a comprehensive reporting tool for
 Declude Junkmail Logs - http://www.dlanalyzer.com

 andyb writes:

  How do I white list all of my IP addresses?

  The line I had in there is not working.

  thanks, andy
  


Re: [Declude.JunkMail] whitelist

2003-10-02 Thread Matthew Bramble




Separate lines for any filter is what works.

Be careful about whitelisting addresses of local users or popular
domains because spammers do forge these addresses. You are probably
safe whitelisting problematic addresses from non-local, non-popular
domains, just not from places like aol.com. The safer method is to use
the Pro version and just subtract a reasonable amount of points so that
forging spam still can't pass if it scores very high.

Matt



Jonas wrote:

How do you whitelist IP addresses in different subnets? Should they be
listed after each other like this:

WHITELIST IP a.b.c.d  e.f.g.h

Or a new line for each IP address/block? Like this:

WHITELIST IP a.b.c.d
WHITELIST IP e.f.g.h

Similarly, how should whitelisted email addresses be entered? After
each other on one line or separate lines?

Jonas Fornander - System Administrator
Netwood Communications,LLC - www.netwood.net
Find out why we're better - 310-442-1530

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DLAnalyzer Support
Sent: Thursday, October 02, 2003 9:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] whitelist

Whitelisting supports CIDR notation..

I just grabbed this paragraph out of the manual, because it explains it
better than I could.

To whitelist an IP address, add a line "WHITELIST IP 127.0.0.1" to the
\IMail\Declude\global.cfg file (replacing 127.0.0.1 with the IP you wish to
whitelist). If you wish to whitelist a range of IP addresses, such as
127.0.0.0 through 127.0.0.255, you can do so by adding a line "WHITELIST IP
127.0.0." (which will whitelist any E-mails from mail servers with an IP
address that contains "127.0.0."). You can also use a CIDR range, such as
"WHITELIST IP 127.0.0.0/8" or "WHITELIST IP 192.0.2.0/24" (see the
DNSstuff.com site's CIDR tool for assistance).

Darrell

Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com

andyb writes:

How do I white list all of my IP addresses?

The line I had in there is not working.

thanks, andy
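A lint pass over WHITELIST IP lines that follows the two answers above (one entry per line; exact, fragment and CIDR forms), as an added example that is not Declude's code or part of the thread. It takes the manual's word "contains" literally, which is an assumption about how fragments are matched; the sample configuration, the probe addresses and all function names are constructed.

```python
import ipaddress

# Constructed sample of WHITELIST IP lines as they might sit in global.cfg.
SAMPLE_CFG = """\
WHITELIST IP 192.0.2.10
WHITELIST IP 10.1.
WHITELIST IP 198.51.100.0/24
WHITELIST IP 192.0.2.20  203.0.113.9
"""

# Constructed probe addresses used to exercise the rules.
PROBES = ["10.1.2.3", "210.1.5.6", "5.10.1.7", "192.168.10.1",
          "192.0.2.10", "198.51.100.77", "203.0.113.9"]


def parse_whitelist_ip(cfg_text):
    """Split WHITELIST IP lines into usable rules and rejected lines."""
    rules, rejected = [], []
    for line in cfg_text.splitlines():
        fields = line.split()
        if [f.upper() for f in fields[:2]] != ["WHITELIST", "IP"]:
            continue
        if len(fields) != 3:
            rejected.append(line)  # one entry per line, as the reply says
            continue
        value = fields[2]
        try:
            if "/" in value:
                rules.append(("cidr", ipaddress.ip_network(value, strict=False)))
            elif value.endswith("."):
                rules.append(("contains", value))
            else:
                rules.append(("exact", ipaddress.ip_address(value)))
        except ValueError:
            rejected.append(line)
    return rules, rejected


def matches(rule, ip_text):
    """Apply one rule to one address."""
    kind, value = rule
    if kind == "contains":
        return value in ip_text  # literal reading of the manual's "contains"
    ip = ipaddress.ip_address(ip_text)
    return ip in value if kind == "cidr" else ip == value


def is_whitelisted(rules, ip_text):
    return any(matches(rule, ip_text) for rule in rules)


def prefix_network(fragment):
    """CIDR block an admin most likely means by a fragment such as '10.1.'."""
    octets = fragment.strip(".").split(".")
    base = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{base}/{8 * len(octets)}")


def overmatched(fragment, probes):
    """Probes a substring match accepts although they lie outside the prefix."""
    net = prefix_network(fragment)
    return [p for p in probes
            if fragment in p and ipaddress.ip_address(p) not in net]
```

A whitelisted address skips every other test, so a fragment such as `10.1.` that also accepts 210.1.5.6 under a substring match is better written as the CIDR block `10.1.0.0/16`.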
  

 
  






RE: [Declude.JunkMail] What Happens with Multiple To addresses.

2003-10-02 Thread Royce Fessenden
The problem is I have an executive user who does not understand the flagging
at all.  They panic when they see any indication that the mail has been
scanned and are afraid that important mail is going to be deleted.  (I
upgraded to the pro version to try and solve this problem by enabling user
level controls.)

If [EMAIL PROTECTED] has all Actions set to WARN, but the global setting
is HEADER  will they see the Header text?  If so, is there any solution
other than passing the spam on with WHITELIST TO [EMAIL PROTECTED]

Royce

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Thursday, October 02, 2003 12:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] What Happens with Multiple To
addresses.



What rules apply if an email is sent to several users only one of which
has custom settings?

Declude JunkMail will combine the settings the best that it can, erring on
the side of assuming the E-mail is spam.  The idea is that if someone sends
legitimate mail to multiple recipients and one doesn't want it, it's up to
the sender to take care of the problem (they can just send one at a time,
for example).

For example: An email is sent to [EMAIL PROTECTED], [EMAIL PROTECTED] and
[EMAIL PROTECTED]
The following files exist:
c:\Imail\Declude\$default$.junkmail
c:\Imail\Declude\example.com\$default$.junkmail (Which is identical to the
global file c:\Imail\Declude\$default$.junkmail.)
c:\Imail\Declude\example.com\user2.junkmail

I want [EMAIL PROTECTED] to get the email.  Everyone else should not get it.

I tried  WHITELIST TO [EMAIL PROTECTED] in global.cfg.  That also passed
the spam on to everyone else who is listed in the TO: address.

That's correct.  The WHITELIST action will make sure that the E-mail is
received.  If you have a sender that is sending mail that some of your
customers want and others do not, they have a serious problem.  The best
thing to do is get the people who do not want the E-mail to unsubscribe.

-Scott


RE: [Declude.JunkMail] What Happens with Multiple To addresses.

2003-10-02 Thread R. Scott Perry

If [EMAIL PROTECTED] has all Actions set to WARN, but the global setting
is HEADER  will they see the Header text?

In this case, both the WARN and HEADER actions will be used.

If so, is there any solution
other than passing the spam on with WHITELIST TO [EMAIL PROTECTED]

That depends on what you mean by solution.  :)

The only way I can think of to get the E-mail to [EMAIL PROTECTED] without
the HEADER action being used would be to whitelist the E-mail.

   -Scott


Re: [Declude.JunkMail] JM handling of Aliases

2003-10-02 Thread R. Scott Perry

We have a unique issue in that we have a customer that gets email to
user-user (alias) that goes to an account called useruser (without the
hyphen), both on our server, within same domain.  When a spam email
comes in addressed to the alias and other users within the same domain,
it gets scanned by JMPro 1.76i2 and all emails but the alias email gets
routed to a central spam holding container on the domain.  The alias
email gets delivered to the useruser main inbox.

What does the log file show for one of these E-mails?

   -Scott


RE: [Declude.JunkMail] JM handling of Aliases

2003-10-02 Thread R. Scott Perry

Would you like the Declude Log or the Sys Log from IMail?

The Declude log file entries are the most important in this case (as it
will show whether the ROUTETO action was used).

This domain was setup as mail.domain.com in Imail and there is an alias
on it for domain.com (transfer from another vendor Imail server), I have
a Declude folder called mail.domain.com, however do I need one called
domain.com for the alias side?  Thanks,

For the alias, you'll need to use the domain that the alias resolves
to.  If it resolves to the official name of the domain (mail.domain.com),
then you can use the same directory.  But if you are using a different
domain for the alias than the official name of the domain, then you would
need to use a different directory (or, change the alias to use the official
domain name, to keep things consistent).

   -Scott


RE: [Declude.JunkMail] JM handling of Aliases

2003-10-02 Thread Keith Johnson
Scott,
 Would you like the Declude Log or the Sys Log from IMail?  This domain was 
setup as mail.domain.com in Imail and there is an alias on it for domain.com (transfer 
from another vendor Imail server), I have a Declude folder called mail.domain.com, 
however do I need one called domain.com for the alias side?  Thanks,
 
Keith
 

-Original Message- 
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Thu 10/2/2003 4:26 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Declude.JunkMail] JM handling of Aliases




We have a unique issue in that we have a customer that gets email to
user-user (alias) that goes to an account called useruser (without the
hyphen), both on our server, within same domain.  When a spam email
comes in addressed to the alias and other users within the same domain,
it gets scanned by JMPro 1.76i2 and all emails but the alias email gets
routed to a central spam holding container on the domain.  The alias
email gets delivered to the useruser main inbox.

What does the log file show for one of these E-mails?

-Scott

RE: [Declude.JunkMail] What Happens with Multiple To addresses.

2003-10-02 Thread Charles Frolick
The only thing you could do is find some way to split the messages into
one copy per recipient.  Imail does not handle them this way, but some
MTA's do.  You could set up your MX server(s) to be a gateway box that
uses an MTA that splits the message to per recipient (note: this still
won't help with aliases).  I have done some testing with Xmail Server
and it does handle each recipient one by one, creating a new copy of the
message for each recipient.  Downside is, in your example, even if you
whitelist user2, Declude will run all tests twice on essentially the
same message.  Once for user1 and once for user3.  If you didn't
whitelist, then it is three times. i.e., if you have a heavy load it
will increase it.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Royce Fessenden
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] What Happens with Multiple To
addresses.


The problem is I have an executive user who does not understand the flagging
at all.  They panic when they see any indication that the mail has been
scanned and are afraid that important mail is going to be deleted.  (I
upgraded to the pro version to try and solve this problem by enabling user
level controls.)

If [EMAIL PROTECTED] has all Actions set to WARN, but the global setting
is HEADER  will they see the Header text?  If so, is there any solution
other than passing the spam on with WHITELIST TO [EMAIL PROTECTED]

Royce

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Thursday, October 02, 2003 12:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] What Happens with Multiple To
addresses.



What rules apply if an email is sent to several users only one of which
has custom settings?

Declude JunkMail will combine the settings the best that it can, erring on
the side of assuming the E-mail is spam.  The idea is that if someone sends
legitimate mail to multiple recipients and one doesn't want it, it's up to
the sender to take care of the problem (they can just send one at a time,
for example).

For example: An email is sent to [EMAIL PROTECTED], [EMAIL PROTECTED] and
[EMAIL PROTECTED]
The following files exist:
c:\Imail\Declude\$default$.junkmail
c:\Imail\Declude\example.com\$default$.junkmail (Which is identical to the
global file c:\Imail\Declude\$default$.junkmail.)
c:\Imail\Declude\example.com\user2.junkmail

I want [EMAIL PROTECTED] to get the email.  Everyone else should not get it.

I tried  WHITELIST TO [EMAIL PROTECTED] in global.cfg.  That also passed the
spam on to everyone else who is listed in the TO: address.

That's correct.  The WHITELIST action will make sure that the E-mail is
received.  If you have a sender that is sending mail that some of your
customers want and others do not, they have a serious problem.  The best
thing to do is get the people who do not want the E-mail to unsubscribe.

-Scott


[Declude.JunkMail] Performance

2003-10-02 Thread Robert Grosshandler
Having just upgraded from JM Standard to Pro, I'm wondering about the best
way to approach some of the tests I previously set up.

Is there any difference between the following from a performance or
maintenance standpoint?:

Version A

Whitelist anywhere blahblah

Or

Version B

BODY -50 CONTAINS blahblah

Thanks

Rob


===
Robert N. Grosshandler
www.iGive.com

---
[This E-mail scanned for viruses by Declude Virus]



RE: [Declude.JunkMail] JM handling of Aliases

2003-10-02 Thread Keith Johnson
For the alias, you'll need to use the domain that the alias resolves
to.  If it resolves to the official name of the domain (mail.domain.com),
then you can use the same directory.  But if you are using a different
domain for the alias than the official name of the domain, then you would
need to use a different directory (or, change the alias to use the official
domain name, to keep things consistent).

The setup is as follows: the official host name is mail.domain.com with an alias
domain of domain.com.  There are numerous aliases and user accounts on this box.  One
of the aliases is: user-user that has a pointer to user.  I guess they did this due to
the way Imail handles the hyphen on a regular box.  An email is sent to the alias:
[EMAIL PROTECTED], which then points over [EMAIL PROTECTED]  I have in the Declude
folder a folder called mail.domain.com which has been working great since day 1,
however this alias issue has just crept up.  I see in the header that it failed all
the appropriate tests, but got delivered to the main inbox of [EMAIL PROTECTED]  I
just put another folder called domain.com in the Declude folder to see if it will
trigger it.  However, I'm unsure why it won't work correctly the way it is since the
official name is mail.domain.com and the alias domain is domain.com (the same name
without the mail.).  I'll send you the logs soon.

 

Keith




Re: [Declude.JunkMail] Performance

2003-10-02 Thread R. Scott Perry

Is there any difference between the following from a performance or
maintenance standpoint?:
Version A

Whitelist anywhere blahblah

Or

Version B

BODY -50 CONTAINS blahblah
Performance-wise, they should both be about the same.  However, the 
global.cfg file only allows 200 WHITELIST entries, which would make the 
filter a better choice.  Also, the filter allows for more flexibility.

   -Scott


RE: [Declude.JunkMail] JM handling of Aliases

2003-10-02 Thread R. Scott Perry

However, I'm unsure why it won't work correctly the way it is since the 
official name is mail.domain.com and the alias domain is domain.com (the 
same name without the mail.).
That's exactly where the problem lies -- you're not being consistent.  On 
the one hand, you're telling IMail that the real name of the domain is 
mail.domain.com, but that it should also accept mail addressed to 
@domain.com.  On the other hand, you're also telling IMail that the E-mail 
is normally addressed to @domain.com (by having the alias point to 
@domain.com).

In this case, I would recommend switching so that the actual domain name is 
domain.com (with mail.domain.com as an alias), so there is no confusion.

   -Scott


RE: [Declude.JunkMail] Performance

2003-10-02 Thread Colbeck, Andrew
(Whups!  My bad, whitelist anywhere is right there in black and white in
the current online manual.)

If you use this directive in your .cfg file:

PREWHITELIST ON

then you get short-circuit evaluation, and a WHITELISTed message will get
processed a little faster than it otherwise would.

Without that directive, all tests are performed on the message, because any
of them could weight the message enough to change the action performed.

In my humble opinion, you should avoid whitelisting; I suggest using
counterweights instead as you illustrated in your question.  Save
whitelisting for things that are unquestionable, like whitelisting the IP of
an internal mail server.

Andrew 8)



Re: [Declude.JunkMail] Performance

2003-10-02 Thread Matthew Bramble
I recommended searching the headers for your backup server because I 
believe that the REVDNS test is moved to a different hop when you get a 
hit on IPBYPASS, otherwise that would be the way to go.  The ANYWHERE 
search only works with whitelisting from the Global.cfg file.  In filter 
files you can use BODY, HEADERS, HELO, MAILFROM, REMOTEIP, REVDNS, 
ALLRECIPS, or SUBJECT.  I have filters set up exclusively for BODY and 
SUBJECT, and other filters that focus on HELO, MAILFROM and REVDNS.  I
have a pseudo whitelist that I am using as well, with the filters based 
on REVDNS.

If you are looking to help ensure that E-mail from a particular domain
gets through, it's better to just subtract points in a filter file
rather than whitelisting because of the potential of forging addresses
in spam and still desiring some protection (obscure domains are pretty
safe for whitelisting though).  I tend to give a negative weight
for such things that is equal to my fail weight when those domains 
occasionally find their way onto SpamCop and MailPolice, or just credit 
back points for what they regularly fail.  I also use the REVDNS test 
whenever possible since this is the least likely to be forged and there 
is only a small piece of data which limits multiple hits (as opposed to 
searching HEADERS).  For example, with Yahoo Groups, one would use the 
following when 5 points are being added regularly due to RBL's and 
inadvertently by other filters:

REVDNS  -5  ENDSWITH  .grp.scd.yahoo.com

This is a good example because Yahoo Groups does fail some tests that I 
use, but as was pointed out yesterday, spam can be pushed through these 
groups occasionally and if you are keyword matching for URL's for 
instance, subtracting points would only level the playing field before 
additional tests can score it.

Matt

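The trade-off discussed in this thread (a negative weight only offsets tests a sender is known to fail, while a whitelist match delivers the message regardless), as an added Python sketch that is not Declude's code and not from any of the posters. The parser handles only the two rule shapes quoted in the thread; the hold threshold, the HEADERS and BODY rules, and both sample messages are constructed assumptions.

```python
from dataclasses import dataclass

# Rules in the "FIELD WEIGHT OPERATOR VALUE" shape quoted in the thread.
# Only the REVDNS line comes from the thread; the other two are constructed.
FILTER_TEXT = """\
REVDNS   -5  ENDSWITH  .grp.scd.yahoo.com
HEADERS   5  CONTAINS  x-constructed-rbl-hit
BODY     10  CONTAINS  click here to update your account
"""
HOLD_WEIGHT = 10  # assumed weight at which a message is held as spam

# Constructed messages: both arrive through the same list servers.
LIST_MAIL = {"REVDNS": "n12.grp.scd.yahoo.com",
             "HEADERS": "X-Constructed-RBL-Hit: yes",
             "BODY": "Minutes from Tuesday's meeting are attached."}
LIST_SPAM = dict(LIST_MAIL, BODY="Click here to update your account now!")


@dataclass
class Rule:
    field: str
    weight: int
    op: str
    value: str

    def matches(self, msg):
        text = msg.get(self.field, "").lower()
        needle = self.value.lower()
        if self.op == "ENDSWITH":
            return text.endswith(needle)
        return needle in text  # CONTAINS


def parse_filter(text):
    """Parse filter lines; reject operators this sketch does not model."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, weight, op, value = line.split(None, 3)
        if op.upper() not in ("CONTAINS", "ENDSWITH"):
            raise ValueError(f"unsupported operator: {op}")
        rules.append(Rule(field.upper(), int(weight), op.upper(), value))
    return rules


def score(msg, rules):
    """Sum the weights of every matching rule, positive and negative."""
    return sum(r.weight for r in rules if r.matches(msg))


def verdict(msg, rules, whitelist_revdns_suffix=None):
    """Whitelist model: a match delivers no matter what else the mail fails."""
    revdns = msg.get("REVDNS", "").lower()
    if whitelist_revdns_suffix and revdns.endswith(whitelist_revdns_suffix):
        return "deliver (whitelisted)"
    return "hold" if score(msg, rules) >= HOLD_WEIGHT else "deliver"


RULES = parse_filter(FILTER_TEXT)
```

With the counterweight, the ordinary list message nets 0 and is delivered while the list-borne spam still reaches the hold weight; with the whitelist, both are delivered.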


RE: [Declude.JunkMail] Performance

2003-10-02 Thread Robert Grosshandler
Great points.

I'm using your (I think it was your) Gibberish / Anti Gibberish tests
already.

It was the flexibility of the filter ability that caused me to plunk down
more money to the wonderful folks at Computer Horizons.

Rob




RE: [Declude.JunkMail] What Happens with Multiple To addresses.

2003-10-02 Thread Royce Fessenden
It's all starting to make sense.  Guess I'll just have to evaluate the
tradeoffs.

Royce
