RE: [Declude.JunkMail] Hijack questions
> So that makes it unusable for dial up connections. Still can be useful for our wireless clients, those are assigned fixed IPs. But we will have to hijack white list all the Dial up IPs, correct ?

No it still works for dialups - We have dynamic static users and have not had this problem. We run a script (from the declude site) that sends an email when messages hit hold2. Only yesterday Declude stopped 25,000-30,000 spams from going out from a client who had been attacked using SMTP AUTH.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] COPYFILE
What versions of IMail/Declude JunkMail does the COPYFILE option work with?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, April 06, 2004 8:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] COPYFILE

> I am having limited success in using this, as the Declude headers are not being added to the copied D file. Is there a way that the process can be changed, whereby the file is copied AFTER all headers are added, not at the moment the test is run?

No, there is not (at least not currently), given the current architecture. The problem is that the COPYFILE action is processed immediately, whereas the HOLD action is processed after everything else is done.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] COPYFILE
> What versions of IMail/Declude JunkMail does the COPYFILE option work with?

It works with all versions of IMail, and Declude JunkMail v1.79 and higher.

-Scott
RE: [Declude.JunkMail] COPYFILE
Which is the correct usage?

WEIGHT20 HOLD
WEIGHT20 COPYFILE C:\Imail\spool\weight10\

Or simply

WEIGHT20 COPYFILE C:\Imail\spool\weight10\

Thanks,
Lukasz

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, April 07, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] COPYFILE

> What versions of IMail/Declude JunkMail does the COPYFILE option work with?

It works with all versions of IMail, and Declude JunkMail v1.79 and higher.

-Scott
RE: [Declude.JunkMail] COPYFILE
> Which is the correct usage?
>
> WEIGHT20 HOLD
> WEIGHT20 COPYFILE C:\Imail\spool\weight10\

This won't work as expected, because you can't have multiple actions for a single test (see the Multiple actions per test section of the manual at http://www.declude.com/junkmail/manual.htm for information on how to accomplish this).

> WEIGHT20 COPYFILE C:\Imail\spool\weight10\

This, however, will work fine.

-Scott
[Declude.JunkMail] No Host or MX records
Scott,

I was looking through the Dec.log and one of the messages says

04/06/2004 22:31:23 Q76090ad600e6a9cc Msg failed HELOBOGUS (Domain hounexs.dataprojections.com has no MX or A records.). Action=WARN.

But when I did a lookup it has a Host Record and a MX record, but it is for dataprojections.com. Does it need to have records for hounexs.dataprojections.com to pass?

Kyle Fisher
Re: [Declude.JunkMail] No Host or MX records
> I was looking through the Dec.log and one of the messages says
>
> 04/06/2004 22:31:23 Q76090ad600e6a9cc Msg failed HELOBOGUS (Domain hounexs.dataprojections.com has no MX or A records.). Action=WARN.
>
> But when I did a lookup it has a Host Record and a MX record, but it is for dataprojections.com does it need to have records for hounexs.dataprojections.com to pass.

Yes, it must have an MX or A record for hounexs.dataprojections.com to pass. Otherwise, the host does not exist.

-Scott
Re: [Declude.JunkMail] Hijack questions
Nope. Don't whitelist dial-up IPs, that totally quashes the point of HiJack, to catch YOUR users sending spam.

I've adjusted the threshold parameters, but I still do have instances where a dial-up IP gets caught for a high volume of mail (multiple recipients on those IDIOT mass-forwards of jokes and whatnot), then that user disconnects, another user gets the IP and all his mail gets caught immediately. Not that big a deal. The actual volume of mail is not *that* large, so the Q/D files are easily renamed and moved back to the queue. The few cases of false holds are far outweighed when HiJack does catch a spammer or a user with a security breach.

I did have a case a couple days ago with a user who was sending spam. Advertisements for a book he wrote and had published, sent to a list of addresses he pulled from a discussion group(!). HiJack didn't catch him because he was running the messages manually, one at a time, only about 20 every 10 minutes. Two complaints were lodged within three hours. BUSTED! Talk about a ruckus. He admits to pulling the addresses of people he doesn't know from that discussion group, but refuses to believe that he did anything wrong, even when the evidence is shoved right in his face (f***ng spammers!, one of the complaints said). He switched to another service. I looked up their Acceptable Use policy and showed him the no spam section, and wished him luck.

Glenn Z.

- Original Message -
From: serge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 8:08 PM
Subject: Re: [Declude.JunkMail] Hijack questions

> 1. Hijack is IP based, so IP is time tracked, irregardless of who is behind it.

So that makes it unusable for dial up connections. Still can be useful for our wireless clients, those are assigned fixed IPs. But we will have to hijack white list all the Dial up IPs, correct ?

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 1:04 AM
Subject: RE: [Declude.JunkMail] Hijack questions

1. Hijack is IP based, so IP is time tracked, irregardless of who is behind it.
2. All 25 will be released at once.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of serge
Sent: Tuesday, April 06, 2004 5:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Hijak questions

Continuing my training in declude hijack;

1- Does hijack work on IP basis, or mail from basis ? If IP, and a client gets to a threshold, then disconnects, and another client connects to that same modem (IP), the second client will be penalised ?

2- Threshold 1 = 20, Threshold 2 = 50. A client sends 45 mails, 20 go out, 25 on hold. After 10 minutes, Hijack releases 25, do they get sent at once, or only 20 are sent and 5 are again on hold ?

TIA.

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 11:23 AM
Subject: Re: [Declude.JunkMail] Hijak questions

> 1- A message with 20 recipients, does it count as 1 message or 20 message toward the threshold?

It will count as 20 E-mails (since spammers typically operate that way).

> 2- If a user exceeds threshold 1, and not 2, is there a way to release his hold messages at a certain hour, instead than after x Minutes ?

No.

> 3- Can we set thresholds on size/MB instead of number of messages ?

No.

And answering another question that came up, Declude Hijack will treat authenticated users the same as non-authenticated users.

-Scott
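The behaviour discussed in the Hijack thread above (per-recipient counting, tracking by IP, release of held mail all at once) can be reproduced with a small model. This is an added example, not Declude's code: the class, the fixed 600-second window and the rule that a whole message takes the outcome of the running count are assumptions made for illustration.

```python
from collections import defaultdict


class HijackModel:
    """Simplified per-IP outbound limiter (assumed semantics, not Declude's code)."""

    def __init__(self, threshold1=20, threshold2=50, window=600):
        self.t1, self.t2, self.window = threshold1, threshold2, window
        self.state = {}                  # ip -> (window_start, recipients_counted)
        self.held = defaultdict(list)    # ip -> message ids waiting for release
        self.hold2 = defaultdict(list)   # ip -> message ids needing manual review

    def submit(self, ip, msg_id, recipients, now):
        start, count = self.state.get(ip, (now, 0))
        if now - start >= self.window:   # previous window expired: start afresh
            start, count = now, 0
        count += recipients              # every recipient counts as one e-mail
        self.state[ip] = (start, count)
        if count <= self.t1:
            return "deliver"
        if count <= self.t2:
            self.held[ip].append(msg_id)
            return "hold"
        self.hold2[ip].append(msg_id)
        return "hold2"

    def release(self, now):
        """Release everything held for an IP at once when its window has expired."""
        released = {}
        for ip, (start, _count) in self.state.items():
            if now - start >= self.window and self.held.get(ip):
                released[ip] = self.held.pop(ip)
        return released


def dialup_reuse_scenario():
    """User A sends 45 single-recipient mails, hangs up, user B gets the same IP."""
    model = HijackModel()
    ip = "192.0.2.10"                    # constructed dial-up pool address
    user_a = [model.submit(ip, f"A{i}", 1, now=i) for i in range(45)]
    user_b = model.submit(ip, "B0", 1, now=120)   # innocent user, inherited counter
    early = model.release(now=300)       # window still open: nothing released
    late = model.release(now=600)        # window over: all held mail goes at once
    return user_a, user_b, early, late


if __name__ == "__main__":
    a, b, early, late = dialup_reuse_scenario()
    print(a.count("deliver"), a.count("hold"), b, early, len(late["192.0.2.10"]))
```

The second user's first message is held because the counter belongs to the address, not the account, which is the false hold described in the thread.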
Re: [Declude.JunkMail] SpamRouting?
> This one started in the US, bounced off an Italian server, and arrived here in the US. Why didn't SpamRouting catch this one?
>
> Received: from host148-169.pool8249.interbusiness.it [82.49.169.148] by lovt.com (SMTPD32-8.05) id A7BA1160358; Wed, 07 Apr 2004 14:34:18 -0500
> Received: from olympicdrinkingteam.com (mail3.surgeweb.com [216.65.64.234]) by host148-169.pool8249.interbusiness.it (Postfix) with ESMTP id F9F1F16538 for [EMAIL PROTECTED]; Wed, 07 Apr 2004 12:31:14 -0700

It went from 216.65.64.234 to 82.49.169.148 to your server. Neither of those IP ranges is recognized as being outside of North America. Remember, the ROUTING test is not very granular, and not exact.

-Scott
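The hop sequence read off the two Received headers in the exchange above can be extracted mechanically. This is an added example, not part of the original messages or of Declude: the function names are hypothetical, the recipient address is a placeholder for the value redacted on the page, and lovt.com is taken as the receiving server because it wrote the top header.

```python
import ipaddress
import re

# The two headers quoted in the thread, newest first (recipient is a placeholder).
SAMPLE_HEADERS = [
    "Received: from host148-169.pool8249.interbusiness.it [82.49.169.148] "
    "by lovt.com (SMTPD32-8.05) id A7BA1160358; Wed, 07 Apr 2004 14:34:18 -0500",
    "Received: from olympicdrinkingteam.com (mail3.surgeweb.com [216.65.64.234]) "
    "by host148-169.pool8249.interbusiness.it (Postfix) with ESMTP id F9F1F16538 "
    "for <recipient@example.invalid>; Wed, 07 Apr 2004 12:31:14 -0700",
]

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)(?P<mid>.*?)\bby\s+(?P<by>\S+)", re.I | re.S
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(header):
    """Return the sending name, sending IP and recording host of one header."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        return None                      # e.g. locally generated, no "from" clause
    ip = None
    found = IP_RE.search(m.group("mid"))
    if found:
        try:
            ip = str(ipaddress.ip_address(found.group(1)))
        except ValueError:
            ip = None                    # bracketed text that is not a valid address
    return {"helo": m.group("helo").lower(), "ip": ip, "by": m.group("by").lower()}


def relay_chain(headers, own_hosts):
    """Hops in travel order (origin first), each marked verified or not.

    Only headers written by our own servers are verified; anything below the
    first header written by someone else is whatever that sender chose to put there.
    """
    own = {h.lower() for h in own_hosts}
    hops = [h for h in map(parse_hop, headers) if h]
    trusted = True
    for i, hop in enumerate(hops):
        trusted = trusted and hop["by"] in own
        hop["verified"] = trusted
        # Does the host that claims to have received this hop match the host
        # that handed the message to the next server up?
        hop["links_up"] = i == 0 or hop["by"] == hops[i - 1]["helo"]
    return list(reversed(hops))


if __name__ == "__main__":
    for hop in relay_chain(SAMPLE_HEADERS, ["lovt.com"]):
        print(hop["ip"], "verified" if hop["verified"] else "unverified", hop["links_up"])
```

Only 82.49.169.148 was observed by the receiving server itself; 216.65.64.234 is reported by the relay, so any country or routing decision based on it rests on that relay's header.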
[Declude.JunkMail] SpamRouting?
This one started in the US, bounced off an Italian server, and arrived here in the US. Why didn't SpamRouting catch this one? The %countrychain% variable showed the same per the X-Note below.

Received: from host148-169.pool8249.interbusiness.it [82.49.169.148] by lovt.com (SMTPD32-8.05) id A7BA1160358; Wed, 07 Apr 2004 14:34:18 -0500
Received: from olympicdrinkingteam.com (mail3.surgeweb.com [216.65.64.234]) by host148-169.pool8249.interbusiness.it (Postfix) with ESMTP id F9F1F16538 for [EMAIL PROTECTED]; Wed, 07 Apr 2004 12:31:14 -0700
Message-ID: [EMAIL PROTECTED]
From: Trifle H. Bestowing [EMAIL PROTECTED]
To: Postmaster [EMAIL PROTECTED]
Subject: [SPAM]Postmaster, Quality medication for you!
Date: Wed, 07 Apr 2004 12:31:14 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0030_1BA95A40.03BD390A
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-Declude-Sender: [EMAIL PROTECTED] [82.49.169.148]
X-Declude-Spoolname: D57ba011603585c69.SMD
X-Note: This E-mail was sent from host148-169.pool8249.interbusiness.it ([82.49.169.148]).
X-Note: The Server Helo Handshake was host148-169.pool8249.interbusiness.it.
X-Note: Mail-From clothing.olympicdrinkingteam.com.
X-Note: Mail-From for Spam Reporting is [EMAIL PROTECTED]
X-Note: Initial Recipients: [EMAIL PROTECTED], [EMAIL PROTECTED]
X-Note: Final Recipients: [EMAIL PROTECTED], [EMAIL PROTECTED]
X-Note: Origin Country - UNITED STATES-ITALY-destination.
X-Note: Failed: BH-INTERBUS [5], FIVETENSRC [1], IPNOTINMX [1], FILT-COUNTRY [1], FILT-FREEMAIL [2], WEIGHT10 [10].
X-Note: Total Failed Weight: 10. Version: 1.79.
X-Note: Checked for SPAM and Viruses by Internet Concepts - http://www.inetconcepts.net.
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 369013728

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
[Declude.JunkMail] Passing weight to Externalplus test
I'm still having one problem with the script to detect message sizes. The %WEIGHT% is supposed to be passed into the script so that it can decide whether or not to fully run or immediately quit, but I can't get it to quit. Although this isn't critical for this one script, it is definitely the main component of the Sniffer bypassed that I would like to also put together.

Here's a copy of the calls from Declude as well as the current working version of the VB code. If anyone has any ideas about what I am missing, please chime in. Once this issue is resolved, I'll make a few adjustments and share it with the list fully documented.

Also, please chime in about the CScript arguments if you have a better understanding of this. In yesterday's recommendations there were from zero to four arguments recommended, and for now, I have left off the //B and //S, but my experience here is lacking.

Note that despite the simplicity of the arrangement, this is a very useful test, not just for adding or subtracting points, but for defeating many filters with extensive BODY searches. Over the last 3 days for instance, I have found that every message held that was over 100 KB was a false positive, though it is possible that some spams that were above my drop weight were this size and not monitored. I have also found that there were no held zombie spams with a size above 30 KB, which is the equivalent of the SIZE-M test shown below.

Thanks,

Matt

- Global.cfg -

SIZE-XXS    external    11    "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT%"    3    0
SIZE-XS     external    12    "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT%"    2    0
SIZE-S      external    13    "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT%"    0    0
SIZE-M      external    14    "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT%"    0    0
SIZE-L      external    15    "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT%"    -2    0
SIZE-XL     external    16    "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT%"    -3    0
SIZE-XXL    external    17    "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT%"    -5    0

- Size.vbs -

Dim objFSO, objFile

' Argument 0 is the weight passed in by Declude, argument 1 is the file to measure.
' Convert explicitly so that the comparison is numeric rather than string-based.
If CLng(WScript.Arguments(0)) > 27 Then
    WScript.Quit(0)
Else
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.GetFile(WScript.Arguments(1))
    ' The exit code selects which SIZE-* test in Global.cfg fires
    If objFile.Size < 512 Then
        WScript.Quit(11) 'SIZE-XXS [0 KB - 0.5 KB]
    ElseIf objFile.Size < 1024 Then
        WScript.Quit(12) 'SIZE-XS [0.5 KB - 1 KB]
    ElseIf objFile.Size < 30720 Then
        WScript.Quit(13) 'SIZE-S [1 KB - 30 KB]
    ElseIf objFile.Size < 102400 Then
        WScript.Quit(14) 'SIZE-M [30 KB - 100 KB]
    ElseIf objFile.Size < 307200 Then
        WScript.Quit(15) 'SIZE-L [100 KB - 300 KB]
    ElseIf objFile.Size < 1024000 Then
        WScript.Quit(16) 'SIZE-XL [300 KB - 1,000 KB]
    Else
        WScript.Quit(17) 'SIZE-XXL [+1,000 KB]
    End If
    Set objFile = Nothing
    Set objFSO = Nothing
End If

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.JunkMail] Passing weight to Externalplus test
> The %WEIGHT% is supposed to be passed into the script so that it can decide whether or not to fully run or immediately quit, but I can't get it to quit. Although this isn't critical for this one script, it is definitely the main component of the Sniffer bypassed that I would like to also put together.

The problem here is that the %WEIGHT% variable isn't calculated until after all the tests are run. I don't believe there is a way to pass an external program the current weight of the E-mail at the time the test is run.

-Scott
[Declude.JunkMail] Habeas win judgment
Just noticed this in the news and didn't see it on this list. http://www.theregister.co.uk/2004/04/07/habeas_spam_lawsuit/ Glad they are doing something about it.

Nathan Fouarge
AmberWave Communications
Re: [Declude.JunkMail] Why is this getting thru????
tried this from two different computers.. one being the mail server which uses my dns server and one that uses an upstream dns server and I get the same response from both

C:\Documents and Settings\Administrator>ping 2.0.0.127.bl.spamcop.net
Ping request could not find host 2.0.0.127.bl.spamcop.net. Please check the name and try again.

Bennie

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 4:31 PM
Subject: Re: [Declude.JunkMail] Why is this getting thru

> I run my own dns server...

Is it listed in the IMail SMTP settings? I would try running some tests, such as ping 2.0.0.127.bl.spamcop.net to see if it is functioning properly (you should see [127.0.0.2] in response to the ping).

-Scott
Re: [Declude.JunkMail] Why is this getting thru????
> tried this from two different computers.. one being the mail server which uses my dns server and one that uses an upstream dns server and I get the same response from both
>
> C:\Documents and Settings\Administrator>ping 2.0.0.127.bl.spamcop.net
> Ping request could not find host 2.0.0.127.bl.spamcop.net. Please check the name and try again.

That would definitely be a problem. Your DNS isn't working properly. The first step would be to type ipconfig /all from a command prompt (or 'ipconfig /all | find "DNS server" /i' to see just the DNS lines) to see which DNS server(s) are being used. Then, you'll need to do some testing to see what the problem is with them.

-Scott
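The ping test from the exchange above amounts to looking up the blacklist's test entry. The same check as a script, as an added example that is not part of the original messages: the function names are hypothetical, the fake resolvers are constructed so the example runs offline, and the 127.0.0.1 control lookup follows the DNSBL convention in RFC 5782 rather than anything stated in the thread.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the blacklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """A records via the OS resolver; an empty list when the name does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []


def check_dnsbl(zone, resolve=system_resolver):
    """Classify the DNS path to a blacklist as OK, BROKEN or SUSPECT."""
    test = resolve(dnsbl_query_name("127.0.0.2", zone))      # must be listed
    control = resolve(dnsbl_query_name("127.0.0.1", zone))   # must not be listed
    if not test:
        return ("BROKEN", "test entry not found: lookups fail, so nothing is ever listed")
    if any(not a.startswith("127.") for a in test + control):
        return ("SUSPECT", "answer outside 127.0.0.0/8: the resolver rewrites responses")
    if control:
        return ("SUSPECT", "control entry listed: every lookup would count as a hit")
    return ("OK", "test entry returned " + ", ".join(test))


def make_resolver(table, default=()):
    """Constructed stand-in for DNS so the cases below run without a network."""
    return lambda name: list(table.get(name, default))


HEALTHY = make_resolver({"2.0.0.127.bl.spamcop.net": ["127.0.0.2"]})
NO_ANSWERS = make_resolver({})                            # the failure in the thread
REWRITING = make_resolver({}, default=["203.0.113.7"])    # resolver answering everything

if __name__ == "__main__":
    for label, fake in (("healthy", HEALTHY), ("failing", NO_ANSWERS), ("rewriting", REWRITING)):
        print(label, check_dnsbl("bl.spamcop.net", fake))
```

Run with the default resolver on the mail server itself, since that is the DNS path the blacklist tests depend on.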
Re[2]: [Declude.JunkMail] Passing weight to Externalplus test
> The problem here is that the %WEIGHT% variable isn't calculated until after all the tests are run.

That's too bad, as that means that the -cw (current weight) and -sw (skip-if weight) switches in SPAMC32 aren't usable. Since SKIPIFWEIGHT exists as an internal directive, can you look into populating the %WEIGHT% external variable as the tests are run?

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
Re: [Declude.JunkMail] Passing weight to Externalplus test
Scott,

...and all this time I was banking on this being possible. Is there another variable available like %CURRENTWEIGHT% that could be used for this purpose (whatever SKIPIFWEIGHT uses)? I recall Sandy releasing a SpamD port back in January that included at least the hooks for this, but I was under the impression that Declude supported it (my fault for assuming I guess).

This isn't at all important for the Size test, but it would be impossible to create a bypass function for Sniffer based on weight if this wasn't available. Some 60%-70% of the messages hitting Sniffer are already well above my Drop weight, and with some work on a trusted local whitelist (in DNS), I could also skip this test (and others) if under a certain weight.

I've been trying hard to solve my own issues where possible without asking for new functionality to Declude, but I'm afraid that I might have to again ask :)

Thanks,

Matt

R. Scott Perry wrote:

> > The %WEIGHT% is supposed to be passed into the script so that it can decide whether or not to fully run or immediately quit, but I can't get it to quit. Although this isn't critical for this one script, it is definitely the main component of the Sniffer bypassed that I would like to also put together.
>
> The problem here is that the %WEIGHT% variable isn't calculated until after all the tests are run. I don't believe there is a way to pass an external program the current weight of the E-mail at the time the test is run.
>
> -Scott

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.JunkMail] SpamRouting?
82.49.169.148 is registered with RIPE. What source does declude use to determine it is US, German or whatever? Not being argumentative - curious and so I'll understand . . .

Wednesday, April 7, 2004, 3:50:53 PM, R. Scott Perry [EMAIL PROTECTED] wrote:

> This one started in the US, bounced off an Italian server, and arrived here in the US. Why didn't SpamRouting catch this one?
>
> Received: from host148-169.pool8249.interbusiness.it [82.49.169.148] by lovt.com (SMTPD32-8.05) id A7BA1160358; Wed, 07 Apr 2004 14:34:18 -0500
> Received: from olympicdrinkingteam.com (mail3.surgeweb.com [216.65.64.234]) by host148-169.pool8249.interbusiness.it (Postfix) with ESMTP id F9F1F16538 for [EMAIL PROTECTED]; Wed, 07 Apr 2004 12:31:14 -0700

RSP It went from 216.65.64.234 to 82.49.169.148 to your server. Neither of
RSP those IP ranges is recognized as being outside of North America.
RSP Remember, the ROUTING test is not very granular, and not exact.
RSP -Scott

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED] http://www.inetconcepts.net
PGP Key ID: 04C99A55
(972) 788-2364 Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
Re: [Declude.JunkMail] Last Action = log line
> Scott, I'd like to make the case for moving the: Last action = log line from the LOGLEVEL HIGH setting down to the LOGLEVEL MED setting.

If nobody objects, we'll change it.

This will be changed in the next interim release.

-Scott
Re: [Declude.JunkMail] Passing weight to Externalplus test
> Is there another variable available like %CURRENTWEIGHT% that could be used for this purpose (whatever SKIPIFWEIGHT uses)?

There is now an interim 1.79i3 at http://www.declude.com/interim that changes the %WEIGHT% variable so that it will include the current weight if it is used before the total weight is calculated.

-Scott
Re: [Declude.JunkMail] SpamRouting?
> 82.49.169.148 is registered with RIPE. What source does declude use to determine it is US, German or whatever? Not being argumentative - curious and so I'll understand . . .

The ROUTING test doesn't use any source. It just uses very generic IP ranges. The IP-country database, however, uses the information supplied by RIPE, ARIN, APNIC, and LACNIC (and goes down to the individual IP level, and specific country).

-Scott
Re[2]: [Declude.JunkMail] Passing weight to Externalplus test
> There is now an interim 1.79i3 at http://www.declude.com/interim that changes the %WEIGHT% variable so that it will include the current weight if it is used before the total weight is calculated.
Thanks! Now all SPAMC32 features can be used in the real world. :)
--Sandy
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
RE: [Declude.JunkMail] Passing weight to Externalplus test
> There is now an interim 1.79i3 at
WOW! I have to analyze Matt's and Sanford's messages/spelling/psychology. How the hell it's possible to have such a fast reaction (8 minutes!!!) for such a request?
No doubt, support issues are resolved very fast. Also really important things like EZIP. This is important and good. But I'm asking for months now for simple new features that in the meantime were repeated several times by other customers... still waiting
Can't imagine what I'm doing wrong here.
Markus :-(
RE: [Declude.JunkMail] Passing weight to Externalplus test
Did you send Scott a Christmas card? :)
Jason
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, April 07, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Passing weight to Externalplus test
> There is now an interim 1.79i3 at
WOW! I have to analyze Matt's and Sanford's messages/spelling/psychology. How the hell it's possible to have such a fast reaction (8 minutes!!!) for such a request?
No doubt, support issues are resolved very fast. Also really important things like EZIP. This is important and good. But I'm asking for months now for simple new features that in the meantime were repeated several times by other customers... still waiting
Can't imagine what I'm doing wrong here.
Markus :-(
Re[2]: [Declude.JunkMail] Passing weight to Externalplus test
> How the hell it's possible to have such a fast reaction (8 minutes!!!) for such a request?
Ah, but to be fair, SPAMC32 has implemented that feature for a few months now without matching functionality. :)
--Sandy
Re: [Declude.JunkMail] Why is this getting thru????
the dns server I use on this machine is managed by ATT it is giving the same response.. which is also the dns server I use as a forward for my dns server
Bennie
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 5:10 PM
Subject: Re: [Declude.JunkMail] Why is this getting thru
> tried this from two different computers.. one being the mail server which uses my dns server and one that uses an upstream dns server and I get the same response from both
> C:\Documents and Settings\Administrator>ping 2.0.0.127.bl.spamcop.net
> Ping request could not find host 2.0.0.127.bl.spamcop.net. Please check the name and try again.
That would definitely be a problem. Your DNS isn't working properly. The first step would be to type ipconfig /all from a command prompt (or 'ipconfig /all | find "DNS server" /i' to see just the DNS lines) to see which DNS server(s) are being used. Then, you'll need to do some testing to see what the problem is with them.
-Scott
Re: [Declude.JunkMail] Why is this getting thru????
tried from dns tools (http://www.dnsstuff.com/tools/ping.ch?ip=2.0.0.127.bl.spamcop.net) and I get the following
Can not route to 2.0.0.127.bl.spamcop.net
so confused...
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 5:10 PM
Subject: Re: [Declude.JunkMail] Why is this getting thru
> tried this from two different computers.. one being the mail server which uses my dns server and one that uses an upstream dns server and I get the same response from both
> C:\Documents and Settings\Administrator>ping 2.0.0.127.bl.spamcop.net
> Ping request could not find host 2.0.0.127.bl.spamcop.net. Please check the name and try again.
That would definitely be a problem. Your DNS isn't working properly. The first step would be to type ipconfig /all from a command prompt (or 'ipconfig /all | find "DNS server" /i' to see just the DNS lines) to see which DNS server(s) are being used. Then, you'll need to do some testing to see what the problem is with them.
-Scott
Re: [Declude.JunkMail] Why is this getting thru????
> tried from dns tools (http://www.dnsstuff.com/tools/ping.ch?ip=2.0.0.127.bl.spamcop.net) and I get the following Can not route to 2.0.0.127.bl.spamcop.net
That's normal. If you go to http://www.dnsstuff.com/tools/lookup.ch?ip=2.0.0.127.bl.spamcop.net&type=A , you'll see that the A record of 2.0.0.127.bl.spamcop.net is 127.0.0.2. It is not possible to route to that IP, which is why you see that message. However, typing ping 2.0.0.127.bl.spamcop.net on a Windows computer will display 127.0.0.2 in the results.
> the dns server I use on this machine is managed by ATT it is giving the same response.. which is also the dns server I use as a forward for my dns server
Then you are using the ATT DNS server, which is most likely not allowing those DNS requests to be looked up. Several large ISPs do not allow their DNS servers to be used for such queries.
-Scott
Re: [Declude.JunkMail] Why is this getting thru????
not sure where to go from here.. all the checks on the dns server say that it is working correctly. when I look at the cached lookups it shows bl.spamcop.net... but not the a record or the ip address...
Bennie
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 6:35 PM
Subject: Re: [Declude.JunkMail] Why is this getting thru
> tried from dns tools (http://www.dnsstuff.com/tools/ping.ch?ip=2.0.0.127.bl.spamcop.net) and I get the following Can not route to 2.0.0.127.bl.spamcop.net
That's normal. If you go to http://www.dnsstuff.com/tools/lookup.ch?ip=2.0.0.127.bl.spamcop.net&type=A , you'll see that the A record of 2.0.0.127.bl.spamcop.net is 127.0.0.2. It is not possible to route to that IP, which is why you see that message. However, typing ping 2.0.0.127.bl.spamcop.net on a Windows computer will display 127.0.0.2 in the results.
> the dns server I use on this machine is managed by ATT it is giving the same response.. which is also the dns server I use as a forward for my dns server
Then you are using the ATT DNS server, which is most likely not allowing those DNS requests to be looked up. Several large ISPs do not allow their DNS servers to be used for such queries.
-Scott
Re: [Declude.JunkMail] Why is this getting thru????
> not sure where to go from here.. all the checks on the dns server say that it is working correctly.
No. If you type the ping command and don't see 127.0.0.2, the DNS server isn't working properly.
> when I look at the cached lookups it shows bl.spamcop.net... but not the a record or the ip address...
That's because ATT ain't letting you do it. Since you have your own DNS server, I would recommend not using forwarders, which forces you to follow any restrictions that ATT places on you.
-Scott
Re: [Declude.JunkMail] Passing weight to Externalplus test
Markus,
Just to be fair, I have mentioned or asked for a lot of different things that have not been introduced into Declude. Clearly by the speed of this modification, it was a very minor change to the environment, essentially exposing data that wasn't previously exposed in this way, but existed in other forms. Changing the way that Declude Virus handles per-domain settings though probably represents a major re-write to the system, and although I definitely want to see this, I have no expectations of it happening at least until after the next full release. There are other items also that appear that they may be minor modifications that also haven't been changed, and I'm sure that there is a reason for these, and although my opinion or perception may differ, I accept that it's Scott's call.
I'm absolutely certain though that Scott is not playing favorites here. I can tell you that it took me a month and multiple posts to figure out why I couldn't get a VBScript to return a result code to Declude, and the preface for that functionality required the presence of a current weight that didn't exist to be passed to the script. I've spent probably 20 trying to figure out something that was not possible until a moment ago, and that's a bit frustrating honestly, but I am of course relieved now. This is also not functionality built for just me, it's for everyone because after the scripts are finished, I'm going to share them with everyone, and the benefit can be seen by anyone using any type of external test, for instance SpamD and SpamChk (if you enable it). If you add that together with the ease of the change, it makes perfect sense that he would at least consider this strongly.
The majority of things that I have asked for or indicated interest in though have not been provided, but I ask for or indicate interest in many of these things just to show that there is at least one or one more person interested in them. I'm not unhappy though with the response; I'm definitely getting my money's worth and I hope that in return for the consideration for my multiple requests, that I am also providing something of value in return as many around here have as well.
What I am also trying to do here I expect will someday be built into Declude (skipping external tests by weight, and having a test for message size), and in reality that's what I would have preferred, but because I didn't expect for my requests to be honored, I sought to do what I could on my own. So in reality, I've asked for skipping external tests by weight and didn't get it, and then I asked for a weight variable so that I could do this myself and got it. That seems to be par for the course.
Cheer up :)
Matt
Markus Gufler wrote:
>> There is now an interim 1.79i3 at
> WOW! I have to analyze Matt's and Sanford's messages/spelling/psychology. How the hell it's possible to have such a fast reaction (8 minutes!!!) for such a request?
> No doubt, support issues are resolved very fast. Also really important things like EZIP. This is important and good. But I'm asking for months now for "simple" new features that in the meantime were repeated several times by other customers... still waiting
> Can't imagine what I'm doing wrong here.
> Markus :-(
-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] Why is this getting thru????
BINGO.. removed the forwards to att and it let me find it... thanks Scott
Bennie
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 7:00 PM
Subject: Re: [Declude.JunkMail] Why is this getting thru
> not sure where to go from here.. all the checks on the dns server say that it is working correctly.
No. If you type the ping command and don't see 127.0.0.2, the DNS server isn't working properly.
> when I look at the cached lookups it shows bl.spamcop.net... but not the a record or the ip address...
That's because ATT ain't letting you do it. Since you have your own DNS server, I would recommend not using forwarders, which forces you to follow any restrictions that ATT places on you.
-Scott
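The failure diagnosed in this thread (a forwarder that will not answer DNSBL queries, so every lookup looks like "not listed") can be caught with a scripted check of the test entry. This is an added example, not code from the list or from Declude; the function names are assumptions, and the two stub resolvers and their answers are constructed so the block runs offline.

```python
import ipaddress
import socket

# 127.0.0.2 is the test entry the thread looks up as 2.0.0.127.bl.spamcop.net.
TEST_ENTRY = "127.0.0.2"


def ip4r_name(ip, zone):
    """Build an ip4r query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolve(name):
    """A records for name via the OS resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def resolver_health(zone, resolve=system_resolve):
    """Look up the test entry, which the thread shows resolving to 127.0.0.2."""
    answers = resolve(ip4r_name(TEST_ENTRY, zone))
    if not answers:
        return "no_answer"   # the symptom seen through the ISP forwarder
    if any(not a.startswith("127.") for a in answers):
        return "bad_answer"  # reply was rewritten somewhere on the path
    return "ok"


def check_ip(ip, zone, resolve=system_resolve):
    """Return 'listed', 'not_listed', or 'unknown' when the resolver fails the test."""
    if resolver_health(zone, resolve) != "ok":
        # Reporting 'not_listed' here would make the spam test fail open.
        return "unknown"
    return "listed" if resolve(ip4r_name(ip, zone)) else "not_listed"


# Constructed answers for offline use; 192.0.2.x are documentation addresses.
_ZONE_DATA = {
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
}


def direct_resolve(name):
    """Stub: a resolver that reaches the list's own name servers."""
    return _ZONE_DATA.get(name, [])


def forwarder_resolve(name):
    """Stub: a forwarder that returns nothing for DNSBL queries, as in the thread."""
    return []


if __name__ == "__main__":
    for label, r in (("forwarder", forwarder_resolve), ("direct", direct_resolve)):
        print(label,
              resolver_health("bl.spamcop.net", r),
              check_ip("192.0.2.10", "bl.spamcop.net", r),
              check_ip("192.0.2.11", "bl.spamcop.net", r))
```

Called without the `resolve` argument, the functions use the operating system's configured DNS servers, so running `resolver_health("bl.spamcop.net")` on the mail server itself answers the same question as the ping test.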
Re: [Declude.JunkMail] Habeas win judgment
> Just noticed this in the news and didn't see it on this list. http://www.theregister.co.uk/2004/04/07/habeas_spam_lawsuit/ Glad they are doing something about it.
Meanwhile Habeas is implementing technical modifications that will render future Habeas Warrant Mark spoofing attacks ineffective.
It is the above sentence that caused me to remove Habeas from our server within days of implementing it. It is too easy to spoof and Spam was getting past because of it. I still have not seen anything get past Bondedsender. This is a good way to do this in my opinion!
Sheldon
Sheldon Koehler, Owner/Partner http://www.tenforward.com
Ten Forward Communications 360-457-9023
Nationwide access, neighborhood support!
Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain
Re: [Declude.JunkMail] Habeas win judgment
Based on the following link, Habeas is recommending that users no longer rely solely on the Habeas headers to whitelist messages:
http://habeas.com/configurationPages/spamassassin.htm
The patches Habeas provides for Spamassassin remove the weight reduction rules based on the Habeas headers and add the HIL (BlackList) and HUL (WhiteList) RBLs instead. I've added them to the Declude JunkMail global.cfg as:
    HABEAS-INFRINGER ip4r hil.habeas.com * 10 0
    HABEAS-USER ip4r hul.habeas.com * -10 0
Adjust the weights to meet your own needs and requirements.
Bill
- Original Message -
From: Nathan Fouarge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 2:05 PM
Subject: [Declude.JunkMail] Habeas win judgment
Just noticed this in the news and didn't see it on this list. http://www.theregister.co.uk/2004/04/07/habeas_spam_lawsuit/ Glad they are doing something about it.
Nathan Fouarge
AmberWave Communications
[Declude.JunkMail] Fw: Announcing SURBL support in SA 2.63 and 3.0 plugins
Scott, since SpamCop has now set up an RBL to support URI checking, is this something you will consider adding support for in Declude JunkMail?
Bill
- Original Message -
From: Jeff Chan [EMAIL PROTECTED]
To: SpamAssassin Users [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 6:22 PM
Subject: Announcing SURBL support in SA 2.63 and 3.0 plugins
Hello SpamAssassin Users,
I'm pleased to announce a new type of RBL for blocking messages based on spam domains contained in message bodies called SURBL. Unlike other RBLs, the Spam URI RBL (SURBL) is not used to block spam server IP addresses, but instead to block messages based on URI domains previously reported to SpamCop. We feel this is a very direct approach to the issue of stopping spam. It is also proving highly effective, with spam detection rates currently approaching 60% together with zero false positives. Future improvement is expected as we continue to tune things better.
Acknowledgements go to Julian Haight, Justin Mason, Eric Kolve and countless others for making this possible, including SpamCop and SpamAssassin developers and users.
Here's the Quick Start from our web site:
__
http://www.surbl.org/
SURBL -- Spam URI Realtime Blocklist
Quick Start
[...] In order to use SURBL you need software that can parse URIs in message bodies, extract their domains, and check them against SURBL. [...] For those familiar with adding plugins to SpamAssassin, these quick start comments may be enough information to get started using SURBL. More details about SURBL itself appear in following sections.
SpamCopURI SpamAssassin 2.63 plugin
http://sourceforge.net/projects/spamcopuri/
One such program is Eric Kolve's SpamCopURI which is a SpamAssassin 2.63 plug in. In order to use SURBL in SpamCopURI, please comment out the older tests SPAMCOP_URI and SPAMCOP_URI_HOST and increase the score for the new test up to something like 2.5 or greater:
    score SPAMCOP_URI_RBL 2.5
in the spamcop_uri.cf file. Values higher than 2.5 may be appropriate because this test is a highly accurate indicator of spam, for some of the reasons mentioned below. Some people are using scores of 3.0; others are using up to 6.0.
URIBL SpamAssassin 3.0 plugin
http://spamassassin.org/full/3.0.x/dist/lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm
Another program is the SpamAssassin 3.0 plugin URIDNSBL, to which Justin Mason recently added the urirhsbl command which can be used to do name to name matching from message body URI to SURBL. Here is a sample rule to use urirhsbl with SURBL from the config file for URIBL:
http://www.spamassassin.org/full/3.0.x/dist/rules/25_uribl.cf
    urirhsbl  URIBL_SC_SURBL  sc.surbl.org.  A
    header    URIBL_SC_SURBL  eval:check_uridnsbl('URIBL_SC_SURBL')
    describe  URIBL_SC_SURBL  Contains a URL listed in the SC SURBL blocklist
    tflags    URIBL_SC_SURBL  net
You will need to score it, presumably with some fairly high value:
    score URIBL_SC_SURBL 5.0
Some results of using urirhsbl and SpamCopURI with SURBL appear below. Spam detection rates are running 40-60% with zero false positives noted so far, and with some improvements expected when we revise the code to tune the data better.
Update: Feedback so far on the effectiveness of SURBL is very positive, with spam hit rates ranging up to 60% and near-zero False Positives. With some more tuning we may be able to improve that further.
We could use help with some more BIND-compatible secondary DNS servers for the zone file since SURBL seems to be starting to take off. Also valuable would be integration of SURBL with an MTA such as postfix. Development of a sendmail milter to use SURBL is rumored to be in the works. Contact jeffc at surbl dot org if you would like to help. Thanks!
Raymond Dijkxhoorn has kindly set up an rsync server for the SURBL rbldns and BIND zone files. Administrators of high volume mail servers, please contact Raymond for access at: [EMAIL PROTECTED] Please see the Notes section for more information.
Jeff C.
-- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
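The three steps the Quick Start names (parse URIs in the body, extract their domains, check them against the list) look like this in outline. This is an added example, not code from SURBL, SpamCopURI or SpamAssassin; the function names, the short two-level suffix list, the sample body and the stub zone data are all constructed for illustration, and only the zone name sc.surbl.org comes from the announcement.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URI_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Simplified, constructed suffix list; a deployment needs a complete one.
TWO_LEVEL = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registered_domain(host):
    """Reduce a host name to the domain that would be looked up, or None."""
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    if len(labels) < keep:
        return None  # a bare suffix such as "co.uk" is not a domain
    return ".".join(labels[-keep:])


def extract_domains(body):
    """Sorted unique registered domains of the http(s) URIs in a message body."""
    found = set()
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname  # drops userinfo and port, lowercases
        except ValueError:
            continue
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            continue  # IP-literal hosts are out of scope for this example
        except ValueError:
            pass
        domain = registered_domain(host)
        if domain:
            found.add(domain)
    return sorted(found)


def surbl_hits(body, resolve, zone="sc.surbl.org"):
    """Domains from the body for which <domain>.<zone> returns a 127.x A record.

    resolve is any callable mapping a DNS name to a list of A records
    (assumption: an empty list means the name is not listed).
    """
    hits = []
    for domain in extract_domains(body):
        answers = resolve(domain + "." + zone.strip("."))
        if any(a.startswith("127.") for a in answers):
            hits.append(domain)
    return hits


# Constructed message body and zone contents, for offline use only.
SAMPLE_BODY = """\
Cheap meds: http://www.spamvertised.example/buy?id=1
Mirror: HTTP://user:pw@Shop.Spamvertised.Example:8080/x
Unsubscribe: https://lists.example.co.uk/u/123
Logo: <img src="http://192.0.2.55/logo.gif">
"""
_LISTED = {"spamvertised.example.sc.surbl.org": ["127.0.0.2"]}


def stub_resolve(name):
    """Stub resolver backed by the constructed zone data above."""
    return _LISTED.get(name, [])


if __name__ == "__main__":
    print(extract_domains(SAMPLE_BODY))
    print(surbl_hits(SAMPLE_BODY, stub_resolve))
```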
Re: [Declude.JunkMail] Passing weight to Externalplus test
Scott,
I've been playing with this for a bit now and it seems that the weight isn't being passed as %WEIGHT%, or maybe it is strangely formatted. My script now uses two values, the first being the current weight in Declude, and the second being the SKIPIFWEIGHT equivalent.
The following line doesn't work (test never returns a result):
    SIZE-S external 13 "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT% 28" 0 0
However the following line does work (script always returns a result):
    SIZE-S external 13 "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 10 28" 0 0
Here's the source of the Size.vbs file for reference:
    ' Arguments: (0) current weight, (1) skip threshold, (2) file whose size is tested.
    ' Arguments arrive as strings; CLng makes the weight comparison numeric.
    If CLng(WScript.Arguments(0)) >= CLng(WScript.Arguments(1)) Then
        WScript.Quit(0)
    Else
        Dim objFSO, objFile
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFSO.GetFile(WScript.Arguments(2))
        ' The exit code selects the size bucket (sizes in bytes).
        If objFile.size < 512 Then
            WScript.Quit(11) 'SIZE-XXS [0 KB - 0.5 KB]
        ElseIf objFile.size < 1024 Then
            WScript.Quit(12) 'SIZE-XS [0.5 KB - 1 KB]
        ElseIf objFile.size < 30720 Then
            WScript.Quit(13) 'SIZE-S [1 KB - 30 KB]
        ElseIf objFile.size < 102400 Then
            WScript.Quit(14) 'SIZE-M [30 KB - 100 KB]
        ElseIf objFile.size < 307200 Then
            WScript.Quit(15) 'SIZE-L [100 KB - 300 KB]
        ElseIf objFile.size < 1024000 Then
            WScript.Quit(16) 'SIZE-XL [300 KB - 1,000 KB]
        ElseIf objFile.size >= 1024000 Then
            WScript.Quit(17) 'SIZE-XXL [1,000+ KB]
        Else
            WScript.Quit(0)
        End If
        Set objFile = nothing
        Set objFSO = nothing
    End If
Could you take a look at this when you get a chance.
Thanks,
Matt
R. Scott Perry wrote:
>> Is there another variable available like %CURRENTWEIGHT% that could be used for this purpose (whatever SKIPIFWEIGHT uses)?
> There is now an interim 1.79i3 at http://www.declude.com/interim that changes the %WEIGHT% variable so that it will include the current weight if it is used before the total weight is calculated.
> -Scott
RE: [Declude.JunkMail] Habeas win judgment
Great info! Thanks Bill.
Jason
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, April 07, 2004 8:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Habeas win judgment
Based on the following link, Habeas is recommending that users no longer rely solely on the Habeas headers to whitelist messages:
http://habeas.com/configurationPages/spamassassin.htm
The patches Habeas provides for Spamassassin remove the weight reduction rules based on the Habeas headers and add the HIL (BlackList) and HUL (WhiteList) RBLs instead. I've added them to the Declude JunkMail global.cfg as:
    HABEAS-INFRINGER ip4r hil.habeas.com * 10 0
    HABEAS-USER ip4r hul.habeas.com * -10 0
Adjust the weights to meet your own needs and requirements.
Bill
- Original Message -
From: Nathan Fouarge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 2:05 PM
Subject: [Declude.JunkMail] Habeas win judgment
Just noticed this in the news and didn't see it on this list. http://www.theregister.co.uk/2004/04/07/habeas_spam_lawsuit/ Glad they are doing something about it.
Nathan Fouarge
AmberWave Communications