[Declude.JunkMail] Update to GibberishSUB

2003-11-06 Thread John Tolmachoff (Lists)
I have added the following to both GibberishSUB and AntiGibberishSUB files:

SUBJECT 0 CONTAINS asr#

This has shown up in a few messages going to a financial company.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] one more try...

2003-11-06 Thread Bill Landry



Attached are a couple of scripts (and sample output) that can be used,
if using log level MID or higher, to output the "From" e-mail address
and sending IP address (first script), or output just the sending IP
addresses, listed by count (second script).

HTH,

Bill

  - Original Message -
  From: Matthew Bramble
  To: [EMAIL PROTECTED]
  Sent: Wednesday, November 05, 2003 6:21 PM
  Subject: Re: [Declude.JunkMail] one more try...

  Andy,

  I tried sending this twice, but I think Scott's server blocked it
  because of the content in the headers, so the headers are attached as a
  zip this time. Your global.cfg would have something like the following
  and the adjusted filter file is in the original reply pasted below
  (name the filter whatever you wish).

  [EMAIL PROTECTED]  filter C:\IMail\Declude\Filters\[EMAIL PROTECTED] x 5  0

  Then the original reply (adjusted a little)...

  Matt

  Actually, I think this one is in the format of [EMAIL PROTECTED],
  so the filter would need to be:

  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]
  MAILFROM 0  CONTAINS [EMAIL PROTECTED]

  I put a number before the domain because it appears that this spammer
  uses VERP and the pattern always has a number before the "@b." so this
  will help protect from false positives. I just wouldn't necessarily
  kill it for just this one thing, and I don't think you have to because
  this stuff isn't getting through my server, so it's picking up points
  from RBL's and other things.

  I've seen this stuff coming through my own machine and noted it because
  of the question earlier. I fear that the pattern is only temporary,
  but if I'm not mistaken, this is from one of the contest type of
  spammers with a set group of IP's that they send out from. You could
  more effectively search for hits and take the IP addresses out and then
  filter for those as long-term prevention in the event that this pattern
  fails (which I expect it will). Bill could probably grep that info
  from his logs in seconds :) Be sure to share if you do. I wouldn't
  bother with the domain names because they seem to be very temporary.

  Here are three such headers from this spammer, and all of the domain
  names were registered recently through pairNIC.com, http://whois.pairnic.com/

  Matt

  andyb wrote:
  So, the line

MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

should have 2 x's because of the 2 tiered weighting system I'm using?

Thanks,

Andy

- Original Message -
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 7:13 PM
Subject: Re: [Declude.JunkMail] one more try...


  

  to be sure, the syntax would be:

in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

In myfilter.txt:
MAILFROM 5 STARTSWITH b.
  That would work fine.


  Isn't this adding the weight of 5 twice?  I'd like it to only be added
  once.
  
Yes, that would add the weight twice.  The total weight for the test is a
combination of the general weight for the test (the "5" in the "MYFILTER
filter" line) plus the weight for each line that matches (the "MAILFROM 5"
line).

In this case, you might instead want to use:

 MAILFROM 0 STARTSWITH b.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



  -- 
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===


grep.zip
Description: Zip compressed data


Re: [Declude.JunkMail] Update to GibberishSUB

2003-11-06 Thread Matthew Bramble
Thanks John.  I marked it up along with two other recently reported 
catches, more importantly, the addition of VIN numbers to the 
exclusions.  I put a space after the vin  and nwq  entries.  I'll 
update the file on my site after a little more time passes.

- GIBBERISHSUB and ANTI-GIBBERISHSUB -
SUBJECT 0 CONTAINS asr#
SUBJECT 0 CONTAINS asr num
SUBJECT 0 CONTAINS vin
SUBJECT 0 CONTAINS vin:
SUBJECT 0 CONTAINS vin#
- ANTI-GIBBERISHSUB file only -
SUBJECT 0 CONTAINS nwq
SUBJECT 0 CONTAINS nwq.com
- GIBBERISH and ANTI-GIBBERISH -
BODY 0 CONTAINS asr#
BODY 0 CONTAINS asr num
BODY 0 CONTAINS vin
BODY 0 CONTAINS vin:
BODY 0 CONTAINS vin#
- ANTI-GIBBERISH file only -
BODY 0 CONTAINS nwq
BODY 0 CONTAINS nwq.com


John Tolmachoff (Lists) wrote:

I have added the following to both GibberishSUB and AntiGibberishSUB files:

SUBJECT 0 CONTAINS asr#

This has shown up in a few messages going to a financial company.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===


Re: [Declude.JunkMail] one more try...

2003-11-06 Thread Matthew Bramble




Very interesting. Looks like the @b. thing is a standard in some piece
of VERP software. BTW, unless you (generally) are extremely aggressive
(sans FiveTen), this would be a very bad idea to implement as a
filter. So please ignore my initial filter submission...but I've got
something bulletproof to replace it.

This spammer that we were trying to identify with that string was
probably Douglas Fields of Pexicom, Inc. His old
network is in SBL (SBL5185), but it appears that he went out and
registered some new blocks of addresses, and got others through
Above.net, from which he also gets bandwidth. If anyone knows how to
report him to SBL, it might help a lot of people. I couldn't figure
out how to report during a cursory search of their site.

With the help of your file, a bunch of data from past spam captures,
that header clue that exposed his software, and a little DNS work...I
came up with 9 new blocks not in SBL with reverse DNS names with 9
addresses each (ns1, ns2, www and mail1 through mail6). I won't assume
for a second that is all, but it's a lot and considering the age of
many of the domains, he hasn't yet exposed all of his servers to the
RBL's (less than 1/4 were in a multi-week 150 MB capture that found all
of this stuff). If he wasn't failing BADHEADERS, some of this would
have gotten through on my server, so I wrote it as a filter just for
this one guy and attached it to this note. Implement safely with the
following line, and kill the filter after SBL picks it up.

- Global.cfg -
PEXICOM  filter C:\IMail\Declude\Filters\Pexicom.txt  x 25  0

My guess is that this guy was approaching 1% of my total E-mail volume,
which is pretty serious, though one of the crud spammers is currently
doing about 5% I think. Hopefully he'll stay put for a while seeing as
how ARIN has him on record:

Matt



Bill Landry wrote:

  
  
  
  
  Attached are a couple of scripts
(and sample output) that can be used, if using log level MID or higher,
to output the "From" e-mail address and sending IP address (first
script), or output just the sending IP addresses, listed by count
(second script).
  
  HTH,
  
  Bill
  

[Declude.JunkMail] High Traffic Windows tweaks

2003-11-06 Thread Adrian Hauri
For those out there who run a high traffic mailserver

I just found this article:
http://www.stalker.com/CommuniGatePro/Scalability.html#TimeWait

Summary:
- It is recommended to change the TCP TIME_WAIT time in the Windows registry
from 180 seconds to 20-30 seconds.
- The Windows system limits the maximum port number assigned to
outgoing connections. By default this value is 5000. You may want to
increase that value to 20,000 or more, by adding the MaxUserPort DWORD-type
value to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
key.

Please let me (and the list) know if you experience a performance increase.

Cheers

Adrian



Re: [Declude.JunkMail] Declude\$default$.junkmail Question

2003-11-06 Thread Burzin Sumariwalla
If I only have 1 domain, and a per domain.junkmail file setup shouldn't the 
domain.junkmail file be used at all time?

At 06:14 PM 11/5/2003, you wrote:

Under what circumstances does Declude use the \Declude\$default$.junkmail 
file?
The global.cfg file is used for all global settings, and for actions on 
outgoing mail.

The $default$.JunkMail file is used for actions on incoming mail.

   -Scott
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



Re: [Declude.JunkMail] Declude\$default$.junkmail Question

2003-11-06 Thread R. Scott Perry

If I only have 1 domain, and a per domain.junkmail file setup shouldn't 
the domain.junkmail file be used at all time?
Yes, for all incoming E-mail (the global.cfg file would still be used for 
outgoing E-mail).

   -Scott


Re: [Declude.JunkMail] one more try...

2003-11-06 Thread andyb



Thanks everyone, I have it working. It was also necessary to go to the
$default$.junkmail config file and add MYFILTER WARN so I could see the
results in spam review.

Thanks, Andy



[Declude.JunkMail] False Email Address on Spam

2003-11-06 Thread Hank Townsend

A user of mine has recently started receiving postmaster rejection notices
(mailbox full, no such user, etc.) on Spam messages that he did not send
out. Someone has used his email address as the return.

Is there anything that can be done about this short of finding the offending
person and chopping off his/her fingers?

Does anyone have any suggestions? I don't want our server reported to the
spam gods because of this.

Thanks.

Hank

---
[This E-mail has been scanned for viruses.]
[MGT of America, Inc.]



Re: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Administration
Hello Scot,

this program looks very good!
i've been messing around with this same idea for a little while, but using ASP
instead.

could i by any chance get a copy of your script?

thanks in advance for your time!
ken

Thursday, November 6, 2003, 1:27:49 PM, you wrote:

SD I just finished throwing together a web interface to allow our customers to
SD self-maintain their spam thresholds, whitelists and declude actions. It's
SD very simple, but does everything we need. Written in ColdFusion, SQL
SD database to store settings, with a custom tag that writes the text files to
SD disk for Declude to read. The only thing that would be nice would be to have
SD it sync the password with the IMAIL password. I suppose one of these days I
SD will convert all of my domains to SQL for IMAIL password storage, which
SD would solve the problem.

SD Your comments are welcomed:

SD http://spamwatch.njaccess.com

SD demo login
SD user name: [EMAIL PROTECTED]
SD pw: spam

SD Feel free to play around. It's not a live account.

SD Thanks,


SD --
SD Scot


SD - Original Message - 
SD From: R. Scott Perry [EMAIL PROTECTED]
SD To: [EMAIL PROTECTED]
SD Sent: Monday, November 03, 2003 4:30 PM
SD Subject: Re: [Declude.JunkMail] WhiteList option questions



 Just upgrading Declude after a fair amount of time.  The docs say that the
 white list file should go into $default$.junkmail.  Just wanted to confirm
 it goes there and not global.cfg.

 That is correct.  The WHITELISTFILE option is designed for incoming mail
 only, and only applies to the \IMail\Declude\$default$.JunkMail and
 per-user/per-domain files.

 -Scott




-- 
Best regards,
 Administration mailto:[EMAIL PROTECTED]



RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Mark Brody
I am not able to login with the demo username and password.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scot Desort
Sent: Thursday, November 06, 2003 10:28 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Opinions on web interface


I just finished throwing together a web interface to allow our customers
to self-maintain their spam thresholds, whitelists and declude actions.
It's very simple, but does everything we need. Written in ColdFusion,
SQL database to store settings, with a custom tag that writes the text
files to disk for Declude to read. The only thing that would be nice
would be to have it sync the password with the IMAIL password. I suppose
one of these days I will convert all of my domains to SQL for IMAIL
password storage, which would solve the problem.

Your comments are welcomed:

http://spamwatch.njaccess.com

demo login
user name: [EMAIL PROTECTED]
pw: spam

Feel free to play around. It's not a live account.

Thanks,


--
Scot




Re: [Declude.JunkMail] Pexicom - was one more try...

2003-11-06 Thread Matthew Bramble




I did a little more checking around those IP blocks and found that I
only had a small portion of this guy's network tagged. He has about
600 IP's and over 30 domains spread across 5 concurrent blocks of
addresses. Naturally this isn't necessarily all of it, but you can
identify more blocks by searching the headers of a spam capture for
occurrences of "X-JLH:" in the headers, which is unique to this guy at
the moment. This is what I have thus far:

 208.184.54.0/25
 208.184.58.0/25
 209.249.21.128/25
 209.249.55.128/25
 216.200.60.16/28
 216.200.60.32/27
 216.200.60.64/26

I also listed the domains that come up in reverse DNS as comments in
the filter file, though you probably don't need to be filtering for
them.

I rewrote the filter to work as an "ipfile" in Declude, which means
that it will work on Standard as well as Pro versions. This one block
of addresses sends a piece of spam to my server once every 10 minutes
or less on a volume of about 4,000 a day currently. This means that he
is responsible for about 3.6% of my total mail volume, and of course,
3.6% of my mail filtering processing power. He also isn't listed
consistently on any RBL's with these addresses and only fails most of
the time on my server because he also has a problem with BADHEADERS.
So I think it definitely makes sense to add the attached filter (note
the slight configuration change to reflect the "ipfile" type instead of
"filter" type). It should be very easy on resources, but kill it when
SBL picks up the block.

Considering the volume of spam from this one guy, and SBL's claim for
instance that 90% of the spam is sent from a core group of 200 spammers
(which this guy doesn't yet belong to), I think it makes sense to maybe
start blocking either at the router, or at IMail's Access Control
configuration option. You would get the rejection logged in IMail with
the second choice, and it would hardly use any resources to do so. For
servers handling many tens of thousands of messages a day, this might
make a lot of sense to do, and maybe use SBL as a reference for what's
block worthy at a given space in time (I don't think they change much).

Matt



Matthew Bramble wrote:

  
  
Very interesting. Looks like the @b. thing is a standard in some piece
of VERP software. BTW, unless you (generally) are extremely aggressive
(sans FiveTen), this would be a very bad idea to implement as a
filter. So please ignore my initial filter submission...but I've got
something bulletproof to replace it.
  
This spammer that we were trying to identify with that string was
probably Douglas Fields of Pexicom, Inc. His old
network is in SBL (SBL5185), but it appears that he went out and
registered some new blocks of addresses, and got others through
Above.net, from which he also gets bandwidth. If anyone knows how to
report him to SBL, it might help a lot of people. I couldn't figure
out how to report during a cursory search of their site.
  
With the help of your file, a bunch of data from past spam captures,
that header clue that exposed his software, and a little DNS work...I
came up with 9 new blocks not in SBL with reverse DNS names with 9
addresses each (ns1, ns2, www and mail1 through mail6). I won't assume
for a second that is all, but it's a lot and considering the age of
many of the domains, he hasn't yet exposed all of his servers to the
RBL's (less than 1/4 were in a multi-week 150 MB capture that found all
of this stuff). If he wasn't failing BADHEADERS, some of this would
have gotten through on my server, so I wrote it as a filter just for
this one guy and attached it to this note. Implement safely with the
following line, and kill the filter after SBL picks it up.
  
- Global.cfg -
PEXICOM  filter C:\IMail\Declude\Filters\Pexicom.txt  x 25  0
  
My guess is that this guy was approaching 1% of my total E-mail volume,
which is pretty serious, though one of the crud spammers is currently
doing about 5% I think. Hopefully he'll stay put for a while seeing as
how ARIN has him on record:
  
Matt
  
  
  

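The header search described in the Pexicom message above, as an added example (not part of the original posts or their attachments): it scans captured headers for "X-JLH:", takes the sending IP from the topmost Received line, and separates hits inside the listed blocks from hits outside them. The sample headers, the bracketed-IP Received layout and the /24 grouping of new hits are constructed assumptions.

```python
import email
import ipaddress
import re
from collections import Counter

# The CIDR blocks listed in the message above.
KNOWN_BLOCKS = [ipaddress.ip_network(cidr) for cidr in (
    "208.184.54.0/25", "208.184.58.0/25",
    "209.249.21.128/25", "209.249.55.128/25",
    "216.200.60.16/28", "216.200.60.32/27", "216.200.60.64/26",
)]

# Assumption: the receiving server records the peer as "[a.b.c.d]" in Received.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sending_ip(msg):
    """Return the IP from the topmost Received header, or None.

    Only the topmost header is written by the receiving server; anything
    below it was supplied by the sender and can be forged.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = BRACKETED_IP.search(received[0])
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # octet out of range, e.g. "[999.1.1.1]"
        return None


def triage(raw_messages):
    """Sort X-JLH hits into known blocks, candidate /24s and unparsed."""
    known, candidates, unparsed = Counter(), Counter(), 0
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if msg["X-JLH"] is None:
            continue  # marker absent: not part of this search
        ip = sending_ip(msg)
        if ip is None:
            unparsed += 1
            continue
        block = next((b for b in KNOWN_BLOCKS if ip in b), None)
        if block is not None:
            known[str(block)] += 1
        else:
            # Group unknown senders by /24 as leads for reverse DNS and
            # whois checks; X-JLH is sender-controlled, so a hit alone
            # is not grounds for a block.
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            candidates[str(net)] += 1
    return known, candidates, unparsed


def _headers(received_lines, marker=True):
    """Build one constructed header block for the sample capture."""
    lines = [f"Received: {r}" for r in received_lines]
    if marker:
        lines.append("X-JLH: constructed-value")
    lines.append("Subject: constructed sample")
    return "\n".join(lines) + "\n\n"


# Constructed sample capture. Hosts are placeholders; the 192.0.2.x and
# 198.51.100.x addresses are documentation ranges.
SAMPLE_CAPTURE = [
    _headers(["from a.example (a.example [208.184.54.17])\n\tby mx.example.net"]),
    _headers(["from b.example (b.example [216.200.60.40])\n\tby mx.example.net"]),
    _headers(["from c.example (c.example [192.0.2.77])\n\tby mx.example.net"]),
    _headers(["from d.example (d.example [192.0.2.80])\n\tby mx.example.net"]),
    # No X-JLH header: ignored.
    _headers(["from e.example (e.example [198.51.100.5])\n\tby mx.example.net"],
             marker=False),
    # Forged lower Received line: only the topmost hop is counted.
    _headers(["from f.example (f.example [208.184.58.100])\n\tby mx.example.net",
              "from g.example (g.example [198.51.100.9])\n\tby f.example"]),
    # Topmost Received has no bracketed IP: counted as unparsed.
    _headers(["from localhost by mx.example.net"]),
]

if __name__ == "__main__":
    known, candidates, unparsed = triage(SAMPLE_CAPTURE)
    print("inside listed blocks:", dict(known))
    print("outside listed blocks (by /24):", dict(candidates))
    print("X-JLH hits with no usable Received IP:", unparsed)
```
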
RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Matt Robertson
Have you thought of giving users more control over the process?  As in a db tie-in to 
tests, weights and actions?  I use CF as well and I'm figuring on doing something that 
will allow enablement of a particular test, or its disablement, coupled to setting the 
test weight and action performed.  Should be fairly simple to use cffile to write out 
a Declude file with the dangerous stuff hardcoded into it.  Probably 30 days away from 
having the time to finally do it.

I get customization requests daily from this or that user.  Nobody wants the same 
thing.  Frankly I'm sick of hearing it and am ready to turn the process over to the 
user and let them have at it if they want to be the antispam genius.


RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Scot Desort
OK, someone changed the password in the demo. I have reset it back to
'spam'.

Folks, if you do visit the demo page, please don't change the password...
You can change anything else.

http://spamwatch.njaccess.com

[EMAIL PROTECTED]
Pw=spam

--
Scot



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Brody
 Sent: Thursday, November 06, 2003 3:10 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Opinions on web interface
 
 
 I am not able to login with the demo username and password.
 


Re[2]: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Administration
HA!
Preach on my brother! lol..
I am also an admin for an ISP, and I too am extremely sick of hearing people
complain about spam! Like they could do a better job. :-P


 Ken

Thursday, November 6, 2003, 3:34:19 PM, you wrote:

MR Have you thought of giving users more control over the process?  As in
MR a db tie-in to tests, weights and actions?  I use CF as well and I'm
MR figuring on doing something that will allow enablement of a particular test,
MR or its disablement, coupled to setting the test weight and action performed.
MR Should be fairly simple to use cffile to write out a Declude file with the
MR dangerous stuff hardcoded into it.  Probably 30 days away from having the
MR time to finally do it.

MR I get customization requests daily from this or that user.  Nobody
MR wants the same thing.  Frankly I'm sick of hearing it and am ready to turn
MR the process over to the user and let them have at it if they want to be the
MR antispam genius.




-- 
Best regards,
 Administration  mailto:[EMAIL PROTECTED]



RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Scot Desort
Well, we use a weighting system with declude. All of the tests and their
associated weights are hard-coded into global.cfg, with the weightrange
tests. Then, each user has a .junkmail file that basically only contains the
spam control level they have chosen (WEIGHT3 for medium on my web
interface), followed by the chosen action. All of the individual RBL and
filter tests defined in global.cfg are not present in the user's .junkmail
file. Only the cumulative WEIGHT test. Therefore, I don't see how I could
give them more control, since everything else is handled in the global.cfg
file, and I'm sure as hell not going to allow them to mess with that file.

If I was running a simpler config where each test stood on its own, and it
was up to the user to do client side filtering on individual tests and total
declude weight, I guess I could then let them manipulate the inclusion or
exclusion of specific tests in the .junkmail file. However, the majority of
my users want nothing to do with that level of control. When someone signs
up for spam control, we set them up in the db, with declude set to off for
them (no action). This FORCES them to go into the web interface and set up
their account for the first time, become familiar with the controls, and
this way WE cannot be blamed for setting their spam control too high or too
low.

In the future, I might even consider having different actions for different
weights. But even that might be too confusing for them.

On a side note, I am not using CFFILE for writing my files to disk. I am
using a tag that reads a text file into a variable line by line. I can then
search, LINE BY LINE, for individual text (aka TEST names), replace that
SINGLE line of text, then write the entire file back out to disk with that
single line changed. To do this with CFFILE, you would have to do some
looping through the file, looking for carriage returns, etc. This tag
removes the complexity and does it for you.


Thanks for the input...

--
Scot


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Matt 
 Robertson
 Sent: Thursday, November 06, 2003 3:34 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Opinions on web interface
 
 
 Have you thought of giving users more control over the 
 process?  As in a db tie-in to tests, weights and actions?  I 
 use CF as well and I'm figuring on doing something that will 
 allow enablement of a particular test, or its disablement, 
 coupled to setting the test weight and action performed.  
 Should be fairly simple to use cffile to write out a Declude 
 file with the dangerous stuff hardcoded into it.  Probably 30 
 days away from having the time to finally do it.
 
 I get customization requests daily from this or that user.  
 Nobody wants the same thing.  Frankly I'm sick of hearing it 
 and am ready to turn the process over to the user and let 
 them have at it if they want to be the antispam genius.


[Declude.JunkMail] AOL - EARTHLINK

2003-11-06 Thread Terry Parks
I'm still seeing mail bounced back for the above domains. It's not
consistent but I do see this message in my SMTP logs.

11:06 12:35 SMTP-(1E00) 220-America Online (AOL) and its affiliated companies do not
11:06 12:35 SMTP-(1E00) 220- authorize the use of its proprietary computers and computer
11:06 12:35 SMTP-(1E00) 220- networks to accept, transmit, or distribute unsolicited bulk
11:06 12:35 SMTP-(1E00) 220- e-mail sent from the internet.  Effective immediately:  AOL
11:06 12:35 SMTP-(1E00) 220- may no longer accept connections from IP addresses which
11:06 12:35 SMTP-(1E00) 220  have no reverse-DNS (PTR record) assigned.

I did a reverse DNS check from DNSSTUFF.com with success.

Terry



Re: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Matthew Bramble




Scot,

Nice job!

BTW, IMail managed passwords could be modified by way of a script.
There's a tool out there which will decrypt the passwords from your
registry, and I would imagine that you could sync that with your
database without having to convert IMail over to SQL, and hand off new
passwords by way of the built in IMail programs which are also used by
the Web mail products.

Try the following tool and run it with the command
"c:\path\extractUsers.exe -f c:\extractusers"

 http://dev.myownemail.com/Imail/ExtractUsers.htm

In the very least, you could parse the output files, or probably
redirect the output to your database at regular intervals or after
every password change???

Matt


Scot Desort wrote:

  I just finished throwing together a web interface to allow our customers to
self-maintain their spam thresholds, whitelists and declude actions. It's
very simple, but does everything we need. Written in ColdFusion, SQL
database to store settings, with a custom tag that writes the text files to
disk for Declude to read. The only thing that would be nice would be to have
it sync the password with the IMAIL password. I suppose one of these days I
will convert all of my domains to SQL for IMAIL password storage, which
would solve the problem.

Your comments are welcomed:

http://spamwatch.njaccess.com

demo login
user name: [EMAIL PROTECTED]
pw: spam

Feel free to play around. It's not a live account.

Thanks,


--
Scot


- Original Message - 
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:30 PM
Subject: Re: [Declude.JunkMail] WhiteList option questions


  
  

  Just upgrading Declude after a fair amount of time.  The docs say that the
  white list file should go into $default$.junkmail.  Just wanted to confirm
  it goes there and not global.cfg.
  

That is correct.  The WHITELISTFILE option is designed for incoming mail
only, and only applies to the \IMail\Declude\$default$.JunkMail and
per-user/per-domain files.

-Scott

  







Re: [Declude.JunkMail] AOL - EARTHLINK

2003-11-06 Thread R. Scott Perry

 I'm still seeing mail bounced back for the above domains. It's not
 consistent but I do see this message in my SMTP logs.
 11:06 12:35 SMTP-(1E00) 220-America Online (AOL) and its affiliated companies do not
 11:06 12:35 SMTP-(1E00) 220- authorize the use of its proprietary computers and computer
 11:06 12:35 SMTP-(1E00) 220- networks to accept, transmit, or distribute unsolicited bulk
 11:06 12:35 SMTP-(1E00) 220- e-mail sent from the internet

That message is a standard message that they send to everyone who tries
sending mail to AOL.

 I did a reverse DNS check from DNSSTUFF.com with success.

What do the further log file entries show?  Are there any errors in the
further log file entries?

It may be that they are accepting the E-mail, but then later deleting it 
(AOL is known to do this).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Scot Desort
Thanks Matt. 

Geez, one time last year I searched the net endlessly for something like
that util. I came up with tons of stuff to extract users and domain lists,
and even old security exploits in Imail 4.x and 5.x that allowed you to
easily go into the registry and pull passwords out. But this util could be
the answer for me since it pulls passwords. I really didn't want to force
users to use 2 passwords, but I didn't want to hold up the interface being
released. And let's face it, many of them can't remember their email
password anyway since everything is autosaved. But I will look at this util.

Thanks again,

Scot



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Thursday, November 06, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Opinions on web interface


Scot,

Nice job!

BTW, IMail managed passwords could be modified by way of a script.  There's
a tool out there which will decrypt the passwords from your registry, and I
would imagine that you could sync that with your database without having to
convert IMail over to SQL, and hand off new passwords by way of the built in
IMail programs which are also used by the Web mail products.

Try the following tool and run it with the command c:\path\extractUsers.exe
-f c:\extractusers

http://dev.myownemail.com/Imail/ExtractUsers.htm

In the very least, you could parse the output files, or probably redirect
the output to your database at regular intervals or after every password
change???

Matt


Scot Desort wrote:

I just finished throwing together a web interface to allow our customers to
self-maintain their spam thresholds, whitelists and declude actions. It's
very simple, but does everything we need. Written in ColdFusion, SQL
database to store settings, with a custom tag that writes the text files to
disk for Declude to read. The only thing that would be nice would be to have
it sync the password with the IMAIL password. I suppose one of these days I
will convert all of my domains to SQL for IMAIL password storage, which
would solve the problem.

Your comments are welcomed:

http://spamwatch.njaccess.com

demo login
user name: [EMAIL PROTECTED]
pw: spam

Feel free to play around. It's not a live account.

Thanks,


--
Scot


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:30 PM
Subject: Re: [Declude.JunkMail] WhiteList option questions


  
Just upgrading Declude after a fair amount of time.  The docs say that the
white list file should go into $default$.junkmail.  Just wanted to confirm
it goes there and not global.cfg.
  
That is correct.  The WHITELISTFILE option is designed for incoming mail
only, and only applies to the \IMail\Declude\$default$.JunkMail and
per-user/per-domain files.

-Scott




Re: Re[2]: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread paul
 HA!
 Preach on my brother! lol..
 I am also an admin for an ISP, and I too am extremely sick of hearing people
 complain about spam! Like they could do a better job. :-P

Well, similar spot here, BUT I'm VERY leery of giving them any means to mess
up their mail. I'd probably spend more time troubleshooting their mistakes
than in what I do now. I don't need that added pain.  You KNOW it would
happen. I didn't know adding that to my filters would kill all my mail, can
you go in and fix it?

Paul




RE: [Declude.JunkMail] OT: Do you use ColdFusion?

2003-11-06 Thread Robert Forsyth
I have about 15...why?

Robert

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason (by way
of R. Scott Perry [EMAIL PROTECTED])
Sent: Thursday, November 06, 2003 4:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: Do you use ColdFusion?


I was just wondering how many people here have a ColdFusion server at
their 
disposal.

Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124



[Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread Mike Gable



Hi. I've composed a simple but effective subject filter for non-alpha-num
characters that are intended to obfuscate words and phrases. It is catching a
lot more junk than before. My hold weight is 25 and delete is 35. Forgive me
if this is an old idea. Here it is:

SUBJECT 6 CONTAINS ~
SUBJECT 4 CONTAINS `
SUBJECT 2 CONTAINS !
SUBJECT 4 CONTAINS @
SUBJECT 4 CONTAINS #
SUBJECT 6 CONTAINS $
SUBJECT 6 CONTAINS %
SUBJECT 6 CONTAINS ^
SUBJECT 2 CONTAINS 
SUBJECT 4 CONTAINS *
SUBJECT 2 CONTAINS (
SUBJECT 2 CONTAINS )
SUBJECT 2 CONTAINS -
SUBJECT 6 CONTAINS _
SUBJECT 2 CONTAINS +
SUBJECT 2 CONTAINS =
SUBJECT 6 CONTAINS |
SUBJECT 6 CONTAINS \
SUBJECT 2 CONTAINS {
SUBJECT 2 CONTAINS }
SUBJECT 2 CONTAINS [
SUBJECT 2 CONTAINS ]
SUBJECT 2 CONTAINS :
SUBJECT 4 CONTAINS ;
SUBJECT 2 CONTAINS "
SUBJECT 4 CONTAINS '
SUBJECT 6 CONTAINS 
SUBJECT 6 CONTAINS 
SUBJECT 2 CONTAINS ,
SUBJECT 2 CONTAINS .
SUBJECT 2 CONTAINS ?
SUBJECT 4 CONTAINS /


Re: [Declude.JunkMail] OT: Do you use ColdFusion?

2003-11-06 Thread Matthew Bramble




I've got one, but don't really use it. I much prefer ASP, if just for
the integration and stability.

Matt



Jason (by way of R. Scott Perry) wrote:

I was just wondering how many people here have a ColdFusion server at their
disposal.

Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124
  








RE: [Declude.JunkMail] OT: Do you use ColdFusion?

2003-11-06 Thread Keith Purtell
Me.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email:  [EMAIL PROTECTED]



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Jason
 (by way of
 R. Scott Perry [EMAIL PROTECTED])
 Sent: Thursday, November 06, 2003 3:43 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] OT: Do you use ColdFusion?


 I was just wondering how many people here have a ColdFusion
 server at their
 disposal.

 Jason Wolfe
 Lead Developer
 Netcomm, Inc.
 http://www.netcomm.com
 (859) 224-4124



RE: [Declude.JunkMail] Pexicom - was one more try...

2003-11-06 Thread Gufler Markus
Great work Matthew! 
Have seen this type of messages from the IP block 207.251.96.201 ... 204 in the last 
10 days.


So I've added
 
207.251.96.200/29 [207.251.96.200] - [207.251.96.207] # mckinseyquarterly.com 

to your pexicom-ipfile.

Anyone knows www.mckinseyquarterly.com ?
Looks legit...  ?


Looks like this guy has invested a lot to create a big spam-engine

Maybe some Declude Pro users should set up a filter file to identify the X-JLH. So 
we could create gradually a more complete picture of this distributed spam processing 
technique.

PEXICOM-HEADER filter C:\IMail\Declude\filters\pexicom_header.txt x 5 0

And in the pexicom_header.txt file

HEADERS 0 CONTAINS X-JLH


---
Gufler Markus 
 


RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Daniel Grotjan
Scot,
The web interface looks good.  I created something similar using ASP and a custom COM 
object I wrote.  It uses Imail rules instead of the individual junkmail files to 
process the mail based on weight test.  I implemented it about a month ago and so far 
we have over a thousand users using it and all of them are thrilled about it.  I don't 
have a demo set up, but I have a screenshot of it if you want to see.  
http://www.kimbanet.com/junkmail.jpg

Daniel


Re: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread Sanford Whiteman
 It  is  catching  a  lot more junk than before.

Checked your FPs lately?

 SUBJECT 2 CONTAINS -

I get countless legit e-mails with hyphens in the Subject.

 SUBJECT 2 CONTAINS [
 SUBJECT 2 CONTAINS ]

Mailing list e-mails very often use brackets in the Subject, so you're
giving more weight to an area that's already dangerous.

 SUBJECT 2 CONTAINS :

'Re:' gets a demerit?

 SUBJECT 4 CONTAINS ;

A perfectly legitimate punctuation mark.

 SUBJECT 2 CONTAINS 

We can't use quotation marks anymore?

 SUBJECT 2 CONTAINS ,

NO COMMAS???

 SUBJECT 2 CONTAINS ?

NO QUESTION MARKS???

I place approximately zero stock in tests this general. YMMV, I
suppose. Or perhaps you're not mentioning the aggregate threshold
you're going for before actual points are assigned.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




RE: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread Pete McNeil



Scott,
A good add-on test might be a count of punctuation characters in the 
subject. That would be very close to this suggestion but might be easier to use 
and require less processing.

In particular the drug  "member augmentation" folks are on a tear 
lately obfuscating subjects this way. In general a legit subject line seldom (if 
ever) has more than 3 punctuation marks. Obfuscated subjects can have higher 
than 20 and frequently have higher than 7.

Just a thought.

_M

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Gable
  Sent: Thursday, November 06, 2003 4:53 PM
  To: Declude (E-mail 2)
  Subject: [Declude.JunkMail] Non-alpha-numeric subject filter

  Hi. I've composed a simple but effective subject filter for non-alpha-num
  characters that are intended to obfuscate words and phrases. It is catching a
  lot more junk than before. My hold weight is 25 and delete is 35. Forgive me
  if this is an old idea. Here it is:

  SUBJECT 6 CONTAINS ~
  SUBJECT 4 CONTAINS `
  SUBJECT 2 CONTAINS !
  SUBJECT 4 CONTAINS @
  SUBJECT 4 CONTAINS #
  SUBJECT 6 CONTAINS $
  SUBJECT 6 CONTAINS %
  SUBJECT 6 CONTAINS ^
  SUBJECT 2 CONTAINS 
  SUBJECT 4 CONTAINS *
  SUBJECT 2 CONTAINS (
  SUBJECT 2 CONTAINS )
  SUBJECT 2 CONTAINS -
  SUBJECT 6 CONTAINS _
  SUBJECT 2 CONTAINS +
  SUBJECT 2 CONTAINS =
  SUBJECT 6 CONTAINS |
  SUBJECT 6 CONTAINS \
  SUBJECT 2 CONTAINS {
  SUBJECT 2 CONTAINS }
  SUBJECT 2 CONTAINS [
  SUBJECT 2 CONTAINS ]
  SUBJECT 2 CONTAINS :
  SUBJECT 4 CONTAINS ;
  SUBJECT 2 CONTAINS "
  SUBJECT 4 CONTAINS '
  SUBJECT 6 CONTAINS 
  SUBJECT 6 CONTAINS 
  SUBJECT 2 CONTAINS ,
  SUBJECT 2 CONTAINS .
  SUBJECT 2 CONTAINS ?
  SUBJECT 4 CONTAINS /
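
Added example, not code from any poster in this thread: it scores subjects with the per-character filter lines posted above and with the punctuation count suggested in this reply, so the false-positive objection and the count idea can be compared on real subjects. Assumptions: each filter line adds its weight once when it matches; the three lines whose character did not survive in the archive are omitted; "punctuation" means Python's `string.punctuation`; stripping reply prefixes and list tags before counting is this example's own refinement.

```python
import re
import string

# Filter lines as posted in this thread (SUBJECT <weight> CONTAINS <text>).
# Three lines whose character did not survive in the archive are left out.
FILTER_TEXT = r"""
SUBJECT 6 CONTAINS ~
SUBJECT 4 CONTAINS `
SUBJECT 2 CONTAINS !
SUBJECT 4 CONTAINS @
SUBJECT 4 CONTAINS #
SUBJECT 6 CONTAINS $
SUBJECT 6 CONTAINS %
SUBJECT 6 CONTAINS ^
SUBJECT 4 CONTAINS *
SUBJECT 2 CONTAINS (
SUBJECT 2 CONTAINS )
SUBJECT 2 CONTAINS -
SUBJECT 6 CONTAINS _
SUBJECT 2 CONTAINS +
SUBJECT 2 CONTAINS =
SUBJECT 6 CONTAINS |
SUBJECT 6 CONTAINS \
SUBJECT 2 CONTAINS {
SUBJECT 2 CONTAINS }
SUBJECT 2 CONTAINS [
SUBJECT 2 CONTAINS ]
SUBJECT 2 CONTAINS :
SUBJECT 4 CONTAINS ;
SUBJECT 2 CONTAINS "
SUBJECT 4 CONTAINS '
SUBJECT 2 CONTAINS ,
SUBJECT 2 CONTAINS .
SUBJECT 2 CONTAINS ?
SUBJECT 4 CONTAINS /
"""

HOLD_WEIGHT = 25   # hold threshold quoted by the filter's author
PUNCT_LIMIT = 3    # "seldom (if ever) has more than 3 punctuation marks"

# Reply/forward prefixes ("Re:", "Re[2]:", "Fwd:") and bracketed list tags.
# Stripping them before counting is an assumption of this example.
PREFIX_RE = re.compile(r"^(?:\s*(?:re|fwd?)(?:\[\d+\])?:|\s*\[[^\]]*\])+\s*",
                       re.IGNORECASE)


def parse_filter(text):
    """Return [(needle, weight)] for every well-formed SUBJECT ... CONTAINS line."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "SUBJECT" and parts[2] == "CONTAINS":
            if parts[1].isdigit():
                rules.append((parts[3].rstrip(), int(parts[1])))
    return rules


def filter_weight(subject, rules):
    """Sum the weights of matching lines (assumed: each line counts once)."""
    hits = [(needle, w) for needle, w in rules if needle in subject]
    return sum(w for _, w in hits), [needle for needle, _ in hits]


def punctuation_count(subject, strip_prefixes=True):
    """Count punctuation characters, optionally ignoring reply and list prefixes."""
    if strip_prefixes:
        subject = PREFIX_RE.sub("", subject)
    return sum(ch in string.punctuation for ch in subject)


def assess(subject, rules):
    """Score one subject both ways and flag it against the thread's thresholds."""
    weight, hits = filter_weight(subject, rules)
    count = punctuation_count(subject)
    return {"weight": weight, "hits": hits, "count": count,
            "over_hold_alone": weight >= HOLD_WEIGHT,
            "over_punct_limit": count > PUNCT_LIMIT}


if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    samples = [
        "Re: [Declude.JunkMail] Opinions on web interface",  # subject from this list
        "m'ake my d#ay b:etter by b+locking my$ e*mail",      # sample quoted in the thread
        "Quarterly report, draft 2 - comments?",              # constructed
    ]
    for s in samples:
        r = assess(s, rules)
        print(f"{r['weight']:>3} pts  {r['count']:>2} marks  {s}")
```

An ordinary reply on this list already collects 8 points from the per-character lines, while the prefix-aware count leaves it at zero marks and still flags the obfuscated sample.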


RE: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread John Tolmachoff \(Lists\)









Some of those are going to have a large FP rate.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Gable
Sent: Thursday, November 06, 2003 1:53 PM
To: Declude (E-mail 2)
Subject: [Declude.JunkMail] Non-alpha-numeric subject filter





Hi. I've composed a simple but effective subject filter for
non-alpha-num characters that are intended to obfuscate words and phrases. It
is catching a lot more junk than before. My hold weight is 25 and delete is 35.
Forgive me if this is an old idea. Here it is:











SUBJECT 6 CONTAINS ~
SUBJECT 4 CONTAINS `
SUBJECT 2 CONTAINS !
SUBJECT 4 CONTAINS @
SUBJECT 4 CONTAINS #
SUBJECT 6 CONTAINS $
SUBJECT 6 CONTAINS %
SUBJECT 6 CONTAINS ^
SUBJECT 2 CONTAINS 
SUBJECT 4 CONTAINS *
SUBJECT 2 CONTAINS (
SUBJECT 2 CONTAINS )
SUBJECT 2 CONTAINS -
SUBJECT 6 CONTAINS _
SUBJECT 2 CONTAINS +
SUBJECT 2 CONTAINS =
SUBJECT 6 CONTAINS |
SUBJECT 6 CONTAINS \
SUBJECT 2 CONTAINS {
SUBJECT 2 CONTAINS }
SUBJECT 2 CONTAINS [
SUBJECT 2 CONTAINS ]
SUBJECT 2 CONTAINS :
SUBJECT 4 CONTAINS ;
SUBJECT 2 CONTAINS 
SUBJECT 4 CONTAINS '
SUBJECT 6 CONTAINS 
SUBJECT 6 CONTAINS 
SUBJECT 2 CONTAINS ,
SUBJECT 2 CONTAINS .
SUBJECT 2 CONTAINS ?
SUBJECT 4 CONTAINS /












RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Jason Newland
Would you be interested in sharing this. It looks great!

Thanks!

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Grotjan
Sent: Thursday, November 06, 2003 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Opinions on web interface


Scot,
The web interface looks good.  I created something similar using ASP and
a custom COM object I wrote.  It uses Imail rules instead of the
individual junkmail files to process the mail based on weight test.  I
implemented it about a month ago and so far we have over a thousand
users using it and all of them are thrilled about it.  I don't have a
demo set up, but I have a screenshot of it if you want to see.
http://www.kimbanet.com/junkmail.jpg

Daniel


RE: [Declude.JunkMail] OT: Do you use ColdFusion?

2003-11-06 Thread ISPhuset Nordic / Benny Samuelsen
Me too :-) 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: 6. november 2003 23:02
To: [EMAIL PROTECTED]

I do.

Fred
- Original Message -
From: Jason (by way of R. Scott Perry [EMAIL PROTECTED])
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 4:42 PM
Subject: [Declude.JunkMail] OT: Do you use ColdFusion?


 I was just wondering how many people here have a ColdFusion server at
their
 disposal.

 Jason Wolfe
 Lead Developer
 Netcomm, Inc.
 http://www.netcomm.com
 (859) 224-4124



Re: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Burzin Sumariwalla
Very Nice.

Burzin

At 12:27 PM 11/6/2003, you wrote:
I just finished throwing together a web interface to allow our customers to
self-maintain their spam thresholds, whitelists and declude actions. It's
very simple, but does everything we need. Written in ColdFusion, SQL
database to store settings, with a custom tag that writes the text files to
disk for Declude to read. The only thing that would be nice would be to have
it sync the password with the IMAIL password. I suppose one of these days I
will convert all of my domains to SQL for IMAIL password storage, which
would solve the problem.
Your comments are welcomed:

http://spamwatch.njaccess.com

demo login
user name: [EMAIL PROTECTED]
pw: spam
Feel free to play around. It's not a live account.

Thanks,

--
Scot
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 4:30 PM
Subject: Re: [Declude.JunkMail] WhiteList option questions

 Just upgrading Declude after a fair amount of time.  The docs say that
the
 white list file should go into $default$.junkmail.  Just wanted to
confirm
 it goes there and not global.cfg.

 That is correct.  The WHITELISTFILE option is designed for incoming mail
 only, and only applies to the \IMail\Declude\$default$.JunkMail and
 per-user/per-domain files.

 -Scott
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread GlobalWeb.net Webmaster
We have similar tests set up, less the {}[]

We set a weight of 1 for each mark; expect to have many emails that will
fail one or two instances of this test - no problem;  it's the latest
craze with subjects like 

m'ake my d#ay b:etter by b+locking my$ e*mail

That get caught with this, as they should...


Sincerely,

Randy Armbrecht
Global Web Solutions®, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562) ext. 1
http://globalweb.net 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Thursday, November 06, 2003 5:16 PM
To: Mike Gable
Subject: Re: [Declude.JunkMail] Non-alpha-numeric subject filter


 It  is  catching  a  lot more junk than before.

Checked your FPs lately?

 SUBJECT 2 CONTAINS -

I get countless legit e-mails with hyphens in the Subject.

 SUBJECT 2 CONTAINS [
 SUBJECT 2 CONTAINS ]

Mailing list e-mails very often use brackets in the Subject, so you're
giving more weight to an area that's already dangerous.

 SUBJECT 2 CONTAINS :

'Re:' gets a demerit?

 SUBJECT 4 CONTAINS ;

A perfectly legitimate punctuation mark.

 SUBJECT 2 CONTAINS "

We can't use quotation marks anymore?

 SUBJECT 2 CONTAINS ,

NO COMMAS???

 SUBJECT 2 CONTAINS ?

NO QUESTION MARKS???

I  place  approximately  zero  stock  in  tests  this general. YMMV, I
suppose.  Or  perhaps  you're  not  mentioning the aggregate threshold
you're going for before actual points are assigned.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




Re: [Declude.JunkMail] Pexicom - was one more try...

2003-11-06 Thread Matthew Bramble
Gufler,

I think you actually identified Cheetah Mail with that block.  Here's 
what SenderBase has for that range:

   
http://www.senderbase.org/search?searchString=207.251.96.200whichOthers=%2F24

I would highly advise not blocking Cheetah Mail, at least 
indiscriminately.  They do have a pretty good opt-in policy for their 
member companies, and they serve only the largest such companies.  
Although one of the companies using their services might have opted 
users in inappropriately, that typically isn't the case with them.  Same 
goes for Dart Mail and a few others.

The header search for that  X-JLH: string though did expose another 
large block of addresses for Pexicom, one in fact that I had been 
collecting IP's for blocking outside of this hunt.  Now that I am giving 
this stuff so much weight, and deleting at those weights, the remaining 
stuff that comes through is easy to identify.  So I've added the 
following blocks.  You will probably recognize the domains listed in the 
updated file (at the top).

   64.124.165.0/25 [64.124.165.0] - [64.124.165.127]
   64.124.165.128/26 [64.124.165.128] - [64.124.165.191]
   64.124.165.192/27 [64.124.165.192] - [64.124.165.223]
   64.125.181.0/24 [64.125.181.0] - [64.125.181.255]

It seems that both ranges, especially the class C, are used without 
reverse DNS sometimes, and the names seem to change.  The class C is 
also the range that they have listed on SBL, and it's not by any means 
defunct.  This guy has about 1,000 IP's at his disposal to spam from, 
and he consistently makes use of a lot of them to send out what I term 
contest spam.

Note that after the CIDR range, those are effectively comments in an 
IPFILE, and they will show up in your logs or headers if you use WARN 
(no need to add a # symbol).

I've attached a new version of the filter.  Some might want to block at 
the router or IMail to save on processing.  He's probably up to 5% of my 
mail volume with these additions.

Matt



Gufler Markus wrote:

Great work Matthew! 
Have seen this type of messages from the IP block 207.251.96.201 ... 204 in the last 10 days.

So I've added

207.251.96.200/29 [207.251.96.200] - [207.251.96.207] # mckinseyquarterly.com 

to your pexicom-ipfile.

Anyone knows www.mckinseyquarterly.com ?
Looks legit...  ?
Looks like this guy has invested a lot to create a big spam-engine

Maybe some Declude Pro users should set up a filter file to identify the X-JLH. So we could create gradually a more complete picture of this distributed spam processing technique.

PEXICOM-HEADER filter C:\IMail\Declude\filters\pexicom_header.txt x 5 0

And in the pexicom_header.txt file

HEADERS 0 CONTAINS X-JLH

---
Gufler Markus 

 

--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===


Pexicom.zip
Description: Zip compressed data
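
A consistency check for IPFILE entries like the ones in the message above, as an added example that is not part of the original post or of Declude: it assumes the layout shown there (a CIDR block followed by free-text notes) and verifies that the bracketed range in the notes agrees with the CIDR, that no block has host bits set, and that blocks do not overlap. The function names and the second, deliberately wrong sample are constructed.

```python
"""Sanity-check CIDR lines and their bracketed range notes (added example)."""
import ipaddress
import re

# "[first] - [last]" note that follows the CIDR block on each line.
RANGE_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]\s*-\s*\[(\d+\.\d+\.\d+\.\d+)\]")

# The four blocks listed in the message above.
PEXICOM_BLOCKS = """
64.124.165.0/25 [64.124.165.0] - [64.124.165.127]
64.124.165.128/26 [64.124.165.128] - [64.124.165.191]
64.124.165.192/27 [64.124.165.192] - [64.124.165.223]
64.125.181.0/24 [64.125.181.0] - [64.125.181.255]
"""

# Constructed sample with three mistakes, using documentation address ranges.
CONSTRUCTED_BAD = """
192.0.2.10/24 [192.0.2.0] - [192.0.2.255]
198.51.100.64/26 [198.51.100.64] - [198.51.100.255]
198.51.100.0/24 [198.51.100.0] - [198.51.100.255]
"""


def check_ipfile(text):
    """Return (entries, problems) for the given file text.

    entries is a list of (network, note); problems is a list of strings.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cidr, _, note = line.partition(" ")
        try:
            # strict=True rejects blocks such as 192.0.2.10/24 (host bits set)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"line {lineno}: bad CIDR ({exc})")
            continue
        match = RANGE_RE.search(note)
        if match:
            expected = (str(net.network_address), str(net.broadcast_address))
            if match.groups() != expected:
                problems.append(
                    f"line {lineno}: note says {match.group(1)}-{match.group(2)}, "
                    f"{cidr} is {expected[0]}-{expected[1]}"
                )
        for other, _ in entries:
            if net.overlaps(other):
                problems.append(f"line {lineno}: {net} overlaps {other}")
        entries.append((net, note.strip()))
    return entries, problems


def total_addresses(entries):
    """Number of addresses covered by all blocks together."""
    return sum(net.num_addresses for net, _ in entries)


def covered(entries, ip):
    """True if the address falls inside any listed block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net, _ in entries)


if __name__ == "__main__":
    blocks, issues = check_ipfile(PEXICOM_BLOCKS)
    print(len(blocks), "blocks,", total_addresses(blocks), "addresses,", issues)
    for issue in check_ipfile(CONSTRUCTED_BAD)[1]:
        print(issue)
```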


RE: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread John Tolmachoff \(Lists\)
SpamCheck already does that.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Thursday, November 06, 2003 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Non-alpha-numeric subject filter

Scott,

A good add-on test might be a count of punctuation characters in the
subject. That would be very close to this suggestion but might be easier to
use and require less processing.

In particular the drug & member augmentation folks are on a tear lately
obfuscating subjects this way. In general a legit subject line seldom (if
ever) has more than 3 punctuation marks. Obfuscated subjects can have higher
than 20 and frequently have higher than 7.

Just a thought.

_M

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Gable
Sent: Thursday, November 06, 2003 4:53 PM
To: Declude (E-mail 2)
Subject: [Declude.JunkMail] Non-alpha-numeric subject filter

Hi. I've composed a simple but effective subject filter for non-alpha-num
characters that are intended to obfuscate words and phrases. It is catching
a lot more junk than before. My hold weight is 25 and delete is 35. Forgive
me if this is an old idea. Here it is:

SUBJECT 6 CONTAINS ~
SUBJECT 4 CONTAINS `
SUBJECT 2 CONTAINS !
SUBJECT 4 CONTAINS @
SUBJECT 4 CONTAINS #
SUBJECT 6 CONTAINS $
SUBJECT 6 CONTAINS %
SUBJECT 6 CONTAINS ^
SUBJECT 2 CONTAINS 
SUBJECT 4 CONTAINS *
SUBJECT 2 CONTAINS (
SUBJECT 2 CONTAINS )
SUBJECT 2 CONTAINS -
SUBJECT 6 CONTAINS _
SUBJECT 2 CONTAINS +
SUBJECT 2 CONTAINS =
SUBJECT 6 CONTAINS |
SUBJECT 6 CONTAINS \
SUBJECT 2 CONTAINS {
SUBJECT 2 CONTAINS }
SUBJECT 2 CONTAINS [
SUBJECT 2 CONTAINS ]
SUBJECT 2 CONTAINS :
SUBJECT 4 CONTAINS ;
SUBJECT 2 CONTAINS "
SUBJECT 4 CONTAINS '
SUBJECT 6 CONTAINS 
SUBJECT 6 CONTAINS 
SUBJECT 2 CONTAINS ,
SUBJECT 2 CONTAINS .
SUBJECT 2 CONTAINS ?
SUBJECT 4 CONTAINS /














[Declude.JunkMail] FORGEDHELO-FQDN

2003-11-06 Thread John Tolmachoff \(Lists\)
Wouldn't it be better to use ENDSWITH rather than IS?

Example, if the office domain is mail.123domain.com, IS would not catch a
HELO of 123domain.com.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Andy Schmidt
I question the importance to make the interface "cross platform" - when the
tool that you are managing (Imail and Declude) are Windows specific? I'd
personally rather use the web server that is already optimized for that
environment and offers me plenty of control: IIS.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
  Sent: Thursday, November 06, 2003 05:35 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

  OT - sort of.

  We do most of our heavy web work in Java/JSP. We've tossed around the idea
  of building a Java app that would accept HTTP connections (perhaps on an
  alternate port) and provide an interface to Declude & other spam
  management tools for users & admins.

  Our development schedule is _very_ full, but if there is a significant
  interest in this I could explore shifting some effort in that direction.

  As a dedicated Java app it would be cross-platform compatible (in theory),
  relatively secure, lightweight, and could be configured to run along side
  any web services that might be present (such as KWM). In an IMail
  environment we could even present a postini-like interface for users to
  "release" their held spam - and generate accurate false positive reporting
  in the process, etc... (these are the ideas we have anyway...)

  Thoughts?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Thursday, November 06, 2003 4:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: Do you use ColdFusion?

I've got one, but don't really use it. I much prefer ASP, if just for the
integration and stability.

Matt


Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Matthew Bramble




I'm not sure that I totally followed you, however I think I know where
you are going with that. FP reporting is important to your product,
and anything that could make the process easier would benefit all of
your users, even if some didn't use it.

Speaking for myself and from my perception of what I have seen, I think
my approach to management of such things, while not totally out of the
ordinary, is unique, and I have the same perception of most here.
While I have Web-mail (KWM), I don't use it except for spam reviewing,
and my users hardly use it at all. Over time I expect to be doing a
lot more gateway spam blocking, in which case a setup for managing such
domains would need to be quite different since they aren't locally
hosted, but locally managed. The real usefulness might be in single
domain installations.

Maybe I'm not following what you are getting at though. It might be
real nice though to come up with a plug-in for reporting spam and false
positives in the mail client, or at least the Web-mail client. If I
chose to report spam from a Web mail client for instance, it will munge
the HTML stuff and you could lose some important data for processing.
Having the original header information would also be quite useful for a
dual match with the body URL for your filtering (this has given me some
issues in my trial and forces me to score low in the event of forwarded
content from legit users). Don't get me wrong though, by in large, I'm
very impressed with your architecture after three days of trialing your
product.

Matt



Pete McNeil wrote:

  
  OT - sort of.

  We do most of our heavy web work in Java/JSP. We've tossed around the idea
  of building a Java app that would accept HTTP connections (perhaps on an
  alternate port) and provide an interface to Declude & other spam
  management tools for users & admins.

  Our development schedule is _very_ full, but if there is a significant
  interest in this I could explore shifting some effort in that direction.

  As a dedicated Java app it would be cross-platform compatible (in theory),
  relatively secure, lightweight, and could be configured to run along side
  any web services that might be present (such as KWM). In an IMail
  environment we could even present a postini-like interface for users to
  "release" their held spam - and generate accurate false positive reporting
  in the process, etc... (these are the ideas we have anyway...)

  Thoughts?
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matthew
Bramble
Sent: Thursday, November 06, 2003 4:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: Do you use ColdFusion?


I've got one, but don't really use it. I much prefer ASP, if just for
the integration and stability.

Matt



Jason (by way of R. Scott Perry ) wrote:

I was just wondering how many people here have a
ColdFusion server at their disposal. 
  
Jason Wolfe 
Lead Developer 
Netcomm, Inc. 
  http://www.netcomm.com
  
(859) 224-4124 




-- 
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===





RE: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread Mike Gable
Sandy, I think you're missing the point.

My weighting system has enough slop in it to allow for some points to be
given to legitimate senders. Even the Declude JunkMail list now gets 4
points for having [ and ] in the subject, but it still comes through fine.
If we try to prevent all false positives we get a lot of junk in our
inboxes. I don't need this filter to have most list emails held for review.
The shoot-first-ask-questions-later RBLs do an excellent job of flagging
legitimate email as SPAM all by themselves. My weights are low enough to
make little or no difference with legitimate emails.

It's these that will get held:

What is G.E.N.ERIC VI.A.G.R.A?   (16 points)
[EMAIL PROTECTED] -- 75% D1SC0UNT!! nisbabct jvvjhgyxmk   (22 points)

Helpful suggestions are appreciated, but ridicule is not.

Mike


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sanford Whiteman
Sent: Thursday, November 06, 2003 2:16 PM
To: Mike Gable
Subject: Re: [Declude.JunkMail] Non-alpha-numeric subject filter


 It  is  catching  a  lot more junk than before.

Checked your FPs lately?

 SUBJECT 2 CONTAINS -

I get countless legit e-mails with hyphens in the Subject.

 SUBJECT 2 CONTAINS [
 SUBJECT 2 CONTAINS ]

Mailing list e-mails very often use brackets in the Subject, so you're
giving more weight to an area that's already dangerous.

 SUBJECT 2 CONTAINS :

'Re:' gets a demerit?

 SUBJECT 4 CONTAINS ;

A perfectly legitimate punctuation mark.

 SUBJECT 2 CONTAINS "

We can't use quotation marks anymore?

 SUBJECT 2 CONTAINS ,

NO COMMAS???

 SUBJECT 2 CONTAINS ?

NO QUESTION MARKS???

I  place  approximately  zero  stock  in  tests  this general. YMMV, I
suppose.  Or  perhaps  you're  not  mentioning the aggregate threshold
you're going for before actual points are assigned.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




[Declude.JunkMail] What test?

2003-11-06 Thread Glen Harvy
Hi,

Is there a test I can implement that will pick this up.

X-Note: This E-mail was sent from (timeout) ([68.37.149.251])

_
Glen Harvy 
Aquarius Communications
for all your Internet Needs.
Phone 9977 3788 Fax 9977 3844


Re: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread Matthew Bramble




FYI, I have seen too many false positives with filters that can
increment scores on multiple matches for me to feel comfortable with
them. It would be nice if Declude would allow for an upper limit to
scoring such things, but in this event, I might suggest changing to a
fixed score for the filter. This was certainly the biggest issue with
the filter that was shared originally with the thread.

Matt



GlobalWeb.net Webmaster wrote:

  We have similar tests set up, less the {}[]

We set a weight of 1 for each mark; expect to have many emails that will
fail one or two instances of this test - no problem;  it's the latest
craze with subjects like 

m'ake my d#ay b:etter by b+locking my$ e*mail

That get caught with this, as they should...


Sincerely,

Randy Armbrecht
Global Web Solutions®, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562) ext. 1
http://globalweb.net 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Sanford
Whiteman
Sent: Thursday, November 06, 2003 5:16 PM
To: Mike Gable
Subject: Re: [Declude.JunkMail] Non-alpha-numeric subject filter


  
  
 It is catching a lot more junk than before.

Checked your FPs lately?

 SUBJECT 2 CONTAINS -

I get countless legit e-mails with hyphens in the Subject.

 SUBJECT 2 CONTAINS [
 SUBJECT 2 CONTAINS ]

Mailing list e-mails very often use brackets in the Subject, so you're
giving more weight to an area that's already dangerous.

 SUBJECT 2 CONTAINS :

'Re:' gets a demerit?

 SUBJECT 4 CONTAINS ;

A perfectly legitimate punctuation mark.

 SUBJECT 2 CONTAINS "

We can't use quotation marks anymore?

 SUBJECT 2 CONTAINS ,

NO COMMAS???

 SUBJECT 2 CONTAINS ?

NO QUESTION MARKS???

I  place  approximately  zero  stock  in  tests  this general. YMMV, I
suppose.  Or  perhaps  you're  not  mentioning the aggregate threshold
you're going for before actual points are assigned.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]




  


-- 
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===
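
The scoring discussed in this thread, modelled as an added example that is not part of any poster's message or of Declude itself: it assumes each SUBJECT ... CONTAINS line adds its weight once per occurrence, which reproduces the 16 points quoted for the G.E.N.ERIC subject, and sets that beside the punctuation count, the fixed score and the upper limit that other posters suggest. The function names and the cap values passed in are hypothetical.

```python
"""Per-occurrence subject scoring, modelled on the filter posted in this thread.

Added illustration only; this is not Declude code. Assumption: each
"SUBJECT <weight> CONTAINS <char>" line adds its weight once for every
occurrence of the character in the subject.
"""
import string

# Weights copied from the posted filter. Three of its lines have no visible
# character in the archive copy and are left out.
WEIGHTS = {
    "~": 6, "`": 4, "!": 2, "@": 4, "#": 4, "$": 6, "%": 6, "^": 6,
    "*": 4, "(": 2, ")": 2, "-": 2, "_": 6, "+": 2, "=": 2, "|": 6,
    "\\": 6, "{": 2, "}": 2, "[": 2, "]": 2, ":": 2, ";": 4, '"': 2,
    "'": 4, ",": 2, ".": 2, "?": 2, "/": 4,
}

HOLD_WEIGHT = 25    # hold and delete weights quoted by the filter's author
DELETE_WEIGHT = 35

# Subjects quoted in the thread.
SAMPLES = [
    "What is G.E.N.ERIC VI.A.G.R.A?",
    "m'ake my d#ay b:etter by b+locking my$ e*mail",
    "Re: [Declude.JunkMail] Non-alpha-numeric subject filter",
]


def per_occurrence_score(subject):
    """Sum the weight of every listed character, once per occurrence."""
    return sum(WEIGHTS[ch] for ch in subject if ch in WEIGHTS)


def breakdown(subject):
    """Return {char: points} so a reviewer can see where a score came from."""
    points = {}
    for ch in subject:
        if ch in WEIGHTS:
            points[ch] = points.get(ch, 0) + WEIGHTS[ch]
    return points


def capped_score(subject, cap):
    """Hypothetical upper limit on what the whole filter may contribute."""
    return min(per_occurrence_score(subject), cap)


def fixed_score(subject, weight):
    """Fixed score: contribute `weight` once if any line matches at all."""
    return weight if any(ch in WEIGHTS for ch in subject) else 0


def punctuation_count(subject):
    """Number of ASCII punctuation characters in the subject."""
    return sum(1 for ch in subject if ch in string.punctuation)


if __name__ == "__main__":
    for subject in SAMPLES:
        print(subject)
        print("  per-occurrence:", per_occurrence_score(subject), breakdown(subject))
        print("  capped at 10:  ", capped_score(subject, 10))
        print("  fixed at 5:    ", fixed_score(subject, 5))
        print("  punctuation:   ", punctuation_count(subject))
```

Run on the list's own subject line, the per-occurrence model gives 12 points from the brackets, colon, period and two hyphens, which is the kind of legitimate-mail score the thread argues about.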





RE: [Declude.JunkMail] OT: Do you use ColdFusion?

2003-11-06 Thread John Moore
Us too!
John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Forsyth
Sent: Thursday, November 06, 2003 3:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OT: Do you use ColdFusion?


I have about 15...why?

Robert

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason (by way
of R. Scott Perry [EMAIL PROTECTED])
Sent: Thursday, November 06, 2003 4:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: Do you use ColdFusion?


I was just wondering how many people here have a ColdFusion server at their
disposal.

Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124



Re: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread Matthew Bramble




Looks like the first try to send was also blocked, so this time the
offensive content is going in a zip. Here's the repost:

I collected a list representing examples of this obfuscation
technique. The first set is all from one spammer (the pill guy that
has a huge volume of crud spam hitting everyone, and sometimes it does
get through based on how clean his IP is):

 (see zip file)

The second set is from other randomized crap spam. There are various
techniques used here:

 (see zip file)

I would hate to target just one spammer with a heavy filter (necessary
in order to help protect from FP's), and certainly you can't tag all of
this stuff. One of my thoughts would be to just look for non-english
characters, and strings with a letter then only certain special
characters and then another letter, and score low. The only problem is
that 26 x 26 = 676 combinations for just one special character three
character combo. So some system of limiting the letter choices would
be wise, for instance, you could limit the strings to just the 15 most
popular letters and eliminate doubles, which would be only 225
combinations per special character, and then choose just 5 or so
special characters. On a subject search, that should be doable. Any
volunteers for finding the 15 most popular letters? I'll be happy to
code it up with a little help.

BTW, spammers using the first type of word obfuscation are also quite
likely to use other types, and fail tests like GIBBERISH, GIBBERISHSUB,
OBFUSCATION, DYNAMIC, FOREIGN, Y!DIRECTED, etc. Very little of this
stuff gets through our filters because these filters do such a good job
at crud detection.

Matt



Kami Razvan wrote:

  
  
  
  
  Hi;
  We tried this idea with words but it became way too long..
  Perhaps this can be used with an ANTI approach like Matt's filters.
  Something like:
  SUBJECT -2 ENDSWITH !
  SUBJECT -4 CONTAINS 's
  So the filters could be cancelled for correct usage. But again this will
  have high FP's.
  Regards,
  Kami

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
  Sent: Thursday, November 06, 2003 5:40 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Non-alpha-numeric subject filter

  Some of those are going to have a large FP rate.

  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Gable
  Sent: Thursday, November 06, 2003 1:53 PM
  To: Declude (E-mail 2)
  Subject: [Declude.JunkMail] Non-alpha-numeric subject filter

  Hi. I've composed a simple but effective subject filter for non-alpha-num
  characters that are intended to obfuscate words and phrases. It is
  catching a lot more junk than before. My hold weight is 25 and delete is
  35. Forgive me if this is an old idea. Here it is:
  
  
  
  
  
  SUBJECT 6 CONTAINS ~
SUBJECT 4 CONTAINS `
SUBJECT 2 CONTAINS !
SUBJECT 4 CONTAINS @
SUBJECT 4 CONTAINS #
SUBJECT 6 CONTAINS $
SUBJECT 6 CONTAINS %
SUBJECT 6 CONTAINS ^
SUBJECT 2 CONTAINS 
SUBJECT 4 CONTAINS *
SUBJECT 2 CONTAINS (
SUBJECT 2 CONTAINS )
SUBJECT 2 CONTAINS -
SUBJECT 6 CONTAINS _
SUBJECT 2 CONTAINS +
SUBJECT 2 CONTAINS =
SUBJECT 6 CONTAINS |
SUBJECT 6 CONTAINS \
SUBJECT 2 CONTAINS {
SUBJECT 2 CONTAINS }
SUBJECT 2 CONTAINS [
SUBJECT 2 CONTAINS ]
SUBJECT 2 CONTAINS :
SUBJECT 4 CONTAINS ;
SUBJECT 2 CONTAINS "
SUBJECT 4 CONTAINS '
SUBJECT 6 CONTAINS 
SUBJECT 6 CONTAINS 
SUBJECT 2 CONTAINS ,
SUBJECT 2 CONTAINS .
SUBJECT 2 CONTAINS ?
SUBJECT 4 CONTAINS /
  
  
  






Subject_Randomization.zip
Description: Zip compressed data


Re: [Declude.JunkMail] FORGEDHELO-FQDN

2003-11-06 Thread Matthew Bramble
Sometimes you have domains where the external admins will set up scripts 
and other SMTP capable devices to send out from your domain, to which 
you have no control over.  Since IMail will only accept the configured 
domain and listed aliases, I make my lists up to be exclusive to this, 
knowing that I won't FP on customer specified settings in their devices.

If there is no possibility of this sort of thing happening, then 
ENDSWITH would be easier, absolutely, but the more precise, the less 
chance for an FP, and I haven't seen any examples where the spammer will 
forge your domain in HELO with a sub-domain in front of it (though I'm 
sure that is possible).

FYI for others, this is a discussion related to the attached filter that 
hasn't been published except on this list.  I have very good results 
with this as well as another one that scores E-mails reporting 
themselves to be named with your IP addresses in HELO (customize for 
your own domains) which is clearly spam.

Matt



John Tolmachoff (Lists) wrote:

Wouldn't it be better to use ENDSWITH rather than IS?

Example, if the office domain is mail.123domain.com, IS would not catch a
HELO of 123domain.com.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
 


# FORGEDHELO-FQDN
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the Fully Qualified Domain Name
# (FQDN) in use on the mail server.
#
# Usage:
# Based on a fail weight of 10.
#
# -Global.cfg-
# FORGEDHELO-FQDN   filter  C:\IMail\Declude\ForgedHELO-FQDN.txt   x   7   0
#
# False Positives:
# Scoring false positives will primarily come from hardware or software with built-in
# SMTP capabilities for sending automated notifications which are configured either by
# default or by configuration to use the name of the mail host.  Mail clients on
# computers using the FQDN of the mail server as their computer name can also produce
# false positives.


# Counterbalances:
# Negative weighting is applied for Netscape and Mozilla mail clients which use the
# domain name listed in the From address.  Counterbalancing is not necessary if all
# local users are configured to use SMTP AUTH, and Declude is configured for
# WHITELIST AUTH (v1.76+) in combination with IMail 8+.
#
# Test Exclusions:
# Messages containing the Netscape/Mozilla marker in the headers.

HEADERS -7  CONTAINS    mozilla


# Filter Matches:
# Looks for FQDN's configured on the server.  Domains should be listed as they appear
# in E-mail addresses as well as how they appear in MX records.  Explicit matching (IS)
# should be used in order to prevent false positives.
#
# A good tool for generating a list of domains that you serve is ExtractUsers which is
# found at http://dev.myownemail.com/Imail/ExtractUsers.htm , placed in
# c:\extractusers\ directory, and run from the command line with
# c:\extractUsers\extractUsers.exe -f c:\extractusers.  This will output a file called
# Domains.txt among other things which can be used to create a list of domains for use
# in this filter.

#HELO   0   IS  example.com
#HELO   0   IS  mail.example.com


# FORGEDHELO-IP
# Last Update: 09/23/2003
#
# Description:
# This filter is designed to detect senders that forge the receiving mail server's IP
# in the HELO as the name of the sending server.  There are no valid reasons to forge a
# local IP, and therefore this test should be scored for automatic rejection.
#
# Usage:
# Based on a fail weight of 10.
#
# -Global.cfg-
# FORGEDHELO-IP filter  C:\IMail\Declude\ForgedHELO-IP.txt   x   15  0
#
# False Positives:
# Intra-network software configured improperly to use the IP as the hostname in HELO.
# Dimac JMail and MIME::Lite have shown this behavior.


# Counterbalances:
# Negative weighting is applied for intra-network devices, software or Web sites that
# by default use or are configured to use an IP in the ranges defined in this filter.
#
# Test Exclusions:
# None by default.

#HELO   -15 CONTAINS    x.x.x.x


# Filter Matches:
# IP addresses that are configured for use on the mail server.  CIDR ranges may not be
# used as this filter is designed to detect text strings and not actual addresses.
# Class C ranges can be specified by leaving off the trailing octet.  The reserved
# localhost address is also included.

#HELO   0   CONTAINS    x.x.x.  (whole Class C)
#HELO   0   CONTAINS    x.x.x.x (single addresses)
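
The IS versus ENDSWITH question and the text-matching note in the FORGEDHELO-IP comments, worked through as an added example that is not part of the attached filters or of Declude: it models the three operators as plain case-insensitive string tests (an assumption), then shows two stricter, hypothetical alternatives, a dot-boundary suffix match and an address-aware check. Only 123domain.com comes from the thread; the other hostnames and the 192.0.2.0/24 range are constructed.

```python
"""IS / ENDSWITH / CONTAINS on HELO strings, modelled as text tests (added example)."""
import ipaddress
import re


def matches(op, helo, value):
    """One filter comparison; case-insensitive matching is an assumption."""
    h, v = helo.lower(), value.lower()
    if op == "IS":
        return h == v
    if op == "ENDSWITH":
        return h.endswith(v)
    if op == "CONTAINS":
        return v in h
    raise ValueError(f"unsupported operator: {op}")


def parse_filter(text):
    """Return (test, weight, operator, value) for each uncommented line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # not a complete filter line
        test, weight, op, value = parts
        rules.append((test.upper(), int(weight), op.upper(), value.strip()))
    return rules


def matching_rules(rules, helo):
    """HELO rules that fire for the given HELO string."""
    return [r for r in rules if r[0] == "HELO" and matches(r[2], helo, r[3])]


def domain_suffix_match(helo, domain):
    """Hypothetical stricter ENDSWITH: the domain itself or a dotted subdomain."""
    h, d = helo.lower().rstrip("."), domain.lower()
    return h == d or h.endswith("." + d)


def helo_ip_in_network(helo, cidr):
    """Address-aware check: HELO must be a bare or bracketed IPv4 literal in cidr."""
    m = re.fullmatch(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", helo.strip())
    if not m:
        return False
    try:
        return ipaddress.ip_address(m.group(1)) in ipaddress.ip_network(cidr)
    except ValueError:
        return False


# Constructed filter lines in the layout of the attached files.
IS_FILTER = "HELO 0 IS mail.123domain.com"
ENDSWITH_FILTER = "HELO 0 ENDSWITH 123domain.com"
IP_TEXT_FILTER = "HELO 0 CONTAINS 192.0.2."

if __name__ == "__main__":
    for helo in ("123domain.com", "mail.123domain.com", "abc123domain.com",
                 "192.0.2.10", "[192.0.2.10]", "10.192.0.2.example.net"):
        print(helo,
              "IS:", bool(matching_rules(parse_filter(IS_FILTER), helo)),
              "ENDSWITH:", bool(matching_rules(parse_filter(ENDSWITH_FILTER), helo)),
              "dot-suffix:", domain_suffix_match(helo, "123domain.com"),
              "CONTAINS ip text:", bool(matching_rules(parse_filter(IP_TEXT_FILTER), helo)),
              "in 192.0.2.0/24:", helo_ip_in_network(helo, "192.0.2.0/24"))
```

The plain suffix and substring tests also fire on the unrelated constructed hostnames, which is the false-positive trade-off behind the filter's advice to use explicit matching.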

Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Sheldon Koehler
I am not a programmer by any stretch of the word! But I would love to see a
user interface and a domain interface for Declude Junkmail that works from
the KWM menus. I have tossed around this idea before but always get
distracted with other projects. I do not remember who (I could search my
email...) I talked to this past spring, but someone was working on this I
think. I never heard anything more so I never followed up (my own fault).

We host about 150 domains on our Imail server. There are about 5000
mailboxes on it. I spend a couple hours per day tweaking settings, answering
Spam related email and tracking down FP's. If I could offload some of this
on the users in a way that would be easy for them, I would love it!

The Auto Whitelist is OK, but we have had several people put [EMAIL PROTECTED] and
then complain they are getting tons of Spam. I did like Scot's interface, as
it was simple and clean but having users remember another password would not
be a good option. And since our KWM sees a lot of use, having the menus
there would be easy for users to find it.


Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




Re: [Declude.JunkMail] High Traffic Windows tweaks

2003-11-06 Thread Frederick Samarelli
The TCP TIME_WAIT  adjustment works great.


- Original Message - 
From: Adrian Hauri [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 9:57 AM
Subject: [Declude.JunkMail] High Traffic Windows tweaks


 For those out there who run a high traffic mailserver

 I just found this article:
 http://www.stalker.com/CommuniGatePro/Scalability.html#TimeWait

 Summary:
 - It is recommended to change the TCP TIME_WAIT time in the windows registry
 from 180 seconds to 20-30 seconds.
 - The Windows system limits the maximum port number assigned to
 outgoing connections. By default this value is 5000. You may want to
 increase that value to 20,000 or more, by adding the MaxUserPort DWORD-type
 value to the
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 key.

 Please let me (and the list) know if you experience a performance increase.

 Cheers

 Adrian



Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Pete McNeil


If I read you right, you might be interested in a java applet that can be
tied into KWM or even built into a web page you develop... perhaps using
page based JS to gather message details to feed to the applet... It
sounds like a lot of complexity but it's worth looking in that direction.
The applet would be able to make specialized HTTP calls back to the same
server (security restrictions) - and that server could respond using IIS,
CF, or whatever was handy. We do http tunneling like this all the time -
so the question then would be, if a toolbox applet like this existed,
with a well published API, then what tools should/would it contain?

(This is getting far, far off topic unless it quickly leads to a list of
Declude centric adjustments that might be supported in the applet
provided UI... sorry for the ot - Please feel free to contact me off list
if it heads further ot.)
_M
At 06:08 PM 11/6/2003, you wrote:
I'm not sure that I totally followed you, however I think I know where
you are going with that.
FP reporting is important to your product, and anything that could make
the process easier would benefit all of your users, even if some didn't
use it.

Speaking for myself and from my perception of what I have seen, I think
my approach to management of such things, while not totally out of the
ordinary, is unique, and I have the same perception of most here.
While I have Web-mail (KWM), I don't use it except for spam reviewing,
and my users hardly use it at all. Over time I expect to be doing a
lot more gateway spam blocking, in which case a setup for managing such
domains would need to be quite different since they aren't locally
hosted, but locally managed. The real usefulness might be in single
domain installations.
Maybe I'm not following what you are getting at though. It might be
real nice though to come up with a plug-in for reporting spam and false
positives in the mail client, or at least the Web-mail client. If I
chose to report spam from a Web mail client for instance, it will munge
the HTML stuff and you could lose some important data for
processing. Having the original header information would also be
quite useful for a dual match with the body URL for your filtering (this
has given me some issues in my trial and forces me to score low in the
event of forwarded content from legit users). Don't get me wrong
though, by and large, I'm very impressed with your architecture after
three days of trialing your product.
Matt

Pete McNeil wrote:
OT - sort of.

We do most of our heavy web work in
Java/JSP. We've tossed around the idea of building a Java app that would
accept HTTP connections (perhaps on an alternate port) and provide an
interface to Declude & other spam management tools for users & admins.

Our development schedule is _very_ full, but
if there is a significant interest in this I could explore shifting some
effort in that direction.

As a dedicated Java app it would be
cross-platform compatible (in theory), relatively secure, lightweight,
and could be configured to run along side any web services that might be
present (such as KWM). In an IMail environment we could even present a
postini-like interface for users to release their held spam -
and generate accurate false positive reporting in the process, etc...
(these are the ideas we have anyway...)

Thoughts?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Thursday, November 06, 2003 4:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: Do you use ColdFusion?
I've got one, but don't really use it. I much prefer ASP, if just for the integration and stability.
Matt

Jason (by way of R. Scott Perry ) wrote:
I was just wondering how many people here have a ColdFusion server at their disposal. 
Jason Wolfe 
Lead Developer 
Netcomm, Inc. 
http://www.netcomm.com 
(859) 224-4124 

-- 
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===



Re: [Declude.JunkMail] Not scanning outgoing

2003-11-06 Thread R. Scott Perry

Just as a test, I'd like to make sure we're not scanning outgoing messages 
(temporarily).  Besides commenting out the tests on outgoing, is there 
something else to do?
That's all you need to do.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] IPBYPASSing IP range?

2003-11-06 Thread R. Scott Perry

Is there any way to list entire IP ranges for IPBYPASS?
No.  Only single IPs can be listed currently.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Pete McNeil
At 07:16 PM 11/6/2003, you wrote:
 As a dedicated Java app it would be cross-platform compatible (in
 theory), relatively secure, lightweight, and could be configured to run
 along side any web services that might be present (such as KWM). In an
 IMail environment we could even present a postini-like interface for
 users to release their held spam - and generate accurate false
 positive reporting in the process, etc... (these are the ideas we have
 anyway...)

 Thoughts?
How much and when will it be ready? ;-)


:-) ... now where did I put that magic wand, and then I've got to find the 
money tree, give that a shake,... eye of newt...



Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Matthew Bramble




Well, on that topic...

I've taken note of your FP reporting procedure and it doesn't mesh well
with my environment since I capture to accounts that I only access
through Web mail (and so do a lot of people here). Your system
requires that users send reports from their registered addresses. Now,
being a trial user, I'm not certain about the details since it's not
available to me.

Even if I was to download messages to my client, I use Netscape Mail,
and replies and forwards don't include the header information, and my
thought is that this is important for your system to track. I noted a
false positive recently in my capture account for an opt-in members
dieting newsletter and I forwarded it to the intended recipient to ask
if it was in fact wanted/requested, and it was, but even on my forward,
Message Sniffer tagged it because of the URL in the body. I think that
this exposes a weakness of just simply tagging URL's as a one-to-one
match, and maybe that weakness is related to how you gather information
from your customers, or rather the limitations of how you gather.
Having the headers would allow matching senders to URL's on a lot of
spam and avoid many false positives, and simplify tagging of some
static spammers by just doing IP's and avoiding the content. Because
URL content alone can trigger your system, I must weight it lower than
Declude's default settings, but in my environment it is still effective
enough to have a noticeable impact, but I expect to see a few more FP's
as a result. Declude's WHITELIST AUTH should stop the FP's on
intra-server traffic when I upgrade to IMail 8, but there will still be
some coming from individuals forwarding banned content from other
servers. 

I'm not a SpamCop member, but someone here referenced a plug-in for
Outlook which makes reporting spam to them just a simple press of a
button. I would imagine that they can capture the full message that
way and not just the body, and because it's simpler to do, they
probably get a lot more submissions. That was the basis for that part
of my original comments.

One thing that I have been exploring on my service is to embed
something in the messages, headers or otherwise, which gives a
reporting mechanism with some details of the message, though this would
be limited to just some header information in this environment. I
would need to set it up so that only certain users could access this
functionality, and if I could do it HTTP based, I could create a
non-published domain which would need to be configured on a local DNS
server or in the Windows host file so that resolution would work. I
could also, if I wanted to, send non-customers to a different version of
the site, which would be effective for bounce messages for instance. I
suppose that embedding a script by way of a URL might be a way to go,
displaying some buttons in the event that DNS resolution works on these
specially configured networks and machines. I'm just tossing that out
in case it inspires you in any way.

The gist of what you were floating originally though seemed to be
remote management of Declude, and I just don't know that an app such as
Declude, which is so customizable, and changes so frequently, has a
realistic opportunity for full admin functionality without Scott
providing the framework, and per user settings seem to be best done by
way of an interface to IMail's rules and tagging the headers with
Declude, which is a kludge with no standardization (though it most
definitely works and it overcomes the multiple recipient shortcomings
of the environment).

Maybe I'm still misunderstanding you though, so if there was some
specific feedback that you were after, feel free to ask again :)

Thanks,

Matt



Pete McNeil wrote:
If I read you right, you might be interested in a java applet that can be
tied into KWM or even built into a web page you develop... perhaps using
page based JS to gather message details to feed to the applet... It
sounds like a lot of complexity but it's worth looking in that direction.
The applet would be able to make specialized HTTP calls back to the same
server (security restrictions) - and that server could respond using IIS,
CF, or whatever was handy. We do http tunneling like this all the time -
so the question then would be, if a toolbox applet like this existed,
with a well published API, then what tools should/would it contain?

(This is getting far, far off topic unless it quickly leads to a list of
Declude centric adjustments that might be supported in the applet
provided UI... sorry for the ot - Please feel free to contact me off list
if it heads further ot.)

_M

At 06:08 PM 11/6/2003, you wrote:
I'm not sure that I totally followed you, however I think I know where
you are going with that.
FP reporting is important to your product, and anything that could make
the process easier would benefit all of your users, even if some didn't
use it.

Speaking for myself and from my perception of what I have seen, I 

[Declude.JunkMail] Not doing sender actions: 0

2003-11-06 Thread John Tolmachoff \(Lists\)
I just implemented a new configuration for a client and am seeing that line
for each message in the JM log.

I have not seen that one before. Log is in MID.

Correct actions are being taken.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Matthew Bramble
I've thought about the idea of building a digest notification app for 
Declude which allows users to retrieve held messages, change 
notification intervals, whitelist senders (and manage them), and allow 
for users to set their individual spam blocking level.  Again though, 
the last two parts require some integration with IMail rules, and 
exceptions can be messy (how to handle messages to aliases that were 
held), and they wouldn't work in the same regard for gatewayed E-mail.

I'm throwing this out here because if I ever get to this, it will 
probably be a long time and difficult to support as a for-sale 
application.  It would be absolutely killer though, and it would 
dramatically reduce the need for administrators to do monitoring.  It 
also would remind the customer of how much spam we are blocking, and 
give them some control without messing up our Declude setup with endless 
customizations.

I'd gladly pay for something that worked.

Matt



Pete McNeil wrote:

One piece of what I had in mind was a gadget to look through the spam 
folder, and pull out a list of the messages held for a given user. If 
the user decides they want that message (based on from & subject) then 
the utility would send it back into the spool for delivery and make an 
appropriate (and detailed) fp report - perhaps also taking some 
automated tuning actions.

(The cross - platform part means that messages held on a Postfix box 
could also be handled this way - with a few under-the-cover tweaks. 
This would be seamless to the end user and might also work for other 
platforms if it's done in a clean modular way.)

Other parts of the utility would put a pretty face on global, domain, 
& user specific settings in Declude (if any). Again, in a modular way 
- probably switched on and off based on the user that is logged in. 
Here again, some modular design might make the tool portable to other 
environments... but that's a secondary concern.

Does that sound like something in line with your thinking?

Anyway it's a non-trivial project, so it's going to take some pushing 
to move it forward. Strong interest (if it appears) would help.

_M

At 07:14 PM 11/6/2003, you wrote:

I am not a programmer by any stretch of the word! But I would love to see a
user interface and a domain interface for Declude Junkmail that works from
the KWM menus. I have tossed around this idea before but always get
distracted with other projects. I do not remember who (I could search my
email...) I talked to this past spring, but someone was working on this I
think. I never heard anything more so I never followed up (my own fault).

We host about 150 domains on our Imail server. There are about 5000
mailboxes on it. I spend a couple hours per day tweaking settings, answering
Spam related email and tracking down FP's. If I could offload some of this
on the users in a way that would be easy for them, I would love it!

The Auto Whitelist is OK, but we have had several people put [EMAIL PROTECTED] and
then complain they are getting tons of Spam. I did like Scot's interface, as
it was simple and clean but having users remember another password would not
be a good option. And since our KWM sees a lot of use, having the menus
there would be easy for users to find it.

Sheldon

Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!
Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain





Re[2]: [Declude.JunkMail] Non-alpha-numeric subject filter

2003-11-06 Thread Sanford Whiteman
 Sandy, I think you're missing the point.

I don't think so.

A Subject with a pair of [square brackets] in it is alone, practically
speaking,  a  0%  indicator  of  spam,  unless  your  mail  traffic is
separately  insured  against  such incidents (which I doubt it is). As
such, it should comprise 0% of your spam weight.

In  the  same fashion, just having a Subject that ends with a question
mark  is  probably  a .0001% indicator of spam, so you cannot reliably
assign more than .0001% ~= 0% of your spam weight to it.

What you need to make most of your single character filter effective
is  a  threshold  above  which a fixed or computed aggregate weight is
assigned,  and  below  which  NO  weight is assigned. Declude does not
presently  allow  for this, though it's been in the suggestion box for
some  time.  I'm not saying that there aren't *some* single characters
that  deserve  some weight--note that I only quoted about half of your
message in mine.

 Even  the Declude JunkMail list now gets 4 points for having [ and ]
 in the subject, but it still comes through fine.

And  what  number  of  spam messages are you really catching with that
part  of the filter? What happens when one of your users subscribes to
a listserv that has a few other marks against it (REVDNS, et al.), and
then  those  four points push it over the top, while not really having
any real effect in the other direction?

 If we try to prevent all false positives we get a lot of junk in our
 inboxes.

I do not approve of any false positives that prevent message delivery.
Individual  components  in  a weighted system like Declude's that have
high  sensitivity are not false positives in their own right. But when
the  components are disproportionately insensitive to legitimate mail,
they will inevitably lead to FPs in final weighting.

 I  don't  need this filter to have most list emails held for review.

*Most*  list e-mails? We don't have this issue, and if we did, none of
our  clients  would retain us. It's unacceptable for us to assume that
mass  dispatches are not business-critical simply because they are not
person-to-person. Your site's mileage, I note again, may vary; I guess
you're  right  that if you're already HOLDing list e-mails as a normal
thing, holding with a higher weight won't mean much.

 My  weights  are  low  enough  to  make little or no difference with
 legitimate emails.

Doesn't look that way to me. The only weights we assign are those that
have  a  statistically significant chance of being spam. While some of
your  single-character  filters are just fine, the ones I commented on
do not, in my estimation.

 It's these that will get held:

 What is G.E.N.ERIC VI.A.G.R.A?   (16 points)
[EMAIL PROTECTED] -- 75% D1SC0UNT!! nisbabct jvvjhgyxmk   (22 points)

Well,  yes,  if you're using your single-character obfuscation test as
your ONLY Declude test, that's true. But I was not assuming that you'd
chosen  such  a  limited  implementation. I state again that what most
sites  need--maybe  not  yours,  by a stroke of luck--is an all-in-one
test  with  intelligently computed weight, such as SPAMCHK or SNIFFER,
and  not trying to make Declude's FILTER test more sensitive than it's
designed to be.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
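
An added sketch, not from the thread or from Declude, of the threshold scoring described in the message above next to plain additive scoring. The character weights, threshold, cap, hold weight and the weights attributed to "other tests" are all constructed for illustration; the two subjects are taken from this archive page.

```python
# Constructed per-character weights standing in for a single-character
# SUBJECT filter (the filter under discussion is not shown on the page).
CHAR_WEIGHTS = {"[": 2, "]": 2, "?": 1, "!": 1, ".": 1, "$": 2, "%": 1}

THRESHOLD = 8     # constructed: below this aggregate the test adds nothing
CAP = 12          # constructed: most this one test may ever contribute
HOLD_WEIGHT = 20  # constructed: total weight at which a message is held

LIST_SUBJECT = "[Declude.JunkMail] Non-alpha-numeric subject filter"
SPAM_SUBJECT = "What is G.E.N.ERIC VI.A.G.R.A?"


def raw_aggregate(subject):
    """Sum the weight of every listed character occurrence in the subject."""
    return sum(CHAR_WEIGHTS.get(ch, 0) for ch in subject)


def additive_weight(subject):
    """Every hit counts toward the message weight, however few there are."""
    return raw_aggregate(subject)


def thresholded_weight(subject):
    """No weight below THRESHOLD; at or above it, the aggregate capped at CAP."""
    raw = raw_aggregate(subject)
    return 0 if raw < THRESHOLD else min(raw, CAP)


def action(other_tests_weight, subject, scorer):
    """Combine this test with the weight already earned from other tests."""
    total = other_tests_weight + scorer(subject)
    return "HOLD" if total >= HOLD_WEIGHT else "DELIVER"


if __name__ == "__main__":
    # (label, subject, constructed weight from other tests such as REVDNS)
    cases = [
        ("listserv mail", LIST_SUBJECT, 16),
        ("obfuscated spam", SPAM_SUBJECT, 12),
    ]
    for label, subject, other in cases:
        print("%-16s raw=%2d additive=%-7s thresholded=%s" % (
            label,
            raw_aggregate(subject),
            action(other, subject, additive_weight),
            action(other, subject, thresholded_weight),
        ))
```

With these constructed numbers the list message is held only under additive scoring, while the obfuscated subject is held under both.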




[Declude.JunkMail] Processing time

2003-11-06 Thread John Tolmachoff \(Lists\)
At what log level does Declude record the total processing time?

Or how can I otherwise find out the processing time per message?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Sheldon Koehler
 I'd gladly pay for something that worked.

I did not expect it for free. I have the KWM price in mind as a point I
could get my partners to go for. Any higher than this and it would be a very
hard sell for me. So this means a lot of people need to be interested in it!

Our local competition uses Postini. And I have lost a few customers over to
them as people do seem to like that interface. However, I have thrown out
the security thing to muddy the waters ;-) We do not send their email
out to someone else's servers... I let them draw their own wrong
conclusions...

But if I could lighten my own load and give users an easy to use interface,
I would be extremely happy!

Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




Re: [Declude.JunkMail] Processing time

2003-11-06 Thread DLAnalyzer Support
Debug.  We currently log with high and that information is not present in 
the logs.  However, it is with DEBUG. 

Darrell 

John Tolmachoff (Lists) writes: 

At what log level does Declude record the total processing time? 

Or how can I otherwise find out the processing time per message? 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You 

 




Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com 



Re: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Scot Desort
No. This code runs on a separate server. But it must have access to the
/imail/declude folder on the target server via network shares, etc. It needs
to write the declude junkmail files to disk.

--
Scot

- Original Message - 
From: ISPhuset Nordic / Benny Samuelsen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 5:43 PM
Subject: RE: [Declude.JunkMail] Opinions on web interface


 Do you have to run it on the same server as the mail server is running?


 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scot Desort
 Sent: 6. november 2003 22:44
 To: [EMAIL PROTECTED]

 Thanks Keith.

 A bunch of folks have asked about the code. I have no problem sharing it.
 I want to clean it up a bit, add comments, and put together a db schema
 for reference, then I will post a URL for download to the list. Scott can
 then place a link on his add-on page if he wants.

 I am not a professional CF programmer, so some of the code will be a
 little rough. But it's such a small piece of code, there's probably only
 a few things that could be done to tune it up.

 --
 Scot

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Keith Purtell
  Sent: Thursday, November 06, 2003 2:12 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Opinions on web interface
 
 
  That's very well done. We use ColdFusion here, would you be willing to
  send a copy of your code? Or is this more of a $ item?
 
  Keith Purtell, Web/Network Administrator VantageMed Operations (Kansas
  City)
  Email:  [EMAIL PROTECTED]
 
  CONFIDENTIALITY NOTICE: This email message, including any attachments,
  is for the sole use of the intended recipient(s) and may contain
  confidential and privileged information. Any unauthorized review, use,
  disclosure or distribution is prohibited. If you are not the intended
  recipient, please contact the sender by reply email and destroy all
  copies of the original message.
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of Scot Desort
   Sent: Thursday, November 06, 2003 12:28 PM
   To: [EMAIL PROTECTED]
   Subject: [Declude.JunkMail] Opinions on web interface
  
  
   I just finished throwing together a web interface to allow our customers to
   self-maintain their spam thresholds, whitelists and declude actions. It's
   very simple, but does everything we need. Written in ColdFusion, SQL
   database to store settings, with a custom tag that writes the text files to
   disk for Declude to read. The only thing that would be nice would be to have
   it sync the password with the IMAIL password. I suppose one of these days I
   will convert all of my domains to SQL for IMAIL password storage, which
   would solve the problem.
  
   Your comments are welcomed:
  
   http://spamwatch.njaccess.com
  
   demo login
   user name: [EMAIL PROTECTED]
   pw: spam
  
   Feel free to play around. It's not a live account.
  
   Thanks,
  
  
   --
   Scot
  
  
   - Original Message -
   From: R. Scott Perry [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Monday, November 03, 2003 4:30 PM
   Subject: Re: [Declude.JunkMail] WhiteList option questions
  
  
   
Just upgrading Declude after a fair amount of time.  The docs say that the
white list file should go into $default$.junkmail.  Just wanted to confirm
it goes there and not global.cfg.

That is correct.  The WHITELISTFILE option is designed for incoming mail
only, and only applies to the \IMail\Declude\$default$.JunkMail and
per-user/per-domain files.

-Scott

Re: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Scot Desort
Jason-

I will be posting a link to download the code once I clean it up and
document it. The code is very rough, but it's small and runs fast because
there really isn't much processing going on. You'll be able to tweak it to
suit your needs.

--
Scot


- Original Message - 
From: Jason Newland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 5:43 PM
Subject: RE: [Declude.JunkMail] Opinions on web interface


 Would you be interested in sharing this. It looks great!

 Thanks!

 Jason


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Grotjan
 Sent: Thursday, November 06, 2003 4:02 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Opinions on web interface


 Scot,
 The web interface looks good.  I created something similar using ASP and
 a custom COM object I wrote.  It uses Imail rules instead of the
 individual junkmail files to process the mail based on weight test.  I
 implemented it about a month ago and so far we have over a thousand
 users using it and all of them are thrilled about it.  I don't have a
 demo set up, but I have a screenshot of it if you want to see.
 http://www.kimbanet.com/junkmail.jpg

 Daniel


Re: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Scot Desort
Very nice Daniel. I had not thought about doing it that way. I could
certainly have CF modify the rules.ima file instead of the junkmail file.
But you lose the ability to offer a SUBJECT action, and a lot of my users
seem to like that.

I like the idea of integrating it into the imail web interface. But I have
so many users who have never used the imail web product because, quite
frankly, it's one of the worst webmail interfaces out there as far as
stability and user friendliness goes (and I tend to agree with my users). I
have thought about implementing SquirrelMail on a separate box for a long
time now, after getting so frustrated with Imail Webmail. But losing the
tight integration with imail has always stopped me (not being able to change
passwords, set vacation processing, etc).

How are you handling the auto-deletion of expired messages in the junkmail
folder?

--
Scot





- Original Message - 
From: Daniel Grotjan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 5:02 PM
Subject: RE: [Declude.JunkMail] Opinions on web interface


 Scot,
 The web interface looks good.  I created something similar using ASP and a
custom COM object I wrote.  It uses Imail rules instead of the individual
junkmail files to process the mail based on weight test.  I implemented it
about a month ago and so far we have over a thousand users using it and all
of them are thrilled about it.  I don't have a demo set up, but I have a
screenshot of it if you want to see.  http://www.kimbanet.com/junkmail.jpg

 Daniel


Re: [Declude.JunkMail] OT: Do you use ColdFusion? - Java?

2003-11-06 Thread Matthew Bramble




Now I understand what Postini is, the original question makes more
sense.

I just read a review of their service from PC Magazine (linked from
their site). They have a 1.4% false positive rate, and a 15.1% false
negative rate.

For a comparison, our first gateway customer (fairly small client) in
the last three days has seen a 0.12% false positive rate, and a 0.61%
false negative rate. The only FP was an ad from JCrew and was the
result of just having installed Message Sniffer and needing to build up
my whitelist for them. This account averages about 13.7 spams per day
per account, though over 90% of it goes to just 15% of their users.

I'd call that a good selling point :) I must confess though, their
traffic was easy, but the majority of the false negatives will be gone
after I block two more static spammers.

Read about the results from that article for them and other companies
at this link:

 http://www.postini.com/services/Postini_PC_Mag_11_2003.pdf

Decent interface...very questionable results.

Matt



Sheldon Koehler wrote:

  
I'd gladly pay for something that worked.

  
  
I did not expect it for free. I have the KWM price in mind as a point I
could get my partners to go for. Any higher than this and it would be a very
hard sell for me. So this means a lot of people need to be interested in it!

Our local competition uses Postini. And I have lost a few customers over to
them as people do seem to like that interface. However, I have thrown out
the "security" thing to muddy the waters ;-) We do not send their email
"out" to someone else's servers... I let them draw their own wrong
conclusions...

But if I could lighten my own load and give users an easy to use interface,
I would be extremely happy!

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain
  







Re: [Declude.JunkMail] Domain Folders for Custom $default$ file

2003-11-06 Thread Jonathan
I'm sure I'm missing something, but that doesn't seem to be working.

In my D:\Imail\Declude\$default$.junkmail, I have:
REDIRECT @domain.com  d:\Imail\Declude\templates\group1.cfg
and, in that group1.cfg file, I have copied the file that used to work in:
d:\imail\declude\domain.com.
I removed the domain.com folder, so that the REDIRECT statement would work.

Any suggestions on what I'm overlooking?



At 01:26 PM 10/31/2003, you wrote:

hmm.. I was under the impression that was per-user.  So I would stick 
these in the root $default$? :

REDIRECT domain.com  c:\blah\template-1.cfg
REDIRECT domain2.com  c:\blah\template-1.cfg

It should actually be:

REDIRECT @domain.com  c:\blah\template-1.cfg
REDIRECT @domain2.com  c:\blah\template-1.cfg

If those lines are in the \IMail\Declude\$default$.JunkMail file, E-mail 
to @domain.com and @domain2.com will use the c:\blah\template-1.cfg file 
(unless there are per-domain or per-user config files, which would take 
priority -- so you should remove the existing per-domain config files).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
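
A lint for the two REDIRECT pitfalls discussed in this message (an added example, not part of the thread and not Declude code): a target missing its leading "@", and a per-domain folder that takes priority over the REDIRECT line. The function name, the sample lines and the extra check that the template file exists are assumptions made for this example.

```python
import re

# REDIRECT <@domain> <template path>, in the form quoted in the thread.
REDIRECT_RE = re.compile(r"^\s*REDIRECT\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def lint_redirects(config_text, per_domain_folders, existing_files):
    """Return (line_no, problem) tuples for REDIRECT lines that would not take effect.

    per_domain_folders: folder names under the Declude directory (assumed to
        hold per-domain configs, as with d:\\imail\\declude\\domain.com).
    existing_files: template paths known to exist on disk (assumed extra check).
    Comparisons are case-insensitive, as Windows paths and domain names are.
    """
    folders = {f.lower() for f in per_domain_folders}
    files = {f.lower() for f in existing_files}
    problems = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = REDIRECT_RE.match(line)
        if not m:
            continue  # not a REDIRECT line; other options are out of scope
        target, template = m.group(1), m.group(2)
        if not target.startswith("@"):
            problems.append((no, f"target '{target}' lacks the leading '@'"))
            domain = target.lower()
        else:
            domain = target[1:].lower()
        if domain in folders:
            problems.append((no, f"per-domain folder '{domain}' takes priority"))
        if template.lower() not in files:
            problems.append((no, f"template '{template}' not found"))
    return problems


# Constructed sample input, modelled on the lines in the thread.
SAMPLE = """\
REDIRECT @domain.com  d:\\Imail\\Declude\\templates\\group1.cfg
REDIRECT domain2.com  d:\\Imail\\Declude\\templates\\group1.cfg
REDIRECT @domain3.com  d:\\Imail\\Declude\\templates\\group2.cfg
"""

if __name__ == "__main__":
    existing = {r"D:\IMail\Declude\templates\group1.cfg"}
    for no, problem in lint_redirects(SAMPLE, {"domain.com"}, existing):
        print(f"line {no}: {problem}")
```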



RE: [Declude.JunkMail] OT: Do you use ColdFusion?

2003-11-06 Thread Matt Robertson
Ditto here.  Solid as a rock if left in capable hands.


 Matt Robertson   [EMAIL PROTECTED] 
 MSB Designs, Inc.  http://mysecretbase.com

