Re: [Declude.JunkMail] Passing weight to Externalplus test

2004-04-08 Thread Matt




Scott,

FYI, in testing I found that the %WEIGHT% is being passed in, however
it seems to be 500 points higher than in reality, with all the weights
showing up as being between 500 and 600 over the space of my test.

Thanks,

Matt



Matt wrote:

  
  
Scott,
  
I've been playing with this for a bit now and it seems that the weight
isn't being passed as %WEIGHT%, or maybe it is strangely formatted.
  
My script now uses two values, the first being the current weight in
Declude, and the second being the SKIPIFWEIGHT equivalent. The
following line doesn't work (test never returns a result):
  SIZE-S external 13 "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 %WEIGHT% 28" 0 0
  
  
However the following line does work (script always returns a result):
  SIZE-S external 13 "cscript C:\IMail\Declude\Size.vbs //NoLogo //T:2 10 28" 0 0

  
Here's the source of the Size.vbs file for reference:
  ' Arguments: (0) current Declude weight, (1) skip threshold (the
  ' SKIPIFWEIGHT equivalent), (2) file whose size is measured.
  ' Arguments arrive as strings, so convert them before comparing.
  If CLng(WScript.arguments(0)) >= CLng(WScript.arguments(1)) Then
   WScript.Quit(0)
  Else
   Dim objFSO, objFile

   Set objFSO = CreateObject("Scripting.FileSystemObject")
   Set objFile = objFSO.GetFile(WScript.arguments(2))

   ' The exit code tells Declude which size bucket the file falls into.
   If objFile.size < 512 Then
    WScript.Quit(11) 'SIZE-XXS [0 KB - 0.5 KB]
   ElseIf objFile.size < 1024 Then
    WScript.Quit(12) 'SIZE-XS [0.5 KB - 1 KB]
   ElseIf objFile.size < 30720 Then
    WScript.Quit(13) 'SIZE-S [1 KB - 30 KB]
   ElseIf objFile.size < 102400 Then
    WScript.Quit(14) 'SIZE-M [30 KB - 100 KB]
   ElseIf objFile.size < 307200 Then
    WScript.Quit(15) 'SIZE-L [100 KB - 300 KB]
   ElseIf objFile.size < 1024000 Then
    WScript.Quit(16) 'SIZE-XL [300 KB - 1,000 KB]
   ElseIf objFile.size >= 1024000 Then
    WScript.Quit(17) 'SIZE-XXL [1,000+ KB]
   Else
    WScript.Quit(0)
   End If

   Set objFile = nothing
   Set objFSO = nothing
  End If
  
  
Could you take a look at this when you get a chance.
  
Thanks,
  
Matt
  
  
  
R. Scott Perry wrote:
  
> Is there another variable available like %CURRENTWEIGHT% that could be
> used for this purpose (whatever SKIPIFWEIGHT uses)?

There is now an interim 1.79i3 at http://www.declude.com/interim that
changes the %WEIGHT% variable so that it will include the current
weight if it is used before the total weight is calculated.

 -Scott 
--- 
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000. 
Declude Virus: Ultra reliable virus detection and the leader in
mailserver vulnerability detection. 
Find out what you've been missing: Ask for a free 30-day evaluation. 

--- 
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]


--- 
This E-mail came from the Declude.JunkMail mailing list. To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
type "unsubscribe Declude.JunkMail". The archives can be found 
at http://www.mail-archive.com.



  
  
  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=






Re: [Declude.JunkMail] Gateways and CMDSPACE conundrum

2004-04-08 Thread Matt




Sandy et al.,

Regarding how peering is handled, that sucks! It was a bit of a kludge
anyway, more than most at least.

I just got mail bombed on both servers by three different ISP relays.
The recipient address was invalid (sent to and from itself), and if I
had MS SMTP/ORF configured on both machines to blacklist invalid
addresses (instead of just the domain on the backup as is done
currently), this would have stopped that attack cold without me lifting
a finger. Instead I was stuck scanning as many as 15 incoming messages
per second, or at least trying to do so, but not succeeding. Worse
yet, the destination server was bouncing NDR's back through our server
and each of those were being virus scanned despite the original being
in plain text.

I've also noticed that there are a couple hundred E-mails a day in the
backup's BadMail directory for locally hosted domains with non-existent
accounts. I'm only hosting about 300 accounts in total, and this is
all to just those addresses and not the gatewayed domains. Address
validation would stop these needless bounces to forged addresses from
my servers and help to clean up the Internet.

I have a feeling that the need for CMDSPACE detection falls far short
of the need for address validation for gatewayed domains. ORF seems to
be a great tool for this because I can do things like configure a local
RBL for instance to block virus sending machines on the gateway by
maintaining a single zone, along with sender and recipient
blacklisting. ORF of course is a very limited spam blocking tool at
the moment and not appropriate for such needs.

I'm still thinking about approaching IMail for a solution to recipient
blacklisting on gatewayed domains using an 'everything but'
methodology. How unrealistic do you think that would be??? It might
just be easier to ask VAMSoft for CMDSPACE header logging and dealing
with the two separate pieces of technology.

Matt


Sanford Whiteman wrote:

  
> With a recent IMail release, you can now set up peering to use RCPT
> TO to test incoming messages for valid senders.

Right, but the resulting envelope behavior is not different from the
old VRFY scenario, AFAIK.

> As long as IMail does envelope rejection for peered domains that
> fail validation, this setup should work.

There's never been real-time validation and rejection with peering.
With just IMail servers, the idea is that a message can enter a "farm"
of peers and will only be bounced (not rejected) after the message has
been spooled and delivery attempted at every peer. Once you add an MS
SMTP server into the mix, you only have one-way peering.

Maybe I'm not clear on what you're suggesting, but I don't see it
shedding any light on your issue.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/





Re: [Declude.JunkMail] Fw: Announcing SURBL support in SA 2.63 and 3.0 plugins

2004-04-08 Thread R. Scott Perry

> Scott, since SpamCop has now setup a RBL to support URI checking, is this
> something you will consider adding support for in Declude JunkMail?

Thanks for mentioning this -- I'm surprised that this is the first I've
heard of it.  We will likely add support for this to Declude JunkMail.

   -Scott


Re: [Declude.JunkMail] Passing weight to Externalplus test

2004-04-08 Thread Matt
Thanks :)



R. Scott Perry wrote:


FYI, in testing I found that the %WEIGHT% is being passed in, however 
it seems to be 500 points higher than in reality, with all the 
weights showing up as being between 500 and 600 over the space of my 
test.


There is a new interim 1.79i4 that fixes this.

   -Scott


RE: [Declude.JunkMail] Passing weight to Externalplus test

2004-04-08 Thread Markus Gufler

 Cheer up :)

No problem. Just wondered about the 8 minutes.  :-)
I know that in Declude we have a great tool and I can't have it 100% as I
want.

Hope your external test will work fine and you can add additional tests. 
As we check for message sizes in SpamChk for over a year now maybe I can
give you some input about my observations.

What about the idea to use this script as an external weight test and let
the script return the result as weight? So you have one single test in the
declude.cfg file and you can return whatever weight you want directly to the
Declude weighting system.

For example I've seen that around 50% of all incoming spam is under 5
kBytes.
However there are spam messages up to 100 kBytes. (see attached diagram
based on around 2 hold spam messages on our server in the last 4 days)

Based on these values we've decided to give a very small negative weight to
messages having less than 32 kByte. More negative points for messages having
at least 48 kBytes and another more neg. points for messages having more
than 64 kByte

Theoretically it should be a good idea to return the result directly
dependent on the file size. So for example the minimum file size for a
negative weight should be 30 kByte. This should return a negative weight of
5% of the hold value. (-1 point for hold-on-20) The returned negative weight
should be increased for every additional 10 kBytes by 5% of the hold weight.


Size (kByte)  Weight
10            0
20            0
30            -1
40            -2
50            -3
60            -4
...
100           -8
...
220           -20


On my server I can see the following variation of message file sizes:

12%  > 64 kByte
2%   48 to 64 kByte
6%   32 to 47 kByte
80%  < 32 kByte


I consider negative points for large messages as relatively secure because
spammers - even if using an army of zombies - can't easily send out a large
quantity of spam of this size.

Markus





spam_filesizes.pdf
Description: Adobe PDF document


Re: [Declude.JunkMail] Passing weight to Externalplus test

2004-04-08 Thread Nick Hayer
On 7 Apr 2004 at 17:20, R. Scott Perry wrote:

> There is now an interim 1.79i3 at http://www.declude.com/interim that
> changes the %WEIGHT% variable so that it will include the current
> weight if it is used before the total weight is calculated.

Scott,

For me this is what makes me so loyal to your products. You listen to 
your customers..  

-Nick Hayer

 
-Scott
 


[AUTOMATED NOTE: Your mail server [170.222.200.91] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]



[Declude.JunkMail] feature request IPBYPASS and COUNTRY-CHAIN

2004-04-08 Thread Markus Gufler
Hi Scott,
 
You know my problem with numerous false positives caused by changing IP
Blacklist results for several Italian ISP-IPs. Occasionally I can see such
false positives now also for certain Austrian IPs

Would it be possible to specify certain IPBYPASS-COUNTRIES and if the mail
originates from one of these countries, no points for IP blacklist lookups
would be added to the weighting system?

Markus



[Declude.JunkMail] COUNTRIES and Warn Doesn't Always Add Header?

2004-04-08 Thread Dan Geiser



Hello, All,
Just looking for a little feedback. I have the following entries in my
configuration files...
-
GLOBAL.CFG
FILTER-COUNTRY filter D:\IMail\declude\JunkMail.23.Filter.Country.txt x 0 0

JunkMail.23.Filter.Country.txt
COUNTRIES 5 CONTAINS tw # Taiwan

srp.com\$default$.junkmail
FILTER-COUNTRY WARN
-

I received the following message...
-
Received: from cc.jyu.fi [61.219.34.140] by srpdevelopment.com with ESMTP
  (SMTPD32-6.06) id AEE110080132; Thu, 08 Apr 2004 11:25:21 -0400
MIME-Version: 1.0
From: "Antonio Rushing" [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft Exchange V6.0.6600.0
Subject: =?iso-8859-1?b?VmkmYWdyYSBTcGVjaWFs?=
Date: Thu, 08 Apr 2004 15:23:07 +
To: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-RBL-Warning: SD-2LD: Spamdomain '@wuerzburg.de' found: Address of
  [EMAIL PROTECTED] sent from invalid 61-219-34-140.HINET-IP.hinet.net.
X-Declude-Sender: [EMAIL PROTECTED] [61.219.34.140]
X-Note: This E-mail was scanned  filtered by Declude [1.75] for SPAM  viruses.
X-Country-Chain: TAIWAN-destination
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Sent with HELO [cc.jyu.fi] from Reverse DNS
  [61-219-34-140.HINET-IP.hinet.net]
X-Spam-Tests-Failed: SPAMCOP, IPNOTINMX, NOLEGITCONTENT, WEIGHTRANGE-13+,
  SD-2LD [18]
-

Does anyone know why it didn't add a header similar to...
-
X-RBL-Warning: FILTER-COUNTRY: Message failed FILTER-COUNTRY test (83)
-
to the headers of that message?

This is not the first one of these that I have seen. I've got another from
Japan which came in about the same time.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.JunkMail] COUNTRIES and Warn Doesn't Always Add Header?

2004-04-08 Thread R. Scott Perry

> Just looking for a little feedback.  I have the following entries in my
> configuration files...
>
> JunkMail.23.Filter.Country.txt
> COUNTRIES 5 CONTAINS tw # Taiwan

The problem here is that the list of countries never contains tw # 
Taiwan.  If you change the line to:

COUNTRIES 5 CONTAINS tw

then it should work.

   -Scott


Re: [Declude.JunkMail] feature request IPBYPASS and COUNTRY-CHAIN

2004-04-08 Thread R. Scott Perry

> You know my problem with numerous false positives caused by changing IP
> Blacklist results for several Italian ISP-IPs. Occasionally I can see such
> false positives now also for certain Austrian IPs
>
> Would it be possible to specify certain IPBYPASS-COUNTRIES and if the mail
> originates from one of these countries, no points for IP blacklist lookups
> would be added to the weighting system?

We will look into this.  However, since the geolocation (IP-country 
functionality) is still considered experimental, it probably will not be a 
high priority.

In the meantime, my recommendation would be to use filters to assign a 
negative weight to E-mails from those countries (a filter file with a line 
such as COUNTRY -10 CONTAINS IT).

   -Scott


Re: [Declude.JunkMail] COUNTRIES and Warn Doesn't Always Add Header?

2004-04-08 Thread Dan Geiser
Scott,
So we can't use comments in flat text files that are used as filter
files?  Or do they just need to be on their own line?

Thanks,
Dan

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 08, 2004 12:28 PM
Subject: Re: [Declude.JunkMail] COUNTRIES and Warn Doesn't Always Add
Header?



 Just looking for a little feedback.  I have the following entries in my
 configuration files...
 
 JunkMail.23.Filter.Country.txt
 COUNTRIES 5 CONTAINS tw # Taiwan

 The problem here is that the list of countries never contains tw #
 Taiwan.  If you change the line to:

 COUNTRIES 5 CONTAINS tw

 then it should work.


 -Scott
 ---
 Sign up for virus-free and spam-free e-mail with Nexus Technology Group
 http://www.nexustechgroup.com/mailscan





Re: [Declude.JunkMail] COUNTRIES and Warn Doesn't Always Add Header?

2004-04-08 Thread R. Scott Perry

> So we can't use comments in flat text files that are used as filter
> files?  Or do they just need to be on their own line?

Comments must be on their own line in the filter files (otherwise, you 
couldn't do something like have a filter for SPECIAL ###OFFER###).

   -Scott
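
Added example (not code from any poster or from Declude): a small Python lint for the failure discussed in this thread, where a trailing "# Taiwan" silently became part of the text to match. The four-field layout is assumed from the lines quoted above, the BODY test name in the sample is an assumption, and the function names are made up for this sketch.

```python
import re

# Field layout assumed from the lines quoted in this thread:
#   <TEST> <WEIGHT> <OPERATOR> <text to match, up to the end of the line>
RULE_RE = re.compile(r"^\s*(\S+)\s+(-?\d+)\s+(\S+)\s+(.+?)\s*$")
# A lone '#' token inside the match text looks like an attempted comment.
# '###OFFER###' is not flagged: there the '#' characters belong to a word.
INLINE_COMMENT_RE = re.compile(r"\s+#(?:\s+(.*))?$")


def parse_rule(line):
    """Return (test, weight, operator, text), or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None  # a comment on its own line is fine
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised filter line: {line!r}")
    test, weight, operator, text = m.groups()
    return test, int(weight), operator, text


def lint(lines):
    """List (line number, text as the filter sees it, text probably intended)."""
    findings = []
    for number, line in enumerate(lines, start=1):
        rule = parse_rule(line)
        if rule is None:
            continue
        m = INLINE_COMMENT_RE.search(rule[3])
        if m:
            findings.append((number, rule[3], rule[3][:m.start()]))
    return findings


def move_comments(lines):
    """Rewrite the file so every inline comment sits on its own line."""
    out = []
    for line in lines:
        rule = parse_rule(line)
        m = INLINE_COMMENT_RE.search(rule[3]) if rule else None
        if m is None:
            out.append(line)
            continue
        test, weight, operator, text = rule
        if m.group(1):
            out.append(f"# {m.group(1)}")
        out.append(f"{test} {weight} {operator} {text[:m.start()]}")
    return out


# Constructed sample; lines 2 and 3 reuse rules quoted on this page.
SAMPLE = [
    "# Country filter (constructed sample)",
    "COUNTRIES 5 CONTAINS tw # Taiwan",
    "COUNTRY -10 CONTAINS IT",
    "BODY 5 CONTAINS SPECIAL ###OFFER###",  # test name assumed
]

if __name__ == "__main__":
    for number, seen, intended in lint(SAMPLE):
        print(f"line {number}: filter matches {seen!r}, probably meant {intended!r}")
    print("\n".join(move_comments(SAMPLE)))
```
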


Re: [Declude.JunkMail] Declude JunkMail FAQ or Knowledge Base?

2004-04-08 Thread Dan Geiser
Hello, All,
Unless this resource has been created and I missed it I'm assuming there's
still a need in the Declude user community for this.  To that end I did some
research and found a Wiki hosting site which offers both free and paid hosting
accounts.  I believe my plan for the Wiki would keep it in the
Non-Commercial Use category which means it would be free for now.

I have created a Wiki which we can use to address some of the commonly
occurring issues with Declude.  I haven't done much with it yet but moving
forward I'll be adding FAQs as they come up and also going back through the
Declude mailing list archives to cull what I can out of them.  Anybody is
welcome to contribute but don't go too nuts until a basic structure starts
to form.  I'm hoping that the form of the wiki will follow from the way that
we Declude users use it.

Here is the link to the wiki,
http://www.seedwiki.com/page.cfm?doc=Decludewikiid=4974.

Feedback is welcome!  Feel free to contact me directly if you have any
questions.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 21, 2003 7:07 PM
Subject: Re: [Declude.JunkMail] Declude JunkMail FAQ or Knowledge Base?



 I am considering creating a Declude JunkMail Knowledge Base or at the very
 minimum some sort of Frequently Answered Questions document.  I was curious
 to know if there are any equivalent documents or resources in existence,
 perhaps that I've not come across, that would cover the type of information
 that would be contained within a KB or FAQ.  Also, do the powers that be at
 Horizons have any issues with me making a resource of this type?

 This is a very good idea -- and one we have no problem with.  :)

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you have been missing: Ask for a free 30-day evaluation.

 
 This E-mail is scanned and free from viruses. www.nexustechgroup.com





[Declude.JunkMail] X-Spam-Tests-Failed: Whitelisted

2004-04-08 Thread Brent Brashear
One of our clients requested for us to Whitelist one of their customers... I
did it yesterday, and this morning it went (again) to the spam folder. I
copied part of the header message (changed the names/IP's to protect the
'innocent').

X-Spam-Tests-Failed: Whitelisted
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-IMail-Rule: H~SBL:[EMAIL PROTECTED] Data- x.com [000.000.000.000] by
X-UIDL: 373940800

-Anyone know what happened here?

Presently, all of our client whitelisting is done in the Global.cfg file -is
there a way to make it separate for each mail domain? (instead of affecting
every e-mail domain?)



Re: [Declude.JunkMail] X-Spam-Tests-Failed: Whitelisted

2004-04-08 Thread R. Scott Perry

> One of our clients requested for us to Whitelist one of their customers... I
> did it yesterday, and this morning it went (again) to the spam folder. I
> copied part of the header message (changed the names/IP's to protect the
> 'innocent').
> X-Spam-Tests-Failed: Whitelisted

This line means that the E-mail was whitelisted by Declude JunkMail.

> X-IMail-Rule: H~SBL:[EMAIL PROTECTED] Data- x.com [000.000.000.000] by

This line means that an IMail rule caught the E-mail (and presumably moved
it to the spam folder).

> Presently, all of our client whitelisting is done in the Global.cfg file -is
> there a way to make it separate for each mail domain? (instead of affecting
> every e-mail domain?)

You can do that, using the WHITELISTFILE option (see the manual at
http://www.declude.com/junkmail/manual.htm for details).

   -Scott


[Declude.JunkMail] Translate subject line encoded

2004-04-08 Thread John Tolmachoff \(Lists\)
Does some one know what this means in plain English?

=?Windows-1252?Q?Lu=A0:_RE

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





Re: [Declude.JunkMail] Translate subject line encoded

2004-04-08 Thread Darin Cox
Hmmm...looks like a reference to the 7th Crusade which lasted from
1248-1254.  Like all of the other crusades, it was launched in the hopes of
finding the Golden Windows or, as some call it today, the Holy Grail.

We see the clear reference to Windows, or Grail, but some Latin and/or
Spanish influence may have caused this line to get corrupted, thus the
adjective representing gold after the noun (at the end of the line).  Lu,
presumably for Lux, and A0:_RE, probably corrupted from AU or AUR,
thus Lu=A0:_RE makes sense in that gold shines.

The ?Q? seems to indicate some disillusionment with this late crusade or
Quest, which is to be expected after 150 years...and this being the next
to last crusade.

Hope this helps...grin

Darin.


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 08, 2004 2:28 PM
Subject: [Declude.JunkMail] Translate subject line encoded


Does some one know what this means in plain English?

=?Windows-1252?Q?Lu=A0:_RE

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





Re: [Declude.JunkMail] Translate subject line encoded

2004-04-08 Thread Darin Cox
So are you saying this has nothing to do with the 7th Crusade

a little strange humor after a strange night

Darin.

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 08, 2004 2:48 PM
Subject: Re: [Declude.JunkMail] Translate subject line encoded



Does some one know what this means in plain English?

=?Windows-1252?Q?Lu=A0:_RE

I believe that translates to:

Luá:_RE

where the =A0 turns into an accented lowercase letter a.

-Scott
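
Added example (not code from any poster or from Declude): a tolerant Python decoder for the RFC 2047 encoded-words quoted on this page, run on the cut-off Q-encoded fragment from this thread and on the base64 Subject header from the COUNTRIES thread. Function names are made up for this sketch; the practical point is that a keyword filter has to decode such headers before matching, and that the charset named in the header decides what each byte means.

```python
import base64
import binascii
import re
import unicodedata

# =?charset?encoding?payload?=  The closing "?=" is optional here because the
# fragment quoted in the thread is cut off before it.
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([QqBb])\?([^?\s]*)(\?=)?")
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def q_decode(payload):
    """RFC 2047 'Q' encoding: '_' means space, '=XX' is one byte in hex."""
    out = bytearray()
    i = 0
    while i < len(payload):
        pair = payload[i + 1:i + 3]
        if payload[i] == "=" and HEX_PAIR.fullmatch(pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out += b" " if payload[i] == "_" else payload[i].encode("ascii", "replace")
            i += 1
    return bytes(out)


def b_decode(payload):
    """RFC 2047 'B' encoding is base64; repair missing padding first."""
    try:
        return base64.b64decode(payload + "=" * (-len(payload) % 4))
    except (binascii.Error, ValueError):
        return b""


def decode_word(match):
    """Return (text, raw_bytes, terminated) for one encoded-word match."""
    charset, encoding, payload, end = match.groups()
    raw = q_decode(payload) if encoding.upper() == "Q" else b_decode(payload)
    try:
        text = raw.decode(charset)
    except (LookupError, UnicodeDecodeError):
        text = raw.decode("latin-1")  # fallback chosen for this sketch
    return text, raw, end is not None


def decode_header_value(value):
    """Decode every encoded-word in a header value; plain text is kept."""
    # Whitespace between two adjacent encoded-words is not part of the text.
    value = re.sub(r"(\?=)\s+(=\?)", r"\1\2", value)
    return ENCODED_WORD.sub(lambda m: decode_word(m)[0], value)


def non_ascii_names(text):
    """Unicode names of the non-ASCII characters, to see what a byte became."""
    return [unicodedata.name(c, "UNNAMED") for c in text if ord(c) > 127]


# Both values are copied from the threads on this page.
Q_FRAGMENT = "=?Windows-1252?Q?Lu=A0:_RE"
B_SUBJECT = "=?iso-8859-1?b?VmkmYWdyYSBTcGVjaWFs?="

if __name__ == "__main__":
    for value in (Q_FRAGMENT, B_SUBJECT):
        text = decode_header_value(value)
        print(repr(value), "->", repr(text), non_ascii_names(text))
    # What byte 0xA0 means depends on the charset used to read it:
    # Windows-1252 (named in the header) versus the DOS code page 437.
    for charset in ("cp1252", "cp437"):
        print(charset, repr(b"\xa0".decode(charset)))
```
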


RE: [Declude.JunkMail] Translate subject line encoded

2004-04-08 Thread John Tolmachoff \(Lists\)
8-0

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Darin Cox
 Sent: Thursday, April 08, 2004 11:47 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Translate subject line encoded
 
 Hmmm...looks like a reference to the 7th Crusade which lasted from
 1248-1254.  Like all of the other crusades, it was launched in the hopes of
 finding the Golden Windows or, as some call it today, the Holy Grail.
 
 We see the clear reference to Windows, or Grail, but some Latin and/or
 Spanish influence may have caused this line to get corrupted, thus the
 adjective representing gold after the noun (at the end of the line).  Lu,
 presumably for Lux, and A0:_RE, probably corrupted from AU or AUR,
 thus Lu=A0:_RE makes sense in that gold shines.
 
 The ?Q? seems to indicate some disillusionment with this late crusade or
 Quest, which is to be expected after 150 years...and this being the next
 to last crusade.
 
 Hope this helps...grin
 
 Darin.
 
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, April 08, 2004 2:28 PM
 Subject: [Declude.JunkMail] Translate subject line encoded
 
 
 Does some one know what this means in plain English?
 
 =?Windows-1252?Q?Lu=A0:_RE
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
 


Re: [Declude.JunkMail] HELOBOGUS

2004-04-08 Thread R. Scott Perry

> Why did this fail HELOBOGUS:
>
> X-RBL-Warning: HELOBOGUS: Domain mail.sbapro.com has no MX or A records
> [0301].
> Query: sbapro.com.  Query type: Any record

Declude JunkMail looks at the host name (mail.sbapro.com), not the parent 
(otherwise, it would look for com if the HELO/EHLO was example.com).

Note that mail.sbapro.com does not have an MX record.  It does *currently* 
have an A record, but I'm guessing it did not when you processed the E-mail 
(its DNS is handled by root-dns.com/temp-url.com, which smells like some 
sort of dynamic IP service -- but neither web site works).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Translate subject line encoded

2004-04-08 Thread Sharyn Schmidt
Hmmm...looks like a reference to the 7th Crusade which lasted from
1248-1254.  Like all of the other crusades, it was launched in the hopes of
finding the Golden Windows or, as some call it today, the Holy Grail.

We see the clear reference to Windows, or Grail, but some Latin and/or
Spanish influence may have caused this line to get corrupted, thus the
adjective representing gold after the noun (at the end of the line).  Lu,
presumably for Lux, and A0:_RE, probably corrupted from AU or AUR,
thus Lu=A0:_RE makes sense in that gold shines.

The ?Q? seems to indicate some disillusionment with this late crusade or
Quest, which is to be expected after 150 years...and this being the next
to last crusade.

Hope this helps...grin


Ok, I hate to encourage him any more ..but sheesh ..THIS WAS
FUNNY

LMAO

Sharyn

Darin.


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 08, 2004 2:28 PM
Subject: [Declude.JunkMail] Translate subject line encoded


Does someone know what this means in plain English?

=?Windows-1252?Q?Lu=A0:_RE

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





We are the worldwide producer and marketer of the award winning Cruzan
Single Barrel Rum, judged Best in the World at the annual
San Francisco Wine and Spirits Championships. For
more information, please click (go to) http://www.cruzanrums.com


RE: [Declude.JunkMail] feature request IPBYPASS and COUNTRY-CHAIN

2004-04-08 Thread Markus Gufler


 We will look into this.  However, since the geolocation (IP-country
 functionality) is still considered experimental, it probably 
 will not be a high priority.

Well for an experimental feature I can confirm that it works really well
and with 40% of right results by 6% of false positives it is far better than
most other tests.

In other words it outperforms tests like HELOBOGUS, REVDNS, BADHEADERS,
SPAMHEADERS, ROUTING and nearly all IP blacklists.


 In the meantime, my recommendation would be to use filters to 
 assign a negative weight to E-mails from those countries (a 
 filter file with a line such as COUNTRY -10 CONTAINS IT).

Hmm, it would be a little bit better than maintaining a list of Italian IP
ranges but the real problem will remain the same: I use a static
counterweight for a dynamic up and downgoing weight from different IP
blacklists.

I can understand that this feature wouldn't be useful for most (American)
customers, but as an idea maybe it would be possible to use a more
detailed GeoIP datasource that is able to identify also states, regions or
provinces.

The latest versions of Sawmill contain a GeoIP database with around 13.8 MB
filesize. With this file it's possible to create webreports containing
detailed information about the origin of visitors. And this not only for
countries but also for states, regions or provinces.

I don't know the situation overseas but probably there are several
mailservers around that can profit from such a detailed IP location.

Markus



Re: [Declude.JunkMail] NOLEGITCONTENT Test

2004-04-08 Thread R. Scott Perry

Is there a description of what the NOLEGITCONTENT test looks for? It is
adding -5 to a lot of mails and I would like to understand it better.

It looks for information that is rarely ever seen in spam, that appears 
more frequently in legitimate E-mail.  The idea is to help ensure that 
legitimate E-mail gets delivered.  However, it seems that since the test 
was created, more and more spammers have started using portions of real 
legitimate E-mails in their spam (in an attempt to bypass Bayesian 
filtering), which may cause this test to be triggered.

   -Scott


RE: [Declude.JunkMail] NOLEGITCONTENT Test

2004-04-08 Thread Lukasz Kaminski
This test should NOT be used to detect spam! It will be triggered if Declude
JunkMail does not detect any legitimate content in an E-mail. Note that a
lot of legitimate E-mail will fail this test, but almost all spam will fail
it. Like the IPNOTINMX test, this test is good for helping reduce false
positives. By default, Declude JunkMail will subtract several points from
the weighting system when an E-mail does not fail this test (which is very
different from the way a spam test normally works).

IPNOTINMX and NOLEGITCONTENT tests are designed to help legitimate E-mail
rather than hurt spam. As a result, E-mails that fail those tests will
not have any points added to them, but E-mails that do not fail them will
have points subtracted from their total weight.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, April 08, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] NOLEGITCONTENT Test

Hi,

Is there a description of what the NOLEGITCONTENT test looks for? It is
adding -5 to a lot of mails and I would like to understand it better.

Thanx

 
 Goran Jovanovic
 The LAN Shoppe
 2345 Yonge Street, Suite 302
 Toronto, Ontario M4P 2E5
 Phone: (416) 440-1167 x-2113
 Cell: (416) 931-0688
 E-Mail: [EMAIL PROTECTED]
 



Recall: [Declude.JunkMail] NOLEGITCONTENT Test

2004-04-08 Thread Lukasz Kaminski
Lukasz Kaminski would like to recall the message, [Declude.JunkMail]
NOLEGITCONTENT Test.
attachment: winmail.dat

[Declude.JunkMail] NOLEGITCONTENT Test

2004-04-08 Thread Goran Jovanovic
Hi,

Is there a description of what the NOLEGITCONTENT test looks for? It is
adding -5 to a lot of mails and I would like to understand it better.

Thanx

 
 Goran Jovanovic
 The LAN Shoppe
 2345 Yonge Street, Suite 302
 Toronto, Ontario M4P 2E5
 Phone: (416) 440-1167 x-2113
 Cell: (416) 931-0688
 E-Mail: [EMAIL PROTECTED]
 



RE: [Declude.JunkMail] Translate subject line encoded

2004-04-08 Thread John Tolmachoff (Lists)
Rolling Eyes

If you have seen one Crusade, you have seen them all.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
 Sent: Thursday, April 08, 2004 12:38 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Translate subject line encoded
 
 Hmmm...looks like a reference to the 7th Crusade which lasted from
 1248-1254.  Like all of the other crusades, it was launched in the hopes of
 finding the Golden Windows or, as some call it today, the Holy Grail.
 
 We see the clear reference to Windows, or Grail, but some Latin and/or
 Spanish influence may have caused this line to get corrupted, thus the
 adjective representing gold after the noun (at the end of the line).  Lu,
 presumably for Lux, and A0:_RE, probably corrupted from AU or AUR,
 thus Lu=A0:_RE makes sense in that gold shines.
 
 The ?Q? seems to indicate some disillusionment with this late crusade or
 Quest, which is to be expected after 150 years...and this being the next
 to last crusade.
 
 Hope this helps...grin
 
 
 Ok, I hate to encourage him any more ..but sheesh ..THIS WAS
 FUNNY
 
 LMAO
 
 Sharyn
 
 Darin.
 
 
 - Original Message -
 From: John Tolmachoff (Lists) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, April 08, 2004 2:28 PM
 Subject: [Declude.JunkMail] Translate subject line encoded
 
 
 Does someone know what this means in plain English?
 
 =?Windows-1252?Q?Lu=A0:_RE
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
 


RE: [Declude.JunkMail] NOLEGITCONTENT Test

2004-04-08 Thread Goran Jovanovic
Scott,

Would you say that this test is still a valid test? Is it still worth
-5 when the e-mail does not fail it? If both SPAM and HAM are almost
never tripping it perhaps it is a moot point anyway as all mail will
have the -5 added to it.

 
 Goran Jovanovic
 The LAN Shoppe
 2345 Yonge Street, Suite 302
 Toronto, Ontario M4P 2E5
 Phone: (416) 440-1167 x-2113
 Cell: (416) 931-0688
 E-Mail: [EMAIL PROTECTED]
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, April 08, 2004 4:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] NOLEGITCONTENT Test


Is there a description of what the NOLEGITCONTENT test looks for? It is
adding -5 to a lot of mails and I would like to understand it better.

It looks for information that is rarely ever seen in spam, that appears 
more frequently in legitimate E-mail.  The idea is to help ensure that 
legitimate E-mail gets delivered.  However, it seems that since the test

was created, more and more spammers have started using portions of real 
legitimate E-mails in their spam (in an attempt to bypass Bayesian 
filtering), which may cause this test to be triggered.


-Scott


Re: [Declude.JunkMail] Passing weight to Externalplus test

2004-04-08 Thread Matt




Markus,

Thanks for the stats. I've actually been keeping copies of all of the
false positives that we are reprocessing since Monday. Here's a break
down by the sender (considering that some newsletters and ads are sent
to multiple recipients and that throws off the numbers):
1 - < 0.5 KB
1 - 0.5 KB to 1 KB
5 - 1 KB to 5 KB
2 - 5 KB to 10 KB
2 - 10 KB to 15 KB
6 - 15 KB to 20 KB
0 - 20 KB to 30 KB
1 - 30 KB to 40 KB
2 - 40 KB to 50 KB
0 - 50 KB to 75 KB
2 - 75 KB to 100 KB
1 - 100 KB to 200 KB
1 - 200 KB to 300 KB
1 - > 300 KB

I'm mostly concerned about false positives and performance currently,
and while our FP rate is regularly below 0.02% now, this still takes
almost as much time to find problems and fix them as it did when our
rate was many times more than that. I need to therefore balance the
potential of causing FP's with adding points for weight with the
incremental benefit of being able to block a small extra percentage of
spam, and err heavily to the side of protecting from FP's.

Also note that I am very liberal in classifying good E-mail, allowing
through anything where the recipient has a first-party relationship
with the sender. FootLocker.com for instance sent me two ads in a week
for the first time since I bought something from them 20 months ago. I
figure that as long as they honor my opt-out (despite not ever
opting-in to their ads), this protects those that want the content from
having it blocked. Unfortunately many administrators consider this
stuff to be spam, and it makes my job more difficult because of reports
to SpamCop, Sniffer, and other places that nominate such things. While
this stuff may be spam, people should also take note of the limitations
of the blocking mechanism to differentiate between spam from a
particular source, and a legitimate E-mail from that source or
containing similar links. If you can't differentiate, administrators
should seek out a better method IMO. Anyway...

I've done some review of our held spam that scores between 10 and 24
points on our system (a 150% boundary) and for instance so far in the
past 4 days every message held over 100 KB was a FP from an individual
(the worst kind). There's definitely spam between 30 KB and 100 KB,
but as a percentage, this also represents an area where messages
falling in that range are far more likely to be a false positive
because newsletters from dirty sources often enough come in over 30 KB,
while opt-in spammers don't generally bother with that much content and
zombie spammers certainly don't (for now at least).

My thoughts about the weight test are twofold. For one, I'm really
only interested in adding points to zombie spam since static spammers
can be caught once and then their whole IP space can be blacklisted.
Static spammers aren't very dynamic outside of their owned blocks, and
I'm not very concerned about proactive protections using a message size
filter. Zombie spam though is almost always below 5 KB, and sometimes
below 0.5 KB. If I can narrow this down to 99.9% of it falling below a
certain size, I can use the size test to defeat my processor intensive
filters like GIBBERISH, IPLINKED and @LINKED among others. Yesterday I
managed to skip processing these filters on 5% of my mail volume when
set to only run below 30 KB in size. If that magic number is more like
5 KB, I can save much more in terms of processing power. Another added
benefit is that when you don't run a filter on messages above a certain
size, you limit the potential of a false positive with that filter.
For instance, I see plenty of FP's on IPLINKED in newsletters, but this
filter is built to target zombie spam, not spam from static sources
which are easily tagged. So in effect, even without subtracting
points, and just using larger sizes to defeat certain tests, this
protects from FP's and saves processing power.

So far I'm differentiating between filters built for static sources or
a mix, and filters built specifically for zombie spam, and not
processing those types according to different message sizes. I'm
probably only going to add points to things below 0.5 KB, and this will
only be 10% to 20% of my hold weight. I did see some FP's from 0.5 KB
to 1 KB, mostly very brief messages that just scraped under the limit.
I'm going to try looking for the minimum size of a message sent from a
legit mail client and only add points below that point. The sweet spot
for zombie spam certainly appears to be below 5 K, but I have to do
some more research on that. Unfortunately I can't parse the COPYFILE
message bodies for headers so that I could more effectively identify
the zombie stuff.

For those that have asked or are interested in the weight filter, what
I'm going to do is set it up with the ability to set 7 different ranges
by way of the arguments in a comma delimited string. This way everyone
can tune it to their own needs. The skipping of the filter will also
be configurable with arguments as long as you are using 1.79i4+.

Matt








[Declude.JunkMail] Double hit on SPAM/BADHEADERS with c020040c

2004-04-08 Thread Matt
Scott,

I'm wondering if the following double hit for SPAMHEADERS and BADHEADERS 
for the same code is related to the same problem (an invalid date 
header) and if failing both tests is intentional?

Out of 4,000 messages held in the last week scoring between 10 and 24 on 
my system (higher scores land elsewhere), this code only came up 
matching two different sources, one false positive and the other a piece 
of spam that scored a 17 sent with X-EAMsg.  I see the double hit 
causing FP's on an occasion and it doesn't seem to be providing much 
benefit on my system.

Thanks,

Matt

Received: from mo.bulk.sprintpcs.com [68.28.3.13] by mx1.mailpure.com 
with ESMTP
 (SMTPD32-8.05) id A6144C3017C; Wed, 07 Apr 2004 16:35:32 -0400
Received: from [192.168.5.14] (helo=messaging.sprintpcs.com)
by mo.bulk.sprintpcs.com with smtp (Exim 4.30)
id 1BBJiz-p8-II
for [EMAIL PROTECTED]; Wed, 07 Apr 2004 15:32:41 -0500
FROM:[EMAIL PROTECTED]
TO:[EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Subject: [13]
X-MailPure: 
X-MailPure: NOREVDNS: Failed, no reverse DNS entry (weight 1).
X-MailPure: HELOBOGUS: Failed, bogus connecting server name (weight 3).
X-MailPure: BADHEADERS: Failed, headers not RFC compliant [c020040c] 
(weight 4).
X-MailPure: SPAMHEADERS: Failed, header code consistent with spam 
[c020040c] (weight 4).
X-MailPure: SIZE-XXS: Failed, found XX-Small file size (weight 3).
X-MailPure: LEGITCONTENT: Passed, legitimate content detected (weight -2).
X-MailPure: 



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] NOLEGITCONTENT Test

2004-04-08 Thread Darin Cox
You're just baiting me to see if I'll go wacko again, aren't you?  SPAM,
HAM...must resist...

From what I've seen, it's still a very useful test for reducing false
positives.

Darin.


- Original Message - 
From: Goran Jovanovic [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 08, 2004 5:11 PM
Subject: RE: [Declude.JunkMail] NOLEGITCONTENT Test


Scott,

Would you say that this test is still a valid test? Is it still worth
-5 when the e-mail does not fail it? If both SPAM and HAM are almost
never tripping it perhaps it is a moot point anyway as all mail will
have the -5 added to it.


 Goran Jovanovic
 The LAN Shoppe
 2345 Yonge Street, Suite 302
 Toronto, Ontario M4P 2E5
 Phone: (416) 440-1167 x-2113
 Cell: (416) 931-0688
 E-Mail: [EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, April 08, 2004 4:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] NOLEGITCONTENT Test


Is there a description of what the NOLEGITCONTENT test looks for? It is
adding -5 to a lot of mails and I would like to understand it better.

It looks for information that is rarely ever seen in spam, that appears
more frequently in legitimate E-mail.  The idea is to help ensure that
legitimate E-mail gets delivered.  However, it seems that since the test

was created, more and more spammers have started using portions of real
legitimate E-mails in their spam (in an attempt to bypass Bayesian
filtering), which may cause this test to be triggered.


-Scott


Re: [Declude.JunkMail] Double hit on SPAM/BADHEADERS with c020040c

2004-04-08 Thread R. Scott Perry

I'm wondering if the following double hit for SPAMHEADERS and BADHEADERS 
for the same code is related to the same problem (an invalid date header) 
and if failing both tests is intentional?

It's due to two problems -- whenever both tests fail, there are two (or 
more) problems.  An E-mail will fail one of those two tests if it has a 
header that is [1] spam-like, and [2] not usually seen with legitimate mail 
clients.  If the header is RFC-compliant, it fails the SPAMHEADERS test; 
otherwise, it fails the BADHEADERS test.

Note that the same code is used for both the BADHEADERS and SPAMHEADERS (so 
if an E-mail fails both tests, the code for each one will always be the same).

X-MailPure: BADHEADERS: Failed, headers not RFC compliant [c020040c] 
(weight 4).
X-MailPure: SPAMHEADERS: Failed, header code consistent with spam 
[c020040c] (weight 4).

The c020040c indicates an E-mail that [1] Has no Date: header, which is a 
required header per the RFCs, causing the E-mail to fail the BADHEADERS 
test, and [2] Has no space after the To: header, which is technically 
valid, so the E-mail fails the SPAMHEADERS test as well.

   -Scott


Re: [Declude.JunkMail] X-Declude-Status: Waiting for activation code

2004-04-08 Thread R. Scott Perry

I have the above header in my mail.  Just showed up not too long ago.

I have JM Pro and Virus Standard.  Virus Standard is running and I have 
disabled JM Pro by renaming my global.cfg.

What's happening here?  I've got a service agreement.

That's a bug in an old beta -- if you upgrade to the latest beta, it will 
take care of the problem.

   -Scott


[Declude.JunkMail] X-Declude-Status: Waiting for activation code

2004-04-08 Thread Matt Robertson
I have the above header in my mail.  Just showed up not too long ago.  

I have JM Pro and Virus Standard.  Virus Standard is running and I have disabled JM 
Pro by renaming my global.cfg.

What's happening here?  I've got a service agreement.


--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---



Re: [Declude.JunkMail] Double hit on SPAM/BADHEADERS with c020040c

2004-04-08 Thread Matt
Scott,

Thanks for the explanation.  I was just making sure.  I agree that the 
logic is sound, it was just the code that was confusing.  Strangely 
enough the only time this code comes up, which is rare, both tests fail.

Matt

R. Scott Perry wrote:


I'm wondering if the following double hit for SPAMHEADERS and 
BADHEADERS for the same code is related to the same problem (an 
invalid date header) and if failing both tests is intentional?


It's due to two problems -- whenever both tests fail, there are two 
(or more) problems.  An E-mail will fail one of those two tests if it 
has a header that is [1] spam-like, and [2] not usually seen with 
legitimate mail clients.  If the header is RFC-compliant, it fails the 
SPAMHEADERS test; otherwise, it fails the BADHEADERS test.

Note that the same code is used for both the BADHEADERS and 
SPAMHEADERS (so if an E-mail fails both tests, the code for each one 
will always be the same).

X-MailPure: BADHEADERS: Failed, headers not RFC compliant [c020040c] 
(weight 4).
X-MailPure: SPAMHEADERS: Failed, header code consistent with spam 
[c020040c] (weight 4).


The c020040c indicates an E-mail that [1] Has no Date: header, which 
is a required header per the RFCs, causing the E-mail to fail the 
BADHEADERS test, and [2] Has no space after the To: header, which is 
technically valid, so the E-mail fails the SPAMHEADERS test as well.

   -Scott

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] Double hit on SPAM/BADHEADERS with c020040c

2004-04-08 Thread R. Scott Perry

Thanks for the explanation.  I was just making sure.  I agree that the 
logic is sound, it was just the code that was confusing.  Strangely enough 
the only time this code comes up, which is rare, both tests fail.

That's because the code has a list of the flaws that Declude JunkMail finds 
in the E-mail.  So every time that code comes up, the E-mail will fail both 
the SPAMHEADERS and BADHEADERS test (and in the same way, if you take the 
code of an E-mail that fails the SPAMHEADERS test, you'll find that every 
other E-mail with that same code fails only the SPAMHEADERS test).

   -Scott
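The two flaws Scott names in his replies above (no Date: header, no space after To:) and his rule for which test each one trips, as an added example that is not Declude's code or part of the original posts. The flaw labels and function names are hypothetical, the header block is a constructed sample modelled on the one quoted in the thread, and the example does not decode the c020040c value itself, whose layout the thread does not give.

```python
import re

# Constructed sample modelled on the headers quoted in the thread. The
# addresses and Message-Id are placeholders (the archive redacted the originals).
SAMPLE_HEADERS = (
    "Received: from mo.bulk.sprintpcs.com [68.28.3.13] by mx1.mailpure.com with ESMTP\r\n"
    "\t(SMTPD32-8.05) id A6144C3017C; Wed, 07 Apr 2004 16:35:32 -0400\r\n"
    "FROM:sender@example.com\r\n"
    "TO:recipient@example.com\r\n"
    "Message-Id: <constructed@example.com>\r\n"
    "Subject: [13]\r\n"
    "\r\n"
    "body text\r\n"
)

# The two result lines as they appear in the thread.
SAMPLE_RESULTS = [
    "X-MailPure: BADHEADERS: Failed, headers not RFC compliant [c020040c] (weight 4).",
    "X-MailPure: SPAMHEADERS: Failed, header code consistent with spam [c020040c] (weight 4).",
]

# Hypothetical labels for the two flaws described in the thread, each marked
# with whether the header is still RFC-compliant when the flaw is present.
MISSING_DATE = "missing-date"
TO_NO_SPACE = "to-no-space"
FLAW_IS_RFC_COMPLIANT = {MISSING_DATE: False, TO_NO_SPACE: True}

RESULT_RE = re.compile(
    r"^X-MailPure: (\w+): Failed, .*\[([0-9a-f]{8})\] \(weight (-?\d+)\)\.$"
)


def unfold(raw):
    """Return (name, raw_value) pairs from a header block, joining folded lines.

    The value keeps its leading whitespace so spacing after the colon can be checked.
    """
    fields = []
    for line in raw.splitlines():
        if not line:
            break  # a blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name, value))
    return fields


def find_flaws(raw):
    """List the flaws present, looking only at header field names and spacing."""
    fields = unfold(raw)
    names = {name.strip().lower() for name, _ in fields}
    flaws = []
    # A date inside Received: does not count; only a Date: field does.
    if "date" not in names:
        flaws.append(MISSING_DATE)
    for name, value in fields:
        if name.strip().lower() == "to" and value and value[0] not in " \t":
            flaws.append(TO_NO_SPACE)
    return flaws


def failed_tests(flaws):
    """Apply the rule from the thread: compliant flaw -> SPAMHEADERS, else BADHEADERS."""
    tests = set()
    for flaw in flaws:
        tests.add("SPAMHEADERS" if FLAW_IS_RFC_COMPLIANT[flaw] else "BADHEADERS")
    return sorted(tests)


def codes_by_test(result_lines):
    """Map each failed test name to the bracketed code reported on its line."""
    codes = {}
    for line in result_lines:
        match = RESULT_RE.match(line)
        if match:
            codes[match.group(1)] = match.group(2)
    return codes


if __name__ == "__main__":
    flaws = find_flaws(SAMPLE_HEADERS)
    print("flaws:", flaws)
    print("tests failed:", failed_tests(flaws))
    print("codes reported:", codes_by_test(SAMPLE_RESULTS))
```

Because the set of failed tests is a pure function of the flaw list, any two messages with the same flaws fail the same tests, which is the behaviour Scott describes for messages sharing a code.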


[Declude.JunkMail] OT: Adaptec 29160

2004-04-08 Thread John Tolmachoff (Lists)
If any one out there likes playing with hardware and has time, I have an
Adaptec 29160 that I removed from service as it was showing parity errors
and would cause drives to dismount. Turns out it is an OEM board that my
previous employer had purchased as a BULK item about 2 years ago.

Card is free, just pay for UPS ground shipping.

Otherwise, it is going to be filed in the appropriate place for such things,
commonly known as the file cabinet which is cylindrical in shape and is
loaded from the top.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





[Declude.JunkMail] Size v1.0.0 - Externalplus test

2004-04-08 Thread Matt




Ok, looks like I finally got it all together. I tried to code this up
so that it is flexible, allowing an administrator to specify as many
different sizes as he or she wishes, and opt whether or not to use the
weight skipping mechanism. Here's how it works...

There are three arguments to the script, SZ, which is the list of sizes
you specify, CW, which is the current weight in Declude, and SW, which
is the weight at which you skip processing the test. Note that you
must use Declude JunkMail 1.79i4 or higher to properly make use of the
weight skipping mechanism. A command line (without the CScript
stuff) would look like the following:

 C:\IMail\Declude\Filters\Size.vbs SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28

Note that you don't need the identifiers if you don't want to use them
("SZ=", "CW=" and "SW="). The above arguments will cause the script to
only run if the current weight is less than 28. The 6 values for the
size settings are done in KB's, and 6 values will result in 7 non-zero
result codes since it will also return a code for anything larger than
the last value.

The result codes passed to Declude will begin with a value of 11 and
increment by one for each successive size. Only one match will be
returned, the lowest matching value. For instance, the above example
will return the following result codes according to message size:
Result Code 11 - Less than 0.5 KB (but not zero)
Result Code 12 - Between 0.5 KB and 5 KB
Result Code 13 - Between 5 KB and 30 KB
Result Code 14 - Between 30 KB and 100 KB
Result Code 15 - Between 100 KB and 300 KB
Result Code 16 - Between 300 KB and 1000 KB
Result Code 17 - Greater than or equal to 1000 KB


You can use as many or as few size values as you wish, for instance if
you used "SZ=10,50", the following would be returned
Result Code 11 - Less than 10 KB (but not zero)
Result Code 12 - Between 10 KB and 50 KB
Result Code 13 - Greater than or equal to 50 KB


My current implementation in Declude is as follows. Note that this
shows the CScript calls necessary unless you configure your system for
a default scripting host with the appropriate arguments:

  SIZE-XXS external 11 "CScript C:\IMail\Declude\Filters\Size.vbs //NoLogo //T:2 SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28" 2 0
  SIZE-XS  external 12 "CScript C:\IMail\Declude\Filters\Size.vbs //NoLogo //T:2 SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28" 0 0
  SIZE-S   external 13 "CScript C:\IMail\Declude\Filters\Size.vbs //NoLogo //T:2 SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28" 0 0
  SIZE-M   external 14 "CScript C:\IMail\Declude\Filters\Size.vbs //NoLogo //T:2 SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28" 0 0
  SIZE-L   external 15 "CScript C:\IMail\Declude\Filters\Size.vbs //NoLogo //T:2 SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28" -2 0
  SIZE-XL  external 16 "CScript C:\IMail\Declude\Filters\Size.vbs //NoLogo //T:2 SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28" -3 0
  SIZE-XXL external 17 "CScript C:\IMail\Declude\Filters\Size.vbs //NoLogo //T:2 SZ=.5,5,30,100,300,1000 CW=%WEIGHT% SW=28" -5 0

In this implementation, the following test names correspond to the
message sizes as follows:
SIZE-XXS = Result Code 11 - Less than 0.5 KB (but not zero)
SIZE-XS = Result Code 12 - Between 0.5 KB and 5 KB
SIZE-S = Result Code 13 - Between 5 KB and 30 KB
SIZE-M = Result Code 14 - Between 30 KB and 100 KB
SIZE-L = Result Code 15 - Between 100 KB and 300 KB
SIZE-XL = Result Code 16 - Between 300 KB and 1000 KB
SIZE-XXL = Result Code 17 - Greater than or equal to 1000 KB


There is a tiny bit of error correction in the script, for instance it
won't take the wrong number of arguments and returns a result code of
zero if that condition is found. If others feel that the script can be
improved, please share your thoughts and code. Also, after a little
bit of testing to make sure that it is sufficiently flexible and
properly suited to general needs, I certainly wouldn't mind this being
converted to a compiled executable. For now, the Size.vbs file can be
downloaded from the beta filters section of my site.
http://www.mailpure.com/software/decludefilters/beta/
(Size_v1-0-0.zip)


Thanks to everyone for helping me along the way.

Matt
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
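
The behaviour described in the message above (optional "SZ=", "CW=" and "SW=" identifiers, weight skipping, result codes starting at 11), written out as an added example. This is not the Size.vbs from the download and not the author's code. It assumes Declude appends the message file path as the last argument, as the earlier two-argument version in this thread did, and that the system locale uses "." as the decimal separator.

```vbscript
Option Explicit
' Added illustration, not the original Size.vbs.
' Assumed argument order: SZ list, current weight, skip weight, message file path.

' "SZ=10,50" -> "10,50"; a bare value passes through unchanged.
Function StripId(arg, id)
    If UCase(Left(arg, Len(id))) = UCase(id) Then
        StripId = Mid(arg, Len(id) + 1)
    Else
        StripId = arg
    End If
End Function

' Returns 0 (no result) or 11, 12, ... for the lowest matching size bucket.
Function ResultCode(szList, curWeight, skipWeight, sizeBytes)
    Dim limits, i
    ResultCode = 0
    ' An unexpanded %WEIGHT% or other non-numeric value fails closed.
    If Not (IsNumeric(curWeight) And IsNumeric(skipWeight)) Then Exit Function
    ' Weight skipping: only run while the current weight is below SW.
    If CDbl(curWeight) >= CDbl(skipWeight) Then Exit Function
    If sizeBytes = 0 Then Exit Function
    limits = Split(szList, ",")
    If UBound(limits) < 0 Then Exit Function
    For i = 0 To UBound(limits)
        If Not IsNumeric(limits(i)) Then Exit Function
    Next
    For i = 0 To UBound(limits)
        If sizeBytes < CDbl(limits(i)) * 1024 Then   ' limits are given in KB
            ResultCode = 11 + i
            Exit Function
        End If
    Next
    ' Larger than or equal to the last value: one extra code.
    ResultCode = 11 + UBound(limits) + 1
End Function

Dim args, fso
Set args = WScript.Arguments
If args.Count <> 4 Then WScript.Quit 0          ' wrong number of arguments
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(args(3)) Then WScript.Quit 0
WScript.Quit ResultCode(StripId(args(0), "SZ="), StripId(args(1), "CW="), _
                        StripId(args(2), "SW="), fso.GetFile(args(3)).Size)
```

Running it under CScript against a saved message file and then checking %ERRORLEVEL% shows which result code a given SZ list produces before the test lines go into the Declude configuration.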




[Declude.JunkMail] %RemoteRecps%

2004-04-08 Thread serge
Hi Scott

The external test Matt just wrote is an invaluable tool for JunkMail.
It also gives us some insight on how to write our own tests to achieve many
many things.

One of them will however need the %RemoteRecep% variable already available
in Declude Virus.
Is it also available or can it be easily imported to JunkMail? (And while
you are at it, %nbremoterecp% would also be very useful.)

Finally, we all know you have a feature list you work on. Is it possible to
publish it on your web site so we know what to expect?
I understand the list is not always accurate, and some features may never be
implemented, but it will still give us some insight.

I personally have a wish list of less than 10 features that will make my life
easier. If I do post it here, would you give me some info about which
features may be implemented and a rough timeframe (like few days, few weeks,
few months, ...)?

TIA
