RE: [Declude.JunkMail] Imail blacklist, phrase list converter
Matt- Isn't the Imail URL Blacklist a list of url's that appear in spam email? You reference it in (2.) below as a sender blacklist. Thanks for clarification, MB -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Robertson Sent: Monday, November 17, 2003 5:05 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Imail blacklist, phrase list converter OK, I've completed what I suppose you could call the first version of my Imail-to-Declude black- and phrase-list converter. Get it here: http://foohbar.com/declude_importer.zip It turned into a complete ColdFusion application. The system will 1. Retrieve source files from ftp.ipswitch.com 2. Convert the url blacklist into a Declude sender blacklist (skipping any entries you have placed in a separate skip list) 3. Convert the phrase list into a Declude filter file. Filters will be created for matches in subject and body. 4. FTP the newly minted files to the location you specify. NOTES: a. All settings are made in application.cfm, including filter weights. b. You can use the browser interface (index.cfm) to run all tests in sequence automatically, or individually. c. Since they can be run individually, you can opt to schedule the files to run automatically. d. You have to set up global.cfg and $default$.junkmail to use the new tests and files. e. With these tests in place, all mail tests take about 250ms per email tested. However, this is on MY server with MY configuration. Your mileage may vary. f. On a very fast server (dual 2ghz xeon with gobs of ram, super-duper scsi) the download/conversion/upload process takes just under three minutes. Most of this is the processing of the 17,000-entry url blacklist. On a slow server, it takes a lot longer. External dependencies: 1. The app uses the pkzip Command Line tool to unzip the Imail source files. You can alter the batch file and import01.cfm to use whatever command line unzip program you use. 2. cf_ProgressMeter is used to display a progress bar. This is a $5 tool I *highly* recommend. If you don't own it or don't want to buy it just go in and remove the calls to it in import02.cfm and import03.cfm. I'm in the process of rolling out a new web site in the next couple of days. I'll add this and anything else useful I can think of in the spamfighting section. If anyone has improvements to this, please pass 'em on! Cheers, -- --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think!
All, I believe I've gotten one of our sites up and running with SPAMD under Cygwin (server implementation of SpamAssassin that's much, much faster than native Win32/ActivePerl SA, even running under Cygwin shell) and a customized SPAMC (SPAMD client) for Win32 plugged in to Declude. Since I'm far from a Cygwin expert, I leave setting that part up to you, but if anyone's interested in the Declude-compatible client EXE, post back and let me know. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude Updater
Yep. I installed it on my XP Pro (SP1+) workstation, created a zero-length declude.exe in the Imail directory, and got the same results. I figured that this may have been because I didn't actually have Imail on the machine, so I repeated the process on a Imail Express box (W2K SP4+). Same results. If there is no declude.exe in the destination folder will it be copied from the DU/release/175 folder? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think!
Sandy, tis 3:30 AM there. Go to sleep. ;) John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Tuesday, November 18, 2003 12:26 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think! All, I believe I've gotten one of our sites up and running with SPAMD under Cygwin (server implementation of SpamAssassin that's much, much faster than native Win32/ActivePerl SA, even running under Cygwin shell) and a customized SPAMC (SPAMD client) for Win32 plugged in to Declude. Since I'm far from a Cygwin expert, I leave setting that part up to you, but if anyone's interested in the Declude-compatible client EXE, post back and let me know. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think!
Sandy, tis 3:30 AM there. Go to sleep. Looks like Sandy is not the only one working at this time. |-) M. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think!
Yep. Tuesday, November 18, 2003, 2:48:36 AM, Markus Gufler [EMAIL PROTECTED] wrote: Sandy, tis 3:30 AM there. Go to sleep. MG Looks like Sandy is not the only one working at this time. |-) MG M. MG --- MG [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] MG --- MG This E-mail came from the Declude.JunkMail mailing list. To MG unsubscribe, just send an E-mail to [EMAIL PROTECTED], and MG type unsubscribe Declude.JunkMail. The archives can be found MG at http://www.mail-archive.com. Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net PGP Key ID: 04C99A55 (972) 788-2364 Fax: (972) 788-5049 Providing Internet Solutions Worldwide - An eDataWeb Affiliate --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Best Way to block the below message ??
What would be the best way (i know best is subjective) to block a message like the one below ? Would adding microsoft.com to my SPAMDOMAINS file work ?? Thank you. Jeff Received: from av3.stonline.sk [213.81.152.34] by updatenyc.com with ESMTP (SMTPD32-8.04) id A1CA33F0062; Tue, 18 Nov 2003 03:01:14 -0500Received: from smtp.stonline.sk ([192.168.4.53])by av3.stonline.sk (8.12.10/8.11.6) with ESMTP id hAI7wHJi029648for [EMAIL PROTECTED]; Tue, 18 Nov 2003 08:58:17 +0100Received: from rwos (telecom-213-161-129.telecom.sk [213.81.161.129])by smtp1.stonline.sk (STOnline ESMTP Server)with SMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED];Tue, 18 Nov 2003 08:58:17 +0100 (MET)Date: Tue, 18 Nov 2003 08:57:50 +0100 (MET)Date-warning: Date header was inserted by smtp1.stonline.skFrom: Microsoft Corporation Network Security Center[EMAIL PROTECTED]Subject: Network Security UpdateTo: Commercial User [EMAIL PROTECTED]Message-id: [EMAIL PROTECTED]MIME-version: 1.0Content-type: multipart/mixed; boundary="Boundary_(ID_P1VN7aaL239Vja+tPXlFZw)"X-RAVMilter-Version: 8.4.3(snapshot 20030212) (av3.stonline.sk)X-Declude-Sender: [EMAIL PROTECTED] [213.81.152.34]X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.X-Spam-Tests-Failed: IPNOTINMX [0]X-Note: Total spam weight of this E-mail is 0.X-Country-Chain: X-Note: This E-mail was sent from av3.stonline.sk ([213.81.152.34]).X-RCPT-TO: [EMAIL PROTECTED]Status: UX-UIDL: 349464161
Re: [Declude.JunkMail] unknown (HELO localhost)
I notice a lot of unknown (HELO localhost) in the second received line. Would this ever be legit or could I filter on it? Unfortunately, that could be legit. Some mailservers will add that if a mail client uses HELO localhost, which is fairly common (I believe the Pegasus mail client does that). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Best Way to block the below message ??
What would be the best way (i know best is subjective) to block a message like the one below ? Would adding microsoft.com to my SPAMDOMAINS file work ?? No, that wouldn't work -- the E-mail was sent with a return address of mailto:[EMAIL PROTECTED][EMAIL PROTECTED] However, this one appears to be a virus -- Received: from av3.stonline.sk [213.81.152.34] by updatenyc.com with ESMTP (SMTPD32-8.04) id A1CA33F0062; Tue, 18 Nov 2003 03:01:14 -0500 Received: from smtp.stonline.sk ([192.168.4.53]) by av3.stonline.sk (8.12.10/8.11.6) with ESMTP id hAI7wHJi029648 for mailto:[EMAIL PROTECTED][EMAIL PROTECTED]; Tue, 18 Nov 2003 08:58:17 +0100 Received: from rwos (telecom-213-161-129.telecom.sk [213.81.161.129]) by smtp1.stonline.sk (STOnline ESMTP Server) with SMTP id mailto:[EMAIL PROTECTED][EMAIL PROTECTED] for mailto:[EMAIL PROTECTED][EMAIL PROTECTED]; Tue, 18 Nov 2003 08:58:17 +0100 (MET) It looks like it came from a good mailserver that received it from a dialup client, and: Date: Tue, 18 Nov 2003 08:57:50 +0100 (MET) Date-warning: Date header was inserted by smtp1.stonline.sk It was originally missing a Date: header (thank smtp1.stonline.sk for fixing up the E-mail to make it less likely to be blocked!). From: Microsoft Corporation Network Security Center mailto:[EMAIL PROTECTED][EMAIL PROTECTED] Subject: Network Security Update To: Commercial User mailto:[EMAIL PROTECTED][EMAIL PROTECTED] ... and uses virus-like From:/Subject:/To: headers. Message-id: mailto:[EMAIL PROTECTED][EMAIL PROTECTED] Good old stonline.sk -- had they not altered the headers, this E-mail would have failed both the BADHEADERS and SPAMHEADERS tests. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think!
Sandy, I am definitely interested! -Nick Hayer All, I believe I've gotten one of our sites up and running with SPAMD under Cygwin (server implementation of SpamAssassin that's much, much faster than native Win32/ActivePerl SA, even running under Cygwin shell) and a customized SPAMC (SPAMD client) for Win32 plugged in to Declude. Since I'm far from a Cygwin expert, I leave setting that part up to you, but if anyone's interested in the Declude-compatible client EXE, post back and let me know. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Imail blacklist, phrase list converter
Mark wrote: Isn't the Imail URL Blacklist a list of url's that appear in spam email? You reference it in (2.) below as a sender blacklist. Yes. This converts those urls to a sender blacklist. So if the domain 'buymystuff.com' is in the Imail blacklist, the program converts that to '@buymystuff.com' and blocks mail coming from it. Its not perfect for obvious reasons, but so far my logs show it to be working surprisingly well. The phrase list is going like gangbusters as a filter file. Many more hits than the blacklist. The next thing I'm going to try is making the blacklist into a filter file, where if the domain is in the body of the message it gets dinged. This will be essentially the same behavior as Imail, I believe. Processing time will be the issue to watch on that one. I wonder, though, if I'm really losing any speed. I was doing this in Imail. Now I'm not, so have I just shifted load from something I couldn't effectively measure (Imail) to something I can (Declude)? Matt Robertson [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Strange Anomaly
Title: Re: [Declude.JunkMail] Strange Anomaly I'm just wondering can you have a normal anomaly??? Sorry- I couldn't help it -Original Message-From: Keith Johnson [mailto:[EMAIL PROTECTED]On Behalf Of Keith JohnsonSent: Monday, November 17, 2003 11:03 PMTo: [EMAIL PROTECTED]Subject: RE: [Declude.JunkMail] Strange Anomaly Does the Declude JunkMail log file show any information about theE-mail? There have been unconfirmed reports of IMail v8 skipping Decludeprocessing that we are investigating I have a few emails saved that passed through Declude unscanned if they would be helpful. We are starting to see this every now and then. I'll look in the Declude log for the id. Thanks, Keith attachment: winmail.dat
[Declude.JunkMail] Whitelisted
Hello, One of our clients has been forwarding e-mails that have made it through the cracks and found something interesting. I have our network whitelisted, and have the secdns entry so that it checks the ip of the originating server when it comes through the sec mail server. But today, I noticed something (I don't have the original message or headers; but printed out the message). The IP of our secondary mail server is 67.17.218.70. I received a message that had its IP put in as the hostname. So Declude saw this IP and whitelisted. I'll type a couple lines of the headers: Received: from secmail.crescentdigital.com [67.17.218.70] by mail.crescentdigital.com with ESMTP (SMTPD32-6.06) id ADFD3B007E; Fri, 14 Nov 2003 08:51:57 -0500 Received: from 67.17.218.70 ([211.219.196.240]) by secmail.crescentdigital.com (8.12.8/8.12.5) with SMTP id hAEEpdwo012904; Fri, 14 Nov 2003 09:51:41 -0500 Received: from [135.4.188.96] by 67.17.218.70 SMTP id 1fYH8RwA83HJQ7; Wed, 19 Nov 2003 19:45:46 -0700 X-Mailer: AOL 7.0 for Windows US sub 118 X-Spam-Tests-Failed: Whitelisted I have Declude Standard (one of the latest version, but not the latest). Is there anyway to fix this? The 211.219 IP is a Korean IP and the 135.4 is Lucent (?). Thanks.. Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Cardscan.net Opinions?
I'm tempted to block this as I'm not sure I like this kinda info in other people's hands. I'm updating my address book. Would you please take a moment to review your contact information? Your updates help to keep me current, as well as other people like me who already have your email address. To update your contact information, please visit the following link: https://www.cardscan.net --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Cardscan.net Opinions?
i've gotten quite a few of these too... but from people i know that is... - Original Message - From: Marc Catuogno [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 11:04 AM Subject: [Declude.JunkMail] Cardscan.net Opinions? I'm tempted to block this as I'm not sure I like this kinda info in other people's hands. I'm updating my address book. Would you please take a moment to review your contact information? Your updates help to keep me current, as well as other people like me who already have your email address. To update your contact information, please visit the following link: https://www.cardscan.net --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. 4_1_105.gif
RE: [Declude.JunkMail] Cardscan.net Opinions?
I use Plaxo. Wonderful little program. Craig. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Webmaster Oilfield Directory Sent: Tuesday, November 18, 2003 4:29 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Cardscan.net Opinions? i've gotten quite a few of these too... but from people i know that is... - Original Message - From: Marc Catuogno [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 11:04 AM Subject: [Declude.JunkMail] Cardscan.net Opinions? I'm tempted to block this as I'm not sure I like this kinda info in other people's hands. I'm updating my address book. Would you please take a moment to review your contact information? Your updates help to keep me current, as well as other people like me who already have your email address. To update your contact information, please visit the following link: https://www.cardscan.net --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Best Way to block the below message ??
SPAMDOMAINS wouldn't work on this message because the MAILFROM is not microsoft.com. It appears to be a virus, in which case Declude Virus would be the best method of blocking it. If you don't want to run that, then I also believe that this message uses extensions like PIF and SCR, in which case a body filter for .pif and .scr would probably pick it up (use the quotes accordingly). If you are running Declude JunkMail Pro (needed for the above as well), then my FORIEGN/TLD filter set would have added 3 points to the message (depends on how you score it though). You can get that filter set at http://www.mailpure.com/software/decludefilters/ There might well be other filters that would also add points to the body content. I wouldn't know though because Declude Virus is blocking all of this stuff. Matt Jeff Pereira wrote: What would be the best way (i know best is subjective) to block a message like the one below ? Would adding microsoft.com to my SPAMDOMAINS file work ?? Thank you. Jeff Received: from av3.stonline.sk [213.81.152.34] by updatenyc.com with ESMTP (SMTPD32-8.04) id A1CA33F0062; Tue, 18 Nov 2003 03:01:14 -0500 Received: from smtp.stonline.sk ([192.168.4.53]) by av3.stonline.sk (8.12.10/8.11.6) with ESMTP id hAI7wHJi029648 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Tue, 18 Nov 2003 08:58:17 +0100 Received: from rwos (telecom-213-161-129.telecom.sk [213.81.161.129]) by smtp1.stonline.sk (STOnline ESMTP Server) with SMTP id [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Tue, 18 Nov 2003 08:58:17 +0100 (MET) Date: Tue, 18 Nov 2003 08:57:50 +0100 (MET) Date-warning: Date header was inserted by smtp1.stonline.sk From: Microsoft Corporation Network Security Center [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Subject: Network Security Update To: Commercial User [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Message-id: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] MIME-version: 1.0 Content-type: multipart/mixed; boundary=Boundary_(ID_P1VN7aaL239Vja+tPXlFZw) X-RAVMilter-Version: 8.4.3(snapshot 20030212) (av3.stonline.sk) X-Declude-Sender: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [213.81.152.34] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com http://www.declude.com) for spam. X-Spam-Tests-Failed: IPNOTINMX [0] X-Note: Total spam weight of this E-mail is 0. X-Country-Chain: X-Note: This E-mail was sent from av3.stonline.sk ([213.81.152.34]). X-RCPT-TO: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Status: U X-UIDL: 349464161 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Best Way to block the below message ??
Thanks. Upon further inspection, I found that the original attachment was replaces with a text file indicating that the original attachment had in fact been dangerous and had been deleted which explains why Declude Virus let it through. I'm going to go look at your FORIEGN/TLD filter set now. Thank you. Jeff - Original Message - From: Matthew Bramble [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 3:10 PM Subject: Re: [Declude.JunkMail] Best Way to block the below message ?? SPAMDOMAINS wouldn't work on this message because the MAILFROM is not microsoft.com. It appears to be a virus, in which case Declude Virus would be the best method of blocking it. If you don't want to run that, then I also believe that this message uses extensions like PIF and SCR, in which case a body filter for .pif and .scr would probably pick it up (use the quotes accordingly). If you are running Declude JunkMail Pro (needed for the above as well), then my FORIEGN/TLD filter set would have added 3 points to the message (depends on how you score it though). You can get that filter set at http://www.mailpure.com/software/decludefilters/ There might well be other filters that would also add points to the body content. I wouldn't know though because Declude Virus is blocking all of this stuff. Matt Jeff Pereira wrote: What would be the best way (i know best is subjective) to block a message like the one below ? Would adding microsoft.com to my SPAMDOMAINS file work ?? Thank you. Jeff Received: from av3.stonline.sk [213.81.152.34] by updatenyc.com with ESMTP (SMTPD32-8.04) id A1CA33F0062; Tue, 18 Nov 2003 03:01:14 -0500 Received: from smtp.stonline.sk ([192.168.4.53]) by av3.stonline.sk (8.12.10/8.11.6) with ESMTP id hAI7wHJi029648 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Tue, 18 Nov 2003 08:58:17 +0100 Received: from rwos (telecom-213-161-129.telecom.sk [213.81.161.129]) by smtp1.stonline.sk (STOnline ESMTP Server) with SMTP id [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Tue, 18 Nov 2003 08:58:17 +0100 (MET) Date: Tue, 18 Nov 2003 08:57:50 +0100 (MET) Date-warning: Date header was inserted by smtp1.stonline.sk From: Microsoft Corporation Network Security Center [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Subject: Network Security Update To: Commercial User [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Message-id: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] MIME-version: 1.0 Content-type: multipart/mixed; boundary=Boundary_(ID_P1VN7aaL239Vja+tPXlFZw) X-RAVMilter-Version: 8.4.3(snapshot 20030212) (av3.stonline.sk) X-Declude-Sender: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [213.81.152.34] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com http://www.declude.com) for spam. X-Spam-Tests-Failed: IPNOTINMX [0] X-Note: Total spam weight of this E-mail is 0. X-Country-Chain: X-Note: This E-mail was sent from av3.stonline.sk ([213.81.152.34]). X-RCPT-TO: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Status: U X-UIDL: 349464161 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Imail Forwarding and Declude
We have a domain with user-specific declude config files. I want to confirm declude behavior on something: [EMAIL PROTECTED] -- imail forwards to [EMAIL PROTECTED] user1.junkmail file exists user2.junkmail file exists $default$.junkmail exists for domain1.com If a message comes in addressed to [EMAIL PROTECTED], which junkmail file is used? I suspect it is using user1's... which is not what the customer is expecting. Is it any different if user1 was an alias instead of a mailbox with forwarding on it? Thanks, -- Scot --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Imail Forwarding and Declude
-- Scot It is indeed user1. That's because the E-mail for user1 needs to be handled, since it is an actual user account. But I can do a redirect correct? In user1.junkmail: REDIRECT[EMAIL PROTECTED]x:\imail\declude\domain1.com\user2.junkmail Or, if user1.junkmail does not exist, it will bump over to \domain1.com\$default$.junkmail, correct? Thanks, Scot Is it any different if user1 was an alias instead of a mailbox with forwarding on it? Yes. In this case, the E-mail will be scanned according to the address that the alias points to. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Imail Forwarding and Declude
It is indeed user1. That's because the E-mail for user1 needs to be handled, since it is an actual user account. But I can do a redirect correct? In user1.junkmail: REDIRECT[EMAIL PROTECTED]x:\imail\declude\domain1.com\user2.junkmail Yes, that would work -- in this case, E-mail addressed to [EMAIL PROTECTED] will use the x:\imail\declude\domain1.com\user2.junkmail file. Or, if user1.junkmail does not exist, it will bump over to \domain1.com\$default$.junkmail, correct? Correct. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How do you handle held messages??
We are an ISP and we host a lot of domains so our mail volume is healthy. We hold at 10 and delete at 20. We also have our in-house blacklist that automatically deletes any mail from certain domains. Of the incoming spam messages we are deleting about 80% but that still leaves several thousand messages per day that are held. Presently we go through the held messages using spamreview - returning the false positives to the spool. As the spam has been going up - so have the messages in the held folder so this is starting to become labor intensive. I just wanted to query the list to see if I am missing something that would streamline the process. And yes we are tweaking to reduce the false positives. Chuck Schick Warp 8, Inc. 303-421-5140 www.warp8.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude worki ng for me...I think!
Now, Sandy, don't go demonizing spamassassin... oh wait, daemonizing, that's different. Yes, me too! I am interested in the same thing; there are a lot of very cool logical tests in spamassassin that would be great to implement in my Windows(tm) world. Andrew 8) -Original Message- From: Sanford Whiteman [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 12:26 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think! All, I believe I've gotten one of our sites up and running with SPAMD under Cygwin (server implementation of SpamAssassin that's much, much faster snip --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How do you handle held messages??
Chuck, I recently moved to using Attach for spam that hasn't gotten to a delete weight yet. Sender is 'you have spam' and subject is the spam sender's address. This lets the user skim the mail and delete from the list without individual mailpiece scanning. Coupled to that are instructions that tell them how to move mail to folders inside of Outlook, Messenger etc. I thought I'd get complaints, but only a smattering so far. Within a couple of weeks I'll have time to set up an action to route to a specific mailbox, and charge a couple of bucks to set it up. I'm not fond of it but I've had specific requests for that. -- --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude worki ng for me...I think!
I would be very interested to hear how this all works out for those that try it. Please post to the list after you break it in a little. It would be very nice if someone could port the whole thing over to an EXE and run it like Message Sniffer. Maybe that sounds stupid...I just don't know :) Thanks, Matt Colbeck, Andrew wrote: Now, Sandy, don't go demonizing spamassassin... oh wait, daemonizing, that's different. Yes, me too! I am interested in the same thing; there are a lot of very cool logical tests in spamassassin that would be great to implement in my Windows(tm) world. Andrew 8) -Original Message- From: Sanford Whiteman [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 12:26 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think! All, I believe I've gotten one of our sites up and running with SPAMD under Cygwin (server implementation of SpamAssassin that's much, much faster snip --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How do you handle held messages??
I notice an increase in held E-mail whenever the crud spammers are more active. It's hard to score these guys very high when a campaign first starts. I would try finding their URL's and black list those, but only when attached to crud spam, and since they are short-lived, you can delete the entries after only a few months. The problem here is that they tend to switch out URL's every few days with this type of spam (pills, patches, etc.) This stuff comes from zombie machines and while it's somewhat easy to catch with generic filters, it's difficult to score high if they find a clean IP that hasn't been listed in SpamCop and others. Another issue is that the spammers with static IP's will move around to different blocks and even when the spammer is listed in SBL, they will have plenty of addresses that aren't and can score low or even get past filters. Knowing the address space of this type of spammer is useful. Check your held E-mail for the following blocks of IP's for instance: 64.124.165.0/25 [64.124.165.0] - [64.124.165.127] 64.124.165.128/26 [64.124.165.128] - [64.124.165.191] 64.124.165.192/27 [64.124.165.192] - [64.124.165.223] 64.125.181.0/24 [64.125.181.0] - [64.125.181.255] 208.184.54.0/25 [208.184.54.0] - [208.184.54.127] 208.184.58.0/25 [208.184.58.0] - [208.184.58.127] 209.249.21.128/25 [209.249.21.128] - [209.249.21.255] 209.249.55.128/25 [209.249.55.128] - [209.249.55.255] 216.200.60.16/28 [216.200.60.16] - [216.200.60.31] 216.200.60.32/27 [216.200.60.32] - [216.200.60.63] 216.200.60.64/26 [216.200.60.64] - [216.200.60.127] This is all one guy, and it's probably only half of his IP space if that. It would be nice if someday we could come up with a trusted system to gather this information and share it among admins, but limit it to only clear and obvious static IP addresses that are used by spam gangs (the SBL type). In the meantime, you might be able to greatly lessen your workload by targeting this stuff with specific filters. The stuff above is quite safe to delete, at least for the time being. Matt Chuck Schick wrote: We are an ISP and we host a lot of domains so our mail volume is healthy. We hold at 10 and delete at 20. We also have our in-house blacklist that automatically deletes any mail from certain domains. Of the incoming spam messages we are deleting about 80% but that still leaves several thousand messages per day that are held. Presently we go through the held messages using spamreview - returning the false positives to the spool. As the spam has been going up - so have the messages in the held folder so this is starting to become labor intensive. I just wanted to query the list to see if I am missing something that would streamline the process. And yes we are tweaking to reduce the false positives. Chuck Schick Warp 8, Inc. 303-421-5140 www.warp8.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude worki ng for me...I think!
It would be very nice if someone could port the whole thing over to an EXE and run it like Message Sniffer. Maybe that sounds stupid...I just don't know :) Actually, that's exactly what you DON'T want to do, if you can avoid it. SPAMD is a multi-process (forking) daemon--a traditionally accepted architecture on *nix, while Win32 types usually lean toward multithreading, with IMail an interesting hybrid--which benefits strongly from the preloading of the Perl and SA modules. Loading everything from scratch for every message, though it works surprisingly well for Declude and many of its plug-ins, adds considerable overhead relative to an ideal client/server architecture. SPAMC and SPAMD are definitely headed in the right design direction; the only thing better would be a native Win32 SPAMD, which would get rid of the Cygwin layer. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SPAMC32 (SpamAssassin SPAMD client for IMail/Declude) available for download
All, I have posted for download SPAMC32, my adaptation of Freddy Tarasevicius' WinSpamC with tweaks for IMail/Declude integration. http://www.mailmage.com/download/software/freeutils/SPAMC32/0.5.53/spamc32-0.5.53.zip Use at your own risk, needless to say, and note GPL/PAL inherited from original code. If you have suggestions for SPAMC32, let me know and I can merge them in and post new releases. At some point this will all go back to SourceForge, but let's pound on it a little first. And if anybody (Scott?) thinks this needs its own list, that can be done. Check out SPAMC32 -? for all the help you need to get this working with Declude, which is easy. The hard part for most of you will be setting up SPAMD; CYGWIN.TXT has some good pointers. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude worki ng for me...I think!
I tinkered with SA on windows when I was evaluating Declude. I successfully got all of the Perl scripts changed for windows. I could run an email message on disk through the spamassassin batch file (which calls perl, etc), and it would output the message score back to the batch file. However, for the life of me, I could not get the return code back into declude. Something weird with the way the batch file was returning the result code. I gave up on it. Didn't even think of the cygwin angle... Would be nice to see this all put together for inclusion as a Declude test. -- Scot - Original Message - From: Matthew Bramble [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 6:24 PM Subject: Re: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude worki ng for me...I think! I would be very interested to hear how this all works out for those that try it. Please post to the list after you break it in a little. It would be very nice if someone could port the whole thing over to an EXE and run it like Message Sniffer. Maybe that sounds stupid...I just don't know :) Thanks, Matt Colbeck, Andrew wrote: Now, Sandy, don't go demonizing spamassassin... oh wait, daemonizing, that's different. Yes, me too! I am interested in the same thing; there are a lot of very cool logical tests in spamassassin that would be great to implement in my Windows(tm) world. Andrew 8) -Original Message- From: Sanford Whiteman [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 18, 2003 12:26 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think! All, I believe I've gotten one of our sites up and running with SPAMD under Cygwin (server implementation of SpamAssassin that's much, much faster snip --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude worki ng for me...I think!
Would be nice to see this all put together for inclusion as a Declude test. Well, that's what I've done, methinks. :) Since you can run SPAMD anywhere, even on a separate *nix machine, there's little reason to have that be part of any turnkey setup, but SPAMC32 is Declude-ready, exit code and all. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Imail blacklist, phrase list converter
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Robertson Sent: Tuesday, November 18, 2003 7:44 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Imail blacklist, phrase list converter The next thing I'm going to try is making the blacklist into a filter file, where if the domain is in the body of the message it gets dinged. This will be essentially the same behavior as Imail, I believe. Processing time will be the issue to watch on that one. I tried this. It was VERY detrimental to the processing speed of emails. Was averaging 10-15 seconds PER email. Let me know if you get the same results. This is a P4 XEON with 1G Memory too. :) Mark --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
