RE: [Declude.JunkMail] Server Gone Wild
Brian, if you have Terminal Services or PCAnywhere installed, contact me off list if you would like me to take a look at what happened.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Brian T
Sent: Tuesday, December 02, 2003 10:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Server Gone Wild

This is Brian Thompson with an update: Mail server appears to be back up and running. Thanks for all the help. Still don't know what the problem was, but my declude log shows no entries from 4:23 pm until 11:58 pm.

- Original Message -
From: Glen Harvy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 1:24 AM
Subject: RE: [Declude.JunkMail] Server Gone Wild

Give him a ring and tell him to uninstall declude. Only takes a second or two.

I'd ring him but it would be a very very expensive call :-)

Glen Harvy
Aquarius Communications for all your Internet Needs.
Phone 9977 3788 Fax 9977 3844

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Richard Farris
Sent: Wednesday, 3 December 2003 17:06
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Server Gone Wild

A friend of mine at Safe-t.net in Mt. Vernon Ohio just called me and said his spool in Imail is loading up and holding all messages..He thinks the Declude has stopped working...Imail tech support not available.. He has rebooted the server several times with no luck.. Declude log is not showing anything...

If anyone on this list has an idea what is going on could you please give Brian Thompson a call at 1.888.895.8648

He can't use email as it just goes to the spool and sits

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

RE: [Declude.JunkMail] Server Gone Wild
> A friend of mine at Safe-t.net in Mt. Vernon Ohio just called me and said his spool in Imail is loading up and holding all messages..He thinks the Declude has stopped working...Imail tech support not available..

hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1)

All D*.SMD spoolfiles finished in the spool folder. There was no Q file but a lot of files beginning with _ (instead of Q)

When I tried to resend the messages from the IMail queue viewer these _ files disappeared but now I've found all Q-files in Declude's overflow folder.

I restarted the smtp-service without a result. All incoming messages that should be delivered to local users remained in the spool folder.

Now I've tried to stop the SMTP-service again and move out all D files from the spool and all Q files from the overflow folder into a temporary folder. I noticed that even with the stopped SMTP service most of the D-files were locked by the OS and could not be changed or moved.

Another observation: There were a lot of new (shortly created) .vir folders in the spool folder. And also both junkmail and virus logfiles showed no new entries.

After rebooting the machine all returned to work. I moved the D and Q files from the temporary folder back to the queue and nearly all messages were delivered. (some D-files remained without any corresponding Q-file)

The only thing I've changed and that I can remember at around 11:30 pm was to add the list of BANNAMES posted by Jeff Kratka. (Nothing against him or his posting! :) I've removed these entries before I've rebooted the server.

Markus

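The spool state described in the post above (D files with a Q file, with only a _ file, with the Q file sitting in Declude's overflow folder, or with no control file at all, plus new .vir folders) can be inventoried read-only before anything is moved. This is an added example, not part of the original thread and not Declude or IMail code; it assumes a message's D, Q and _ files share the same ID after the first character, and the folder layout and file names in `build_sample` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption (not stated in the thread): the D, Q and "_" files belonging to
# one message share the same ID after the first character, i.e.
# D<id>.SMD / Q<id>.SMD / _<id>.SMD.
SPOOL_NAME = re.compile(r"^([DQ_])([0-9A-Za-z]+)\.SMD$", re.IGNORECASE)


def scan_folder(folder):
    """Return ({'D': ids, 'Q': ids, '_': ids}, [names of *.vir folders])."""
    ids = {"D": set(), "Q": set(), "_": set()}
    vir_dirs = []
    for entry in Path(folder).iterdir():
        if entry.is_dir():
            if entry.name.lower().endswith(".vir"):
                vir_dirs.append(entry.name)
            continue
        match = SPOOL_NAME.match(entry.name)
        if match:
            # Lower-case the ID: Windows file names are case-insensitive.
            ids[match.group(1).upper()].add(match.group(2).lower())
    return ids, sorted(vir_dirs)


def triage(spool_dir, overflow_dir=None):
    """Classify every D file by where (or whether) its control file exists.

    Nothing is moved, renamed or opened; only directory listings are read.
    """
    spool, vir_dirs = scan_folder(spool_dir)
    overflow_q = scan_folder(overflow_dir)[0]["Q"] if overflow_dir else set()
    report = {"ready": [], "q_in_overflow": [], "underscore_only": [],
              "orphan_data": [], "orphan_control": [], "vir_dirs": vir_dirs}
    for msg_id in sorted(spool["D"]):
        if msg_id in spool["Q"]:
            report["ready"].append(msg_id)            # normal D+Q pair
        elif msg_id in overflow_q:
            report["q_in_overflow"].append(msg_id)    # Q parked in overflow
        elif msg_id in spool["_"]:
            report["underscore_only"].append(msg_id)  # "_" file instead of Q
        else:
            report["orphan_data"].append(msg_id)      # D file with no partner
    control_ids = spool["Q"] | spool["_"] | overflow_q
    report["orphan_control"] = sorted(control_ids - spool["D"])
    return report


def build_sample(root):
    """Create a small constructed spool and overflow folder (not real mail)."""
    spool, overflow = Path(root) / "spool", Path(root) / "overflow"
    spool.mkdir()
    overflow.mkdir()
    for name in ("Da0000001.SMD", "Qa0000001.SMD",  # complete pair
                 "Da0000002.SMD",                    # its Q file is in overflow
                 "Da0000003.SMD", "_a0000003.SMD",  # "_" file instead of Q
                 "Da0000004.SMD",                    # no control file at all
                 "Qa0000005.SMD",                    # control file without data
                 "notes.txt"):                       # unrelated file, ignored
        (spool / name).write_text("constructed sample\n")
    (overflow / "Qa0000002.SMD").write_text("constructed sample\n")
    (spool / "a0000006.vir").mkdir()
    return spool, overflow


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for bucket, items in triage(*build_sample(tmp)).items():
            print(f"{bucket:16} {len(items):3}  {', '.join(items)}")
```
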
RE: [Declude.JunkMail] Server Gone Wild
Hello,

> hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1)

are you running Imail 7.x or 8.x?

Alex

RE: [Declude.JunkMail] Server Gone Wild
> > hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1)
> are you running Imail 7.x or 8.x?

IMail v7.15

Beside declude's whitelisting for authenticated users working only with v8.x I haven't found any reason to upgrade.

Markus

RE: [Declude.JunkMail] Spamchk fine tuning?
> A couple of posters offered some help on this, where I don't have the original messages (they're at home and I'm at work). The FP rate is fairly heavy on spamchk so far... including bagging about half of the traffic on this list today. I'm sure it's something easily fixed.

The best way to fix this is to set the debuglevel to 9 and watch the logfile. Here you can see exactly why spamchk gives certain points based on your ini file.

Keep in mind that we consider spamchk not as a simple test but as a group of content based tests that give the determined weight back to declude. So I highly recommend:

1.) use spamchk in a declude weighting system where actions are taken based on determined weights and not on the result of an individual test.
2.) adapt all points in the spamchk.ini-file to your declude weighting system
3.) add your own keywords with a negative weight to your [checkwords] section. (for example: spammers can't know certain local situations like city names and phone prefixes)

Keep also in mind that not all parameters in the ini file are points. There are also certain values to configure the number of appearances of certain characters or spam properties.

--

Thanks for pointing out a problem with the subscribe link but if I try to use the link on http://www.spamchk.com/modules.php?name=Newsfile=articlesid=2 this seems to work. Can't see any error.

Markus

RE: [Declude.JunkMail] Server Gone Wild
I'm running version 6 and have not found a reason to upgrade.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gufler Markus
Sent: Wednesday, December 03, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Server Gone Wild

> > hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1)
> are you running Imail 7.x or 8.x?

IMail v7.15

Beside declude's whitelisting for authenticated users working only with v8.x I haven't found any reason to upgrade.

Markus

Re: [Declude.JunkMail] What is this about ??
Here is one from last night.

Received: from maineconnect.net [216.204.154.7] by mail.sslsales.com with ESMTP (SMTPD32-7.14) id A80954B50060; Tue, 02 Dec 2003 22:27:05 -0500
Received: from web1.sslsales.com [216.204.153.96] by maineconnect.net with ESMTP (SMTPD32-8.01) id A9C262450100; Tue, 02 Dec 2003 22:34:26 -0500
Received: from 127.0.0.1 ([127.0.0.1]) by web1.sslsales.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 2 Dec 2003 22:25:00 -0500
Cc: [EMAIL PROTECTED]
Content-type: text/plain
Date: Tue, 02 Dec 2003 22:24:16 -0500
From: [EMAIL PROTECTED]
Message-id: [EMAIL PROTECTED]
Reply-to: [EMAIL PROTECTED]
Subject: Customer Copy Order Confirmation - 163
To: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 03 Dec 2003 03:25:00.0828 (UTC) FILETIME=[08D4A5C0:01C3B94D]
X-RBL-Warning: Declude CAUGHT-NO ABUSE
X-RBL-Warning: HELOBOGUS: Domain web1.sslsales.com has no MX or A records.
X-Declude-Sender: [EMAIL PROTECTED] [216.204.153.96]
X-Declude-Spoolname: D59c262450100c2eb.SMD
X-Note: This E-mail was scanned for Spam by Secure Services Inc
Organization: Secure Sevices Inc.
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 370123426

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 02, 2003 6:35 PM
Subject: Re: [Declude.JunkMail] What is this about ??

> Also it seems that declude is claiming that 216.204.154.7 has no MX. DnsStuff.com reports:

Actually, that's a server of yours, which you've let Declude JunkMail know about.

> How do I tell it not to know about it and my web servers as well? So they don't fail the MX test.

That's not the problem -- that's a *good* thing that Declude JunkMail knows that the first IP is yours. Otherwise, it would scan that IP, see that it doesn't belong to a spammer, and the spam would go through. It's also a good thing that the E-mail failed the HELOBOGUS test (as it was spam, and legitimate E-mail of yours would not have failed the HELOBOGUS test).

> This stops some mail from our web servers that use email to the customers email box for order processing.

In this case, you'll need to provide the headers for one of the legitimate E-mails that is getting caught.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

Re: [Declude.JunkMail] What is this about ??
> X-RBL-Warning: Declude CAUGHT-NO ABUSE
> X-RBL-Warning: HELOBOGUS: Domain web1.sslsales.com has no MX or A records.

In this case, part of the problem seems to be that your local DNS server isn't able to resolve web1.sslsales.com -- could it be that you have a local DNS server that is resolving sslsales.com domains differently than the way they would be resolved on the Internet?

As for the CAUGHT-NO ABUSE, I'm guessing that is the NOABUSE test, in which case you can go to http://www.rfc-ignorant.org to find out why the domain is listed there.

-Scott

RE: [Declude.JunkMail] Server Gone Wild
> I'm running version 6 and have not found a reason to upgrade.

MS Patch display problems and KWM templates. Not very much but what new features do you want if already a declude customer? ;-)

V8 also provides finally an API but this problem we've already solved with the command line tools available in v7 and v6.

Remains the inflexible scalability if you have a lot of web messaging users because this service must run on the same server if you do not run an external imap2webmail solution like offered from the horde project.

I would like if Imail would work on scalability and basic architecture and not reinvent solutions that are already solved elsewhere much much better. But this is a little bit OT and this list's subscribers should know this already. ;-)

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gufler Markus
Sent: Wednesday, December 03, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Server Gone Wild

> > hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1)
> are you running Imail 7.x or 8.x?

IMail v7.15

Beside declude's whitelisting for authenticated users working only with v8.x I haven't found any reason to upgrade.

Markus

RE: [Declude.JunkMail] Server Gone Wild
> hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1) All D*.SMD spoolfiles finished in the spool folder. There was no Q file but a lot of files beginning with _ (instead of Q) When I tried to resend the messages from the IMail queue viewer these _ files disappeared but now I've found all Q-files in Declude's overflow folder.

What version of Declude are you running (\IMail\Declude -diag from a command prompt will show you)?

-Scott

[Declude.JunkMail] Trying SpamChk...and weights...
Hi all,

All of the recent talk about SpamChk has finally prompted me to give it a spin. Per the documentation, I am considering changing my weight scale. That is, I normally hold on 10 and delete on 25. Of course, my per-test weights are adjusted accordingly.

I am thinking about doing what the spamchk documentation says and going to a hold weight of 100. This makes the changes to my global.cfg file and filter files easy since I just add a zero. And no math! ;-)

But since I had a few particular weights before around 50 and my whitelist equivalent is a -100 weight, does anyone see any problems with weights potentially being in the -1000 to 1000+ ranges? Obviously, it's all relative to my tests, but I'm more curious about how JunkMail is designed and if there would be any problems with much larger values. Maybe I'm paranoid, but I'd rather ask a dumb question than find out the hard way!

Also, I don't suppose there's a way to set up spamchk so that it does not add any weight...so I can test it first. I know I can zero out everything in the spamchk.ini file, but it would sure be nice to have either a testing parameter that always returns 0 or a way to define it in declude.cfg so that it doesn't use the weight it returns.

Thanks for your input. I'm looking forward to seeing how it works for us!

--Todd.

Re: [Declude.JunkMail] Trying SpamChk...and weights...
> does anyone see any problems with weights potentially being in the -1000 to 1000+ ranges? Obviously, it's all relative to my tests, but I'm more curious about how JunkMail is designed and if there would be any problems with much larger values.

No, there won't be any problems. You should be able to use weights that total up to about 2 billion before any problems occur. We do have some customers that are using very high weights (not as high as 2 billion that I know of, but weights in the 100,000s).

-Scott

RE: [Declude.JunkMail] Server Gone Wild
We had same thing happen to us (Spool files started to collect with no delivery processes) immediately after doing an Fprot update last night at 6.15pm; had to uninstall Fprot and reload older version of it (3.14 I believe) to get it back up

Sincerely,
Randy Armbrecht
Global Web SolutionsR, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562) ext. 1
http://globalweb.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, December 03, 2003 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Server Gone Wild

> hmmm... very strange. The same thing happened on my server yesterday evening at 11:30 pm (GMT+1) All D*.SMD spoolfiles finished in the spool folder. There was no Q file but a lot of files beginning with _ (instead of Q) When I tried to resend the messages from the IMail queue viewer these _ files disappeared but now I've found all Q-files in Declude's overflow folder.

What version of Declude are you running (\IMail\Declude -diag from a command prompt will show you)?

-Scott

---
[This message was Virus Scanned by GlobalWeb.net]

RE: [Declude.JunkMail] Trying SpamChk...and weights...
> ... does anyone see any problems with weights potentially being in the -1000 to 1000+ ranges?

We use the hold-on-100 weighting system and have daily hold spam messages between 100 and 1200 points

> Also, I don't suppose there's a way to set up spamchk so that it does not add any weight...so I can test it first. I know I can zero out everything in the spamchk.ini file, but it would sure be nice to have either a testing parameter that always returns 0 or a way to define it in declude.cfg so that it doesn't use the weight it returns.

You can use

MaxPoints=0
MinPoints=0

in the spamchk.ini file. But note that the value 0 means unlimited.

So maybe it's the best for you if you set

MaxPoints=1
MinPoints=-1

by using a hold-on-100 weighting system. This should not have any noticeable effect in your declude weighting system.

Markus

RE: [Declude.JunkMail] Server Gone Wild
> We had same thing happen to us (Spool files started to collect with no delivery processes) immediately after doing an Fprot update last night at 6.15pm; had to uninstall Fprot and reload older version of it (3.14 I believe) to get it back up

This was also one of my first assumptions. I checked this and have seen:

The last f-prot update is from 12/01/2003
Our F-Prot Updater runs every hour at xx:20 o'clock.
Mail processing stopped at 11:43 pm.

Markus

RE: [Declude.JunkMail] Server Gone Wild
We ran a manual update last night - this is how we knew this was the issue...

Sincerely,
Randy Armbrecht
Global Web SolutionsR, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562) ext. 1
http://globalweb.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, December 03, 2003 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Server Gone Wild

> We had same thing happen to us (Spool files started to collect with no delivery processes) immediately after doing an Fprot update last night at 6.15pm; had to uninstall Fprot and reload older version of it (3.14 I believe) to get it back up

This was also one of my first assumptions. I checked this and have seen:

The last f-prot update is from 12/01/2003
Our F-Prot Updater runs every hour at xx:20 o'clock.
Mail processing stopped at 11:43 pm.

Markus

RE: [Declude.JunkMail] Server Gone Wild
Let me also clarify - this was a program update - not a def file update...

Sincerely,
Randy Armbrecht
Global Web SolutionsR, Inc.
804-346-5300 ext. 1
877-800-GLOBAL (4562) ext. 1
http://globalweb.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, December 03, 2003 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Server Gone Wild

> We had same thing happen to us (Spool files started to collect with no delivery processes) immediately after doing an Fprot update last night at 6.15pm; had to uninstall Fprot and reload older version of it (3.14 I believe) to get it back up

This was also one of my first assumptions. I checked this and have seen:

The last f-prot update is from 12/01/2003
Our F-Prot Updater runs every hour at xx:20 o'clock.
Mail processing stopped at 11:43 pm.

Markus

Re: [Declude.JunkMail] Declude Virus BANNAME option with v1.76
> The problem has been identified; there was a problem with v1.76 (beta) and subsequent interim releases and the BANNAME option. This issue is fixed in a new interim release v1.76i30 at http://www.declude.com/release/176i/declude.exe . Alternatively, you can comment out the BANNAME options by adding a # to the beginning of the lines that they are in.

Hmmm, is it after the # of BANNAMEs reaches a certain point? I've had 2 instances of backlogs of mail in the spool in the past 3 months since going to Imail 8, but stopping/restarting SMTP + Queue Manager got mail moving again.

We have 7.16 here for Declude, with 1 BANNAME listed - photos.zip. Didn't even realize I was missing the others mentioned.. but I'm not adding them yet. LOL!

Paul

---
[This E-mail scanned for viruses by Declude Virus]

[Declude.JunkMail] Strange header
Over the past couple of weeks I have found about a dozen messages with this header:

X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING

The JunkMail log entries for these messages look normal, so I'm not sure what the problem might be. Scott, any ideas?

Bill

Re: [Declude.JunkMail] Strange header
> Over the past couple of weeks I have found about a dozen messages with this header:
>
> X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING
>
> The JunkMail log entries for these messages look normal, so I'm not sure what the problem might be. Scott, any ideas?

That will happen if you are using a variable that isn't defined in the version of Declude that you are running. For example, if you use TESTNAME WARN X-RBL-Warning: [%MADEUP%]TESTNAME[%MADEUP%]WARNING, that would happen.

-Scott

[Declude.JunkMail] Declude Virus List
How can I get on the Declude Virus scan list

[Declude.JunkMail] WAY OT: Please be careful! (DO NOT REPLY!)
PERSONAL STORY

December 3, 1998. 9:03 AM

It was a clear crisp day in Fresno, CA. Then, at the hands of 2 inattentive drivers, I nearly lost my life.

Driving/Operating a motor vehicle is a responsibility! Please...Treat it with the respect it deserves.

Thank you.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

Re: [Declude.JunkMail] Strange header
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]

> > Over the past couple of weeks I have found about a dozen messages with this header:
> >
> > X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING
> >
> > The JunkMail log entries for these messages look normal, so I'm not sure what the problem might be. Scott, any ideas?
>
> That will happen if you are using a variable that isn't defined in the version of Declude that you are running. For example, if you use TESTNAME WARN X-RBL-Warning: [%MADEUP%]TESTNAME[%MADEUP%]WARNING, that would happen.

I have nothing like that in my global.cfg. Just to make sure, I did a find on TESTNAME, and WARNING and neither were found in my global.cfg file. In fact, these are the only two entries in my global.cfg that use the percent % sign:

XOUTHEADER X-Country-Chain: %COUNTRYCHAIN%
XOUTHEADER X-Note: Total spam test weight: %WEIGHT%

And both of those entries displayed fine in the headers:

X-IMAIL-SPAM-VALFROM: (1682505852)
X-Alligate-In: FAILED - Score Adult: 0 (Req: 35) Spam: 13 (Req: 50) Tot: 13 (Req: 6)
X-Alligate-Tracking: 44ED8B98CFE8B030
X-Alligate-Signature: 1851824272
X-Alligate-SpoolFile: D99336449007c1a28.SMD
X-Alligate-Sender: [EMAIL PROTECTED] [64.132.215.104]
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?64.132.215.104
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: ALLIGATE-SPAM-L1: Message failed ALLIGATE-SPAM-L1: 13.
X-RBL-Warning: SNIFFER-GENERAL: Message failed SNIFFER-GENERAL: 63.
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 6.
X-RBL-Warning: HEADERS-FILTER: Message failed HEADERS-FILTER test (line 56, weight 5)
X-RBL-Warning: DYNAMIC-FILTER: Message failed DYNAMIC-FILTER test (line 247, weight 0)
X-RBL-Warning: GIBBERISH-FILTER: Message failed GIBBERISH-FILTER test (line 97, weight 0)
X-RBL-Warning: BYPASSWHITELIST:
X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING
X-Declude-Sender: [EMAIL PROTECTED] [64.132.215.104]
X-Declude-Spoolname: D99336449007c1a28.SMD
X-Country-Chain: [ARIN Unlisted]-UNITED STATES-destination
X-Note: This e-mail was scanned for viruses filtered for spam
X-Note: Total spam test weight: 34

===

X-IMAIL-SPAM-VALFROM: (264831116)
X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in this E-mail.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 66.119.222.55 with no reverse DNS entry.
X-RBL-Warning: ALLIGATE-PORN-L1: Message failed ALLIGATE-PORN-L1: -28.
X-RBL-Warning: ALLIGATE-PORN-L2: Message failed ALLIGATE-PORN-L2: -28.
X-RBL-Warning: ALLIGATE-PORN-L3: Message failed ALLIGATE-PORN-L3: -28.
X-RBL-Warning: HEADERS-FILTER: Message failed HEADERS-FILTER test (line 56, weight 5)
X-RBL-Warning: GIBBERISH-FILTER: Message failed GIBBERISH-FILTER test (line 16, weight -3) (weight capped at -3)
X-RBL-Warning: BYPASSWHITELIST:
X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING
X-Declude-Sender: [EMAIL PROTECTED] [66.119.222.55]
X-Declude-Spoolname: Dfd530fc9008c343a.SMD
X-Country-Chain: UNITED STATES-destination
X-Note: This e-mail was scanned for viruses filtered for spam
X-Note: Total spam test weight: 21

Bill

Re: [Declude.JunkMail] Strange header
X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING

I have nothing like that in my global.cfg. Just to make sure, I did a find on TESTNAME, and WARNING and neither were found in my global.cfg file. In fact, these are the only two entries in my global.cfg that use the percent % sign:

What about in your \IMail\Declude\$default$.JunkMail file?

In any case, the next release will record some extra information to the log file if this occurs.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] Strange header
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]

X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING

I have nothing like that in my global.cfg. Just to make sure, I did a find on TESTNAME, and WARNING and neither were found in my global.cfg file. In fact, these are the only two entries in my global.cfg that use the percent % sign:

What about in your \IMail\Declude\$default$.JunkMail file?

In any case, the next release will record some extra information to the log file if this occurs.

Ditto for the $default$.JunkMail file. All entries are set to:

TESTNAME1WARN
TESTNAME2HOLD
TESTNAME3DELETE

None of the tests are set to use any variables. Also, there are no USER or DOMAIN specific tests defined on this server.

Bill
RE: [Declude.JunkMail] Declude does not see email
I am now seeing this also. This is disturbing as it is allowing viruses through.

The particular message that I am concerned with (containing a virus) does show up in the c:\declude.log file but is not in the virus or hijack log but is seen in this line in the JM log:

12/03/2003 06:11:30 Qeedf08fb02486d2c Could not lock F:\Spool\Qeedf08fb02486d2c.SMD; timed out (j=2).

Imail 8.03
Declude 1.76i28

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] Declude does not see email
I am now seeing this also. This is disturbing as it is allowing viruses through.

The particular message that I am concerned with (containing a virus) does show up in the c:\declude.log file but is not in the virus or hijack log but is seen in this line in the JM log:

12/03/2003 06:11:30 Qeedf08fb02486d2c Could not lock F:\Spool\Qeedf08fb02486d2c.SMD; timed out (j=2).

This will happen if either the Q*.SMD file disappears, or is locked by another program (presumably IMail). It looks like there are several issues with IMail v8.

-Scott
RE: [Declude.JunkMail] Spamchk fine tuning?
Thanks Markus. I am using SpamChk with about 70 other tests. One thing that helped solve the fp problem was going to your weight 100 scheme. By adding a zero to every weight it brought spamchk's results into proportion with everything else.

I didn't want to mess with the config for precisely the reason you point out; some stuff was clearly threshold values and not weights, but I wasn't 100% on what was what and didn't want to break it.

Here are the headers from one of the error messages your list server threw. The mails had no content. Only the subject you see here. I got subscribed just fine with the other link you sent me. It appears that this other link doesn't ask for my name, as that's the only diff I saw between the two links.

Received: from mail.spamchk.com [217.199.0.33] by msb1.mysecretbase.net with ESMTP (SMTPD32-8.02) id A58B4050086; Tue, 02 Dec 2003 09:02:03 -0800
Date: Tue, 2 Dec 2003 17:59:15 +0100
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (List Server)
To: [EMAIL PROTECTED]
Subject: Invalid Syntax!
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 4.
X-Declude-Sender: [EMAIL PROTECTED] [217.199.0.33]
X-Declude-Spoolname: Dc58b04050086dd14.SMD
X-Note: This E-mail was sent from ns1.zcom.it ([217.199.0.33]).
X-Note: This E-mail was scanned by MSB Designs Inc. Anti-Spam Services.
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, SPAMCHK
X-Spam-Message-Weight: 4
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 369357513
RE: [Declude.JunkMail] Spamchk fine tuning?
Here are the headers from one of the error messages your list server threw. The mails had no content. Only the subject you see here. I got subscribed just fine with the other link you sent me. It appears that this other link doesn't ask for my name, as that's the only diff I saw between the two links.

Yes, you're right. IMail's listserver expects a name after the subscribe list command.

Subscribe [listname] [yourname]

in the body should work fine.

Markus
RE: [Declude.JunkMail] Declude does not see email
To help track this down, it would be helpful to do the following:

Compare the number of messages logged in C:\declude.log to the number logged in the virus log in a 24 hour period.

Any one know how to do that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, December 03, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude does not see email

I am now seeing this also. This is disturbing as it is allowing viruses through.

The particular message that I am concerned with (containing a virus) does show up in the c:\declude.log file but is not in the virus or hijack log but is seen in this line in the JM log:

12/03/2003 06:11:30 Qeedf08fb02486d2c Could not lock F:\Spool\Qeedf08fb02486d2c.SMD; timed out (j=2).

This will happen if either the Q*.SMD file disappears, or is locked by another program (presumably IMail). It looks like there are several issues with IMail v8.

-Scott
RE: [Declude.JunkMail] Declude does not see email
Also another interesting finding. It seems as when this is happening, the Imail Spam statistics header line does not appear either.

Any one else confirm this?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 12:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Declude does not see email

To help track this down, it would be helpful to do the following:

Compare the number of messages logged in C:\declude.log to the number logged in the virus log in a 24 hour period.

Any one know how to do that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, December 03, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude does not see email

I am now seeing this also. This is disturbing as it is allowing viruses through.

The particular message that I am concerned with (containing a virus) does show up in the c:\declude.log file but is not in the virus or hijack log but is seen in this line in the JM log:

12/03/2003 06:11:30 Qeedf08fb02486d2c Could not lock F:\Spool\Qeedf08fb02486d2c.SMD; timed out (j=2).

This will happen if either the Q*.SMD file disappears, or is locked by another program (presumably IMail). It looks like there are several issues with IMail v8.

-Scott
RE: [Declude.JunkMail] F-prot updates
Markus,

The last f-prot update is from 12/01/2003
Our F-Prot Updater runs every hour at xx:20 o'clock. Mail processing stopped at 11:43 pm.

I set up a program alias that the F-Prot notifications email to. That in turn kicks off update.exe [the f-prot update program]. Nothing wrong for sure with scheduling the updates but this alias is kinda neat and it hopefully gets me the updates right off.

-Nick Hayer

Markus
RE: [Declude.JunkMail] Strip the body of an e-Mail
You could use ATTACH to attach the spam to the email so it does not get viewed.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alejandro Valenzuela
Sent: Wednesday, December 03, 2003 12:39 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Strip the body of an e-Mail

Is it possible to strip all attachments and body from an e-mail, just keeping the subject, after the message failed a given test... ??

This way, the maybe spam that I still pass to the users doesn't contain tracing URLs that confirm that the e-mail was viewed.. Also, it would reduce bandwidth... And if it was a false positive then the user would still have the sender and subject..

Thanks

Alex V.
[Declude.JunkMail] SpamDomains
Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file?

X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] SpamDomains
Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file?

X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com.

That's because the SPAMDOMAINS test looks for the domain within the E-mail address, even if it appears in the username.

-Scott
Re: [Declude.JunkMail] SpamDomains
John,

If you include an @ symbol before the domain name, it will stop it from tagging this VERP stuff.

@domain.moc domain.moc
@aol.com .aol.com
@yahoo. .yahoo.
etc...

The only drawback here is that you can only have one match (the second column) because the first column will never produce a match on REVDNS this way.

Matt

John Tolmachoff (Lists) wrote:

Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file?

X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] Declude does not see email
John, a few weeks ago I sent you a copy of my 1st draft UNIX Utilities Reference Guide I had put together, but heard no response back from you. Had you reviewed it you probably would have been able to figure this out.

Anyway, here is what I found on one of my IMail servers:

gawk "{print $3}" dec1202.log | usort | uniq | grep -c Q
25624

gawk "{print $3}" vir1202.log | usort | uniq | grep -c Q
25625

grep 12\/02\/2003 declude.log | gawk "{print $4}" | usort | uniq | grep -c Q
25612

Hmmm, strange that the number listed in the declude.log file is actually less than what's reported in the JunkMail and Virus log files.

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 12:34 PM
Subject: RE: [Declude.JunkMail] Declude does not see email

To help track this down, it would be helpful to do the following:

Compare the number of messages logged in C:\declude.log to the number logged in the virus log in a 24 hour period.

Any one know how to do that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, December 03, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude does not see email

I am now seeing this also. This is disturbing as it is allowing viruses through.

The particular message that I am concerned with (containing a virus) does show up in the c:\declude.log file but is not in the virus or hijack log but is seen in this line in the JM log:

12/03/2003 06:11:30 Qeedf08fb02486d2c Could not lock F:\Spool\Qeedf08fb02486d2c.SMD; timed out (j=2).

This will happen if either the Q*.SMD file disappears, or is locked by another program (presumably IMail). It looks like there are several issues with IMail v8.

-Scott
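The count comparison above can be taken one step further by comparing the spool IDs themselves, which shows which messages reached declude.log but never reached the virus log. This is an added example, not code from the thread or from Declude: the log lines are constructed, the function names are hypothetical, and the only layout assumed is what the thread states (spool ID in column 3 of the JunkMail and virus logs, column 4 of declude.log, plus the quoted "Could not lock" line).

```python
import re

# Spool IDs in the thread are "Q" followed by hex digits (e.g. Qeedf08fb02486d2c).
SPOOL_ID = re.compile(r"Q[0-9a-fA-F]+")


def spool_ids(lines, field, date=None):
    """Unique spool IDs in whitespace column `field` (1-based, like gawk's $N).

    If `date` is given, only lines containing it are used; this mirrors the
    grep-by-date step needed for declude.log, which is not split per day.
    """
    ids = set()
    for line in lines:
        if date is not None and date not in line:
            continue
        parts = line.split()
        if len(parts) >= field and SPOOL_ID.fullmatch(parts[field - 1]):
            ids.add(parts[field - 1])
    return ids


def lock_timeouts(junkmail_lines):
    """Spool IDs whose JunkMail entry reports a 'Could not lock' timeout."""
    hits = set()
    for line in junkmail_lines:
        parts = line.split()
        if "Could not lock" in line and len(parts) >= 3 and SPOOL_ID.fullmatch(parts[2]):
            hits.add(parts[2])
    return hits


def reconcile(declude_lines, junkmail_lines, virus_lines, date):
    """Compare the three logs by spool ID instead of by total count."""
    seen = spool_ids(declude_lines, 4, date)
    junkmail = spool_ids(junkmail_lines, 3)
    virus = spool_ids(virus_lines, 3)
    locked = lock_timeouts(junkmail_lines)
    return {
        "counts": {"declude": len(seen), "junkmail": len(junkmail), "virus": len(virus)},
        "not_virus_scanned": sorted(seen - virus),        # handed over, never scanned
        "not_in_junkmail": sorted(seen - junkmail),
        "only_in_scanner_logs": sorted((junkmail | virus) - seen),
        "lock_timeouts_unscanned": sorted(locked - virus),
    }


# Constructed sample data. Column 3 of declude.log ("recv") is a placeholder.
DECLUDE_LOG = [
    "12/02/2003 16:20:11 recv Q1a2b3c4d00000001",
    "12/02/2003 16:21:29 recv Q1a2b3c4d00000002",
    "12/02/2003 16:22:40 recv Q1a2b3c4d00000003",
    "12/03/2003 00:01:05 recv Q1a2b3c4d00000004",
]
JUNKMAIL_LOG = [
    "12/02/2003 16:20:12 Q1a2b3c4d00000001 constructed entry, recipient 1",
    "12/02/2003 16:20:12 Q1a2b3c4d00000001 constructed entry, recipient 2",
    r"12/02/2003 16:21:59 Q1a2b3c4d00000002 Could not lock F:\Spool\Q1a2b3c4d00000002.SMD; timed out (j=2).",
    "12/02/2003 16:22:41 Q1a2b3c4d00000003 constructed entry",
]
VIRUS_LOG = [
    "12/02/2003 16:20:12 Q1a2b3c4d00000001 constructed scan entry",
    "12/02/2003 16:22:41 Q1a2b3c4d00000003 constructed scan entry",
    "12/02/2003 16:25:00 Q1a2b3c4d00000005 constructed scan entry",
]

if __name__ == "__main__":
    for key, value in reconcile(DECLUDE_LOG, JUNKMAIL_LOG, VIRUS_LOG, "12/02/2003").items():
        print(f"{key}: {value}")
```

In the constructed data all three counts are equal, yet one message was never virus scanned and it is the same one that hit the lock timeout; matching totals alone would hide that.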
[Declude.JunkMail] Log optimization
Scott, any more thought to optimizing the log files? As I was checking the message counts of the virus, junkmail, and declude.log files, I was astonished to find that some of the messages logged in the JunkMail file had over 500 entries because of the number of recipients.

Bill
RE: [Declude.JunkMail] SpamDomains
That's because the SPAMDOMAINS test looks for the domain within the E-mail address, even if it appears in the username.

But wouldn't that create a lot of false positives in such things like newsletters that have the recipient's address embedded in the from address as part of the user part?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] Log optimization
Scott, any more thought to optimizing the log files? As I was checking the message counts of the virus, junkmail, and declude.log files, I was astonished to find that some of the messages logged in the JunkMail file had over 500 entries because of the number of recipients.

It's something that we are working on. It does get difficult, though, when the number of recipients times the number of failed tests is very high (such as 500). One thing that we may do is have a LOGLEVEL LOW entry that shows all the recipients, with another showing the tests that failed -- and then leave the 500 entries for LOGLEVEL HIGH.

-Scott
RE: [Declude.JunkMail] SpamDomains
Question..

SPAMDOMAIN will test the REVDNS only for the domains included in the spamdomains.txt file ?? Any domain not included will not be tested ??

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, December 03, 2003 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamDomains

John,

If you include an @ symbol before the domain name, it will stop it from tagging this VERP stuff.

@domain.moc domain.moc
@aol.com .aol.com
@yahoo. .yahoo.
etc...

The only drawback here is that you can only have one match (the second column) because the first column will never produce a match on REVDNS this way.

Matt

John Tolmachoff (Lists) wrote:

Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file?

X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] SpamDomains
That's why making the SPAMDOMAINS test an ENDSWITH instead of CONTAINS type of test would resolve lots of these kinds of questions and headaches.

Bill

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 1:29 PM
Subject: Re: [Declude.JunkMail] SpamDomains

Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file?

X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com.

That's because the SPAMDOMAINS test looks for the domain within the E-mail address, even if it appears in the username.

-Scott
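The three matching behaviours discussed in the SpamDomains messages (plain CONTAINS, CONTAINS with an @-prefixed first column, and the proposed ENDSWITH) can be compared side by side. This is an added example and a simplified model built only from what the thread describes, not Declude's code: the function names are hypothetical, the sender addresses and most host names are constructed, and the assumption that the reverse DNS may match any column of an entry is taken from Matt's remark about the first column.

```python
def parse_spamdomains(text):
    """Parse 'needle [rdns-substring ...]' lines into (needle, allowed) pairs.

    Model assumption: the reverse DNS name may match any column, so an
    @-prefixed first column can never match (host names contain no '@').
    """
    entries = []
    for raw in text.splitlines():
        cols = raw.lower().split()
        if cols:
            entries.append((cols[0], cols))
    return entries


def sender_matches(address, needle, mode):
    """Decide whether an entry applies to this sender address."""
    address = address.lower()
    if mode == "contains":
        # Substring match anywhere in the address, local part included.
        return needle in address
    if mode == "endswith":
        # Match the domain part only, on a DNS label boundary. An entry such
        # as '@yahoo.' (any TLD) cannot be expressed this way and never matches.
        domain = address.rpartition("@")[2]
        bare = needle.lstrip("@.")
        return domain == bare or domain.endswith("." + bare)
    raise ValueError(f"unknown mode: {mode}")


def spamdomains_hit(address, rdns, entries, mode):
    """Return the entry that fails the test, or None if the message passes."""
    rdns = rdns.lower()
    for needle, allowed in entries:
        if sender_matches(address, needle, mode) and not any(a in rdns for a in allowed):
            return needle
    return None


PLAIN = "domain.moc\naol.com\n"
ANCHORED = "@domain.moc domain.moc\n@aol.com .aol.com\n@yahoo. .yahoo.\n"

CONFIGS = {
    "contains": (parse_spamdomains(PLAIN), "contains"),
    "contains+@": (parse_spamdomains(ANCHORED), "contains"),
    "endswith": (parse_spamdomains(PLAIN), "endswith"),
}

# Constructed senders; mail.closeout-sale.com is the host from the thread.
CASES = {
    # VERP-style bounce address: recipient embedded in the local part.
    "verp": ("news-bounce-jane=domain.moc@mail.closeout-sale.com", "mail.closeout-sale.com"),
    # Sender claims aol.com but connects from an unrelated host.
    "forged": ("jane@aol.com", "dsl-203-0-113-9.example.net"),
    # Sender claims aol.com and the reverse DNS agrees.
    "genuine": ("jane@aol.com", "mx-out-01.mail.aol.com"),
    # Unrelated domain whose name merely contains 'aol.com'.
    "lookalike": ("jane@notaol.com", "mail.example.net"),
}


def compare():
    """Run every case against every configuration."""
    return {
        (case, name): spamdomains_hit(addr, rdns, entries, mode)
        for case, (addr, rdns) in CASES.items()
        for name, (entries, mode) in CONFIGS.items()
    }


if __name__ == "__main__":
    for (case, name), hit in compare().items():
        print(f"{case:10} {name:11} -> {hit}")
```

Only plain CONTAINS flags the VERP and lookalike senders; all three configurations still flag the forged sender and pass the genuine one.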
Re: [Declude.JunkMail] What is this about ??
This is interesting. We are happy with the configuration of declude jm so we use the EXACT same setting on our other mail server. I sent a test message from our web server to both with the same exact information and below is what I got.

X-OriginalArrivalTime: 03 Dec 2003 14:54:01.0812 (UTC) FILETIME=[49FA3140:01C3B9AD]
X-RBL-Warning: HELOBOGUS: Domain web1.sslsales.com has no MX or A records.
X-Declude-Sender: [EMAIL PROTECTED] [216.204.153.96]
X-Declude-Spoolname: Dfb2c592000fc4ab1.SMD
X-Note: This E-mail was scanned for Spam by Secure Services Inc (www.sslsales.com)
Organization: Secure Sevices Inc.
X-RCPT-TO: [EMAIL PROTECTED]

X-OriginalArrivalTime: 03 Dec 2003 14:54:02.0015 (UTC) FILETIME=[4A192AF0:01C3B9AD]
X-Declude-Sender: [EMAIL PROTECTED] [216.204.153.96]
X-Note: This E-mail was scanned by Maine Coast Connection (www.mainecc.com) for spam.
X-Spam-Tests-Failed: None [-2]
X-Country-Chain:
X-Note: This E-mail was sent from web1.sslsales.com ([216.204.153.96]).
X-RCPT-TO: [EMAIL PROTECTED]

Is that odd ? Could it be something with the mail server ??? I rebooted it since it has been a long while and still get the failure.. Also checked which dns server they both were resolving to and they are the same.

I is running Version 1.76b ( the one with the error ) and the other is running Version 1.76i1

Could that be the cause ?

Dave

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 8:13 AM
Subject: Re: [Declude.JunkMail] What is this about ??

X-RBL-Warning: Declude CAUGHT-NO ABUSE
X-RBL-Warning: HELOBOGUS: Domain web1.sslsales.com has no MX or A records.

In this case, part of the problem seems to be that your local DNS server isn't able to resolve web1.sslsales.com -- could it be that you have a local DNS server that is resolving sslsales.com domains differently than the way they would be resolved on the Internet?

As for the CAUGHT-NO ABUSE, I'm guessing that is the NOABUSE test, in which case you can go to http://www.rfc-ignorant.org to find out why the domain is listed there.

-Scott
Re: [Declude.JunkMail] What is this about ??
X-RBL-Warning: HELOBOGUS: Domain web1.sslsales.com has no MX or A records.

Is that odd ? Could it be something with the mail server ???

My guess is that the two different mailservers are using two different DNS servers, one of which thinks it is authoritative for sslsales.com (and is reporting an invalid answer), and the other does not think it is authoritative (so it gets the correct answer).

For example, if one DNS server returns 10.0.0.1 (an internal IP) for www.sslsales.com, and the other reports 192.0.2.80 (an external IP), then it would explain the problem (with the first DNS server needing to have an A record for web1.sslsales.com).

-Scott
Re: [Declude.JunkMail] What is this about ??
Found the issue..

While I was waiting for a response I went back to the non beta of declude version same as the other mail server and the helobogus error is gone. I then reinstalled the beta version and the error is back.

Dave

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 5:53 PM
Subject: Re: [Declude.JunkMail] What is this about ??

X-RBL-Warning: HELOBOGUS: Domain web1.sslsales.com has no MX or A records.

Is that odd ? Could it be something with the mail server ???

My guess is that the two different mailservers are using two different DNS servers, one of which thinks it is authoritative for sslsales.com (and is reporting an invalid answer), and the other does not think it is authoritative (so it gets the correct answer).

For example, if one DNS server returns 10.0.0.1 (an internal IP) for www.sslsales.com, and the other reports 192.0.2.80 (an external IP), then it would explain the problem (with the first DNS server needing to have an A record for web1.sslsales.com).

-Scott
RE: [Declude.JunkMail] Declude does not see email
Bill, usort was not included in the files on the unixtools site you posted before, but I was able to find it here: http://www.profsoftware.com/unixdos/ud09.htm

However, now when running the command, I am getting an error saying needed dll udbase.dll not found.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, December 03, 2003 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude does not see email

John, a few weeks ago I sent you a copy of my 1st draft UNIX Utilities Reference Guide I had put together, but heard no response back from you. Had you reviewed it you probably would have been able to figure this out.

Anyway, here is what I found on one of my IMail servers:

gawk "{print $3}" dec1202.log | usort | uniq | grep -c Q
25624

gawk "{print $3}" vir1202.log | usort | uniq | grep -c Q
25625

grep 12\/02\/2003 declude.log | gawk "{print $4}" | usort | uniq | grep -c Q
25612

Hmmm, strange that the number listed in the declude.log file is actually less than what's reported in the JunkMail and Virus log files.

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 12:34 PM
Subject: RE: [Declude.JunkMail] Declude does not see email

To help track this down, it would be helpful to do the following:

Compare the number of messages logged in C:\declude.log to the number logged in the virus log in a 24 hour period.

Any one know how to do that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, December 03, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude does not see email

I am now seeing this also. This is disturbing as it is allowing viruses through.

The particular message that I am concerned with (containing a virus) does show up in the c:\declude.log file but is not in the virus or hijack log but is seen in this line in the JM log:

12/03/2003 06:11:30 Qeedf08fb02486d2c Could not lock F:\Spool\Qeedf08fb02486d2c.SMD; timed out (j=2).

This will happen if either the Q*.SMD file disappears, or is locked by another program (presumably IMail). It looks like there are several issues with IMail v8.

-Scott
RE: [Declude.JunkMail] Declude does not see email
Bill, never mind. I just got the reference paper from you and it is listed in there where it is at and such. Works. Thanks.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 3:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Declude does not see email

Bill, usort was not included in the files on the unixtools site you posted before, but I was able to find it here: http://www.profsoftware.com/unixdos/ud09.htm

However, now when running the command, I am getting an error saying needed dll udbase.dll not found.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] Declude does not see email
And for the last 15 minutes I have been trying to figure out what I am doing wrong to where I keep getting a result of 0. ;)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, December 03, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude does not see email

Great. The last script shown below should actually be:

grep 12\/02\/2003 declude.log | gawk "{print $4}" | usort | uniq | grep -c Q

Removed -c after the first grep command.

Bill

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 3:40 PM
Subject: RE: [Declude.JunkMail] Declude does not see email

Bill, never mind. I just got the reference paper from you and it is listed in there where it is at and such. Works. Thanks.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 3:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Declude does not see email

Bill, usort was not included in the files on the unixtools site you posted before, but I was able to find it here: http://www.profsoftware.com/unixdos/ud09.htm

However, now when running the command, I am getting an error saying needed dll udbase.dll not found.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, December 03, 2003 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude does not see email

John, a few weeks ago I sent you a copy of my 1st draft UNIX Utilities Reference Guide I had put together, but heard no response back from you. Had you reviewed it you probably would have been able to figure this out.

Anyway, here is what I found on one of my IMail servers:

gawk "{print $3}" dec1202.log | usort | uniq | grep -c Q
25624

gawk "{print $3}" vir1202.log | usort | uniq | grep -c Q
25625

grep -c 12\/02\/2003 declude.log | gawk "{print $4}" | usort | uniq | grep -c Q
25612

Hmmm, strange that the number listed in the declude.log file is actually less than what's reported in the JunkMail and Virus log files.

Bill
RE: [Declude.JunkMail] Declude does not see email
So back to my original idea, in my case, yesterday 5 messages did not make it to Virus or JunkMail processing. That is barely over 1/10 of 1%.

What are others' experiences? (I will also do this later on the other servers I work on.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
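Bill's pipelines compare counts, and his totals show that the three logs can disagree in either direction, so a count difference does not say which messages skipped scanning. As an added example (not from any poster in the thread), this Python sketch reconciles the logs by queue ID instead. The "Q plus 16 hex digits" ID pattern is inferred from the single ID quoted in the thread, and every sample line except the quoted "Could not lock" line is constructed.

```python
import re

# Assumption: spool queue IDs look like the one quoted in the thread,
# "Q" followed by 16 hex digits (Qeedf08fb02486d2c).
QID = re.compile(r"\bQ[0-9a-fA-F]{16}\b")
LOCK_FAIL = "Could not lock"


def ids_for_day(lines, day, skip=None):
    """Return the set of queue IDs on lines for `day` (MM/DD/YYYY).

    Lines containing `skip` are ignored, so a lock failure is not
    mistaken for a message that was actually processed.
    """
    found = set()
    for line in lines:
        if day not in line or (skip and skip in line):
            continue
        match = QID.search(line)  # first ID on the line
        if match:
            found.add(match.group(0))
    return found


def reconcile(declude_log, junkmail_log, virus_log, day):
    """Compare the three logs by queue ID rather than by count."""
    seen = ids_for_day(declude_log, day)
    junk = ids_for_day(junkmail_log, day, skip=LOCK_FAIL)
    virus = ids_for_day(virus_log, day)
    locked = ids_for_day([l for l in junkmail_log if LOCK_FAIL in l], day)
    return {
        # Handed to Declude but never virus scanned: the case that
        # lets infected mail through.
        "not_virus_scanned": sorted(seen - virus),
        "not_junkmail_tested": sorted(seen - junk),
        # Likely cause for the above, per the JunkMail log.
        "lock_timeouts": sorted(locked),
        # The opposite discrepancy: scanned, yet absent from declude.log.
        "not_in_declude_log": sorted((junk | virus) - seen),
    }


# Constructed sample data. Only the date and the queue ID matter here;
# the rest of each line is a placeholder, not real Declude output.
DECLUDE_LOG = r"""
12/02/2003 23:59:58 new Qaaaa000000000000
12/03/2003 06:10:02 new Qaaaa000000000001
12/03/2003 06:11:29 new Qeedf08fb02486d2c
12/03/2003 06:12:40 new Qaaaa000000000003
""".strip().splitlines()

JUNKMAIL_LOG = r"""
12/03/2003 06:10:03 Qaaaa000000000001 processed
12/03/2003 06:11:30 Qeedf08fb02486d2c Could not lock F:\Spool\Qeedf08fb02486d2c.SMD; timed out (j=2).
12/03/2003 06:12:41 Qaaaa000000000003 processed
12/03/2003 06:13:00 Qaaaa000000000009 processed
""".strip().splitlines()

VIRUS_LOG = r"""
12/03/2003 06:10:03 Qaaaa000000000001 scanned
12/03/2003 06:12:41 Qaaaa000000000003 scanned
12/03/2003 06:13:00 Qaaaa000000000009 scanned
""".strip().splitlines()


if __name__ == "__main__":
    report = reconcile(DECLUDE_LOG, JUNKMAIL_LOG, VIRUS_LOG, "12/03/2003")
    for name, ids in report.items():
        print(f"{name}: {ids}")
```

The IDs under not_virus_scanned are the ones to pull from the spool and scan by hand; an ID that also appears under lock_timeouts points at the file-locking problem Scott describes.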
Re: [Declude.JunkMail] SpamDomains
Bill Landry wrote:

That's why making the SPAMDOMAINS test an ENDSWITH instead of CONTAINS type of test would resolve lots of these kinds of questions and headaches.

...and create some others at the same time. No one option is perfect, so if Scott decides to change the functionality of this test, I would prefer a more open format allowing choice, and even other options possibly. Something like:

ENDSWITH aol.com        ENDSWITH aol.com
CONTAINS @yahoo.        CONTAINS .yahoo.
ENDSWITH @mailpure.com  IS mail.mailpure.com

Opening it up further might look like two separate filter tests that both need to match, i.e. If x and If y Then True, or If x and Not If y Then False.

I see no reason to change the SPAMDOMAINS functionality when working around VERP issues is done quite simply with an @ symbol, and I haven't yet found any examples where a domain that I would include in this test could have two REVDNS domains instead of just one which could benefit from matches on both columns. Fixing it to ENDSWITH would make it more difficult to track multi-TLD domains like Yahoo, while making it easier to track multi-sub domains like rr.com, and in the end, it would seem to be a draw.

Matt
Re: [Declude.JunkMail] SpamDomains
Alejandro,

From the Declude JunkMail manual page:

This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test.

You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note.

I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use third-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL.

You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server.

Matt

Alejandro Valenzuela wrote:

Question.. SPAMDOMAIN will test the REVDNS only for the domains included in the spamdomains.txt file ?? Any domain not included will not be tested ??

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, December 03, 2003 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamDomains

John,

If you include an @ symbol before the domain name, it will stop it from tagging this VERP stuff.

@domain.moc  domain.moc
@aol.com     .aol.com
@yahoo.      .yahoo.

etc...

The only drawback here is that you can only have one match (the second column) because the first column will never produce a match on REVDNS this way.

Matt

John Tolmachoff (Lists) wrote:

Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file?

X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] SpamDomains
I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like:

Spamdomains.txt:

[RDNS excluded from check]
ebay.com
greetingcardvendor.com

[includes]
.yahoo.com
@msn.com
etc, etc

This would also allow us to build our list of acceptable excluded addresses together, further improving the test's accuracy.

Jason

-- Original Message --
From: Matthew Bramble [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 03 Dec 2003 19:38:18 -0500

Alejandro,

From the Declude JunkMail manual page:

This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test.

You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note.

I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use third-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL.

You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server.

Matt
[Declude.JunkMail] AOL Slow ?
Hiya All -

We're seeing outbound e-mail to AOL.com happening very, very slowly. Our outbound server (64.4.213.165 / 64.4.213.169) appears to be configured correctly (no problems last week, and no changes since then).

Anybody else seeing AOL delays today?

=
Rob
www.iGive.com
Turn your holiday shopping into cash for your favorite cause.
Re: [Declude.JunkMail] SpamDomains
Everything is already excluded from the spamdomains test except that which you specifically included. So I'm not sure I understand what you're asking for here?

Bill

- Original Message -
From: Jason Newland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 5:29 PM
Subject: Re: [Declude.JunkMail] SpamDomains

I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like:

Spamdomains.txt:

[RDNS excluded from check]
ebay.com
greetingcardvendor.com

[includes]
.yahoo.com
@msn.com
etc, etc

This would also allow us to build our list of acceptable excluded addresses together, further improving the test's accuracy.

Jason
Re: [Declude.JunkMail] SpamDomains
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]

That's why making the SPAMDOMAINS test an ENDSWITH instead of CONTAINS type of test would resolve lots of these kinds of questions and headaches.

...and create some others at the same time. No one option is perfect, so if Scott decides to change the functionality of this test, I would prefer a more open format allowing choice, and even other options possibly. Something like:

ENDSWITH aol.com        ENDSWITH aol.com
CONTAINS @yahoo.        CONTAINS .yahoo.
ENDSWITH @mailpure.com  IS mail.mailpure.com

Opening it up further might look like two separate filter tests that both need to match, i.e. If x and If y Then True, or If x and Not If y Then False.

I see no reason to change the SPAMDOMAINS functionality when working around VERP issues is done quite simply with an @ symbol, and I haven't yet found any examples where a domain that I would include in this test could have two REVDNS domains instead of just one which could benefit from matches on both columns. Fixing it to ENDSWITH would make it more difficult to track multi-TLD domains like Yahoo, while making it easier to track multi-sub domains like rr.com, and in the end, it would seem to be a draw.

Having the ability to define the test type (*WITH) per line would be nice. However, short of that, how many people would wonder why:

sale.com

in the spamdomains.txt file would cause this to fail:

[EMAIL PROTECTED]

versus this in the spamdomains.txt file:

domains.com

which caused this to fail:

[EMAIL PROTECTED]

At least ENDSWITH gives you much greater control and understanding of why messages trigger the test. Granted, it may cause you to have to add a few extra rows of domains in your spamdomains.txt file, but I feel that the greater simplicity and greater control it would provide would outweigh the minimal extra effort.

Bill
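The CONTAINS-versus-ENDSWITH question debated in this thread, as an added Python sketch (not Declude's code and not from any poster). It models the test the way the manual excerpt and Matt's two-column rows describe it; the first-matching-row rule, the `mode` switch, and all addresses and host names are assumptions constructed for illustration.

```python
from enum import Enum


class Verdict(Enum):
    NOT_TESTED = "not tested"  # return address matches no listed row
    PASS = "pass"              # listed sender, reverse DNS agrees
    FAIL = "fail"              # listed sender, reverse DNS disagrees


def parse_rows(text):
    """Parse spamdomains.txt-style rows: sender pattern, optional rDNS pattern."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if cols:
            rows.append((cols[0], cols[1] if len(cols) > 1 else None))
    return rows


def matches(value, pattern, mode):
    """Case-insensitive substring (CONTAINS) or suffix (ENDSWITH) match."""
    value, pattern = value.lower().rstrip("."), pattern.lower()
    if mode == "CONTAINS":
        return pattern in value
    if mode == "ENDSWITH":
        return value.endswith(pattern)
    raise ValueError(f"unknown mode: {mode}")


def check(rows, mail_from, rev_dns, mode="CONTAINS"):
    """Apply the first row whose sender pattern matches the return address.

    Assumption: the reverse DNS name may match either column, which is why
    an '@'-prefixed first column leaves only the second column usable.
    """
    for sender_pat, rdns_pat in rows:
        if not matches(mail_from, sender_pat, mode):
            continue
        allowed = [p for p in (sender_pat, rdns_pat) if p]
        ok = bool(rev_dns) and any(matches(rev_dns, p, mode) for p in allowed)
        return Verdict.PASS if ok else Verdict.FAIL
    return Verdict.NOT_TESTED


# Rows as first posted (bare domain) and with Matt's '@' workaround.
PLAIN = parse_rows("domain.moc\nhotmail.com")
ANCHORED = parse_rows("@domain.moc domain.moc\n@yahoo. .yahoo.")

# Constructed VERP-style return address: the recipient's domain is
# embedded in the local part, the mail really comes from closeout-sale.com.
VERP = "bounce-joe=domain.moc@closeout-sale.com"

CASES = [
    ("VERP, bare row", PLAIN, VERP, "mail.closeout-sale.com", "CONTAINS"),
    ("VERP, '@' row", ANCHORED, VERP, "mail.closeout-sale.com", "CONTAINS"),
    ("forged sender", ANCHORED, "joe@domain.moc", "mail.example.ru", "CONTAINS"),
    ("genuine sender", ANCHORED, "joe@domain.moc", "smtp3.domain.moc", "CONTAINS"),
    ("multi-TLD, CONTAINS", ANCHORED, "joe@yahoo.co.uk", "web1.mail.yahoo.co.uk", "CONTAINS"),
    ("multi-TLD, ENDSWITH", ANCHORED, "joe@yahoo.co.uk", "web1.mail.yahoo.co.uk", "ENDSWITH"),
]

if __name__ == "__main__":
    for label, rows, sender, rdns, mode in CASES:
        print(f"{label:22} {check(rows, sender, rdns, mode).value}")
```

The last two cases show Matt's multi-TLD point: a pattern ending in a dot can never be a suffix, so under ENDSWITH each Yahoo TLD would need its own row.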
RE: [Declude.JunkMail] SpamDomains
Say for example I have 10,000 people using MSN.com addresses to spam me with. I add the spamdomains test and enter in @msn.com into it. Now it does well to stop the spammers, but now I am falsely tagging mail from ebay.com [EMAIL PROTECTED] making a bid inquiry. If we could have a spamdomains RDNS whitelist, then anything with a .ebay.com address is whitelisted, or whatever we put in the list. I know we can whitelist in the main .cfg file, but I'm not sure I would want to whitelist ebay from every test, just whitelist from the spamdomains test. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Wednesday, December 03, 2003 8:20 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains Everything is already excluded from the spamdomains test except that which you specifically included. So I'm not sure I understand what you're asking for here? Bill - Original Message - From: Jason Newland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:29 PM Subject: Re: [Declude.JunkMail] SpamDomains I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. 
Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. 
The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] sniffer
How does Sniffer work? Their web page says: In the best implementations allow you to assign a weight to each possible result code. Declude, mxGuard, and SpamAssassin are all good examples of systems that allow weights to be assigned to the result codes from Message Sniffer. So if Sniffer says an email is porn spam then it gets a weight of 10, but if it's web hosting spam then it's 8? Does the weight differ depending on how confident Sniffer is? What do these rules look like in Global.cfg on $Default$.junkmail? ~Brad -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith Sent: Tuesday, December 02, 2003 7:54 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] sniffer Sniffer's well worth the $300.00 per year. That breaks down to less than $1.00 per day. It catches content that some RBLs don't catch. Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson Sent: Tuesday, December 02, 2003 10:28 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] sniffer It's not worth paying the subscription fee, in my opinion. I have a client that's paying for it, and it doesn't catch very much that isn't already caught somewhere else. I am considering Maps too. But it's $1500/yr. Anyone using them? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. 
Re: [Declude.JunkMail] SpamDomains
Yes, it would be nice if you could add more than just one alternate domain per line in the spamdomains.txt file, like:
@msn.com.msn.com .hotmail.com .ebay.com
Maybe in a future release (hint, hint)... ;-)
Bill
- Original Message - From: Jason [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 6:44 PM Subject: RE: [Declude.JunkMail] SpamDomains
Say for example I have 10,000 people using MSN.com addresses to spam me with. I add the spamdomains test and enter in @msn.com into it. Now it does well to stop the spammers, but now I am falsely tagging mail from ebay.com [EMAIL PROTECTED] making a bid inquiry. If we could have a spamdomains RDNS whitelist, then anything with a .ebay.com address is whitelisted, or whatever we put in the list. I know we can whitelist in the main .cfg file, but I'm not sure I would want to whitelist ebay from every test, just whitelist from the spamdomains test.
Jason
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Wednesday, December 03, 2003 8:20 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains
Everything is already excluded from the spamdomains test except that which you specifically included. So I'm not sure I understand what you're asking for here?
Bill
- Original Message - From: Jason Newland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:29 PM Subject: Re: [Declude.JunkMail] SpamDomains
I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like:
Spamdomains.txt:
[RDNS excluded from check]
ebay.com
greetingcardvendor.com
[includes]
.yahoo.com
@msn.com
etc, etc
This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy.
Jason
-- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500
Alejandro,
From the Declude JunkMail manual page:
This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test.
You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note.
I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use third-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL.
You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server.
Matt
Re: [Declude.JunkMail] sniffer
Brad, Sniffer has a rule base that they code based on spam they receive. Depending on the type of spam it is (porn, av, hosting, etc) they place that rule in an appropriate category. When sniffer scans a message it will return a code. The code that is returned is what you will use in your Declude rules. For example if the code returned is the code associated with porn spam I assign it a certain amount of weight. However, if the code returned from sniffer is from their experimental rule category I assign it a much lower weight. I hope this helps. Darrell Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com T. Bradley Dean writes: How does Sniffer work? Their web page says: In the best implementations allow you to assign a weight to each possible result code. Declude, mxGuard, and SpamAssassin are all good examples of systems that allow weights to be assigned to the result codes from Message Sniffer. So if Sniffer says an email is porn spam then it gets a weight of 10, but if it's web hosting spam then it's 8? Does the weight differ depending on how confident Sniffer is? What do these rules look like in Global.cfg on $Default$.junkmail? ~Brad -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith Sent: Tuesday, December 02, 2003 7:54 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] sniffer Sniffer's well worth the $300.00 per year. That breaks down to less than $1.00 per day. It catches content that some RBLs don't catch. Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson Sent: Tuesday, December 02, 2003 10:28 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] sniffer It's not worth paying the subscription fee, in my opinion. I have a client that's paying for it, and it doesn't catch very much that isn't already caught somewhere else. I am considering Maps too. But it's $1500/yr. Anyone using them? 
Re: [Declude.JunkMail] SpamDomains
Jason, I have a separate 'white' filter for that sort of thing :)
Matt
Jason Newland wrote:
I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like:
Spamdomains.txt:
[RDNS excluded from check]
ebay.com
greetingcardvendor.com
[includes]
.yahoo.com
@msn.com
etc, etc
This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy.
Jason
-- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500
Alejandro,
From the Declude JunkMail manual page:
This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test.
You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note.
I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use third-party mass mailers for newsletters.
The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] sniffer
Brad,
Sniffer does message based pattern matching (Pete, correct me if I am wrong). If you opt to separate the 20 or so tests that Sniffer currently supports, then you can set whatever weight you want to each individual test. Here is how I currently have the individual Sniffer tests defined in my global.cfg (License ID and Authentication Code obscured):
SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-INSURANCE external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-AV-PUSH external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-WAREZ external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SPAMWARE external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SNAKEOIL external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCAMS external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-ADVERTISING external 056 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCHEMES external 057 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-CREDIT external 058 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GAMBLING external 059 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GREYMAIL external 060 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-OBFUSCATION external 061 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-SPAM external 062 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-GENERAL external 063 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
You would need to adjust the weights to fit your own needs. However, this will at least give you a starting point.
Bill
- Original Message - From: T. Bradley Dean [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 6:43 PM Subject: RE: [Declude.JunkMail] sniffer
How does Sniffer work? Their web page says: In the best implementations allow you to assign a weight to each possible result code. Declude, mxGuard, and SpamAssassin are all good examples of systems that allow weights to be assigned to the result codes from Message Sniffer. So if Sniffer says an email is porn spam then it gets a weight of 10, but if it's web hosting spam then it's 8? Does the weight differ depending on how confident Sniffer is? What do these rules look like in Global.cfg on $Default$.junkmail?
~Brad
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith Sent: Tuesday, December 02, 2003 7:54 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] sniffer
Sniffer's well worth the $300.00 per year. That breaks down to less than $1.00 per day. It catches content that some RBLs don't catch.
Mark
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson Sent: Tuesday, December 02, 2003 10:28 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] sniffer
It's not worth paying the subscription fee, in my opinion. I have a client that's paying for it, and it doesn't catch very much that isn't already caught somewhere else. I am considering Maps too. But it's $1500/yr. Anyone using them?
Re: [Declude.JunkMail] SpamDomains
Bill Landry wrote:
Having the ability to define the test type (*WITH) per line would be nice. However, short of that, how many people would wonder why:
sale.com
in the spamdomains.txt file would cause this to fail:
[EMAIL PROTECTED]
versus this in the spamdomains.txt file:
domains.com
which caused this to fail:
[EMAIL PROTECTED]
At least ENDSWITH gives you much greater control...
Well, IMO, they would be using the test in the wrong way if they were to build the file that way :) Always use the @ symbol in the first column, that basically makes the filter act like an ENDSWITH filter since there can only be one @ symbol in an E-mail address. The extra flexibility of a CONTAINS filter on the second column causes no real harm.
Matt
RE: [Declude.JunkMail] SpamDomains
You CAN create your own RDNS whitelist. You can even use your DNS server to maintain it. Not sure if that's what you're trying to do?
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206
Re: [Declude.JunkMail] SpamDomains
Whitelisting in the traditional sense is also discouraged from where I sit. Build a filter file that just simply deducts some points, but not too many, so that the message could fail a few important filters or RBL's and still pass. There will be limited circumstances where a spammer will have reverse DNS lookups configured to match a domain like yahoo.com or aol.com, and by just crediting a few points, they are by no means guaranteed a free pass. Naturally IP ranges are safer, but harder to get and harder to maintain. BTW, if you add MSN to your file with an @ symbol, you absolutely must have two columns, not just one. @'s require two columns always. @msn.com.hotmail. I've been leaving off the TLD from the second column just in case they ever switch between a .com and .net address, or maybe a ccTLD. I do not believe that MSN sends from reverse DNS entries that are from msn.com. Here's what I'm using currently, however I don't claim by any means that this is anywhere near as complete as I would like it to be. I need to do more work especially at filling in the broadband providers. Also note that this is supposed to be the ISP and free E-mail version of the file and not the corporate version which should be scored higher (amazon.com, microsoft.com, symantec.com, etc.). Matt @yahoo..yahoo. @yahoo-inc.com.yahoo. @hotmail.com.hotmail. @msn.com.hotmail. @aol.com.aol. @earthlink.com.earthlink. @cox.net.cox. @t-online..t-online. @t-dialin.net.t-online. @wanadoo.fr.wanadoo. @netscape.net.aol. @netscape.com.aol. @att.net.att. @att.com.att. @attbi.com.attbi. @bellsouth.net.bellsouth. @charter.net.charter. @juno.com.untd. @verizon.net.verizon. @verizon.com.verizon. @cgocable.ca.cgocable. 
@rr.com.rr.com @bham.rr.com.rr.com @midsouth.rr.com.rr.com @bak.rr.com.rr.com @san.rr.com.rr.com @socal.rr.com.rr.com @hawaii.rr.com.rr.com @indy.rr.com.rr.com @midsouth.rr.com.rr.com @triad.rr.com.rr.com @sc.rr.com.rr.com @midsouth.rr.com.rr.com @stx.rr.com.rr.com @elp.rr.com.rr.com @satx.rr.com.rr.com @hot.rr.com.rr.com @new.rr.com.rr.com @sw.rr.com.rr.com @dc.rr.com.rr.com @hawaii.rr.com.rr.com @kc.rr.com.rr.com @nycap.rr.com.rr.com @rochester.rr.com.rr.com @neb.rr.com.rr.com @twcny.rr.com.rr.com @cfl.rr.com.rr.com @swfla.rr.com.rr.com @nyroc.rr.com.rr.com @tampabay.rr.com.rr.com @austin.rr.com.rr.com @carolina.rr.com.rr.com @outblaze.com.outblaze. @2die4.com.outblaze. @accountant.com.outblaze. @adexec.com.outblaze. @africamail.com.outblaze. @allergist.com.outblaze. @alumnidirector.com.outblaze. @archaeologist.com.outblaze. @arcticmail.com.outblaze. @artlover.com.outblaze. @asia.com.outblaze. @australiamail.com.outblaze. @berlin.com.outblaze. @bikerider.com.outblaze. @catlover.com.outblaze. @cheerful.com.outblaze. @chemist.com.outblaze. @clerk.com.outblaze. @cliffhanger.com.outblaze. @columnist.com.outblaze. @comic.com.outblaze. @consultant.com.outblaze. @consultant.com.outblaze. @counsellor.com.outblaze. @cutey.com.outblaze. @deliveryman.com.outblaze. @diplomats.com.outblaze. @doctor.com.outblaze. @doglover.com.outblaze. @dr.com.outblaze. @dublin.com.outblaze. @earthling.net.outblaze. @email.com.outblaze. @engineer.com.outblaze. @europe.com.outblaze. @europe.com.outblaze. @execs.com.outblaze. @financier.com.outblaze. @gardener.com.outblaze. @geologist.com.outblaze. @graphic-designer.com.outblaze. @hairdresser.net.outblaze. @hot-shot.com.outblaze. @iname.com.outblaze. @inorbit.com.outblaze. @insurer.com.outblaze. @japan.com.outblaze. @journalist.com.outblaze. @lawyer.com.outblaze. @legislator.com.outblaze. @lobbyist.com.outblaze. @london.com.outblaze. @loveable.com.outblaze. @mad.scientist.com.outblaze. @madrid.com.outblaze. @mail.com.outblaze. 
@mindless.com.outblaze. @minister.com.outblaze. @moscowmail.com.outblaze. @munich.com.outblaze. @musician.org.outblaze. @myself.com.outblaze. @nycmail.com.outblaze. @optician.com.outblaze. @paris.com.outblaze. @pediatrician.com.outblaze. @playful.com.outblaze. @poetic.com.outblaze. @popstar.com.outblaze. @post.com.outblaze.
RE: [Declude.JunkMail] SpamDomains
Ahh, but us poor folks that have the standard version are out of luck :-( Guess I have a good reason to upgrade now. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, December 03, 2003 9:17 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains Jason, I have a separate 'white' filter for that sort of thing :) Matt Jason Newland wrote: I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. 
I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use third-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL.
You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server.
Matt
Re: [Declude.JunkMail] SpamDomains
- Original Message - From: Matthew Bramble [EMAIL PROTECTED]
Having the ability to define the test type (*WITH) per line would be nice. However, short of that, how many people would wonder why:
sale.com
in the spamdomains.txt file would cause this to fail:
[EMAIL PROTECTED]
versus this in the spamdomains.txt file:
domains.com
which caused this to fail:
[EMAIL PROTECTED]
At least ENDSWITH gives you much greater control...
Well, IMO, they would be using the test in the wrong way if they were to build the file that way :) Always use the @ symbol in the first column, that basically makes the filter act like an ENDSWITH filter since there can only be one @ symbol in an E-mail address. The extra flexibility of a CONTAINS filter on the second column causes no real harm.
If you use the @ symbol in the first column, then you have severely limited yourself to supporting only one RDNS per domain. I use @ whenever I can, however, I cannot do that and support all of the domains that I list that use multiple delivery domains. For example:
altavista. .av.com
amazon.com .forevermail.com
ameritech.net .sbc.com
attbi.com .comcast.
bellatlantic.net .verizon.net
buy.com .dartmail.com
compuserve.com .aol.com
concentric.com .cnchost.com
concentric.net .cnc.net
earthlink. .mindspring.
ebay.com .emailebay.com
excite.com .excitenetwork.com
gateway.com .dartmail.net
geocities.com .yahoo.com
hp.com .compaq.com
juno.com .untd.com
mindspring. .earthlink.
msn.com .hotmail.com
netscape. .aol.com
netzero. .untd.com
prodigy.net .yahoo.
psi. .cogentco.com
qwest. .uswest.
sprint. .sprintlink.net
swbell.net .prodigy.net
uswest. .qwest.
verio. .veriomail.com
verizon.com .gte.com
verizon.net .bellatlantic.
If you need to support delivery of e-mail from [EMAIL PROTECTED] and sometimes it comes from a mail server with RDNS of xxx.mindspring.com and sometimes it comes from xxx.earthlink.com, how would you venture to support this in your scenario by starting every domain in the first column with the @ sign?
Bill
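The matching behaviour discussed in the messages above, modelled in Python as an added example (it is not Declude's code and was not posted by anyone on the list). It assumes that a message passes when the reverse DNS name contains either column, that columns are whitespace-separated, and that the first matching line decides; the addresses and host names are constructed, as is the `@sale.com` entry.

```python
"""Model of the SpamDomains check as the thread describes it (added example).

Assumptions, not confirmed by the thread: whitespace-separated columns,
case-insensitive matching, a message passes when the reverse DNS name contains
column 1 or column 2, and the first line matching the return address decides.
"""
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    sender: str               # column 1: substring searched in the return address
    alt_rdns: Optional[str]   # column 2: alternate substring accepted in reverse DNS


def parse_spamdomains(text: str) -> List[Entry]:
    """Parse one- or two-column lines; reject an '@' entry with no column 2."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        cols = raw.lower().split()
        if not cols:
            continue
        if len(cols) > 2:
            raise ValueError(f"line {number}: more than two columns")
        if cols[0].startswith("@") and len(cols) == 1:
            # A reverse DNS name never contains '@', so this line could only fail.
            raise ValueError(f"line {number}: '@' entry needs a second column")
        entries.append(Entry(cols[0], cols[1] if len(cols) == 2 else None))
    return entries


def check(entries: List[Entry], return_address: str, rdns: str) -> str:
    """Return 'not-tested', 'pass' or 'fail' for one message."""
    addr, host = return_address.lower(), rdns.lower()
    for entry in entries:
        if entry.sender not in addr:       # CONTAINS match on the return address
            continue
        accepted = [entry.sender]
        if entry.alt_rdns:
            accepted.append(entry.alt_rdns)
        # CONTAINS match on the reverse DNS name of the connecting IP
        return "pass" if any(p in host for p in accepted) else "fail"
    return "not-tested"


# Unanchored first column, as in the manual's example and Bill's list.
LOOSE = parse_spamdomains("""
hotmail.com
sale.com
earthlink.   .mindspring.
""")

# '@' in the first column, as Matt recommends ('@sale.com' is constructed).
ANCHORED = parse_spamdomains("""
@sale.com       .sale.com
@msn.com        .hotmail.
@earthlink.com  .earthlink.
""")

if __name__ == "__main__":
    # Constructed messages: (return address, reverse DNS of the sending IP).
    messages = [
        ("user@hotmail.com", "law2.hotmail.com"),
        ("user@hotmail.com", "mail.example.ru"),
        ("buyer@wholesale.com", "smtp.hosting.example"),
        ("user@earthlink.com", "mx1.mindspring.com"),
        ("user@msn.com", "out.greetingcardvendor.example"),
    ]
    for address, rdns in messages:
        print(f"{address:22} {rdns:32} loose={check(LOOSE, address, rdns):10} "
              f"anchored={check(ANCHORED, address, rdns)}")
```

The `buyer@wholesale.com` row shows the substring problem Bill raises, and the `mx1.mindspring.com` row shows the single-RDNS limit that comes with an `@` entry.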
Re: [Declude.JunkMail] SpamDomains
Well that and at least 10 other filters that have been shared on this list or available at my site. It really depends on how tight you want your system of course and how much processing power you can throw at things. The recent beta functionality to limit the processing of filters helps a bunch though. Filters helped me to get my system to over 98% blocking while lowering my FP rate, and of course I'm deleting much more E-mail now that comes in well above my delete weight. I fail at 10, currently delete at 30, but 80% to 90% of the spam is scoring higher than that. Again though, you can do up to maybe 95% with the standard version if you tweak it carefully, which is just fine for many companies. It would be nice if Scott would add REVDNS pseudo-whitelisting by points to the standard version, that's kind of basic IMO.

Matt

Jason wrote:

Ahh, but us poor folks that have the standard version are out of luck :-( Guess I have a good reason to upgrade now.

Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, December 03, 2003 9:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamDomains

Jason,

I have a separate 'white' filter for that sort of thing :)

Matt

Jason Newland wrote:

I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like:

    Spamdomains.txt:
    [RDNS excluded from check]
    ebay.com
    greetingcardvendor.com
    [includes]
    .yahoo.com
    @msn.com
    etc, etc

This would also allow us to build our list of acceptable excluded addresses together, further improving the test's accuracy.

Jason

-- Original Message --
From: Matthew Bramble [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 03 Dec 2003 19:38:18 -0500

Alejandro,

From the Declude JunkMail manual page:

This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test.

You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use third-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server.

Matt
Re: [Declude.JunkMail] sniffer
Brad,

That's right. :-) Heuristics for patterns are grouped by the spam that prompts us to generate them, or by how we created them. Most of the time they are at least close to classifying the type of spam. Each system that uses Message Sniffer is encouraged to specify adjustable weights for each rule group so that the results from the pattern matching tests can be tuned for the greatest accuracy on that system and according to its unique mix of incoming spam and the users being served.

Declude is optimized to run the external test only once and allow the result code to be evaluated for all of the tests that define that external test... so in the example shown below sniffer would be called once and its result code would be evaluated many times.

Message Sniffer will typically match many patterns in a given spam. Currently the voting system that decides the winning pattern match uses the following rule: Choose the first pattern match found with the lowest symbol. Within the standard rulebase, rule groups are loosely grouped so that the least specific patterns have the largest symbols. The combination of these arrangements tends toward selecting the most specific pattern match available for a given message.

If anyone has other questions that are specific to sniffer then please feel free to contact us off list at our support@ sortmonster.com address.

Thanks,
_M

At 10:20 PM 12/3/2003, you wrote:

Brad,

Sniffer does message based pattern matching (Pete, correct me if I am wrong). If you opt to separate the 20 or so tests that Sniffer currently supports, then you can set whatever weight you want to each individual test. Here is how I currently have the individual Sniffer tests defined in my global.cfg (License ID and Authentication Code obscured):

    SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
    SNIFFER-TRAVEL external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
    SNIFFER-INSURANCE external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-AV-PUSH external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
    SNIFFER-WAREZ external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-SPAMWARE external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-SNAKEOIL external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-SCAMS external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-PORN external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
    SNIFFER-MALWARE external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
    SNIFFER-ADVERTISING external 056 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-SCHEMES external 057 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-CREDIT external 058 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-GAMBLING external 059 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
    SNIFFER-GREYMAIL external 060 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
    SNIFFER-OBFUSCATION external 061 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
    SNIFFER-SPAM external 062 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
    SNIFFER-GENERAL external 063 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0

You would need to adjust the weights to fit your own needs. However, this will at least give you a starting point.

Bill

- Original Message -
From: T. Bradley Dean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 6:43 PM
Subject: RE: [Declude.JunkMail] sniffer

How does Sniffer work? Their web page says: In the best implementations allow you to assign a weight to each possible result code. Declude, mxGuard, and SpamAssassin are all good examples of systems that allow weights to be assigned to the result codes from Message Sniffer.

So if Sniffer says an email is porn spam then it gets a weight of 10, but if it's web hosting spam then it's 8? Does the weight differ depending on how confident Sniffer is? What do these rules look like in Global.cfg on $Default$.junkmail?

~Brad

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Tuesday, December 02, 2003 7:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] sniffer

Sniffer's well worth the $300.00 per year. That breaks down to less than $1.00 per day. It catches content that some RBLs don't catch.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Tuesday, December 02, 2003 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] sniffer

It's not worth paying the subscription fee, in my opinion. I have a
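
The result-code evaluation described in this thread, as an added example that is not code from the list, Declude or Message Sniffer: it parses `external` test lines in the layout Bill posted, runs each distinct command once, and scores every test whose code equals the result. It assumes the field order visible in those lines and that the result code equals the symbol of the winning rule; the pattern matches are constructed.

```python
from collections import defaultdict

# Four of the lines posted above (layout assumed: NAME external CODE command... WEIGHT 0).
CFG = r"""
SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-PORN external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-GENERAL external 063 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
"""

def parse_external(cfg):
    """Return one dict per 'external' test line; other lines are ignored."""
    tests = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1].lower() != "external":
            continue
        tests.append({"name": parts[0], "code": int(parts[2]),
                      "cmd": " ".join(parts[3:-2]), "weight": int(parts[-2])})
    return tests

def winning_match(matches):
    """'First pattern match found with the lowest symbol'.
    matches: (symbol, rule_id) tuples in the order they were found."""
    return min(matches, key=lambda m: m[0])  # min() keeps the first of equal symbols

def score(tests, run):
    """Call run(cmd) once per distinct command, then evaluate that one
    result code against every test defined on the same command."""
    by_cmd = defaultdict(list)
    for t in tests:
        by_cmd[t["cmd"]].append(t)
    hits = []
    for cmd, group in by_cmd.items():
        code = run(cmd)
        hits += [(t["name"], t["weight"]) for t in group if t["code"] == code]
    return hits

if __name__ == "__main__":
    # Constructed matches for one message: general, two porn rules, obfuscation.
    found = [(63, 1001), (54, 2002), (54, 2003), (61, 3004)]
    symbol, rule = winning_match(found)
    print(symbol, rule, score(parse_external(CFG), lambda cmd: symbol))
```
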
Re: [Declude.JunkMail] SpamDomains
Bill Landry wrote:

If you use the @ symbol in the first column, then you have severely limited yourself to supporting only one RDNS per domain.

I don't feel limited, in fact, I have a lot more confidence in this test not FP'ing on VERP stuff which may be forwarded to an account hosted on my machine, i.e. to [EMAIL PROTECTED] forwarded to [EMAIL PROTECTED] This is especially important if you build a spamdomains file for local domains.

If you need to support delivery of e-mail from [EMAIL PROTECTED] and sometimes it comes from a mail server with RDNS of xxx.mindspring.com and sometimes it comes from xxx.earthlink.com, how would you venture to support this in your scenario by starting every domain in the first column with the @ sign?

If it really mattered to you, you could leave it off for some domains where this is an issue. I've gone through some of the entries that have been shared on this list in the past and found that a lot of these matches don't exist, it seems that someone just guessed that there might be such a possibility, and other things such as your buy.com example where they use a third-party trusted bulk mailer is taken care of with a separate 'white' file on my system. It's much easier to credit points to DartMail across the board rather than keep track of which companies are using them and might be also in a spamdomains file.

I've tried it both ways, and I like the idea of separate files with the addition of a white file and using @ symbols. I think that it's critical for instance to have a FRAUDDOMAINS file with listings for Ebay, PayPal, Microsoft, Symantec and McAfee for instance, and a white file for reverse DNS lookups for places like americangreetings.com and ebay.com. Don't knock it until you try it :)

Matt
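
The SPAMDOMAINS check quoted from the manual in the earlier SpamDomains thread, and the `@`-prefix question argued in this one, as an added example that is not Declude's code. The matching rules are assumptions made for illustration: an `@domain` entry applies only when the return address ends in exactly that, a bare entry applies when it appears anywhere in the address, and `strict` is a hypothetical tightening of the manual's "contains" wording.

```python
# Added example; semantics are assumptions, not Declude's implementation.

def parse_entries(text):
    """One entry per line; blank lines and '#' comments are ignored."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def entry_applies(entry, mail_from):
    """'@dom' applies only to addresses at exactly dom; a bare 'dom'
    applies when it appears anywhere in the address (VERP can trip it)."""
    addr = mail_from.lower()
    return addr.endswith(entry) if entry.startswith("@") else entry in addr

def rdns_matches(domain, rdns, strict):
    """Manual wording: rDNS 'contains' the domain. strict=True instead
    requires the domain as a suffix on a label boundary."""
    host = (rdns or "").lower().rstrip(".")
    if strict:
        return host == domain or host.endswith("." + domain)
    return domain in host

def spamdomains(mail_from, rdns, entries, strict=False):
    """Return 'skip' (sender not listed), 'pass' or 'fail'."""
    for entry in entries:
        if entry_applies(entry, mail_from):
            domain = entry.lstrip("@.")
            return "pass" if rdns_matches(domain, rdns, strict) else "fail"
    return "skip"

# Constructed lists and addresses (hostnames other than the manual's two are made up).
AT_LIST = parse_entries("# ISPs and mail providers\n@hotmail.com\n@aol.com\n")
BARE_LIST = parse_entries("hotmail.com\n")
VERP = "bounce-user=hotmail.com@lists.example.org"

if __name__ == "__main__":
    for sender, rdns, entries in [
        ("joe@hotmail.com", "law2.hotmail.com", AT_LIST),   # manual's passing case
        ("joe@hotmail.com", "mail.example.ru", AT_LIST),    # manual's failing case
        (VERP, "mail.lists.example.org", AT_LIST),          # '@' entry ignores VERP
        (VERP, "mail.lists.example.org", BARE_LIST),        # bare entry false-positives
        ("joe@hotmail.com", None, AT_LIST),                 # no PTR record at all
    ]:
        print(sender, rdns, spamdomains(sender, rdns, entries))
```

A PTR record is set by whoever controls the connecting IP's reverse zone, so a passing result is only meaningful when the rDNS name also resolves forward to that IP; with plain containment a hostname that merely embeds the listed domain passes, which `strict=True` rejects.
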
[Declude.JunkMail] Declude Virus BANNAME option with v1.76
Several people have reported issues with E-mail not being delivered over the past few days. The problem has been identified; there was a problem with v1.76 (beta) and subsequent interim releases and the BANNAME option. This issue is fixed in a new interim release v1.76i30 at http://www.declude.com/release/176i/declude.exe . Alternatively, you can comment out the BANNAME options by adding a # to the beginning of the lines that they are in.

-Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.