Re: [Declude.JunkMail] why does this fail the spam domains test?

2004-04-16 Thread Matt




Dave,

It works like two different CONTAINS filters.

It takes the value in the first column, and if the MAILFROM contains
the string, then it checks both columns against the REVDNS entry to see
if either one matches. Since the first column has an @ symbol in it,
that will never match, and the only possible match would be in the
second column as a REVDNS CONTAINS type of match.

If you only have one entry per line, then both the MAILFROM and REVDNS
will need to contain that string.

Using an @ symbol in the first column isn't a requirement, and it's
only appropriate for domains with one possible REVDNS value since the
first column can't match leaving only one string to match on. The
reason for putting it in there is because of some uses of VERP which
can include addresses within the MAILFROM before the @ symbol,
especially with domains like att.net which allow for forwarding. It
also prevents matches on partial domains from occurring, though that
would generally be rare. I opt to use the @ symbol in the first column
when I only know of one legit REVDNS domain, and I leave it off when
there are two, and I omit the domain from the list when there are three
or more possible REVDNS matches.

Hope this helps.

Matt




Dave Doherty wrote:

  Scott-

I think that I may misunderstand SPAMDOMAINS.

From the manual:

This test will catch E-mail that is not coming from a mailserver that it
should be coming from. This test will only work if you set up a file listing
domains that you wish to be included in this test. Specifically, it will
check the return address of the E-mail, and then check to see if the reverse
DNS entry of the IP that the E-mail was sent from contains the domain name.
If not, the E-mail fails the test. For example, if "hotmail.com" is listed
in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from
"law2.hotmail.com" would not fail the test, but an E-mail from
"mail.example.ru" would fail the test.

Taking the lead from that description, my SPAMDOMAINS file consists of a
simple list of domains, one to a line, like this:

ebay.com
aol.com

Yet every example I have seen on this subject the past few days shows two
domains per line like this:

@juno.com   .untd.com

How is this supposed to work?

-Dave





- Original Message - 
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 4:42 PM
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?


  
  

  Can anyone explain why this message would fail the spamdomains test?


Here is the spamdomains entry:

@juno.com   .untd.com
  

The key here is the reverse DNS entry -- do you have the full headers for
the E-mail?  Although the IMail log file shows the IP address, it is
possible that Declude JunkMail may have used a different IP, which would
be reflected in the headers.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



  
  



  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
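
The matching rule as Matt describes it above, modelled as an added example (not Declude's code, and not part of the original message). It assumes plain case-insensitive substring matching and that one REVDNS match among several applicable entries is enough; the function names, sample addresses and hostnames are constructed for illustration.

```python
def parse_spamdomains(text):
    """Return a list of (first_column, all_columns) from spamdomains-style text."""
    entries = []
    for line in text.splitlines():
        cols = line.lower().split()[:2]   # one or two whitespace-separated columns
        if cols:
            entries.append((cols[0], tuple(cols)))
    return entries


def check(mailfrom, revdns, entries):
    """Return 'not-listed', 'pass' or 'fail' for one message."""
    mailfrom, revdns = mailfrom.lower(), revdns.lower()
    # Step 1: an entry applies when MAILFROM contains its first column.
    applicable = [cols for first, cols in entries if first in mailfrom]
    if not applicable:
        return "not-listed"
    # Step 2: every column of an applicable entry is tried against REVDNS.
    # Assumption: with several applicable entries, one REVDNS match is enough.
    if any(col in revdns for cols in applicable for col in cols):
        return "pass"
    return "fail"


# The same domain listed without and with the @ in the first column.
LOOSE = parse_spamdomains("juno.com   .untd.com")
STRICT = parse_spamdomains("@juno.com  .untd.com")

# Constructed messages: (label, MAILFROM, REVDNS of the connecting IP).
SAMPLES = [
    # Sender and server both belong to the listed domain.
    ("genuine", "alice@juno.com", "outbound7.untd.com"),
    # Listed return address, unrelated server: what the test is meant to catch.
    ("forged", "alice@juno.com", "dsl-203-0-113-9.isp.example"),
    # VERP-style bounce address carrying the domain before the @.
    ("verp", "list-bounce-alice=juno.com@lists.example.org", "mx.lists.example.org"),
    # A different domain that merely ends in the listed string.
    ("partial", "bob@not-juno.com.example", "smtp.isp.example"),
    # A second legitimate REVDNS: with @ the first column can no longer match it.
    ("second-revdns", "alice@juno.com", "mail.juno.com"),
]


def compare():
    """Map each sample label to its (loose, strict) verdicts."""
    return {label: (check(mf, rd, LOOSE), check(mf, rd, STRICT))
            for label, mf, rd in SAMPLES}


if __name__ == "__main__":
    for label, (loose, strict) in compare().items():
        print(f"{label:14} loose={loose:10} strict={strict}")
```

The `verp` and `partial` rows show the false positives the @ form avoids, and `second-revdns` shows its cost: only the second column is left to match REVDNS.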




Re: [Declude.JunkMail] Updated SURBL filter script

2004-04-16 Thread Roger Eriksson
Matt,

Thanks for the suggestions.

With a maxweight variable it would also make sense to add a body 
weight variable (so that this weight easily can be set to a value 
other than 0). At present, the processor load shouldn't be any 
problem, however, since the number of entries is rather few. This 
situation can quickly change if SURBL change the expiration time of 
the records, however, and that is why I included a limit variable for 
max number of entries. The filter will not be updated if this limit 
is exceeded.

I also thought of an exclude file, but decided that the exclude 
variable would be enough (but maybe it isn't). After all, this filter 
script is just a provisional solution until this kind of test is 
directly implemented in Declude.

We also have to remember that SURBL is still very experimental, and 
the listing criteria haven't settled yet. It also has some other 
problems, e.g., the permanent test entry example.com (which is 
excluded in the filter file since it would catch many legitimate 
messages). I only use this filter with a low weight (15% of hold) to 
push spam over the edge, but the FP rate should be rather low (or at 
least lower than similar lists).

/Roger


Roger,

Thanks for the fine work.  I finally got around to setting this up 
after figuring out that it wasn't thousands of URL's long and my 
server seems to be handling it well enough for now.

I have two suggestions for the script.

1) Add a MAXWEIGHT variable.  If you score each line at say 4 points 
and set the MAXWEIGHT to 4, then the filter will stop processing on 
the first hit and save resources.  I tried playing around with this 
to get it to work, but I'm totally clueless when it comes to batch 
file programming and I think I was hitting some sort of a reserved 
word.

2) Add the ability to remove listings contained in a text file (an 
exclude list).  From looking over the current list of domains, there 
are the following:
   - norton.com
   - webhosting.yahoo.com

These were probably in spam, but they are not unique to spam.  I 
also found an entry for pe.kg in the list which doesn't resolve 
and seems like it was probably from a parsing error.  A list of top 
sites from a page linked to from the project's site shows that 
yahoo.com is one of the most frequently spamvertised domains, though 
this is clearly not listed in this file due to an exception on their 
end.

This type of test is definitely very vulnerable to pollution and it 
would be great to have a way to detect such problems and add them to 
a list for exclusion.

Long-term this is best suited for a DNS lookup due to various 
limitations of doing a contains filter, but for now, it seems to be 
working very well at adding points to things that are coming in 
below my drop weight, in fact it might very well be tagging the 
majority of what is scoring in my Hold level and pushing it over the 
top.

Matt




Re: [Declude.JunkMail] tricks for dealing with null senders?

2004-04-16 Thread Robert
 Delete the nobody alias if it's present. That will let Imail reject
 misaddressed messages before it processes them. This is way more efficient,
 and it should cut down on your processor and disk activity quite a lot.

What if nobody is a real address?

Robert


- Original Message -
From: Dave Doherty [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 3:14 PM
Subject: Re: [Declude.JunkMail] tricks for dealing with null senders?


 Hi Royce-

 Sounds like you've got a few things going on there. Understand, I'm on
 version 8.05 now, so your mileage may vary. I'll try to keep it to the
 basics.

 First off, it sounds to me like you have too much stuff in your spool
 directory.

 I suggest that you zip your older log files and move them out of the spool
 directory.

 You should be able to delete all spool files older than one or two days if
 you use normal SMTP retry settings like ten attempts half an hour apart.

 How large are the attachment files? They may be stuck in the queue because
 they were never delivered. That can happen if they are large, particularly
 larger than 2MB.

 If you have no lists, you should not have an imailsrv alias. Delete that if
 it's present.

 Delete the nobody alias if it's present. That will let Imail reject
 misaddressed messages before it processes them. This is way more efficient,
 and it should cut down on your processor and disk activity quite a lot.

 Maybe others here have more / better suggestions.

 -Dave Doherty
  Skywaves, Inc.



 - Original Message -
 From: Royce Burnett [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, April 15, 2004 11:06 AM
 Subject: Re: [Declude.JunkMail] tricks for dealing with null senders?


  Hi Dave,
  thanks for the response.
 
  I'm not sure of the mechanics of rejection, all I did to stop this for now
  was to check the reject null senders box in smtp security. Please
  understand that I'm just a guy who got stuck with this job, and 90% of the
  conversation in this list is over my head :D

  Originally this iwebmsg power consumption was happening by means of null
  senders sending messages to imailsrv which was generating tons of illegal
  list commands in the log, I got around this by renaming imailsrv.exe to
  something else which got the log files down to 4 or 5 mbs a day instead of
  70 or 80. We don't have any need for the imailsrv function, so I thought
  what the heck... This lasted for a few weeks, but now it's happening again,
  although not to the same extent. I was previously getting somewhere around
  170,000 of these a day. I'm seeing that a few of them are now starting to
  send to listserv.

  The log files are now at around 7 or 8 mbs, I'm getting about 2000 of these
  null senders a day now, which really shouldn't bother. I do have a number
  of tmp files in the spool directory which I wasn't getting before I renamed
  the imailsrv.exe, strangely these tmp files don't look as though they are
  related to any attempt to send a message to imailsrv. Weird.
  Another thing that is goofy is that I have a couple of users whose
  attachments seem to stay in the spool directory for ever and ever, is that
  normal for a user that pretty much exclusively uses the web mail function?
  spool directory size is usually about 60 or 70 mbs, with about 100 or 150
  files in it. I usually keep about a month's worth of logs in the spool.
 
  any suggestions? i'm waiting to get a bunch of postmaster messages from
  rfc-ignorant while i have things set this way.
 
  cheers
  Royce
 
 
 
  At 10:11 PM 14/04/2004 -0400, you wrote:
  Hi Royce-
  
  How are you rejecting the messages? Do you use a nobody alias with an
  autoresponse, or do you just let Imail return the standard error message?
  Any idea how many you're getting?

  It seems odd that this would affect iwebmsg.  Look for another problem
  somewhere. How many files do you have in your spool directory?
  
  -Dave
  
  
  
  - Original Message -
  From: Royce Burnett [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Wednesday, April 14, 2004 3:43 PM
  Subject: [Declude.JunkMail] tricks for dealing with null senders?
  
  
   Using Imail 6.05, and Declude 1.79 beta on NT4.0
  
  
   I've had a spate of crud flowing in the last week or so from
   @variousaddresses addressed to
   [EMAIL PROTECTED], which of course get turned
   away as the addressee is unknown to my mail server. Unfortunately there
   seems to be such a flood of the damned things that it ends up stalling the
   iwebmsg service and consuming 100% cpu so a number of times a day I have to
   shut the iwebmsg service down, which can take up to 20 minutes to
   accomplish.

   I've had to turn off accepting null senders just to grab my breath. What's
   the quick and dirty solution, some sort of hold action? is there a way to
   configure a declude test to action these messages?

   please forgive if this seems a stupid question, i'm pretty foggy after a 4

Re: [Declude.JunkMail] why does this fail the spam domains test?

2004-04-16 Thread R. Scott Perry

yahoo.com
would require that all possible REVDNS entries contain yahoo.com so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com, abcyahoo.com or abc.yahoo.com.hk, but not yahoo.ca

Correct, but this has the drawback of blocking [EMAIL PROTECTED] if 
they do not have yahoo.com in the return address.  In this case, it 
probably would not be an issue (few legitimate non-Yahoo domains would end 
in yahoo.com, and fewer would come from IPs with a reverse DNS entry that 
did not contain yahoo.com).

@yahoo.com   yahoo.com
would require that all possible REVDNS entries end in yahoo.com so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com or abcyahoo.com, but not abc.yahoo.com.hk, or yahoo.ca

Correct.

.yahoo.com   yahoo.com
would require that all possible REVDNS entries end in .yahoo.com so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com but not abc.yahoo.com.hk or yahoo.ca

Yes, but it would only apply to E-mails from [EMAIL PROTECTED] 
(specifically, any E-mail address with .yahoo.com in it).

   -Scott


[Declude.JunkMail] Spamdomains.txt file

2004-04-16 Thread Jeff Maze - Hostmaster
Hello,
I think I'm going to implement the spam domains tests.  Anyone have
a file they would like to share that works well for them?




[Declude.JunkMail] Whitelisting issue

2004-04-16 Thread Kami Razvan



Hi;

I know this has been discussed in the past but I am not sure if any
solution is available.

If one person has [EMAIL PROTECTED] in the address book it appears that
an email sent to this person and many others will be whitelisted for all.

We have a situation that a person receives a lot of news emails and has
whitelisted his address. Now anything that is sent to this organization's
info address (going to him and 3 others) is being whitelisted for everyone.
Of course info address being one of the favorite addresses of spammers it
is not helping the situation.

If nothing can be done - may be one idea is to rethink the way whitelist
works.

What if [EMAIL PROTECTED] simply means no action be taken so spam filters
and tests are done but the action is not taken - then others without
[EMAIL PROTECTED] can have the action taken on their emails.

Regards,
Kami


Re: [Declude.JunkMail] New test

2004-04-16 Thread Bud Durland
Markus;

Thanks for the detailed feedback and kind words.  I haven't had time to 
study our numbers (and I believe our statistical universe is much 
smaller than yours), but generally speaking I'm pleased with the results 
we're seeing here.

For those who are interested, I'll be posting this test for download 
from my web site (http://bud.thedurlands.com) this weekend. Don't look 
for it earlier than Sunday, but I promise it will be there.  There will 
be two executables.  The current one remains unchanged.  The additional 
test, called HELOISIPX, only fails if the HELO is a pure IP address:

 Received: from 12.107.134.252 [69.6.65.63] by mrpcap.com with ESMTP

I created this because I see quite a few messages that use an IP for the 
HELO, (and often it is MY mail server's IP).  I have never, ever, not 
once seen such a message that wasn't spam, so on my system that test 
will be weighted quite heavily.

Markus Gufler wrote:

Two days ago Bud has announced HELOISIP as new external test.

After trying this test now for 36 hours I can report the following results
for 04/15/2004
Processed messages: 9832

Hold as Spam:  4728  (48% of all messages)
Detected by HELOISIP:  1340  (28% of hold spam / 14% of all messages)
FP's from SURBL:  55
All of this 55 legit messages has had a final weight below 60% of our hold
weight and so hasn't caused any real FP.
91% of all spam messages catched by HELOISIP has already reached a weight 
200% of our hold weight. So having a possibility to skip this external test
if a certain weight is already reached should significantly save resources.
Good test!

Markus

 



--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---
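
A sketch of the kind of check Bud describes for HELOISIPX, as an added example (not his executable, and not part of the original message). It assumes the Received layout shown in his sample line, treats a bracketed address literal as a separate class because whether the real test fails it is not stated here, and uses hypothetical function names with constructed sample lines apart from the one quoted above.

```python
import ipaddress
import re

# Layout taken from the Received line quoted in the message:
#   Received: from <HELO argument> [<connecting IP>] by <server> ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<peer>[^\]\s]+)\]\s+by\s",
    re.IGNORECASE,
)


def _parse_ip(token):
    """Return an ip_address object for a bare IP string, else None."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def classify_helo(received, own_ips=()):
    """Classify the HELO argument: hostname, address-literal, ip, ip-own, unparsed."""
    m = RECEIVED_RE.match(received.strip())
    if m is None:
        return "unparsed"
    helo = m.group("helo")
    if helo.startswith("[") and helo.endswith("]"):
        # Bracketed literal: syntactically legal HELO, so keep it apart from bare IPs.
        return "address-literal" if _parse_ip(helo[1:-1]) is not None else "hostname"
    ip = _parse_ip(helo)
    if ip is None:
        # Includes names that merely start with digits, e.g. 203.0.113.77.dyn.example.net
        return "hostname"
    own = {ipaddress.ip_address(a) for a in own_ips}
    # A client greeting with the receiving server's own address is the case
    # the message singles out.
    return "ip-own" if ip in own else "ip"


def would_fail(received, own_ips=()):
    """Assumed HELOISIPX-style verdict: fail only on a bare IP in HELO."""
    return classify_helo(received, own_ips) in ("ip", "ip-own")


# First line is the one quoted in the message; the rest are constructed.
PAGE_LINE = "Received: from 12.107.134.252 [69.6.65.63] by mrpcap.com with ESMTP"
OWN_LINE = "Received: from 192.0.2.25 [203.0.113.77] by mail.example.org with ESMTP"
LITERAL_LINE = "Received: from [203.0.113.77] [203.0.113.77] by mail.example.org with ESMTP"
DYN_LINE = "Received: from 203.0.113.77.dyn.example.net [203.0.113.77] by mail.example.org with ESMTP"
HOST_LINE = "Received: from mail.example.net [198.51.100.4] by mail.example.org with ESMTP"

if __name__ == "__main__":
    for line in (PAGE_LINE, OWN_LINE, LITERAL_LINE, DYN_LINE, HOST_LINE):
        print(classify_helo(line, own_ips=["192.0.2.25"]), "<-", line)
```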


Re: [Declude.JunkMail] Whitelisting issue

2004-04-16 Thread System Administrator
on 4/16/04 8:39 AM, Kami Razvan wrote:

 I know this has been discussed in the past but I am not sure if any solution
 is available.
 
 If one person has [EMAIL PROTECTED] in the address book it appears that an email
 sent to this person and many others will be whitelisted for all.
 
 We have a situation that a person receives a lot of news emails and has
 whitelisted his address.  Now anything that is sent to this organization's
 info address (going to him and 3 others) is being whitelisted for everyone.
 Of course info address being one of the favorite addresses of spammers it is
 not helping the situation.
 
 If nothing can be done - may be one idea is to rethink the way whitelist
 works.

Add

BYPASSWHITELIST   bypasswhitelist  xx y   0  0

to your global.cfg file.

If a message weight exceeds xx and the message was sent to y or more
addresses the assigned action will take place. We use delete and have a line
in our $default$.JunkMail file(s) that is

BYPASSWHITELIST DELETE

Basically, this command lets the administrator have the final word as to
what should happen with a message. We use 40 and 2 for the values. If tom
wants everything whitelisted but dick, harry and joe don't then tom causes
the others to get spam (not good). The bypasswhitelist command, which isn't
listed on the junkmail page, but is on the release page, lets the admin
overrule tom, and depending upon the settings, causes none of them to get
the message. Tom won't miss his spam message and the others will never get
to see it.

Greg



Re: [Declude.JunkMail] Whitelisting issue

2004-04-16 Thread R. Scott Perry

If one person has [EMAIL PROTECTED] in the address book it 
appears that an email sent to this person and many others will be 
whitelisted for all.

Correct.

We have a situation that a person receives a lot of news emails and has 
whitelisted his address.  Now anything that is sent to this organization's 
info address (going to him and 3 others) is being whitelisted for 
everyone.  Of course info address being one of the favorite addresses of 
spammers it is not helping the situation.

If nothing can be done - may be one idea is to rethink the way whitelist 
works.

What if [EMAIL PROTECTED] simply means no action be taken so 
spam filters and tests are done but the action is not taken - then others 
without [EMAIL PROTECTED] can have the action taken on their 
emails.

The problem with that is that if someone else has the DELETE action, the 
E-mail will be deleted, yet the one recipient wanted it whitelisted.

There is, however, a bypasswhitelisting test that you can set up to help 
with this situation.  It can be defined with a line such as 
EMERGENCYBYPASS bypasswhitelisting 60 3 0 0.  The 60 refers to the weight 
the E-mail must reach, and the 3 refers to the minimum number of 
recipients.  In this case, it would attempt to bypass the whitelisting for 
E-mail with 3 or more recipients and a weight of 60 or higher.  This way, 
the more blatant spam will get blocked, even if it was whitelisted.

   -Scott


RE: [Declude.JunkMail] SURBL filter script

2004-04-16 Thread Andy Schmidt
Hi Markus:

I'm curious:

 All of this 24 messages are NDR's or Notifications send from  back
to the recipient.

Why did these NDRs contain a blocked URL?  Were they indeed wanted NDRs,
or were they NDRs for Spam that wasn't delivered, which happened to have one
of your users as the faked sender?

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Friday, April 16, 2004 04:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SURBL filter script



 It will take a day or two before the log analysis and test
 check scripts are available, since I must adjust them to 
 handle all log levels.

Here are my results from 04/15/2004

Processed messages: 9832

Hold as Spam:   4728  (48% of all messages)
Detected by SURBL:  2552  (54% of hold spam / 26% of all messages)

FP's from SURBL:  24
All of this 24 messages are NDR's or Notifications send from  back to
the recipient. None of this SURBL false positives has caused a message to
reach the hold weight and so become a real FP.

95% of all spam messages catched by SURBL has already reached a weight 
200% of our hold weight. So inserting a initial SKIPIFWEIGHT should
significantly save resources.

Excellent test!

Markus



Re: [Declude.JunkMail] Updated SURBL filter script

2004-04-16 Thread Scott Fisher
As for the maxweight, perhaps someone can do it better, but this works for me:

In the variables section add:
set V_Maxweight=20

In the code after
if not "%v_weight%"=="" echo SKIPIFWEIGHT %v_weight% >> surbl.filter.tmp
add:
if not "%v_maxweight%"=="" echo MAXWEIGHT %v_maxweight% >> surbl.filter.tmp

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 04/16/04 12:25AM 
Roger,

Thanks for the fine work.  I finally got around to setting this up after 
figuring out that it wasn't thousands of URL's long and my server seems 
to be handling it well enough for now.

I have two suggestions for the script.

1) Add a MAXWEIGHT variable.  If you score each line at say 4 points and 
set the MAXWEIGHT to 4, then the filter will stop processing on the 
first hit and save resources.  I tried playing around with this to get 
it to work, but I'm totally clueless when it comes to batch file 
programming and I think I was hitting some sort of a reserved word.

2) Add the ability to remove listings contained in a text file (an 
exclude list).  From looking over the current list of domains, there are 
the following:
- norton.com
- webhosting.yahoo.com

These were probably in spam, but they are not unique to spam.  I also 
found an entry for pe.kg in the list which doesn't resolve and seems 
like it was probably from a parsing error.  A list of top sites from a 
page linked to from the project's site shows that yahoo.com is one of 
the most frequently spamvertised domains, though this is clearly not 
listed in this file due to an exception on their end.

This type of test is definitely very vulnerable to pollution and it 
would be great to have a way to detect such problems and add them to a 
list for exclusion.

Long-term this is best suited for a DNS lookup due to various 
limitations of doing a contains filter, but for now, it seems to be 
working very well at adding points to things that are coming in below my 
drop weight, in fact it might very well be tagging the majority of what 
is scoring in my Hold level and pushing it over the top.

Matt






Roger Eriksson wrote:

 Hi,

 The SURBL filter script has been updated and should now run under both 
 Windows NT 4 and Windows 2000. The updated script can be downloaded at 
 http://www.botany.gu.se/download/decludescript/SURBL_filter.zip.

 Those of you that downloaded the previous version and use it on 
 Windows 2000 don't need to update.

 /Roger



-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/ 
=



RE: [Declude.JunkMail] SURBL filter script

2004-04-16 Thread Scott Fisher
My results from a business setting are very positive also.

294 hits.
292 SPAM
2 NotSpam (both from the declude mailing list hitting on webhosting.yahoo.com)

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 04/16/04 03:25AM 

 It will take a day or two before the log analysis and test 
 check scripts are available, since I must adjust them to 
 handle all log levels.

Here are my results from 04/15/2004

Processed messages: 9832

Hold as Spam:   4728  (48% of all messages)
Detected by SURBL:  2552  (54% of hold spam / 26% of all messages)

FP's from SURBL:  24
All of this 24 messages are NDR's or Notifications send from  back to
the recipient.
None of this SURBL false positives has caused a message to reach the hold
weight and so become a real FP.

95% of all spam messages catched by SURBL has already reached a weight 
200% of our hold weight. So inserting a initial SKIPIFWEIGHT should
significantly save resources.

Excellent test!

Markus



RE: [Declude.JunkMail] why does this fail the spam domains test?

2004-04-16 Thread Colbeck, Andrew
Dave, allow me to butt in here with the late night reply and say yes, your
interpretation is exactly right for all 3 of your examples.

And let me also add that clarity certainly does help, for example I saw a
weird false positive and chuckled over it.

I had a sd.txt that listed:

mac.com   apple.com

The false positive occurred when a message from [EMAIL PROTECTED] didn't
have a suitable revdns, and certainly didn't match apple.com either!  So now
I have:

.mac.com apple.com
@mac.com apple.com

Andrew 8)

-Original Message-
From: Dave Doherty [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 16, 2004 12:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?


Hi Matt-

Thanks for the explanation. Let me feed back to you what I think you said.

yahoo.com
would require that all possible REVDNS entries contain yahoo.com so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com, abcyahoo.com or abc.yahoo.com.hk, but not yahoo.ca

@yahoo.com   yahoo.com
would require that all possible REVDNS entries end in yahoo.com so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com or abcyahoo.com, but not abc.yahoo.com.hk, or yahoo.ca

.yahoo.com   yahoo.com
would require that all possible REVDNS entries end in .yahoo.com so a
message would pass the test if the REVDNS of its originating IP was
abc.yahoo.com but not abc.yahoo.com.hk or yahoo.ca


Is this right?

-d



- Original Message - 
From: Matt
To: [EMAIL PROTECTED]
Sent: Friday, April 16, 2004 1:46 AM
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?


Dave,

It works like two different CONTAINS filters.

It takes the value in the first column, and if the MAILFROM contains the
string, then it checks both columns against the REVDNS entry to see if
either one matches.  Since the first column has an @ symbol in it, that will
never match, and the only possible match would be in the second column as a
REVDNS CONTAINS type of match.

If you only have one entry per line, then both the MAILFROM and REVDNS will
need to contain that string.

Using an @ symbol in the first column isn't a requirement, and it's only
appropriate for domains with one possible REVDNS value since the first
column can't match leaving only one string to match on.  The reason for
putting it in there is because of some uses of VERP which can include
addresses within the MAILFROM before the @ symbol, especially with domains
like att.net which allow for forwarding.  It also prevents matches on
partial domains from occurring, though that would generally be rare.  I opt
to use the @ symbol in the first column when I only know of one legit REVDNS
domain, and I leave it off when there are two, and I omit the domain from
the list when there are three or more possible REVDNS matches.

Hope this helps.

Matt




Dave Doherty wrote:

Scott-

I think that I may misunderstand SPAMDOMAINS.

From the manual:

This test will catch E-mail that is not coming from a mailserver that it
should be coming from. This test will only work if you set up a file listing
domains that you wish to be included in this test. Specifically, it will
check the return address of the E-mail, and then check to see if the reverse
DNS entry of the IP that the E-mail was sent from contains the domain name.
If not, the E-mail fails the test. For example, if hotmail.com is listed
in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from
law2.hotmail.com would not fail the test, but an E-mail from
mail.example.ru would fail the test.

Taking the lead from that description, my SPAMDOMAINS file consists of a
simple list of domains, one to a line, like this:

ebay.com
aol.com

Yet every example I have seen on this subject the past few days shows two
domains per line like this:

@juno.com    .untd.com

How is this supposed to work?

-Dave





- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 4:42 PM
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?



Can anyone explain why this message would fail the spamdomains test?


Here is the spamdomains entry:

@juno.com    .untd.com

The key here is the reverse DNS entry -- do you have the full headers for
the E-mail?  Although the IMail log file shows the IP address, it is
possible that Declude JunkMail may have used a different IP, which would
be reflected in the headers.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus

(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  
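
The two-step CONTAINS matching Matt describes above, modelled in Python as an added example (it is not Declude's code and not part of any message in the thread). Whitespace-separated columns, case-insensitive matching, the function names and the hostnames out1.untd.com and lists.example.org are assumptions made for the example; the yahoo.com hostnames are the ones Dave lists.

```python
# Added example: a model of the SPAMDOMAINS matching described in the thread.
# It is not Declude's implementation; names and sample data are constructed.


def parse_spamdomains(text):
    """Parse spamdomains.txt-style lines into (first, second) column pairs.

    Assumption: columns are separated by whitespace; blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        cols = raw.split()
        if not cols:
            continue
        first = cols[0].lower()
        second = cols[1].lower() if len(cols) > 1 else None
        entries.append((first, second))
    return entries


def spamdomains_result(entries, mailfrom, revdns):
    """Return 'not-listed', 'pass' or 'fail' for one message.

    Step 1: an entry applies when MAILFROM contains its first column.
    Step 2: the message passes when REVDNS contains either column of an
            applicable entry (plain substring match, like a CONTAINS filter).
    Assumptions: matching is case-insensitive, and one matching applicable
    entry is enough to pass.
    """
    mailfrom, revdns = mailfrom.lower(), revdns.lower()
    applicable = [e for e in entries if e[0] in mailfrom]
    if not applicable:
        return "not-listed"
    for first, second in applicable:
        if first in revdns or (second is not None and second in revdns):
            return "pass"
    return "fail"


# Constructed sample files.
ONE_COLUMN = parse_spamdomains("yahoo.com\natt.net\n")
TWO_COLUMN = parse_spamdomains("@juno.com\t.untd.com\n@att.net\t.att.net\n")

# Constructed VERP-style return address: the recipient's address is embedded
# before the @ sign, so "att.net" appears in MAILFROM without being the
# sender's domain.
VERP_SENDER = "bounce-user=att.net@lists.example.org"


def demo():
    """Run the cases discussed in the thread and return (label, result) rows."""
    rows = []
    # Substring matching on REVDNS: only yahoo.ca lacks the string "yahoo.com".
    for revdns in ("abc.yahoo.com", "abcyahoo.com", "abc.yahoo.com.hk", "yahoo.ca"):
        rows.append((revdns, spamdomains_result(ONE_COLUMN, "user@yahoo.com", revdns)))
    # Without the @, the VERP address triggers the att.net entry and fails.
    rows.append(("verp, one column",
                 spamdomains_result(ONE_COLUMN, VERP_SENDER, "lists.example.org")))
    # With the @, the entry does not apply to the VERP address at all.
    rows.append(("verp, two columns",
                 spamdomains_result(TWO_COLUMN, VERP_SENDER, "lists.example.org")))
    # "@juno.com" can never occur in REVDNS, so only ".untd.com" can match.
    rows.append(("juno via untd.com",
                 spamdomains_result(TWO_COLUMN, "user@juno.com", "out1.untd.com")))
    rows.append(("juno via other host",
                 spamdomains_result(TWO_COLUMN, "user@juno.com", "mail.example.ru")))
    return rows


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:20} {result}")
```

Because the REVDNS comparison is a substring match, abcyahoo.com and abc.yahoo.com.hk pass a plain yahoo.com entry in this model, which is worth keeping in mind when deciding how much weight the test carries.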

Re: [Declude.JunkMail] Updated SURBL filter script

2004-04-16 Thread Roger Eriksson
I will update the script so that it can handle both maxweight and an 
optional exclude file.

I don't think that a variable for setting the weight of rows/entries 
different from the maxweight is necessary, since the purpose is to 
stop processing at a match, so the maxweight option would set the 
row/entry weight to the same value as the maxweight.

Scott, what will happen if all entries in a filter file have the 
weight 0 and I use MAXWEIGHT 0? Will the processing stop immediately 
or at the first match?

/Roger


As for the maxweight, perhaps someone can do it better, but this works for me:

In the variables section add:
set V_Maxweight=20
In the code after if not %v_weight%== echo SKIPIFWEIGHT 
%v_weight% surbl.filter.tmp
add:
if not %v_maxweight%== echo MAXWEIGHT %v_maxweight% surbl.filter.tmp

Scott Fisher
Director of IT
Farm Progress Companies
 [EMAIL PROTECTED] 04/16/04 12:25AM 
Roger,

Thanks for the fine work.  I finally got around to setting this up after
figuring out that it wasn't thousands of URL's long and my server seems
to be handling it well enough for now.
I have two suggestions for the script.

1) Add a MAXWEIGHT variable.  If you score each line at say 4 points and
set the MAXWEIGHT to 4, then the filter will stop processing on the
first hit and save resources.  I tried playing around with this to get
it to work, but I'm totally clueless when it comes to batch file
programming and I think I was hitting some sort of a reserved word.
2) Add the ability to remove listings contained in a text file (an
exclude list).  From looking over the current list of domains, there are
the following:
- norton.com
- webhosting.yahoo.com
These were probably in spam, but they are not unique to spam.  I also
found an entry for pe.kg in the list which doesn't resolve and seems
like it was probably from a parsing error.  A list of top sites from a
page linked to from the project's site shows that yahoo.com is one of
the most frequently spamvertised domains, though this is clearly not
listed in this file due to an exception on their end.
This type of test is definitely very vulnerable to pollution and it
would be great to have a way to detect such problems and add them to a
list for exclusion.
Long-term this is best suited for a DNS lookup due to various
limitations of doing a contains filter, but for now, it seems to be
working very well at adding points to things that are coming in below my
drop weight, in fact it might very well be tagging the majority of what
is scoring in my Hold level and pushing it over the top.
Matt

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SURBL filter script

2004-04-16 Thread Markus Gufler

 I'm curious:

I'm too  ;-)


 Why did these NDRs contain a blocked URL?  Were they indeed 
 wanted NDRs, or were they NDRs for Spam that wasn't 
 delivered, which happened to have one of your users as the 
 faked sender?

After searching through the logfiles I've discovered that these messages are
NDRs or Notifications from other mailservers (Exchange, ...) that are in
use on customers side as in-house mailserver. These MTAs are using our
Mailserver as smart host/gateway.

Talking with one of these customers I've discovered that they're retrieving
also messages from another (old) mailbox.
So I assume these NDRs contain part of the original body and so also some
blacklisted URLs.

Markus






RE: [Declude.JunkMail] Updating Global.CFG

2004-04-16 Thread Chuck Schick
I guess I was not clear.  I know that SMTP Auth works in IMAIL versions but
my question was does it work in declude for all versions of Imail.  Or more
Clearly -

Does the Whitelist AUTH function in Declude work with all versions of
IMAIL - I thought I read that this Declude feature only works with IMAIL 8.
Clarification would be appreciated.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Mike Hyslip
 Sent: Thursday, April 15, 2004 2:25 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Updating Global.CFG


 There's a checkbox under the properties of the SMTP service,
 something about
 disabling the AUTH function.  This was on 7.x I am pretty sure, probably
 supported for quite some time.

 The introduction into declude I believe has been much more recent.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
 Sent: Thursday, April 15, 2004 4:18 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Updating Global.CFG

 Doesn't that only work with Imail 8.x and not the earlier versions.  I got
 the impression somewhere, sometime.

 Chuck Schick
 Warp 8, Inc.
 303-421-5140
 www.warp8.com


  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Mike Hyslip
  Sent: Thursday, April 15, 2004 8:22 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Updating Global.CFG
 
 
  It is for user SMTP authentication.  To bypass relay settings and show
  you're really a user of the server when sending an email (so
 you can relay
  while off the local network) - since you're an authenticated
 user, you can
  choose to whitelist any emails from that particular session.
 
  Mike
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze -
  Hostmaster
  Sent: Thursday, April 15, 2004 10:15 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Updating Global.CFG
 
  Hello,
  I'm also updating my Global.CFG file and noticed something new.
  What is WHITELIST AUTH?  I checked the online manual, but
 there's nothing
  listed for it.  There's an entry for WHITELIST HABEAS, but not AUTH.
  Thanks..
 
 


Re: [Declude.JunkMail] Updated SURBL filter script

2004-04-16 Thread Roger Eriksson
I just tested this and the answer is that the processing will stop immediately.

/Roger



Scott, what will happen if all entries in a filter file have the
weight 0 and I use MAXWEIGHT 0? Will the processing stop immediately
or at the first match?
/Roger
--
--
Roger Eriksson
Botanical Institute, Göteborg University
Box 461, SE 405 30 Göteborg, Sweden
Visiting/delivery address:
Carl Skottsbergs Gata 22 B, SE 413 19 Göteborg, Sweden
Phone: +46 31 7732666   Fax: +46 31 7732677
http://www2.botany.gu.se/staff/rogeri/welcome.html


RE: [Declude.JunkMail] ARGOLINKs SPAM Graph

2004-04-16 Thread Charles Frolick
For the record, it does not read the whole log unless you are not running it
regularly, it writes the last read position to a file and seeks to that
position on the next gather. If run regularly using scheduler, it wasn't
that bad of a process hog on my old single proc system.  I have not set it
up on my new server yet, but since, I am building an even bigger replacement
for that one, I may get it running again, besides I need to look at the new
LOG format, make it work with the summaries.

Thanks,
Chuck Frolick
ArgoLink.net 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Wednesday, April 14, 2004 10:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] ARGOLINKs SPAM Graph

Terry, 

I originally looked at the argolink spam graph, but as the doc's mentioned it
goes through the full log file from beginning to end.  Our log files are
big, but it would tie up the cpu for a bit ~10-15 minutes. 

We just finished a separate program that can be used with MRTG to graph
junkmail stats.  The program is done and I am using it.  I just have to
package it up and write some small doc's on it.  I am in the process of
finishing up the program that can be used to link Imail to MRTG as well.  
Both will be made available for free shortly. 

I will send a note out when everything is posted on our site.. 

Darrell 

Terry Parks writes: 

 OT, A little, any body got it going? I got it to display just the page 
 with the word GRAPH on it. Using Windows 2003.
 
 


 
Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail
Logs - http://www.invariantsystems.com 



RE: [Declude.JunkMail] Updating Global.CFG

2004-04-16 Thread John Tolmachoff \(Lists\)
Yes, it only works with Imail versions 8.x and above. That is when Imail
added an indicator in the Q file to show that the sender authenticated to
Imail.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Chuck Schick
 Sent: Friday, April 16, 2004 8:06 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Updating Global.CFG
 
 I guess I was not clear.  I know that SMTP Auth works in IMAIL versions
but
 my question was does it work in declude for all versions of Imail.  Or
more
 Clearly -
 
 Does the Whitelist AUTH function in Declude work with all versions of
 IMAIL - I thought I read that this Declude feature only works with IMAIL
8.
 Clarification would be appreciated.
 
 Chuck Schick
 Warp 8, Inc.
 303-421-5140
 www.warp8.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Mike Hyslip
  Sent: Thursday, April 15, 2004 2:25 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Updating Global.CFG
 
 
  There's a checkbox under the properties of the SMTP service,
  something about
  disabling the AUTH function.  This was on 7.x I am pretty sure, probably
  supported for quite some time.
 
  The introduction into declude I believe has been much more recent.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
  Sent: Thursday, April 15, 2004 4:18 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Updating Global.CFG
 
  Doesn't that only work with Imail 8.x and not the earlier versions.  I
got
  the impression somewhere, sometime.
 
  Chuck Schick
  Warp 8, Inc.
  303-421-5140
  www.warp8.com
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of Mike Hyslip
   Sent: Thursday, April 15, 2004 8:22 AM
   To: [EMAIL PROTECTED]
   Subject: RE: [Declude.JunkMail] Updating Global.CFG
  
  
   It is for user SMTP authentication.  To bypass relay settings and show
   you're really a user of the server when sending an email (so
  you can relay
   while off the local network) - since you're an authenticated
  user, you can
   choose to whitelist any emails from that particular session.
  
   Mike
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze -
   Hostmaster
   Sent: Thursday, April 15, 2004 10:15 AM
   To: [EMAIL PROTECTED]
   Subject: [Declude.JunkMail] Updating Global.CFG
  
   Hello,
 I'm also updating my Global.CFG file and noticed something new.
   What is WHITELIST AUTH?  I checked the online manual, but
  there's nothing
   listed for it.  There's an entry for WHITELIST HABEAS, but not AUTH.
 Thanks..
  
  


[Declude.JunkMail] WHITELISTFILE problems

2004-04-16 Thread Ryan Carmelo Briones
I've been wanting to use WHITELISTFILE for a while now to do per-domain whitelists since we're using per-domain/per-user settings now ( I'm obsessive, what can I say ), and week provided a very obtuse way of allowing me to do so. So, as the instructions say in the manual ( using Declude 1.75 ), I started out by trying to put the WHITELISTFILE in my declude\domain.com\$default$.junkmail and waited for the emails to start coming through ( the whitelist file was properly formatted, btw ). Checked the mailheaders, no Whitelisted[0]. So then I tried GLOBAL.cfg which yielded nothing ( and rightfully so, according to the manual ), and my declude\$default$.junkmail which had the same results. I've tried every combination of things I can think of. Putting the addresses as WHITELIST TO in GLOBAL.cfg works. Am I missing something important about WHITELISTFILE? Thanks for your time.



RE: [Declude.JunkMail] New test = EHLOFILTER

2004-04-16 Thread Markus Gufler

 I created this because I see quite a few messages that use an 
 IP for the HELO, (and often it is MY mail server's IP).  I 
 have never, ever, not once seen such a message that wasn't 
 spam, so on my system that test will be weighted quite heavily.

No other MTA should connect to your MTA using your MTA's IP as HELO string.
I don't know if there is any reason to connect with any other IP-address as
HELO-string.

Several people have set up a filter file containing 

HELO 0 CONTAINS [your.servers.ip.address]

Now add this filter file to your global.cfg file and assign a very high
weight.
My EHLOFILTER catches 4% of all processed messages without any false
positive (looking back the last 50 days)

Most spam (~99%) failing this test has already reached a final weight  200%
of our hold weight. But anything going over 200% helps to decrease our
operators review work.

Markus





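
The HELO check discussed in this message, as an added Python example (not code from the thread and not Declude's filter engine). It parses the HELO argument as an address instead of doing a substring comparison, and shows where a plain substring match on the IP text would also hit other values. The documentation address 192.0.2.1 stands in for the receiving server's own IP, and all function names and sample HELO strings are constructed.

```python
# Added example: classify HELO/EHLO arguments the way the EHLOFILTER idea
# intends, and compare with a naive substring test. Sample data is constructed.
import ipaddress


def helo_ip(helo):
    """Return the IP address a HELO argument consists of, or None for a name.

    Accepts a bare address ("192.0.2.1"), an SMTP address literal
    ("[192.0.2.1]") and the IPv6 literal form ("[IPv6:2001:db8::1]").
    """
    s = helo.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
        if s.lower().startswith("ipv6:"):
            s = s[5:]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def classify_helo(helo, own_ips):
    """Return 'own-ip', 'other-ip' or 'hostname' for one HELO argument."""
    ip = helo_ip(helo)
    if ip is None:
        return "hostname"
    return "own-ip" if ip in own_ips else "other-ip"


def substring_match(helo, own_ip_text):
    """What a plain substring comparison on the IP text would report."""
    return own_ip_text in helo


# Assumption: the receiving server's own address (documentation range).
OWN_IPS = {ipaddress.ip_address("192.0.2.1")}

# Constructed HELO arguments.
SAMPLE_HELOS = [
    "[192.0.2.1]",                     # the server's own IP as a literal
    "192.0.2.1",                       # the same without brackets
    "[192.0.2.10]",                    # a different IP that shares the prefix
    "mail-192.0.2.1.dyn.example.net",  # a hostname embedding the digits
    "mail.example.net",                # an ordinary hostname
]


def demo():
    """Return (helo, classification, substring_hit) for each sample."""
    return [
        (h, classify_helo(h, OWN_IPS), substring_match(h, "192.0.2.1"))
        for h in SAMPLE_HELOS
    ]


if __name__ == "__main__":
    for helo, kind, hit in demo():
        print(f"{helo:34} {kind:9} substring={hit}")
```

In this model the substring test also fires on [192.0.2.10] and on the hostname that embeds the digits, so an exact comparison is the safer basis for a heavily weighted test.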


Re: [Declude.JunkMail] WHITELISTFILE problems

2004-04-16 Thread R. Lee Heath
Reply to: Ryan Carmelo Briones
  Re: [Declude.JunkMail] WHITELISTFILE problems on Friday 10:24:44 AM

We also see this working intermittently here, so we are a bit
confused. We are wondering if we have the general format wrong?

[EMAIL PROTECTED]
@news.intelligententerprise.com
.intelligententerprise.com
pottersschool.org

and line in $default$.junkmail is:

WHITELISTFILE C:\IMail\Declude\filters\emailwhite.txt

We just do not know why we see it working sometimes and other times
it doesn't???

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


- Copy of Original Message(s): -

RCB I've been wanting to use WHITELISTFILE for a while now to
RCB do per-domain whitelists since we're using per-domain/per-user
RCB settings now ( I'm obsessive, what can I say ), and week provided
RCB a very obtuse way of allowing me to do so. So, as the
RCB instructions say in the manual ( using Declude 1.75 ), I started
RCB out by trying to put the WHITELISTFILE in my
RCB declude\domain.com\$default$.junkmail and waited for the emails
RCB to start coming through ( the whitelist file was properly
RCB formatted, btw ). Checked the mailheaders, no Whitelisted[0]. So
RCB then I tried GLOBAL.cfg which yielded nothing ( and rightfully
RCB so, according to the manual ), and my declude\$default$.junkmail
RCB which had the same results. I've tried every combination of
RCB things I can think of. Putting the addresses as WHITELIST TO in
RCB GLOBAL.cfg works. Am I missing something important about
RCB WHITELISTFILE? Thanks for your time.




[Declude.JunkMail] SBL-XBL Question

2004-04-16 Thread Scott Fisher
I see that the Spamhaus XBL returns values 127.0.0.4-6.

I'm currently using 127.0.0.4.
Can anyone tell me what return values 127.0.0.5 and 127.0.0.6 refer to?

Scott Fisher
Director of IT
Farm Progress Companies



RE: [Declude.JunkMail] Spamdomains.txt file

2004-04-16 Thread Jeff Maze - Hostmaster
Anyone? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze -
Hostmaster
Sent: Friday, April 16, 2004 8:26 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spamdomains.txt file

Hello,
I think I'm going to implement the spam domains tests.  Anyone have
a file they would like to share that works well for them?




RE: [Declude.JunkMail] Ipfile.txt

2004-04-16 Thread Jeff Maze - Hostmaster
One other thing.. If there are changes made to the ipfile.txt file, does the
SMTP server need to be restarted for Declude to see and use these changes? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, April 15, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Ipfile.txt


 In the global.cfg file I would enter the following entry:

IPTEST  ipfile C:\IMail\Declude\ipfile.txt x 10 0

 And then in the $default$.junkmail file, I would enter the 
following
entry:

IPTEST  ROUTETO [EMAIL PROTECTED]   (or whatever I want)

 This appear as being correct, right?

That looks good to me.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Ipfile.txt

2004-04-16 Thread R. Scott Perry

One other thing.. If there are changes made to the ipfile.txt file, does the
SMTP server need to be restarted for Declude to see and use these changes?
No; any changes to Declude config files are reflected immediately upon 
saving the file.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] New test = EHLOFILTER

2004-04-16 Thread Bud Durland
Markus Gufler wrote:

No other MTA should connect to your MTA using your MTA's IP as HELO string.
I don't know if there is any reason to connect with any other IP-address as
HELO-string.
 

My thinking exactly

Several people have set up a filter file containing 

HELO 0 CONTAINS [your.servers.ip.address]

Now add this filter file to your global.cfg file and assign a very high
weight.
 

If I had Declude JM Pro, I probably would. I only have Standard, so no 
filters..

--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---


Re: [Declude.JunkMail] tricks for dealing with null senders?

2004-04-16 Thread Dave Doherty
You mean as a mailbox name instead of an alias? Good question. I don't know
whether it would retain its wildcard capabilities or not, never tried it.

-Dave

- Original Message - 
From: Robert [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 4:59 PM
Subject: Re: [Declude.JunkMail] tricks for dealing with null senders?


  Delete the nobody alias if it's present. That will let Imail reject
  misaddressed messages before it processes them. This is way more
 efficient,
  and it should cut down on your processor and disk activity quite a lot.

 What if nobody is a real address?

 Robert


 - Original Message -
 From: Dave Doherty [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, April 15, 2004 3:14 PM
 Subject: Re: [Declude.JunkMail] tricks for dealing with null senders?


  Hi Royce-
 
  Sounds like you've got a few things going on there. Understand, I'm on
  version 8.05 now, so your mileage may vary. I'll try to keep it the
 basics.
 
  First off, it sounds to me like you have too much stuff in your spool
  directory.
 
  I suggest that you zip your older log files and move them out of the
spool
  directory.
 
  You should be able to delete all spool files older than one or two days
if
  you use normal SMTP retry settings like ten attempts half an hour apart.
 
  How large are the attachment files? They may be stuck in the queue
because
  they were never delivered. That can happen if they are large,
particularly
  larger than 2MB.
 
  If you have no lists, you should not have an imailsrv alias. Delete that
 if
  it's present.
 
  Delete the nobody alias if it's present. That will let Imail reject
  misaddressed messages before it processes them. This is way more
 efficient,
  and it should cut down on your processor and disk activity quite a lot.
 
  Maybe others here have more / better suggestions.
 
  -Dave Doherty
   Skywaves, Inc.
 
 
 
  - Original Message -
  From: Royce Burnett [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Thursday, April 15, 2004 11:06 AM
  Subject: Re: [Declude.JunkMail] tricks for dealing with null senders?
 
 
   Hi Dave,
   thanks for the response.
  
   I'm not sure of the mechanics of rejection, all I did to stop this for
 now
   was to check the reject null senders box in smtp security. Please
   understand that I'm just a guy who got stuck with this job, and 90% of
 the
   conversation in this list is over my head :D
  
   Originally this iwebmsg power consumption was happening by means of
null
   senders sending messages to imailsrv which was generating tons of
 illegal
   list commands in the log, I got around this by renaming imailsrv.exe
to
   something else which got the log files down to 4 or 5 mbs a day
instead
 of
   70 or 80. We don't have any need for the imailsrv function, so I
thought
   what the heck... This lasted for a few weeks, but now it's happening
  again,
   although not to the same extent. I was previously getting somewhere
 around
   170,000 of these a day. I'm seeing that a few of them are now starting
 to
   send to listserv.
  
   The log files are now at around 7 or 8 mbs, I'm getting about 2000 of
  these
   null senders a day now, which really shouldn't bother. I do have a
 number
   of tmp files in the spool directory which I wasn't getting before I
  renamed
   the imailsrv.exe, strangely these tmp files don't look as though they
 are
   related to any attempt to send a message to imailsrv. Weird.
   Another thing that is goofy is that I have a couple of users whose
   attachments seem to stay in the spool directory for ever and ever, is
 that
   normal for a user that pretty much exclusively uses the web mail
 function?
   spool directory size is usually about 60 or 70 mbs, with about 100 or
 150
   files in it. I usually keep about a months worth of logs in the spool.
  
   any suggestions? i'm waiting to get a bunch of postmaster messages
from
   rfc-ignorant while i have things set this way.
  
   cheers
   Royce
  
  
  
   At 10:11 PM 14/04/2004 -0400, you wrote:
   Hi Royce-
   
   How are you rejecting the messages? Do you use a nobody alias with an
   autoresponse, or do you just let Imail return the standard error message?
   Any idea how many you're getting?

   It seems odd that this would affect iwebmsg.  Look for another problem
   somewhere. How many files do you have in your spool directory?
   
   -Dave
   
   
   
   - Original Message -
   From: Royce Burnett [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Wednesday, April 14, 2004 3:43 PM
   Subject: [Declude.JunkMail] tricks for dealing with null senders?
   
   
Using Imail 6.05, and Declude 1.79 beta on NT4.0
   
   
I've had a spate of crud flowing in the last week or so from
@variousaddresses addressed to [EMAIL PROTECTED], which of course get turned
away as the addressee is unknown to my mail server. Unfortunately there
seems to be such a flood of the damned things 

[Declude.JunkMail] OT: Cosmic 419er lost in space

2004-04-16 Thread Colbeck, Andrew
http://www.theregister.co.uk/2004/04/16/cosmic_419er/

A little levity for Friday.

Andrew 8)
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] [Declude.Virus] Scott, what do you use to generate this report

2004-04-16 Thread Dave Doherty
Hi, Bill-

I've been trying to use the latest download and I can't figure out what's
wrong. I provide complete paths to the log file and global.cfg. The program
lists the tests that are available, then issues a few 0's. After a while it
gives me a blank report.

LOGLEVEL is set to MID

Any suggestions?

-Dave



- Original Message - 
From: Bill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, April 14, 2004 12:43 PM
Subject: RE: [Declude.JunkMail] [Declude.Virus] Scott, what do you use to
generate this report



 I have been using this program for months with no problem but you guys
 managed to break it in a matter of hours. :)

 I guess that I should have called it a BETA release!  Anyway, that's
 what I call it now (v1.4B).  I have fixed the problems that you have
 pointed out to me and have added the following:

 1) The output file (wamlog.txt) goes in the same folder as the log file.
 2) There is a progress counter so you know it is working.

 If you find any more problems PLEASE let me know.

 Thanks,
 Bill

 The new version is as of 11:40 am CDT 4/14/04.

 www.wamusa.com/wamtools

 
  Hi,
 
  I have a utility to do a quick analysis of my decMMDD.log
  file to discover test effectiveness.  If anyone would like to
  use it, I have it
  available for free from my website:  http://www.wamusa.com/wamtools
 
  The program is designed for LOGLEVEL MID but it may work for
  other levels.  My system analyzed this 120Mb decMMDD.log in
  less than one minute.  This is a sample output:
 
 
                      Message          Recipient
  Test Name       Fail Count    %   Fail Count    %

  WEIGHT10            116362   96       169684   96
  SNIFFER2            114790   94       167322   95
  WEIGHT15            112700   93       165299   94
  WEIGHT20            108443   89       159758   91
  WEIGHTDEL           108443   89       159758   91
  SPAMCOP              84740   70       129602   73
  SBL                  52552   43        53879   30
  AHBL                 48506   40        57094   32
  CBL                  46445   38        89827   51
  DSBL                 39527   32        77743   44
  SORBS-DUHL           29673   24        58427   33
  REVDNS               28996   23        41544   23
  BADHEADERS           27493   22        34922   19
  SORBS-SPAM           25119   20        27995   15
  NOPOSTMASTER         22488   18        46530   26
  NOABUSE              21746   17        42732   24
  SPAMHEADERS          19613   16        20587   11
  SPAM-DOMAINS         15263   12        33776   19
  ROUTING              12041    9        25060   14
  FOREIGN              10098    8        16330    9
  GIBBERISH             9072    7         9932    5
  DSN                   8484    7        13755    7
  SORBS-HTTP            6584    5        12459    7
  SORBS-SOCKS           6508    5        12697    7
  SPFFAIL               4954    4         6527    3
  BLITZEDALL            3350    2         5991    3
  BASE64                2252    1         2956    1
  MAILFROM              1684    1         2841    1
  COMMENTS              1328    1         2056    1
  MYFILTERFAIL          1159    0         1723    0
  WAMO                   585    0          609    0
  MYFILTERPASS           512    0         1239    0
  SORBS-MISC             504    0          923    0
  SORBS-SMTP             445    0         1132    0
  OBFUSCATION            360    0          457    0
  ORDB                   316    0          654    0
  SORBS-WEB              316    0          514    0
  SORBS-ZOMBIE           280    0          280    0
  SPFPASS                208    0          234    0
  BONDEDSENDER            62    0           62    0
  @LINKED                 10    0           14    0
  HABEAS                   4    0            4    0
  WAMCHECK                 1    0            2    0

  Message Count       120934            175163



RE: [Declude.JunkMail] [Declude.Virus] Scott, what do you use to generate this report

2004-04-16 Thread Goran Jovanovic
I simply copied a current DEC.log file into the directory I create
for WAMLOG and ran 

Wamlog dec0416.log

And it produced a file wamlog.txt in the same directory


 
 Goran Jovanovic
 The LAN Shoppe

 


RE: [Declude.JunkMail] SURBL filter script

2004-04-16 Thread Goran Jovanovic
Roger,

I just downloaded the script and got it to update. Thank you.

I looked through the messages on the list but I could not find what is
the suggested weight for this test. Any suggestions? I am currently
marking SPAM at 10 and seeing how that goes. I would like to start
deleting at 20 or so. I figure I will need the following command in
GLOBAL.CFG but I am not sure what to use for weight. 

SURBL   filter   D:\IMail\Declude\SURBL\surbl.txt   x   0   0

The filter has 0 on each line so this means to me that if it trips on
any line it will return a 0 to the processing engine and that will get
added to the x in the line above.

Suggestions would be appreciated.

Thanx
 
 Goran Jovanovic
 The LAN Shoppe

 



RE: [Declude.JunkMail] SBL-XBL Question

2004-04-16 Thread Colbeck, Andrew
Not surprising that you missed this one, based on the subject line:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg17684.html

Sorry if this has already been answered here.  My inbound messages on this
list have been highly out of sort order.

Andrew 8)

-Original Message-
From: Scott Fisher [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 16, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SBL-XBL Question


I see that the Spamhaus XBL returns values 127.0.0.4-6.

I'm currently using 127.0.0.4.
Can anyone tell me what return values 127.0.0.5 and 127.0.0.6 refer to?

Scott Fisher
Director of IT
Farm Progress Companies



RE: [Declude.JunkMail] SURBL filter script

2004-04-16 Thread Markus Gufler

 I looked through the messages on the list but I could not 
 find what is the suggested weight for this test. Any 
 suggestions? 

I can see that SURBL has the same efficiency as CBL, DSBL or XBL-DYNA. So
maybe you can use the same weight as for these tests.
At the moment I use a weight corresponding to 35% of our HOLD/DELETE weight
but as this test is fairly new we have to test it for some additional
days/week.

Markus





RE: [Declude.JunkMail] OT: Cosmic 419er lost in space

2004-04-16 Thread Todd Holt
I say let him pay for the transgressions of his brethren in Lagos! ;)

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
702.319.4349
www.xidix.com
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, April 16, 2004 1:20 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] OT: Cosmic 419er lost in space

http://www.theregister.co.uk/2004/04/16/cosmic_419er/

A little levity for Friday.

Andrew 8)


RE: [Declude.JunkMail] OT: Cosmic 419er lost in space

2004-04-16 Thread Markus Gufler

 http://www.theregister.co.uk/2004/04/16/cosmic_419er/

In the current edition of c't (German computer magazine) is an article about
scambaiters
http://www.craigscrap.co.uk/scam/scam.pdf (German)

People answering to fraud emails and involving the swindlers in email
dialogs for several weeks and months. They show interest and let the
swindlers do strange things.

For example they announce the arrival on the Lagos airport (Nigeria) under
the name Gillian Anderson (you know it from X-Files) The swindler should
wait on the airport entrance with a card showing I love fags, and bring
Mrs. Anderson and his 80.000 USD bag to the suite in the Sheraton hotel
(booked by the swindler).

More about scambaiters on
www.419eater.com
www.africanscam.co.uk
www.nanomole.co.uk
www.419fun.com

Have a nice weekend!

Markus   ;-)







Re: [Declude.JunkMail] [Declude.Virus] Scott, what do you use to generate this report

2004-04-16 Thread Dave Doherty
I tried that first on my laptop, then gave up and tried to run it on the
server with the same results. The wamlog.txt file is empty.

-d


Re: [Declude.JunkMail] why does this fail the spam domains test?

2004-04-16 Thread Dave Doherty
Thanks, Scott.



- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 16, 2004 6:58 AM
Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?



 yahoo.com
 would require that all possible REVDNS entries contain yahoo.com so a
 message would pass the test if the REVDNS of its originating IP was
 abc.yahoo.com, abcyahoo.com or abc.yahoo.com.hk, but not yahoo.ca

 Correct, but this has the drawback of blocking [EMAIL PROTECTED] if
 they do not have yahoo.com in the return address.  In this case, it
 probably would not be an issue (few legitimate non-Yahoo domains would end
 in yahoo.com, and fewer would come from IPs with a reverse DNS entry that
 did not contain yahoo.com).

 @yahoo.com   yahoo.com
 would require that all possible REVDNS entries end in yahoo.com so a
 message would pass the test if the REVDNS of its originating IP was
 abc.yahoo.com or abcyahoo.com, but not abc.yahoo.com.hk, or yahoo.ca

 Correct.

 .yahoo.com   yahoo.com
 would require that all possible REVDNS entries end in .yahoo.com so a
 message would pass the test if the REVDNS of its originating IP was
 abc.yahoo.com but not abc.yahoo.com.hk or yahoo.ca

 Yes, but it would only apply to E-mails from [EMAIL PROTECTED]
 (specifically, any E-mail address with .yahoo.com in it).
 -Scott
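A small Python model of the SPAMDOMAINS matching discussed in this thread, added here as an illustration; it is not Declude's code and not code from any poster. It follows Matt's "two CONTAINS filters" description and compares unanchored entries with the `@`/`.`-anchored ones Andrew ends up using for mac.com; case-insensitive matching, failing on the first applicable line without a match, and every sample address and hostname are assumptions constructed for the example.

```python
# Added example: a model of SPAMDOMAINS matching as described in this thread.
# Assumptions (not taken from Declude itself): columns are whitespace-separated,
# matching is case-insensitive, and a message fails as soon as one line that
# applies to the sender finds no match in the reverse DNS name.


def parse_spamdomains(text):
    """Return one list of columns per non-blank line of the file text."""
    return [line.lower().split() for line in text.splitlines() if line.strip()]


def check(mailfrom, revdns, rules):
    """Return (result, deciding_line); result is 'n/a', 'pass' or 'fail'."""
    mailfrom, revdns = mailfrom.lower(), revdns.lower()
    applied = None
    for columns in rules:
        if columns[0] not in mailfrom:
            continue  # first column is a CONTAINS test on the return address
        # Every column on the line is tried as a CONTAINS test on the REVDNS.
        if not any(col in revdns for col in columns):
            return "fail", columns
        applied = applied or columns
    return ("pass", applied) if applied else ("n/a", None)


# Unanchored first columns: any return address containing the string applies.
LOOSE = parse_spamdomains("hotmail.com\nmac.com   apple.com\natt.net\n")

# Anchored first columns: only addresses at (or under) the domain apply.
ANCHORED = parse_spamdomains(
    "hotmail.com\n"
    ".mac.com   apple.com\n"
    "@mac.com   apple.com\n"
    "@att.net   att.net\n"
)

# Constructed samples: (return address, reverse DNS of the sending IP).
SAMPLES = [
    ("user@hotmail.com", "law2.hotmail.com"),    # manual's passing case
    ("user@hotmail.com", "mail.example.ru"),     # manual's failing case
    ("pat@potomac.com", "smtp.example.net"),     # "mac.com" inside another domain
    ("pat@mac.com", "smtp-out.apple.com"),       # genuine sender, expected host
    ("bounce-jane=att.net@lists.example.org", "mx1.example.org"),  # VERP
]


def compare(samples=SAMPLES):
    """Return [(mailfrom, revdns, loose_result, anchored_result), ...]."""
    return [
        (m, r, check(m, r, LOOSE)[0], check(m, r, ANCHORED)[0])
        for m, r in samples
    ]


if __name__ == "__main__":
    for row in compare():
        print("%-40s %-20s loose=%-5s anchored=%s" % row)
```

The third and fifth samples are the false positives the thread warns about: the unanchored entry fires on a substring of an unrelated return address, while the anchored entry does not apply at all.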


RE: [Declude.JunkMail] [Declude.Virus] Scott, what do you use to generate this report

2004-04-16 Thread Colbeck, Andrew
This works for me:

wamlog dec0416.log c:\imail\declude\global.cfg

Modify the parameters to suit your environment, of course.

Andrew 8)


Re: [Declude.JunkMail] why does this fail the spam domains test?

2004-04-16 Thread Dave Doherty
Thanks, Andrew-

That follows the pattern I often use with whitelisting... It reinforces the
power of tools we have at our disposal and the care with which we need to
use them.

ie: sex matches a lot of common place names like middlesex and essex.

-d


- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 16, 2004 4:16 AM
Subject: RE: [Declude.JunkMail] why does this fail the spam domains test?


 Dave, allow me to butt in here with the late night reply and say yes, your
 interpretation is exactly right for all 3 of your examples.

 And let me also add that clarity certainly does help, for example I saw a
 weird false positive and chuckled over it.

 I had a sd.txt that listed:

 mac.com   apple.com

 The false positive occurred when a message from [EMAIL PROTECTED] didn't
 have a suitable revdns, and certainly didn't match apple.com either!  So now
 I have:

 .mac.com apple.com
 @mac.com apple.com

 Andrew 8)

 -Original Message-
 From: Dave Doherty [mailto:[EMAIL PROTECTED]
 Sent: Friday, April 16, 2004 12:15 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?


 Hi Matt-

 Thanks for the explanation. Let me feed back to you what I think you said.

 yahoo.com
 would require that all possible REVDNS entries contain yahoo.com so a
 message would pass the test if the REVDNS of its originating IP was
 abc.yahoo.com, abcyahoo.com or abc.yahoo.com.hk, but not yahoo.ca

 @yahoo.com   yahoo.com
 would require that all possible REVDNS entries end in yahoo.com so a
 message would pass the test if the REVDNS of its originating IP was
 abc.yahoo.com or abcyahoo.com, but not abc.yahoo.com.hk, or yahoo.ca

 .yahoo.com   yahoo.com
 would require that all possible REVDNS entries end in .yahoo.com so a
 message would pass the test if the REVDNS of its originating IP was
 abc.yahoo.com but not abc.yahoo.com.hk or yahoo.ca


 Is this right?

 -d



 - Original Message - 
 From: Matt
 To: [EMAIL PROTECTED]
 Sent: Friday, April 16, 2004 1:46 AM
 Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?


 Dave,

 It works like two different CONTAINS filters.

 It takes the value in the first column, and if the MAILFROM contains the
 string, then it checks both columns against the REVDNS entry to see if
 either one matches.  Since the first column has an @ symbol in it, that will
 never match, and the only possible match would be in the second column as a
 REVDNS CONTAINS type of match.

 If you only have one entry per line, then both the MAILFROM and REVDNS will
 need to contain that string.

 Using an @ symbol in the first column isn't a requirement, and it's only
 appropriate for domains with one possible REVDNS value since the first
 column can't match leaving only one string to match on.  The reason for
 putting it in there is because of some uses of VERP which can include
 addresses within the MAILFROM before the @ symbol, especially with domains
 like att.net which allow for forwarding.  It also prevents matches on
 partial domains from occurring, though that would generally be rare.  I opt
 to use the @ symbol in the first column when I only know of one legit REVDNS
 domain, and I leave it off when there are two, and I omit the domain from
 the list when there are three or more possible REVDNS matches.

 Hope this helps.

 Matt




 Dave Doherty wrote:

 Scott-

 I think that I may misunderstand SPAMDOMAINS.

 From the manual:

 This test will catch E-mail that is not coming from a mailserver that it
 should be coming from. This test will only work if you set up a file listing
 domains that you wish to be included in this test. Specifically, it will
 check the return address of the E-mail, and then check to see if the reverse
 DNS entry of the IP that the E-mail was sent from contains the domain name.
 If not, the E-mail fails the test. For example, if "hotmail.com" is listed
 in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from
 "law2.hotmail.com" would not fail the test, but an E-mail from
 "mail.example.ru" would fail the test.

 Taking the lead from that description, my SPAMDOMAINS file consists of a
 simple list of domains, one to a line, like this:

 ebay.com
 aol.com

 Yet every example I have seen on this subject the past few days shows two
 domains per line like this:

 @juno.com   .untd.com

 How is this supposed to work?

 -Dave





 - Original Message - 
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, April 15, 2004 4:42 PM
 Subject: Re: [Declude.JunkMail] why does this fail the spam domains test?



 Can anyone explain why this message would fail the spamdomains test?


 Here is the spamdomains entry:

 @juno.com   .untd.com

 The key here is the reverse DNS entry -- do you have the full headers for
 the E-mail?  Although the IMail log file shows the IP address, it is
 possible that