Re: [Declude.JunkMail] New test
on 4/21/04 2:35 PM, ISPHuset Nordic wrote:

> And how do you can the spam if it's a legitimate user?

We delete it. Spam is spam no matter who sends it.

Later,
Greg

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] This too got through.. No spamdomains?
> I got this message in one of my main accounts. It first came through our sec mail server, but then nothing appears to have been flagged by Declude. Weird thing is, I'm running SPAMDOMAINS. So shouldn't this message have failed at least SPAMDOMAINS?

This is why:

X-Note: This E-mail was sent from (timeout) ([67.169.68.81]).

The reverse DNS lookup timed out.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
[Declude.JunkMail] This too got through.. No spamdomains?
Hello,

I got this message in one of my main accounts. It first came through our sec mail server, but then nothing appears to have been flagged by Declude. Weird thing is, I'm running SPAMDOMAINS. So shouldn't this message have failed at least SPAMDOMAINS?

I have IPBYPASS 67.17.218.70 within the GLOBAL.CFG file and running Declude v.1.79.

SPAMDOMAIN.TXT Entries:

comcast.net
msn.com
hotmail.com

Internet Headers:

Received: from secmail.crescentdigital.com [67.17.218.70] by mail.crescentdigital.com with ESMTP (SMTPD32-6.06) id A9E6D4010A; Wed, 21 Apr 2004 19:55:18 -0400
Received: from c-67-169-68-81.client.comcast.net (c-67-169-68-81.client.comcast.net [67.169.68.81]) by secmail.crescentdigital.com (8.12.8/8.12.8) with SMTP id i3LNvYoi026730; Wed, 21 Apr 2004 19:57:37 -0400
Received: from 133.226.240.152 by 67.169.68.81; Thu, 22 Apr 2004 02:46:47 +0200
Message-ID: [EMAIL PROTECTED]
From: Rose Acevedo [EMAIL PROTECTED]
Reply-To: Rose Acevedo [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Cc:Lôw Côst Term Life ins. - Free Quôtes
Date: Wed, 21 Apr 2004 20:45:47 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--25203145111901053
X-Originating-IP: 67.17.218.70
X-Declude-Sender: [EMAIL PROTECTED] [67.169.68.81]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: None [0]
X-Note: This E-mail was sent from (timeout) ([67.169.68.81]).
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 382031063
Status: U
[Declude.JunkMail] Hijack Logs
Hi,

I am new to the declude world and inherited a network that utilizes all 3 of the declude solutions. I am using Imail 7.5 and declude 1.75. I have received several complaints from customers stating that email has not arrived to certain recipients. When researching this I found that the recipients are listed in the hijack log. Here is a snippet of the log. I have looked and can not find clarification on what is going on, any help would be appreciated.

04/22/2004 00:01:01 Q437c088e00f224cb [EMAIL PROTECTED] is not local.

jeff
RE: [Declude.JunkMail] This too got through.. No spamdomains?
Ok.. Thanks.. I'll have to look into this more.. Sorry to be a pain, but most of the messages that got through (14 of them between 12am and 5am) last night were caused by this problem.

Thanks again..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, April 22, 2004 8:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] This too got through.. No spamdomains?

> Hmmm.. Ok.. And this timeout is because of our DNS servers, correct?

The timeout could be caused by a number of factors -- it could be your DNS server, theirs, or it is possible that the DNS packet was dropped somewhere along the way.

> But, didn't it already do a lookup in order to get this line:
> Received: from c-67-169-68-81.client.comcast.net (c-67-169-68-81.client.comcast.net [67.169.68.81])

No. That line was added by the mailserver that handled the E-mail before IMail. Either it was able to get the reverse DNS entry (if it is a legitimate mailserver), or it didn't try (if that is a forged header, or it was sent via spamware).

-Scott
RE: [Declude.JunkMail] Hijack Logs
Hi Jeffrey,

You'll need to provide a little more information than that. All that log snippet shows is that domain.com isn't local, which in itself is not an issue or a reason to not deliver an email (providing you are allowing relay for the sender).

Declude HiJack will only block emails based on sender IP, not recipient domain, so unless the sender's IP is being blocked by HiJack, HiJack won't be the problem. If this is the case, and the sender IP is being stopped by HiJack - no emails from that IP will be delivered.

Are the clients that are having problems on static or dynamic IP addresses? Also are there any files in your \imail\spool\spam\hold2 directory? If not this would confirm HiJack isn't stopping anything.

I'd check the general Imail SMTP logs first, depending on what you have there would indicate where to look next.

Regards,
Lyndon.

-Original Message-
From: Jeffrey M Donley [mailto:[EMAIL PROTECTED]
Sent: 22 April 2004 13:33
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Hijack Logs

Hi,

I am new to the declude world and inherited a network that utilizes all 3 of the declude solutions. I am using Imail 7.5 and declude 1.75. I have received several complaints from customers stating that email has not arrived to certain recipients. When researching this I found that the recipients are listed in the hijack log. Here is a snippet of the log. I have looked and can not find clarification on what is going on, any help would be appreciated.

04/22/2004 00:01:01 Q437c088e00f224cb [EMAIL PROTECTED] is not local.

jeff
[Declude.JunkMail] Hotmail Sending Mail From IP's with No Reverse DNS
Has anyone else noticed over the last day or so that some of the hotmail messages are coming from servers without revdns.. This is a snag cause they are failing both revdns and spamdomains.. Any thoughts?

Received: from hotmail.com [207.68.164.107] by mail2.gannett-tv.com with ESMTP (SMTPD32-8.05) id A6657F0180; Wed, 21 Apr 2004 18:32:05 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 21 Apr 2004 15:30:14 -0700
Received: from 134.84.102.157 by sea2-dav3.sea2.hotmail.com with DAV; Wed, 21 Apr 2004 22:30:14 +
X-Originating-IP: [134.84.102.157]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: x [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [POTENTIAL SPAM]Assignment Desk
Date: Wed, 21 Apr 2004 17:27:30 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0009_01C427C5.ECC21740
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 21 Apr 2004 22:30:14.0967 (UTC) FILETIME=[377B2C70:01C427F0]
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'hotmail.com' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS]. [2-10-5000]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED] [2-48-18000]
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.68.164.107 with no reverse DNS entry. [2-53-1a800]
X-Declude-Sender: [EMAIL PROTECTED] [207.68.164.107]
X-Declude-Spoolname: Df665007f01804541.SMD
X-Declude-Sender: [EMAIL PROTECTED] [12.25.87.100]
X-Declude-Spoolname: Df66c3910081cb3c8.SMD
X-Spam-Tests-Failed: Whitelisted
X-Spam-Weight: 0
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 377609636
RE: [Declude.JunkMail] Log analysis and test check scripts
Thank you Bill and Roger for sharing your excellent work.

[EMAIL PROTECTED]

The scripts run under both Windows NT 4 and Windows 2000. They are pure Windows command scripts and therefore not as fast as some of the other log analysis tools. The analyses below took about one minute each in all mode.

Took a bit longer on my system but there were 230,000 messages. In comparing the results with my program (WAMLOG) they were within 0.2%!

Your program:
WEIGHT10 218863
WEIGHTdel 207491

My Program:
WEIGHT10 218866
WEIGHTDEL 207493

I didn't know command script was so powerful. Only about 100 lines of code! I wrote my program in C++ and it took about 300 lines of code :)
RE: [Declude.JunkMail] Processing load on machine
Since my weights are all so close I could make them the same. Is there a way to combine these 8 tests into 1 to determine if it failed any of the tests? That is, IF NOT 127.0.0.0, or whatever their OK response is? Does it really matter?

Paul Fuhrmeister
[EMAIL PROTECTED]

If the following is in the Global.cfg file, is it true that dnsbl.sorbs.net will be queried once and the result will be evaluated 8 times?

SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0
SORBS-SMTP ip4r dnsbl.sorbs.net 127.0.0.5 5 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 7 0
SORBS-WEB ip4r dnsbl.sorbs.net 127.0.0.7 5 0
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8 5 0
SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 6 0

That is correct. With old versions of Declude JunkMail -- back when multiple tests on the same zone first came out -- would make 8 DNS queries. But recent versions of Declude JunkMail will send just 1 DNS query, and evaluate the results 8 times.

-Scott
Re[2]: [Declude.JunkMail] Log analysis and test check scripts
ditto!

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com

- Copy of Original Message(s): -

PF Thank you Bill and Roger for sharing your excellent work.
PF [EMAIL PROTECTED]
[Declude.JunkMail] Comcast.net Spam
An email is from [EMAIL PROTECTED] [24.5.121.88] AND was received from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]

Is there a way to add weight when - received from client.comcast.net BUT sender is not @comcast.net

Here are example headers:

Received: from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]) by mail17.**.com (Postfix) with SMTP id 858D630F4B; Wed, 21 Apr 2004 21:25:31 -0500 (CDT) (envelope-from [EMAIL PROTECTED])
Message-ID: [EMAIL PROTECTED]
From: Tim Salazar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Pain Pills V.icodin Hy.drocodone Lortab Lorcet Norco
Date: Thu, 22 Apr 2004 01:00:15 +
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-RBL-Warning: DSBL: http://dsbl.org/listing?ip=24.5.121.88;
X-RBL-Warning: BLOCKTEXT: Message failed BLOCKTEXT test (line 394, weight 7)
X-Declude-Sender: [EMAIL PROTECTED] [24.5.121.88]
X-Declude-Spoolname: D2d2c2f4000be40bf.SMD
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 1049636097

Paul Fuhrmeister
[EMAIL PROTECTED]
RE: [Declude.JunkMail] Processing load on machine
> Since my weights are all so close I could make them the same. Is there a way to combine these 8 tests into 1 to determine if it failed any of the tests? That is, IF NOT 127.0.0.0, or whatever their OK response is? Does it really matter?

You could, by using something like

SORBS-ALL ip4r dnsbl.sorbs.net * 5 0

But, there will likely not be a noticeable gain in performance by doing that, and it removes some flexibility.

-Scott
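The single-query behaviour and the wildcard alternative discussed in the two "Processing load on machine" messages, worked through as an added Python example (not code from the posts or from Declude). It assumes the last two columns of each test line are the weight added on a hit and the weight added otherwise; the IP address and DNS answers are constructed, and the resolver is a stand-in function so the example runs offline.

```python
# Added example (not Declude code): one DNS lookup per zone, many ip4r tests.
from collections import namedtuple

Test = namedtuple("Test", "name zone expect weight_fail weight_pass")

# The eight test lines from the thread, and the wildcard variant Scott mentions.
PER_CODE_CFG = """\
SORBS-HTTP  ip4r dnsbl.sorbs.net 127.0.0.2  5 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3  5 0
SORBS-MISC  ip4r dnsbl.sorbs.net 127.0.0.4  5 0
SORBS-SMTP  ip4r dnsbl.sorbs.net 127.0.0.5  5 0
SORBS-SPAM  ip4r dnsbl.sorbs.net 127.0.0.6  7 0
SORBS-WEB   ip4r dnsbl.sorbs.net 127.0.0.7  5 0
SORBS-BLOCK ip4r dnsbl.sorbs.net 127.0.0.8  5 0
SORBS-DUHL  ip4r dnsbl.sorbs.net 127.0.0.10 6 0
"""
WILDCARD_CFG = "SORBS-ALL ip4r dnsbl.sorbs.net * 5 0\n"


def parse_tests(text):
    """Parse 'NAME ip4r ZONE RESULT WEIGHT WEIGHT' lines (column meaning assumed)."""
    tests = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[1] == "ip4r":
            tests.append(Test(parts[0], parts[2], parts[3],
                              int(parts[4]), int(parts[5])))
    return tests


def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def evaluate(ip, tests, resolve):
    """Return (failed test names, total weight, number of DNS lookups made).

    resolve(qname) returns the set of A records (empty set = not listed)
    and raises TimeoutError when the lookup does not complete.
    """
    cache = {}
    failed, weight = [], 0
    for test in tests:
        qname = query_name(ip, test.zone)
        if qname not in cache:
            try:
                cache[qname] = resolve(qname)   # first test on this zone pays for the lookup
            except TimeoutError:
                cache[qname] = None             # unknown: no test on this zone can fire
        answers = cache[qname]
        if answers is None:
            continue
        hit = bool(answers) if test.expect == "*" else test.expect in answers
        if hit:
            failed.append(test.name)
            weight += test.weight_fail
        else:
            weight += test.weight_pass
    return failed, weight, len(cache)


# Constructed answers: a documentation-range IP listed with two result codes.
SAMPLE_ZONE_DATA = {"81.2.0.192.dnsbl.sorbs.net": {"127.0.0.6", "127.0.0.10"}}


def sample_resolver(qname):
    return SAMPLE_ZONE_DATA.get(qname, set())


def timeout_resolver(qname):
    raise TimeoutError(qname)


if __name__ == "__main__":
    for cfg in (PER_CODE_CFG, WILDCARD_CFG):
        print(evaluate("192.0.2.81", parse_tests(cfg), sample_resolver))
    print(evaluate("192.0.2.81", parse_tests(PER_CODE_CFG), timeout_resolver))
```

With the eight per-code tests the constructed listing scores 7 + 6 from one lookup; the wildcard line also needs one lookup but can only ever add its single weight, which is the flexibility that is given up.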
Re: [Declude.JunkMail] Comcast.net Spam
Using 1.78+ Pro, you can use the following in a custom filter

MAILFROM END ENDSWITH @comcast.net
REVDNS 5 ENDSWITH client.comcast.net

You could probably throw a list of END statements for various domains in there as long as you know the naming convention for the REVDNS entries and can isolate them to their residential IP space (which can't be done for all domains).

Also note that this will often double hit with SPAMDOMAINS, and I do see some false positives on SPAMDOMAINS when boneheads buy themselves bulk-mail software to run on their residential-class service and use accounts on places like yahoo.com as the MAILFROM. I think this might be worth a few more points though.

Matt

Paul Fuhrmeister wrote:

An email is from [EMAIL PROTECTED] [24.5.121.88] AND was received from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]

Is there a way to add weight when - received from client.comcast.net BUT sender is not @comcast.net

Here are example headers:

Received: from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]) by mail17.**.com (Postfix) with SMTP id 858D630F4B; Wed, 21 Apr 2004 21:25:31 -0500 (CDT) (envelope-from [EMAIL PROTECTED])
Message-ID: [EMAIL PROTECTED]
From: Tim Salazar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Pain Pills V.icodin Hy.drocodone Lortab Lorcet Norco
Date: Thu, 22 Apr 2004 01:00:15 +
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-RBL-Warning: DSBL: http://dsbl.org/listing?ip=24.5.121.88;
X-RBL-Warning: BLOCKTEXT: Message failed BLOCKTEXT test (line 394, weight 7)
X-Declude-Sender: [EMAIL PROTECTED] [24.5.121.88]
X-Declude-Spoolname: D2d2c2f4000be40bf.SMD
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 1049636097

Paul Fuhrmeister
[EMAIL PROTECTED]

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
RE: [Declude.JunkMail] Comcast.net Spam
Hello,

Yeah, I too have noticed A LOT of spam originating from ComCast networks lately. You could implement SPAMDOMAINS that would check the from and where the message came from to add weight to the message. Seems to work well when you don't get DNS timeouts (which I have been having problems with lately).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
Sent: Thursday, April 22, 2004 10:12 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Comcast.net Spam

An email is from [EMAIL PROTECTED] [24.5.121.88] AND was received from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]

Is there a way to add weight when - received from client.comcast.net BUT sender is not @comcast.net

Here are example headers:

Received: from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]) by mail17.**.com (Postfix) with SMTP id 858D630F4B; Wed, 21 Apr 2004 21:25:31 -0500 (CDT) (envelope-from [EMAIL PROTECTED])
Message-ID: [EMAIL PROTECTED]
From: Tim Salazar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Pain Pills V.icodin Hy.drocodone Lortab Lorcet Norco
Date: Thu, 22 Apr 2004 01:00:15 +
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-RBL-Warning: DSBL: http://dsbl.org/listing?ip=24.5.121.88;
X-RBL-Warning: BLOCKTEXT: Message failed BLOCKTEXT test (line 394, weight 7)
X-Declude-Sender: [EMAIL PROTECTED] [24.5.121.88]
X-Declude-Spoolname: D2d2c2f4000be40bf.SMD
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 1049636097

Paul Fuhrmeister
[EMAIL PROTECTED]
RE: [Declude.JunkMail] Comcast.net Spam
Yes, I too have noticed an unusually high number of DNS timeouts recently. I was hit hard with a flood of spam starting yesterday afternoon and continuing all night. In every instance, the DNS timed out.

Shayne

Hello,

Yeah, I too have noticed A LOT of spam originating from ComCast networks lately. You could implement SPAMDOMAINS that would check the from and where the message came from to add weight to the message. Seems to work well when you don't get DNS timeouts (which I have been having problems with lately).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Fuhrmeister
Sent: Thursday, April 22, 2004 10:12 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Comcast.net Spam

An email is from [EMAIL PROTECTED] [24.5.121.88] AND was received from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]

Is there a way to add weight when - received from client.comcast.net BUT sender is not @comcast.net

Here are example headers:

Received: from cib.co.za (c-24-5-121-88.client.comcast.net [24.5.121.88]) by mail17.**.com (Postfix) with SMTP id 858D630F4B; Wed, 21 Apr 2004 21:25:31 -0500 (CDT) (envelope-from [EMAIL PROTECTED])
Message-ID: [EMAIL PROTECTED]
From: Tim Salazar [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Pain Pills V.icodin Hy.drocodone Lortab Lorcet Norco
Date: Thu, 22 Apr 2004 01:00:15 +
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-RBL-Warning: DSBL: http://dsbl.org/listing?ip=24.5.121.88;
X-RBL-Warning: BLOCKTEXT: Message failed BLOCKTEXT test (line 394, weight 7)
X-Declude-Sender: [EMAIL PROTECTED] [24.5.121.88]
X-Declude-Spoolname: D2d2c2f4000be40bf.SMD
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 1049636097

Paul Fuhrmeister
[EMAIL PROTECTED]
RE: [Declude.JunkMail] Comcast.net Spam
> I have SPAM-DOMAINS setup, my spamdomains.txt file contains
> .comcast. @comcast. .comcast.
> The messages (headers below) did not fail this test.

That's because:

X-Declude-Sender: [EMAIL PROTECTED] [24.5.121.88]

The sender is not an @comcast.com address, so it was not considered for this test.

-Scott
RE: [Declude.JunkMail] Comcast.net Spam
OK, I understand. SPAMDOMAINS would fail if they said they were [EMAIL PROTECTED] and sent through a tvp.ndo.co.uk mail server, but does not fail if they say they are [EMAIL PROTECTED] and send through a comcast.net server.

So, I need to look at Matt's filter. I am using 1.78+ Pro, but do not understand the filter Matt referenced earlier

MAILFROM END ENDSWITH @comcast.net
REVDNS 5 ENDSWITH client.comcast.net

Where is that filtering documented? Archives?

Paul Fuhrmeister
[EMAIL PROTECTED]
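How the two checks in this thread differ, as an added Python example that is not Declude code and not from any of the posts: a simplified model of SPAMDOMAINS as Scott and Paul describe it, next to an evaluator for the two filter lines Matt posted. The sender addresses are constructed; treating a reverse DNS timeout as "no result" and a missing reverse DNS entry as a SPAMDOMAINS failure follows the headers quoted earlier on this page, and the domain matching is a simplification.

```python
# Added example (not Declude code): models of the two checks in this thread.
TIMEOUT = "(timeout)"   # reverse lookup did not complete
NO_RDNS = "(none)"      # lookup completed, no reverse DNS entry

SPAMDOMAINS = ["comcast.net", "msn.com", "hotmail.com"]  # list posted in the thread

# Matt's filter, one rule per line.
MATT_FILTER = """\
MAILFROM END ENDSWITH @comcast.net
REVDNS 5 ENDSWITH client.comcast.net
"""


def host_in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def spamdomains(mail_from, rdns, domains=SPAMDOMAINS):
    """Simplified SPAMDOMAINS: returns 'skipped', 'unknown', 'fail' or 'pass'."""
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    claimed = [d for d in domains if host_in_domain(sender_domain, d)]
    if not claimed:
        return "skipped"     # sender does not claim a listed domain
    if rdns == TIMEOUT:
        return "unknown"     # nothing to compare against, so no weight is added
    if rdns == NO_RDNS:
        return "fail"
    return "pass" if host_in_domain(rdns.lower(), claimed[0]) else "fail"


def run_filter(text, mail_from, rdns):
    """Evaluate 'FIELD ACTION ENDSWITH VALUE' rules; ACTION is END or a weight."""
    fields = {
        "MAILFROM": mail_from.lower(),
        "REVDNS": "" if rdns in (TIMEOUT, NO_RDNS) else rdns.lower(),
    }
    weight = 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        field, action, op, value = parts
        if op != "ENDSWITH" or field not in fields:
            raise ValueError("unsupported rule: " + line)
        if not fields[field].endswith(value.lower()):
            continue
        if action == "END":
            return weight    # stop here: later rules are not evaluated
        weight += int(action)
    return weight


COMCAST_CLIENT = "c-24-5-121-88.client.comcast.net"  # hostname from the thread
SAMPLES = [  # (label, MAILFROM, reverse DNS); sender addresses are constructed
    ("other sender, comcast client", "tim@example.org", COMCAST_CLIENT),
    ("comcast sender, comcast client", "user@comcast.net", COMCAST_CLIENT),
    ("comcast sender, other host", "user@comcast.net", "mail.example.co.uk"),
    ("comcast sender, rDNS timeout", "user@comcast.net", TIMEOUT),
    ("hotmail sender, no rDNS", "user@hotmail.com", NO_RDNS),
    ("other sender, rDNS timeout", "tim@example.org", TIMEOUT),
]


def score_all(samples=SAMPLES):
    """Return (label, SPAMDOMAINS outcome, filter weight) for every sample."""
    return [(label, spamdomains(m, r), run_filter(MATT_FILTER, m, r))
            for label, m, r in samples]


if __name__ == "__main__":
    for row in score_all():
        print("%-32s spamdomains=%-8s filter=%d" % row)
```

The first sample is the case Paul asked about: SPAMDOMAINS skips it and only the filter adds weight. The last sample shows that neither check can fire when the reverse lookup times out.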
RE: [Declude.JunkMail] Hotmail Sending Mail From IP's with No Reverse DNS
There have been a few postings about this over the last week. I began noticing it last Friday in my logs. Test messages I have sent from my hotmail account are now coming through without failing the REVDNS test. It looks like they are finally correcting this issue. It's about time!

Jeffrey Di Gregorio
CCNP MCSE
Systems Administrator
Pacific School of Religion
[EMAIL PROTECTED]
510-849-8283

-Original Message-
From: Darrell LaRock [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 6:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Hotmail Sending Mail From IP's with No Reverse DNS

Has anyone else noticed over the last day or so that some of the hotmail messages are coming from servers without revdns.. This is a snag cause they are failing both revdns and spamdomains.. Any thoughts?

Received: from hotmail.com [207.68.164.107] by mail2.gannett-tv.com with ESMTP (SMTPD32-8.05) id A6657F0180; Wed, 21 Apr 2004 18:32:05 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 21 Apr 2004 15:30:14 -0700
Received: from 134.84.102.157 by sea2-dav3.sea2.hotmail.com with DAV; Wed, 21 Apr 2004 22:30:14 +
X-Originating-IP: [134.84.102.157]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: x [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [POTENTIAL SPAM]Assignment Desk
Date: Wed, 21 Apr 2004 17:27:30 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0009_01C427C5.ECC21740
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 21 Apr 2004 22:30:14.0967 (UTC) FILETIME=[377B2C70:01C427F0]
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'hotmail.com' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS]. [2-10-5000]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED] [2-48-18000]
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.68.164.107 with no reverse DNS entry. [2-53-1a800]
X-Declude-Sender: [EMAIL PROTECTED] [207.68.164.107]
X-Declude-Spoolname: Df665007f01804541.SMD
X-Declude-Sender: [EMAIL PROTECTED] [12.25.87.100]
X-Declude-Spoolname: Df66c3910081cb3c8.SMD
X-Spam-Tests-Failed: Whitelisted
X-Spam-Weight: 0
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 377609636
[Declude.JunkMail] Processing Order
I am looking at the Processing Order from the JunkMail manual

1. IMail's Control Access file (to block IPs)
2. IMail's Kill List (to block return addresses)
3. IMail v8 anti-spam (most tests)
4. Declude Virus
5. Declude Hijack
6. Declude JunkMail
7. IMail's filters and extra IMail v8 anti-spam tests

If I use IMail Antispam to add an X-Header for statistical filtering and HTML features detection, would Declude JunkMail see it? Or are those IMail tests after JunkMail?

Paul Fuhrmeister
[EMAIL PROTECTED]
Re: [Declude.JunkMail] Processing Order
> I am looking at the Processing Order from the JunkMail manual
>
> 1. IMail's Control Access file (to block IPs)
> 2. IMail's Kill List (to block return addresses)
> 3. IMail v8 anti-spam (most tests)
> 4. Declude Virus
> 5. Declude Hijack
> 6. Declude JunkMail
> 7. IMail's filters and extra IMail v8 anti-spam tests
>
> If I use IMail Antispam to add an X-Header for statistical filtering and HTML features detection, would Declude JunkMail see it? Or are those IMail tests after JunkMail?

I believe those both count as extra IMail v8 anti-spam tests, which would be done after Declude JunkMail processes the E-mail (so Declude JunkMail would not see the header). It is too bad that Ipswitch set it up that way.

-Scott
RE: [Declude.JunkMail] Filtering outgoing mail - silent failure
To make sure I wasn't introducing a typo, I used my text editor to find the filter file, so the file name is exactly what the computer found.

Among the results I get when I run -diag is ... Declude JunkMail Status: PRO version registered.

I've made sure each file involved in this process has the line return you describe. The OUTGO filter definition and action are the last two lines in the global.cfg file (not including the final blank line).

I have again tested this by sending out messages with the target text string; no luck.

Keith Purtell, Web/Network Administrator
VantageMed Corporation (Kansas City office)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, April 21, 2004 5:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Filtering outgoing mail - silent failure

> I sent an email from within our domain (containing that word in both the subject and body) to an external account. Then checked the Declude log. Nothing.

That's what I suspected -- that means that there is a problem with the way that the test is set up.

Are you sure that the filter file is named the same as the way that it is defined in the global.cfg file?

Are you sure that you are running Declude JunkMail Pro (\IMail\Declude -diag from a command prompt will show you)?

Is the problem only occurring with the last line in the file (if you cannot move a cursor to the line below it, you need to hit ENTER at the end of the line for Windows to recognize the line)?

-Scott
Re: [Declude.JunkMail] Nameserver issues and Spam fighting
With the increase in people trying to fight spam, nameservers are getting bombarded with lookup requests. Recently I understand that ATT has taken steps to not allow lookups of most of the blacklists using their network. The easy answer to this is to use your own DNS servers -- if you do (and they are decent DNS servers; BIND is preferred), you won't be subject to the restrictions of ATT, Sprint, and others that block spam database lookups. -Scott
RE: [Declude.JunkMail] Nameserver issues and Spam fighting
Chuck, Your most efficient option would be to run your own DNS server. Then YOU control the query volumes, and no longer rely on ATT. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick Sent: Thursday, April 22, 2004 11:16 AM To: Declude. JunkMail Subject: [Declude.JunkMail] Nameserver issues and Spam fighting With the increase in people trying to fight spam, nameservers are getting bombarded with lookup requests. Recently I understand that ATT has taken steps to not allow lookups of most of the blacklists using their network. It seems that we are seeing more and more DNS timeouts which result in more spam getting through. Anyone else perceive this as a problem that will only get worse? Anyone have any suggestions to make the DNS lookup process more efficient? It would be a nice feature if we could bypass some of the DNS lookups if the email scored over a certain amount which would allow some of the email to bypass the lookups thereby reducing the load. [AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
RE: [Declude.JunkMail] Filtering outgoing mail - silent failure
To make sure I wasn't introducing a typo, I used my text editor to find the filter file, so the file name is exactly what the computer found. Among the results I get when I run -diag is ... Declude JunkMail Status: PRO version registered. I've made sure each file involved in this process has the line return you describe. The OUTGO filter definition and action are the last two lines in the global.cfg file (not including the final blank line). I have again tested this by sending out messages with the target text string; no luck. If you send me the global.cfg file and the filter file, I can take a look. -Scott
[Declude.JunkMail] CMDSPACE Test
Hello, I was wondering what exactly the CMDSPACE test is. I wasn't able to find anything about it in the Junkmail manual.. Thanks.. -Jeff
Re: [Declude.JunkMail] CMDSPACE Test
I was wondering what exactly the CMDSPACE test is. I wasn't able to find anything about it in the Junkmail manual.. It's part of the latest beta, which means that it is currently only covered in the release notes ( http://www.declude.com/relnotes.htm ) and on the mailing list. -Scott
RE: [Declude.JunkMail] Nameserver issues and Spam fighting
I guess I was not clear. I do not use ATT (for anything) but we have seen the load increase so much on our own name servers that we are adding more. I only use ATT as a reference point - they must have decided the load was too much to take such drastic action. Many desktop Spam filters are now incorporating blacklist lookups. It is one thing to have mail servers and gateways doing lookups but if end users start doing them it is only going to increase the congestion. The timeouts are from the blacklists not our name servers. I think this is going to be a bigger problem as time goes. We are probably going to do zone transfers on as many of the blacklists as possible and make our own nameservers authoritative for those zones within our network. Maybe I am the only one that sees this as an issue. Chuck Schick Warp 8, Inc. 303-421-5140 www.warp8.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jason Sent: Thursday, April 22, 2004 10:28 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Nameserver issues and Spam fighting Chuck, Your most efficient option would be to run your own DNS server. Then YOU control the query volumes, and no longer rely on ATT. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick Sent: Thursday, April 22, 2004 11:16 AM To: Declude. JunkMail Subject: [Declude.JunkMail] Nameserver issues and Spam fighting With the increase in people trying to fight spam, nameservers are getting bombarded with lookup requests. Recently I understand that ATT has taken steps to not allow lookups of most of the blacklists using their network. It seems that we are seeing more and more DNS timeouts which result in more spam getting through. Anyone else perceive this as a problem that will only get worse? Anyone have any suggestions to make the DNS lookup process more efficient?
It would be a nice feature if we could bypass some of the DNS lookups if the email scored over a certain amount which would allow some of the email to bypass the lookups thereby reducing the load. [AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
RE: [Declude.JunkMail] Nameserver issues and Spam fighting
I guess I was not clear. I do not use ATT (for anything) but we have seen the load increase so much on our own name servers that we are adding more. How many E-mails do you send/receive per day? How many spam databases do you query for each E-mail? At 100,000 E-mails/day and 20 DNS queries per E-mail, that's 2,000,000 DNS queries a day -- which sounds like a lot, but that's only 23 per second, less than 1% of the load that some DNS servers handle. We have a DNS server here that often handles 20+ queries per second, and the CPU load is negligible. I only use ATT as a reference point - they must have decided the load was too much to take such drastic action. Correct -- at 1,000 business customers with those 100,000 E-mails/day and 20 DNS queries each, you're talking 2 billion lookups a day, which starts to add up. -Scott
Re: [Declude.JunkMail] Nameserver issues and Spam fighting
At 12:16 PM 4/22/2004, you wrote: With the increase in people trying to fight spam, nameservers are getting bombarded with lookup requests. Recently I understand that ATT has taken steps to not allow lookups of most of the blacklists using their network. It seems that we are seeing more and more DNS timeouts which result in more spam getting through. Anyone else perceive this as a problem that will only get worse? Anyone have any suggestions to make the DNS lookup process more efficient? We are working on an add-on to Message Sniffer called IPDB which will collaborate to generate statistics on IPs from multiple research points. In addition to collaborative data, local data for IPs can be added through alternate processes. One of those will be to scan a user defined list of DNS BLs to produce a local IPDB entry based on the combined results. With this arrangement local queries will always be very quick (sub 200ms including the heuristics scan). If an IP is unknown by the local group then the first query to IPDB may be indeterminate - but subsequent queries will have good statistics available based on the local rules and those results will be pushed to the local peer group as well. IPDB can afford to be patient with its queries - and will make fewer of them since each IPDB node collaborates with a number of trusted peers. If the system catches on then IPDB protocols may provide an alternative publication method for black lists - but that's thinking too far ahead at this point. IPDB will also rank both negative and positive going IP data so that IPs not producing spam can be scored negatively to mitigate false positives. IPDB will also be able to make an educated guess on network blocks based on the data available at the time of the query - so that if 50% of the IPs in a network block are 100% spam and none of the others have been heard from, a new query to that block _may_ result in a strong spam probability.
This will help to mitigate any delays in pending DNS queries. Finally a wave-front detection mechanism that can be built into IPDB will be able to detect new sources of spam/malware by aggregating announcements of new IP sources from local peers. In theory if a new machine gets zombied by spammers or a virus then that IP source will be new to a great number of servers in a short period. Each IPDB peer detecting the new IP source will announce the hit to its neighbors. If enough neighbors pick up on the new source within a given threshold then they will begin weighting the source negatively - if the source is very aggressive then it _may_ be blacklisted on a number of systems in the group - and that event also will be published. The result is that a newly infected machine or new spam source can be detected and effectively shut down before any ordinary BL process or even virus protection mechanism can respond. Tools can be added to alert researchers and system admins of new threats detected by the wave-front detection mechanism so that new virii worms might be researched more quickly - and in the case of a false positive an admin can intervene quickly (even before the end users are aware) to white the source... This event would also be propagated through the peer groups. Tools will be available to drive ACLs from the IPDB as well so that consistently bad sources might be blocked at gateway routers and/or servers. Those are some of the plans anyway... _M
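The wave-front idea described in the message above, as an added Python sketch (not Message Sniffer or IPDB code, which the post only describes as planned): a node counts how many distinct peers announce the same previously unseen IP within a time window. The class name, window length, peer thresholds, verdict labels and the sample events (documentation-range IPs) are assumptions made for illustration.

```python
from collections import defaultdict, deque


class WaveFrontNode:
    """One peer's tally of 'new IP source' announcements from its neighbours."""

    def __init__(self, window=600, suspect_peers=3, block_peers=6):
        self.window = window                 # seconds an announcement stays relevant
        self.suspect_peers = suspect_peers   # distinct peers before weighting the source
        self.block_peers = block_peers       # distinct peers before blacklisting it
        self.sightings = defaultdict(deque)  # ip -> deque of (timestamp, peer)
        self.whitelist = set()               # admin overrides

    def announce(self, peer, ip, ts):
        """Record that `peer` saw `ip` as a new source at `ts` (non-decreasing)."""
        self.sightings[ip].append((ts, peer))
        return self.verdict(ip, ts)

    def whitelist_source(self, ip):
        """Admin intervention after a false positive; overrides peer counts."""
        self.whitelist.add(ip)

    def verdict(self, ip, now):
        """Verdict from announcements still inside the window at time `now`."""
        if ip in self.whitelist:
            return "whitelisted"
        seen = self.sightings[ip]
        while seen and now - seen[0][0] > self.window:
            seen.popleft()                   # drop announcements older than the window
        peers = {peer for _, peer in seen}   # repeats from one peer count once
        if len(peers) >= self.block_peers:
            return "blacklisted"
        if len(peers) >= self.suspect_peers:
            return "suspect"
        return "unknown"


def replay(node, events):
    """Feed (ts, peer, ip) events in time order; return each IP's verdict changes."""
    history = defaultdict(list)
    for ts, peer, ip in sorted(events):
        verdict = node.announce(peer, ip, ts)
        if not history[ip] or history[ip][-1][1] != verdict:
            history[ip].append((ts, verdict))
    return dict(history)


# Constructed sample: one source that is new to six peers within minutes,
# and one source that three peers meet for the first time an hour apart.
EVENTS = [
    (0, "peer-a", "192.0.2.45"), (40, "peer-b", "192.0.2.45"),
    (95, "peer-c", "192.0.2.45"), (130, "peer-d", "192.0.2.45"),
    (200, "peer-e", "192.0.2.45"), (260, "peer-f", "192.0.2.45"),
    (0, "peer-a", "198.51.100.7"), (3600, "peer-b", "198.51.100.7"),
    (7200, "peer-c", "198.51.100.7"),
]

if __name__ == "__main__":
    for ip, changes in replay(WaveFrontNode(), EVENTS).items():
        print(ip, changes)
```

Counting distinct peers rather than raw announcements keeps a single noisy or misbehaving peer from pushing a source over either threshold on its own.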
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
Hi, Markus, Thanks for responding. Well I went ahead and did it. I've rescaled everything to have 100 points be my HOLD weight. It was pretty easy because my previous HOLD weight was 5 so I just had to multiply everything by 20 to keep things relative. Now, that I have it there I would like to re-tune some of my weights. In your system, if you have a test like HELOBOGUS, for example, how do you decide what weight to give HELOBOGUS? I was thinking that if I had the correct statistics about which types of messages, spam or legit, were flagged by which tests it would be pretty straightforward. For example, if I knew that of 1000 messages that were flagged as failing the HELOBOGUS test and 37% of them were legit messages and 73% setting the weight of HELOBOGUS to 73 would be statistically sound. Is my thinking correct on that or am I way off base? Thanks, Dan Geiser [EMAIL PROTECTED] - Original Message - From: Markus Gufler To: [EMAIL PROTECTED] Sent: Tuesday, April 20, 2004 4:25 PM Subject: RE: [Declude.JunkMail] Scaling Up The Declude Weighting System Dan, We've chosen to scale up the weighting system exactly for the two reasons you've mentioned below: -more granularity -absolute weight and percentage is the same Note that there are some good filter files maintained by other Declude users that are updated regularly and has the "inside" weights set up for a Hold-on-20 weighting system. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, April 20, 2004 4:48 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Scaling Up The Declude Weighting System Hello, All, Over the year or so that I've been reading the discussions on this list it seems I've read quite a bit about people scaling their weights up, i.e. instead of having a HOLD weight of 10, you might have a HOLD weight of 100 and then you adjust the corresponding test weights accordingly. Assuming that what I've read is correct, for those who use this scaled up system...
What sort of benefit is it that you feel that you receive from doing this? Does it allow a more granular tuning of your weighting system? Are there any other benefits I'm not thinking of? Does having a hold weight of 100, for example, help you think more clearly about each test being a percentage of the overall HOLD weight? I'm doing a major overhaul of Declude JunkMail configuration and I figured if a scaled up weight system is the best way to do things then I might want to implement that now. Thanks In Advance For Your Comments! Dan Geiser [EMAIL PROTECTED]
[Declude.JunkMail] Spam Domains file
Somehow one of my guys has deleted our spamdomains file. I was wondering if someone could provide us with one that is working well for them. Anyone can send it directly to [EMAIL PROTECTED] Thanks in advance. gb
[Declude.JunkMail] Minimum weight of a filter
I'm working on trapping more Nigerian Scams. Is there any way to limit a filter to a minimum weight? If the Nigerian filter gets tripped for at least 3 points, I would like for it to be implemented. If it is less than 3 points, I'd like to ignore the filter. Can I do this with minweight? Scott Fisher Director of IT Farm Progress Companies
Re: [Declude.JunkMail] Minimum weight of a filter
Is there any way to limit a filter to a minimum weight? If the Nigerian filter gets tripped for at least 3 points, I would like for it to be implemented. If it is less than 3 points, I'd like to ignore the filter. Declude JunkMail doesn't have an option to do that. However, someone here might be able to figure out a creative way to do this. Can I do this with minweight? No -- that determines a weight at which filter processing will stop. But it sounds like you want the filter to only return a weight if multiple lines match. -Scott
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
If a test false positived 37% of the time, I certainly wouldn't be weighing it that high. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 04/22/04 12:57PM Hi, Markus, Thanks for responding. Well I went ahead and did it. I've rescaled everything to have 100 points be my HOLD weight. It was pretty easy because my previous HOLD weight was 5 so I just had to multiply everything by 20 to keep things relative. Now, that I have it there I would like to re-tune some of my weights. In your system, if you have a test like HELOBOGUS, for example, how do you decide what weight to give HELOBOGUS? I was thinking that if I had the correct statistics about which types of messages, spam or legit, were flagged by which tests it would be pretty straightforward. For example, if I knew that of 1000 messages that were flagged as failing the HELOBOGUS test and 37% of them were legit messages and 73% setting the weight of HELOBOGUS to 73 would be statistically sound. Is my thinking correct on that or am I way off base? Thanks, Dan Geiser [EMAIL PROTECTED] - Original Message - From: Markus Gufler To: [EMAIL PROTECTED] Sent: Tuesday, April 20, 2004 4:25 PM Subject: RE: [Declude.JunkMail] Scaling Up The Declude Weighting System Dan, We've chosen to scale up the weighting system exactly for the two reasons you've mentioned below: -more granularity -absolute weight and percentage is the same Note that there are some good filter files maintained by other Declude users that are updated regularly and has the inside weights set up for a Hold-on-20 weighting system. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, April 20, 2004 4:48 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Scaling Up The Declude Weighting System Hello, All, Over the year or so that I've been reading the discussions on this list it seems I've read quite a bit about people scaling their weights up, i.e.
instead of having a HOLD weight of 10, you might have a HOLD weight of 100 and then you adjust the corresponding test weights accordingly. Assuming that what I've read is correct, for those who use this scaled up system... What sort of benefit is it that you feel that you receive from doing this? Does it allow a more granular tuning of your weighting system? Are there any other benefits I'm not thinking of? Does having a hold weight of 100, for example, help you think more clearly about each test being a percentage of the overall HOLD weight? I'm doing a major overhaul of Declude JunkMail configuration and I figured if a scaled up weight system is the best way to do things then I might want to implement that now. Thanks In Advance For Your Comments! Dan Geiser [EMAIL PROTECTED]
RE: [Declude.JunkMail] CMDSPACE Test
According to a note I found in the archives, CMDSPACE needs Imail v8, with SMTP-Authentication, and AUTOWHITELIST ON in global.cfg to work correctly. Otherwise, you get false positives from Outlook clients. As we are not on Imail v8, I ran into that problem. I handled it by reducing the weight on CMDSPACE to 4 and increasing the weight of SPAMHEADERS to 4, and saw a significant improvement in the spam being trapped without losing any valid mail. Royce -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeff Maze - Hostmaster Sent: Thursday, April 22, 2004 11:37 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] CMDSPACE Test Hello, I was wondering what exactly the CMDSPACE test is. I wasn't able to find anything about it in the Junkmail manual.. Thanks.. -Jeff
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
I did exactly this when we added SPAMCHK as a test last year. I believe they recommended this range because spamchk would add a lot of small weights and a 1-10 scale is too narrow. It also allows us to create filters with words that are more common in non-spam, but more likely to be spam in higher frequency. That is, a dozen or so words that have a weight of 2 or 3 out of 100 would give me the desired final weight. But the best I could do on a 1-10 scale is give each 1 point which would put me over my hold weight pretty quick. --Todd. Dan Geiser wrote: Hello, All, Over the year or so that I've been reading the discussions on this list it seems I've read quite a bit about people scaling their weights up, i.e. instead of having a HOLD weight of 10, you might have a HOLD weight of 100 and then you adjust the corresponding test weights accordingly. Assuming that what I've read is correct, for those who use this scaled up system... What sort of benefit is it that you feel that you receive from doing this? Does it allow a more granular tuning of your weighting system? Are there any other benefits I'm not thinking of? Does having a hold weight of 100, for example, help you think more clearly about each test being a percentage of the overall HOLD weight? I'm doing a major overhaul of Declude JunkMail configuration and I figured if a scaled up weight system is the best way to do things then I might want to implement that now. Thanks In Advance For Your Comments! Dan Geiser [EMAIL PROTECTED]
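An added Python example (not Declude code or configuration) of two points raised in this thread: what integer weights do to a low-weight word filter on a HOLD-10 versus a HOLD-100 scale, and how per-test statistics differ from message-level false positives. The weights, the "WORD" filter-line test and the labelled corpus are constructed, and integer-only weights are an assumption.

```python
# Added illustration, not Declude code. Weights, the "WORD" filter-line test
# and the labelled corpus are constructed; integer-only weights are assumed.

HOLD_100 = 100
WEIGHTS_100 = {"HELOBOGUS": 30, "SPAMHEADERS": 40, "CMDSPACE": 40, "WORD": 2}

# (is_spam, tests failed); "WORD" appears once per matching filter line.
CORPUS = [
    (True,  ["HELOBOGUS", "SPAMHEADERS", "CMDSPACE"]),
    (True,  ["SPAMHEADERS", "CMDSPACE"] + ["WORD"] * 12),
    (True,  ["HELOBOGUS", "CMDSPACE"] + ["WORD"] * 15),
    (False, ["HELOBOGUS"]),
    (False, ["WORD"] * 12),                  # legit mail using a dozen common words
    (False, ["HELOBOGUS"] + ["WORD"] * 3),
    (True,  ["HELOBOGUS", "SPAMHEADERS"]),
]


def rescale(weights, old_hold, new_hold):
    """Scale integer weights to a new HOLD weight; an active test keeps at least 1."""
    factor = new_hold / old_hold
    return {test: max(1, round(w * factor)) for test, w in weights.items()}


def total_weight(failed, weights):
    """Sum the weights of every failed test (repeated filter lines add up)."""
    return sum(weights[test] for test in failed)


def legit_share_per_test(corpus):
    """For each test: (messages failing it, share of those that were legitimate)."""
    counts = {}
    for is_spam, failed in corpus:
        for test in set(failed):             # count each message once per test
            hits, legit = counts.get(test, (0, 0))
            counts[test] = (hits + 1, legit + (not is_spam))
    return {test: (hits, legit / hits) for test, (hits, legit) in counts.items()}


def outcomes(corpus, weights, hold):
    """Message-level results: indexes of held legit mail and of delivered spam."""
    held_legit, missed_spam = [], []
    for i, (is_spam, failed) in enumerate(corpus):
        held = total_weight(failed, weights) >= hold
        if held and not is_spam:
            held_legit.append(i)             # a false positive in the list's sense
        elif not held and is_spam:
            missed_spam.append(i)
    return held_legit, missed_spam


if __name__ == "__main__":
    weights_10 = rescale(WEIGHTS_100, HOLD_100, 10)
    print("HOLD-10 weights:", weights_10)
    print("per-test (hits, legit share):", legit_share_per_test(CORPUS))
    print("HOLD-100 (held legit, missed spam):", outcomes(CORPUS, WEIGHTS_100, HOLD_100))
    print("HOLD-10  (held legit, missed spam):", outcomes(CORPUS, weights_10, 10))
```

On the constructed corpus the word filter's smallest usable weight on the HOLD-10 scale is 1, so the legitimate message matching twelve words is held there but not on the HOLD-100 scale, while HELOBOGUS fails on legitimate mail without any message being held for it alone.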
Re: [Declude.JunkMail] Nameserver issues and Spam fighting
Some very good ideas here. Thanks, Pete. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 22, 2004 1:49 PM Subject: Re: [Declude.JunkMail] Nameserver issues and Spam fighting At 12:16 PM 4/22/2004, you wrote: With the increase in people trying to fight spam, nameservers are getting bombarded with lookup requests. Recently I understand that ATT has taken steps to not allow lookups of most of the blacklists using their network. It seems that we are seeing more and more DNS timeouts which result in more spam getting through. Anyone else perceive this as a problem that will only get worse? Anyone have any suggestions to make the DNS lookup process more efficient? We are working on an add-on to Message Sniffer called IPDB which will collaborate to generate statistics on IPs from multiple research points. In addition to collaborative data, local data for IPs can be added through alternate processes. One of those will be to scan a user defined list of DNS BLs to produce a local IPDB entry based on the combined results. With this arrangement local queries will always be very quick (sub 200ms including the heuristics scan). If an IP is unknown by the local group then the first query to IPDB may be indeterminate - but subsequent queries will have good statistics available based on the local rules and those results will be pushed to the local peer group as well. IPDB can afford to be patient with its queries - and will make fewer of them since each IPDB node collaborates with a number of trusted peers. If the system catches on then IPDB protocols may provide an alternative publication method for black lists - but that's thinking too far ahead at this point. IPDB will also rank both negative and positive going IP data so that IPs not producing spam can be scored negatively to mitigate false positives.
IPDB will also be able to make an educated guess on network blocks based on the data available at the time of the query - so that if 50% of the IPs in a network block are 100% spam and none of the others have been heard from, a new query to that block _may_ result in a strong spam probability. This will help to mitigate any delays in pending DNS queries. Finally a wave-front detection mechanism that can be built into IPDB will be able to detect new sources of spam/malware by aggregating announcements of new IP sources from local peers. In theory if a new machine gets zombied by spammers or a virus then that IP source will be new to a great number of servers in a short period. Each IPDB peer detecting the new IP source will announce the hit to its neighbors. If enough neighbors pick up on the new source within a given threshold then they will begin weighting the source negatively - if the source is very aggressive then it _may_ be blacklisted on a number of systems in the group - and that event also will be published. The result is that a newly infected machine or new spam source can be detected and effectively shut down before any ordinary BL process or even virus protection mechanism can respond. Tools can be added to alert researchers and system admins of new threats detected by the wave-front detection mechanism so that new virii worms might be researched more quickly - and in the case of a false positive an admin can intervene quickly (even before the end users are aware) to white the source... This event would also be propagated through the peer groups. Tools will be available to drive ACLs from the IPDB as well so that consistently bad sources might be blocked at gateway routers and/or servers. Those are some of the plans anyway... _M
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
Hi, Scott, Thanks for the feedback. The more I thought about it after sending the e-mail a few minutes ago the more certain I was that my logic was not, in fact, even remotely close to being sound. It really has to be thought of as a factor of multiple tests and not just one, so I understand what you are saying. But I have to disagree with your terminology. I wasn't describing a false positive situation. I don't think the HELOBOGUS test by itself can have a false positive. A message either passes or fails the HELOBOGUS test. If a message fails the HELOBOGUS test, meaning the HELO is bogus by Scott's criterion, yet that message is not a spam message, i.e. it is a legit e-mail, it doesn't mean that the HELOBOGUS generated a false positive. The HELO either truly is BOGUS or NOT BOGUS. If HELOBOGUS misidentified a message as being BOGUS that was NOT BOGUS then, yes, I think that would be a false positive. But by its nature one single test cannot create a false positive unless the program code for the test is written incorrectly. Just my thoughts. Dan - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 22, 2004 2:20 PM Subject: Re: [Declude.JunkMail] Scaling Up The Declude Weighting System If a test false positived 37% of the time, I certainly wouldn't be weighing it that high. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 04/22/04 12:57PM Hi, Markus, Thanks for responding. Well I went ahead and did it. I've rescaled everything to have 100 points be my HOLD weight. It was pretty easy because my previous HOLD weight was 5 so I just had to multiply everything by 20 to keep things relative. Now, that I have it there I would like to re-tune some of my weights. In your system, if you have a test like HELOBOGUS, for example, how do you decide what weight to give HELOBOGUS?
I was thinking that if I had the correct statistics about which types of messages, spam or legit, were flagged by which tests it would be pretty straightforward. For example, if I knew that of 1000 messages that were flagged as failing the HELOBOGUS test and 37% of them were legit messages and 73% setting the weight of HELOBOGUS to 73 would be statistically sound. Is my thinking correct on that or am I way off base? Thanks, Dan Geiser [EMAIL PROTECTED] - Original Message - From: Markus Gufler To: [EMAIL PROTECTED] Sent: Tuesday, April 20, 2004 4:25 PM Subject: RE: [Declude.JunkMail] Scaling Up The Declude Weighting System Dan, We've chosen to scale up the weighting system exactly for the two reasons you've mentioned below: -more granularity -absolute weight and percentage is the same Note that there are some good filter files maintained by other Declude users that are updated regularly and has the inside weights set up for a Hold-on-20 weighting system. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, April 20, 2004 4:48 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Scaling Up The Declude Weighting System Hello, All, Over the year or so that I've been reading the discussions on this list it seems I've read quite a bit about people scaling their weights up, i.e. instead of having a HOLD weight of 10, you might have a HOLD weight of 100 and then you adjust the corresponding test weights accordingly. Assuming that what I've read is correct, for those who use this scaled up system... What sort of benefit is it that you feel that you receive from doing this? Does it allow a more granular tuning of your weighting system? Are there any other benefits I'm not thinking of? Does having a hold weight of 100, for example, help you think more clearly about each test being a percentage of the overall HOLD weight?
I'm doing a major overhaul of Declude JunkMail configuration and I figured if a scaled up weight system is the best way to do things then I might want to implement that now. Thanks In Advance For Your Comments! Dan Geiser [EMAIL PROTECTED]
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
Dan, Individual tests do not false positive (unless they are poorly conceived). The term False Positive in relation to spam filtering means a message that was tagged as spam (with Declude this usually results from failure of multiple tests), but is in reality a legitimate email that needs to be delivered. Understandably there is some grey area in that, due to varying definitions on what email should be considered spam. For this reason, many admins' weighting systems vary on some of the details of implementation, due mostly to their user community, individual policies, and attempts to filter as much as possible without adversely affecting their community. I believe the point Scott was making was that the HELOBOGUS should not have much weight if you are seeing such a high percentage of emails (37%) that fail this particular test but are not spam. Darin.
[Declude.JunkMail] Subject Action
I'd like to request an alternative to the SUBJECT action where we could have it placed at the end rather than the beginning of the existing subject. I would like to place the score in the subject and it will not allow me to sort by subject cleanly when using SpamReview.

WEIGHTHOLDSUBJSUBJECT[SPAM %WEIGHT%]

With this it would sort alphabetically on the weight rather than the original subject.

John Olden - Systems Administrator
Champaign Park District
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
You guys are correct, I should have I shouldn't have said false positive with regards to the test. I just kept seeing the mostly good 37% of the mail 73% toward failing and false positives kept ringing in my head. Scott Fisher Director of IT Farm Progress Companies
Re: [Declude.JunkMail] Subject Action
I'd like to request an alternative to the SUBJECT action where we could have it placed at the end rather than the beginning of the existing subject. I would like to place the score in the subject and it will not allow me to sort by subject cleanly when using SpamReview.

WEIGHTHOLDSUBJSUBJECT[SPAM %WEIGHT%]

With this it would sort alphabetically on the weight rather than the original subject.

We will consider this. The problem, though, is that a lot of subjects are longer than will fit on the line in the mail client -- so with the spam appearing at the end of the subject, it likely would often not be seen.

-Scott
Re: [Declude.JunkMail] Subject Action
It would be useful with SpamReview...perhaps by truncating the subject at N characters and appending the SUBJECT message after that. If we get our hands on Tom's code, or write a spam review utility ourselves, we'll probably have separate grid columns for some of the common header additions, like spam weight, and leave the subject alone. Then we can sort by either spam weight or subject at whim. Darin.
Re: [Declude.JunkMail] Subject Action
We will consider this. The problem, though, is that a lot of subjects are longer than will fit on the line in the mail client -- so with the spam appearing at the end of the subject, it likely would often not be seen.

My current settings in Declude and Spamcheck usually take care of such situations. If they are that long, they've probably tripped off a few other tests and went into my Delete action range. I currently hold at 100 and delete at 250. Of course we're not a high volume ISP. I usually only have 1-3 messages a day that get held by accident. The weight information is mostly for our end users' use. Putting it in the body (header, footer) does no good on HTML messages. Thanks for the consideration.

John Olden - Systems Administrator
Champaign Park District
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
I call them false positives, big whoop. I think people know what you mean :) Whatever you do though, don't mention women and spam in the same sentence!!! Matt
Re: [Declude.JunkMail] Scaling Up The Declude Weighting System
Guess we can't sing Monty Python songs then, can we? Darin.
RE: [Declude.JunkMail] Scaling Up The Declude Weighting System
I think it's not possible to calculate the weight of an individual test strictly from its catch/failure rate. On http://www.zcom.it/spamtest/ you can see what we generate from our daily logfiles. In my opinion it's not enough to count wrong or right results. Theoretically there are 5 possible results for every individual test:

- correct result for a spam message: For example SPAMCOP has a positive result for a spam message
- wrong result for a spam message: For example NOLEGITCONTENT has a positive result (and so will subtract points) for a spam message
- correct result for a legit message: For example AUTOWHITE has a positive result (and so will subtract points) for a legit message
- wrong result for a legit message: For example REVDNS has a positive result for a legit message
- no result: For example no line in a FILTER file matches with something in the legit or spam message

Practically most spam tests have only 3 possible results because they count "only" either as a positive or as a negative test. For example SPAMCOP can't fail on a spam message because its result is a "positive weight" or "no weight" (unless you decide to assign a negative weight if spamcop hasn't a positive result = not considered). Another test like NOLEGITCONTENT will only subtract points or, if NO-LEGIT-CONTENT was found, return zero as result. Some tests like SPAMCHK can have a positive/negative weight or zero as result and so it can have all 5 results mentioned above.

On the report (link above) you can see these 5 possible results both in absolute numbers or as relative values in the diagram: dark green, dark red, light green, light red, grey. The more green you can see, the better a test is. The red bars indicate that this test has counted in the opposite direction as the final weight. (You can move the mouse pointer above the bar to show the percentage.)

If a certain test has no false positives over several days, weeks or months you can increase its weight near to your hold weight or also above. But these tests are very rare. Good tests have a good detection rate, and very few false positives, for example SPAMCOP.

My scripts, applications and the database for all this research are a work in progress and I have a lot of ideas to implement. For example I've added a report to view mail-from, -to and subject for every message where a certain test has had the wrong result. So I can see whether this test failing has some effect or can be ignored. The report above shows the result for one business day. But I can also create average values for several days or weeks. The next thing I plan is to create a diagram containing the daily results for one single test. So I can see if the quality of this test changes over time (goes up, down, ...) and so the weight should be adapted.

Unfortunately I can't code this into a redistributable application. My VBScripts are not very fast (would be much faster without error checking for corrupt logfile lines) and parsing through 10 MB logfiles, analyzing the individual results, saving them into a database (MS-SQL Server) and creating all necessary conjunctions takes several minutes with high CPU usage. I'm sure a good programmer and compiler can code this in a small and fast application. But at the moment I see this as research on what's worth analyzing and searching for.

Finally some comments to previous posts:

37% is way too much. Even if the remaining 63% (not 73% Scott :-) are correct results. Remove this test! Some "old" tests like REVDNS or HELOBOGUS seem to have an unexpectedly high rate of wrong results. I've decreased their weight since I've discovered this.

Regarding the terminology of false positives: I agree with Dan, that a single test can't create a false positive (unless its own weight is greater than the HOLD weight). So a test failing in its result should be interpreted as "wrong result". The "False positive" is a legit message in your spamfolder. The "False negative" is a spam message in your mailbox.
Hope my "english" is not too terrible ;-) Markus
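The five-outcome bookkeeping described in the post above, as an added Python example that is not Markus's VBScript or any Declude code: each test's contribution is judged against the direction of the message's final weight. The message records, their weights, the hold weight of 100 and the in-memory record layout are constructed assumptions, not Declude's log format.

```python
from collections import Counter

HOLD_WEIGHT = 100  # assumption: the scaled-up hold weight used in the thread

# Constructed sample, NOT Declude's log format: one dict per message mapping
# each test that fired to the weight it contributed (negative = counted as
# legit). The trailing comment is the message's final weight.
MESSAGES = [
    {"SPAMCOP": 70, "HELOBOGUS": 40, "REVDNS": 30},                         # 140
    {"SPAMCOP": 70, "HELOBOGUS": 40, "REVDNS": 30, "NOLEGITCONTENT": -30},  # 110
    {"AUTOWHITE": -50, "REVDNS": 30},                                       # -20
    {"HELOBOGUS": 40},                                                      # 40
    {"SPAMCOP": 70, "SPAMCHK": 35},                                         # 105
    {"SPAMCHK": -20, "HELOBOGUS": 40},                                      # 20
    {},                                                                     # 0
]


def classify(weight, final_is_spam):
    """Map one test's contribution to one of the five outcomes."""
    if weight == 0:
        return "no_result"
    counted_as_spam = weight > 0
    if final_is_spam:
        return "correct_spam" if counted_as_spam else "wrong_spam"
    return "wrong_legit" if counted_as_spam else "correct_legit"


def tally(messages, hold_weight=HOLD_WEIGHT):
    """Count the five outcomes per test, judged against the final weight."""
    tests = sorted({name for msg in messages for name in msg})
    counts = {name: Counter() for name in tests}
    for msg in messages:
        final_is_spam = sum(msg.values()) >= hold_weight
        for name in tests:
            counts[name][classify(msg.get(name, 0), final_is_spam)] += 1
    return counts


def wrong_rate(counter):
    """Share of a test's non-zero results that opposed the final verdict."""
    fired = sum(counter.values()) - counter["no_result"]
    wrong = counter["wrong_spam"] + counter["wrong_legit"]
    return wrong / fired if fired else 0.0


def wrong_result_messages(messages, test, hold_weight=HOLD_WEIGHT):
    """Indexes of messages where `test` counted against the final verdict:
    the list to review by hand before changing that test's weight."""
    hits = []
    for index, msg in enumerate(messages):
        outcome = classify(msg.get(test, 0), sum(msg.values()) >= hold_weight)
        if outcome.startswith("wrong"):
            hits.append(index)
    return hits


def holds_alone(messages, hold_weight=HOLD_WEIGHT):
    """Tests whose single contribution reaches the hold weight by itself,
    the one case where a lone test can produce a false positive."""
    return sorted({name for msg in messages
                   for name, weight in msg.items() if weight >= hold_weight})


if __name__ == "__main__":
    for name, counter in tally(MESSAGES).items():
        print(f"{name:15} {dict(counter)} wrong={wrong_rate(counter):.0%}")
    print("HELOBOGUS wrong on messages:",
          wrong_result_messages(MESSAGES, "HELOBOGUS"))
    print("tests that can hold alone:", holds_alone(MESSAGES))
```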
RE: [Declude.JunkMail] Scaling Up The Declude Weighting System
This is the weighting that I use:

Hold Weight = 10
Delete Weight = 20

9: SNIFFER2
8: BADHEADERS
7: BLITZEDALL SBL SPAMCOP COMMENTS
6: SPAM-DOMAINS AHBL DSBL
5: ORDB SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-SMTP SORBS-SPAM SORBS-WEB SORBS-ZOMBIE SORBS-DUHL
4: MAILFROM CBL BASE64 REVDNS ROUTING SPFFAIL
3: DSN HOUR (12AM - 6AM) SPAMHEADERS
2: NOABUSE NOPOSTMASTER
-5: BONDEDSENDER SPFPASS

For filters, I normally will use a 9 unless it is a new one that I am testing. I end up with a hold percentage of about 93% and a delete of about 89%.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, April 20, 2004 9:48 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Scaling Up The Declude Weighting System

Hello, All,

Over the year or so that I've been reading the discussions on this list it seems I've read quite a bit about people scaling their weights up, i.e. instead of having a HOLD weight of 10, you might have a HOLD weight of 100 and then you adjust the corresponding test weights accordingly. Assuming that what I've read is correct, for those who use this scaled up system... What sort of benefit is it that you feel that you receive from doing this? Does it allow a more granular tuning of your weighting system? Are there any other benefits I'm not thinking of? Does having a hold weight of 100, for example, help you think more clearly about each test being a percentage of the overall HOLD weight?

I'm doing a major overhaul of Declude JunkMail configuration and I figured if a scaled up weight system is the best way to do things then I might want to implement that now.

Thanks In Advance For Your Comments!
Dan Geiser [EMAIL PROTECTED]
RE: [Declude.JunkMail] Minimum weight of a filter
No -- that determines a weight at which filter processing will stop. But it sounds like you want the filter to only return a weight if multiple lines match. That would be great. When can we expect it??? :')
RE: [Declude.JunkMail] Hijack Logs
Hi, Thanks for the response. I was able to take a quick look at the Imail logs today and I have an R for the message received but that is where it stops, I never receive the D for delivery. I do not have hold1 or hold2 Directories, I am assuming these are auto created and deleted, if not then it is safe to say it is not working properly. Today was very busy so I did not get much time to look at it. The answer to your question is they are outbound. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lyndon Eaton Sent: Thursday, April 22, 2004 8:48 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Hijack Logs Could you clarify one thing for me: The emails that are not being delivered to the recipients - are they inbound or outbound? IE is your client the recipient your is your client the sender? -Original Message- From: Jeffrey M Donley [mailto:[EMAIL PROTECTED] Sent: 22 April 2004 13:33 To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Hijack Logs Hi, I am new to the declude world and inherited a network that utilizes all 3 of the declude solutions. I am using Imail 7.5 and declude 1.75. I have received several complaints from customers stating that email has not arrived to certain recipients. When researching this I found that the recipients are listed in the hijack log. Here is a snippet of the log. I have looked and can not find clarification on what is going on, any help would be appreciated. 04/22/2004 00:01:01 Q437c088e00f224cb [EMAIL PROTECTED] is not local. jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. 
Email checked by UKsubnet anti-virus service To prevent email abuse block spam contact [EMAIL PROTECTED] Tel: +44(0)8712360301 Web: www.uksubnet.net Fax: +44(0)8712360300 Powered by UKsubnet Internet Service Provider Business to Business Internet (ISP)
[Declude.JunkMail] bug with subject filter
Regarding the bug with subject filter that Matt reported Thursday with his gibberishsub filter. I too have noticed some oddities with the Gibberishsub filter results. Matt said it was happening at the end of the subject. I believe it may also be happening at the beginning of the subject. Also some subjects appear to wrap.
Triggered CONTAINS filter GIBBERISHSUB on xr [weight-3; xRe: Optaflexx]. Subject was: Re: Optaflexx
Triggered CONTAINS filter GIBBERISHSUB on tq [weight-3; tQ2 pay report]. Subject was: Q2 pay report
Here's an odd one that appears to wrap?
Triggered CONTAINS filter MP-GIBBERISHSUB on xd [weight-3; xdTvPut on a few inches and im]. Subject was: Put on a few inches and impress the ladies! YOBpxdTv
Triggered CONTAINS filter GIBBERISHSUB on xr [weight-3; xrvg Slash your de-bt by up to]. Subject was: rvg Slash your de-bt by up to 60% kdx
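The four log lines quoted in the post above can be checked mechanically. This added example (not part of the original post and not Declude's code) parses them with a regex inferred only from those four lines and reports, for each, whether the matched token occurs in the logged subject and whether the extra leading characters in the bracketed text equal the end of the subject; all function names are hypothetical.

```python
import re

# Sample input: the four log lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
Triggered CONTAINS filter GIBBERISHSUB on xr [weight-3; xRe: Optaflexx]. Subject was: Re: Optaflexx
Triggered CONTAINS filter GIBBERISHSUB on tq [weight-3; tQ2 pay report]. Subject was: Q2 pay report
Triggered CONTAINS filter MP-GIBBERISHSUB on xd [weight-3; xdTvPut on a few inches and im]. Subject was: Put on a few inches and impress the ladies! YOBpxdTv
Triggered CONTAINS filter GIBBERISHSUB on xr [weight-3; xrvg Slash your de-bt by up to]. Subject was: rvg Slash your de-bt by up to 60% kdx
"""

# Assumption: the entry layout is exactly what the quoted lines show.
LINE_RE = re.compile(
    r"Triggered CONTAINS filter (?P<name>\S+) on (?P<token>\S+) "
    r"\[(?P<weight>[^;]*); (?P<buf>.*?)\]\. Subject was: (?P<subject>.*)$"
)

def stray_prefix(buf, subject):
    """Shortest leading part of buf after which the rest is a prefix of subject."""
    for k in range(len(buf)):
        if subject.startswith(buf[k:]):
            return buf[:k]
    return None  # bracketed text is unrelated to the subject

def analyse(line):
    """Compare the matched token and bracketed text against the real subject."""
    m = LINE_RE.search(line)
    if not m:
        return None
    subject = m["subject"].rstrip()
    stray = stray_prefix(m["buf"], subject)
    return {
        "filter": m["name"],
        "token": m["token"],
        # A CONTAINS match should be findable in the subject itself.
        "token_in_subject": m["token"].lower() in subject.lower(),
        "stray": stray,
        # True when the stray leading characters are the subject's last characters.
        "stray_is_subject_tail": bool(stray) and subject.endswith(stray),
    }

def report(log_text):
    """Analyse every parseable entry in a block of log text."""
    return [r for r in map(analyse, log_text.splitlines()) if r]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

On these four lines the matched token is absent from three of the subjects, and in every case the stray leading characters equal the subject's final characters, which is consistent with the "wrap" the poster describes.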
RE: [Declude.JunkMail] Minimum weight of a filter
Scott, I am working on trapping more Nigerian Scams. What would you do in a filter? Search the body for phrases that are found in these types of e-mails? Goran
RE: [Declude.JunkMail] Nameserver issues and Spam fighting
Scott, The easy answer to this is to use your own DNS servers -- if you do (and they are decent DNS servers; BIND is preferred), you won't be subject to the restrictions of ATT, Sprint, and others that block spam database lookups. Since we are running IMail (ie Windows) what is the performance of the Windows DNS service? I know that it works but how good/fast is it? If you are going to run a Windows DNS server would you recommend running it on the IMail box or on another one? Goran
Re: [Declude.JunkMail] Minimum weight of a filter
Nigeria filtering Have a look at the spam assassin files. They have a very good Nigerian spam filter so you should be able to find the search strings in there. Search for Nigerian and you will find it in these files: 20_head_tests.cf 20_meta_tests.cf 20_phrases.cf 50_scores.cf Good Luck Cheers Adrian ----- Original Message ----- From: Goran Jovanovic [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 23, 2004 1:45 PM Subject: RE: [Declude.JunkMail] Minimum weight of a filter Scott, I am working on trapping more Nigerian Scams. What would you do in a filter? Search the body for phrases that are found in these types of e-mails? Goran