[Declude.JunkMail] Feature Idea?
I'm not sure of my terminology here. The MAILFROM tests the e-mail address referred to as the Declude Mailfrom. There is also a displayed mailfrom that is displayed in the e-mail client and can be quite misleading. It would be interesting to have a variable to check the displayed mailfrom. I am thinking of something like this to punish ebay phishs: DISPLAYMAILFROMENDNOTCONTAINSEBAY.COM MAILFROM END CONTAINSEBAY.COM MAILFROM10 NOTCONTAINS EBAY.COM Scott Fisher Director of IT Farm Progress Companies --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New filter test idea using DNS timeout.
My idea is to punish those people that have a reverse dns timeout. To help counter a case where I have a DNS problem, I'll only perform this when a major RBL test fails. Why? Under normal conditions the reverse dns shouldn't timeout, and that timeout negates the spamdomains tests. Opinions? Is it a bad idea? Reverse-timeout.txt: REVDNS 3 CONTAINSTimeout Combo-revdns-timeout.txt TESTSFAILED END NOTCONTAINS REVDNS-TIMEOUT MAXWEIGHT 12 TESTSFAILED 12 CONTAINSDSBL-DYNA TESTSFAILED 12 CONTAINSMAILPOLICE-COMBO TESTSFAILED 12 CONTAINSSPAMHAUS-SBL TESTSFAILED 12 CONTAINSSPAMCOP-DYNA TESTSFAILED 12 CONTAINSNJABL-SOURCES TESTSFAILED 12 CONTAINSAHBL-SOURCES TESTSFAILED 12 CONTAINSAHBL-DOMAINS Scott Fisher Director of IT Farm Progress Companies --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Example of WHITELIST in a Filter?
I've been playing with the WHITELIST in a filter option, mostly to create a filter for whitelisting mailing lists people subscribe to. Ever since my Whitelist had to move out of Gloabl.cfg due to size (whitelisted employee home email addresses...) I've been looking at moving the few whitelist commands in my global.cfg to a filter for easier maintenance. So... If I create a filter called MailingLists.txt with lines like: SUBJECT WHITELIST CONTAINS [Declude.JunkMail] SUBJECT WHITELIST CONTAINS SecurityWatch SUBJECT WHITELIST CONTAINS Koala Bear News And so on, these will be whitelisted when the filter runs and bypass all JunkMail filtering, correct? Or are these simply bypassing that specific filter? (Which in itself would be helpful on occasion...) Thanks, Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Example of WHITELIST in a Filter?
WHITELIST will whitelist the mail and bypass all junkmail processing. To bypass the specific filter use an END SUBJECT END CONTAINS [Declude.JunkMail] Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 06/01/04 09:51AM I've been playing with the WHITELIST in a filter option, mostly to create a filter for whitelisting mailing lists people subscribe to. Ever since my Whitelist had to move out of Gloabl.cfg due to size (whitelisted employee home email addresses...) I've been looking at moving the few whitelist commands in my global.cfg to a filter for easier maintenance. So... If I create a filter called MailingLists.txt with lines like: SUBJECT WHITELIST CONTAINS [Declude.JunkMail] SUBJECT WHITELIST CONTAINS SecurityWatch SUBJECT WHITELIST CONTAINS Koala Bear News And so on, these will be whitelisted when the filter runs and bypass all JunkMail filtering, correct? Or are these simply bypassing that specific filter? (Which in itself would be helpful on occasion...) Thanks, Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude version 1.79 and Delog
I noticed after I upgraded to Declude 1.79, Delog 1.08b is no longer able to calculate the number of failed messages from the declude log files. It returns that 0 failed. Apparently the log files for declude have changed with this new version. Does anybody know if there is a newer version of Delog or another program that can analyze the declude log files? Thanks --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Example of WHITELIST in a Filter?
WHITELIST will whitelist the mail and bypass all junkmail processing. To bypass the specific filter use an END SUBJECT END CONTAINS [Declude.JunkMail] That's what I thought, thanks for confirming it. :) Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Way off topic
Sorry to be a bother but I need to find someone who has successfully harvested the passwords from Post.office so we can migrate to a newer MTA. Currently we are running Declude and Imail on another server in front of our real MTA. Thanks, Doug McKee --- [South Texas Internet scanned this E-mail for viruses using Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude version 1.79 and Delog
Hi, Does anybody know if there is a newer version of Delog or another program that can analyze the declude log files? I use DLAnalyzer (www.DLAnalyzer.com) with great success. Here a few snippets from reports that I schedule daily: Last Action Report Using Action: DELETE, HOLD, BOUNCEONLYIFYOUMUST Total Messages: 10,253 Matched Last Action: 7,116 Percentage: 69.40% Average Message Weight: 24.00 TEST # FAILED Percentage IPNOTINMX...7,035...68.61% NOLEGITCONTENT..6,734...65.68% SNIFFER.6,051...59.02% SPAMCOP.5,185...50.57% SORBS...4,610...44.96% XBL-DYNA4,322...42.15% DSBLSINGLE..3,653...35.63% NJABLDYNA...3,147...30.69% AHBL1,875...18.29% HELOBOGUS...1,752...17.09% REVDNS..1,745...17.02% SPAMROUTING.1,528...14.90% NJABLPROXIES1,294...12.62% SPAMHEADERS.1,251...12.20% SBL.1,159...11.30% BADHEADERS..1,066...10.40% ... Etc ... (you can sort by name as well) IP Summary Report TEST # MESSAGES Percentage 69.59.140.113..540.55% 69.59.140.120..420.43% 64.119.137.13..350.36% 213.91.6.11340.35% 127.0.0.1..320.33% 209.182.0.195..310.32% ... Etc ... And - here my favorite report (that I send daily to my larger customers). It itemizes any reports that we HOLD,DELETE,BOUNCE - so that they know which mails they NEVER even saw in their inboxes (sorry for the wrap-around): Advanced Report 5/31/2004 12:01:13 AM Subject ..: Hi George. it's something increadible... gayer minimizing Qae02200501285d38 From .: [EMAIL PROTECTED] 1 Recipient(s): [EMAIL PROTECTED] 13 Test(s) ...: BYPASS19, NJABL, NJABLDUL, NJABLDYNA, SORBS, SORBS-DUHL, XBL-DYNA, HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, SNIFFER, DYNAMIC-IP, WEIGHTKILL 5/31/2004 12:01:31 AM Subject ..: Get all meds over night - no prescription needed Qae10200801289187 From .: [EMAIL PROTECTED] 4 Recipient(s): [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] 12 Test(s) ...: BYPASS19, BYPASS14, SPAMCOP, NJABLDYNA, XBL-DYNA, IPNOTINMX, SPAMROUTING, NOLEGITCONTENT, BCC4, SNIFFER, SPAMDOMAINS, WEIGHTKILL 5/31/2004 12:01:32 AM Subject ..: Visit me Qae13126c014a9cd2 From .: [EMAIL PROTECTED] 1 Recipient(s): [EMAIL PROTECTED] 13 Test(s) ...: BYPASS19, DSBLSINGLE, SPAMCOP, NJABLDYNA, SORBS, SORBS-DUHL, XBL-DYNA, BASE64, IPNOTINMX, NOLEGITCONTENT, SNIFFER, SPAMDOMAINS, WEIGHTKILL 5/31/2004 12:01:53 AM Subject ..: Don't miss these great products Qae2c200901280168 From .: [EMAIL PROTECTED] 1 Recipient(s): [EMAIL PROTECTED] 12 Test(s) ...: BYPASS19, DSBLSINGLE, SPAMCOP, SORBS, XBL-DYNA, HELOBOGUS, IPNOTINMX, REVDNS, SPAMROUTING, NOLEGITCONTENT, SNIFFER, WEIGHTKILL ... Etc ... Number of Unique Messages Blocked: 1376 Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karl Hentschel Sent: Tuesday, June 01, 2004 11:35 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude version 1.79 and Delog I noticed after I upgraded to Declude 1.79, Delog 1.08b is no longer able to calculate the number of failed messages from the declude log files. It returns that 0 failed. Apparently the log files for declude have changed with this new version. Does anybody know if there is a newer version of Delog or another program that can analyze the declude log files? Thanks --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude version 1.79 and Delog
Scott, I've noticed the logging problem as well and I do have LOGLEVEL MID in my global.cfg. That doesn't resolve the issue. Aaron On Jun 1, 2004, at 9:01 AM, R. Scott Perry wrote: I noticed after I upgraded to Declude 1.79, Delog 1.08b is no longer able to calculate the number of failed messages from the declude log files. It returns that 0 failed. Apparently the log files for declude have changed with this new version. Does anybody know if there is a newer version of Delog or another program that can analyze the declude log files? Thanks I believe this is due to the recent change in the log file format. If you change the LOGLEVEL LOW line in your \IMail\Declude\global.cfg file to LOGLEVEL MID, I believe it will start working again. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude version 1.79 and Delog
I've noticed the logging problem as well and I do have LOGLEVEL MID in my global.cfg. That doesn't resolve the issue. Do you have the Msg failed lines in your log file? If not, then you should go to LOGLEVEL HIGH. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude version 1.79 and Delog
Scott, Did the Msg Failed line under LOGLEVEL MID to report the individual line numbers that it failed in a filter test get moved to HIGH? Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, June 01, 2004 12:50 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude version 1.79 and Delog I've noticed the logging problem as well and I do have LOGLEVEL MID in my global.cfg. That doesn't resolve the issue. Do you have the Msg failed lines in your log file? If not, then you should go to LOGLEVEL HIGH. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude version 1.79 and Delog
Scott, Thanks, we have been running along with MID since the beginning, all along, upgrading the interim releases. We just this week needed to know which line it failed on in one of our filter files. This is what we get now in our log. I will up to HIGH this week. Thanks, Qff4f4d2301429a89 BADHEADERS:8 SPAMHEADERS:8 FILTER-SUBJECT:9 FILTER-BODYURL:20 . Total weight = 45. 06/01/2004 00:00:24 Qff4f4d2301429a89 Subject: Indebted to your creditors? We can help 06/01/2004 00:00:24 Qff4f4d2301429a89 From: [EMAIL PROTECTED] To: XXX IP: 206.173.149.243 ID: 06/01/2004 00:00:24 Qff4f4d2301429a89 Tests failed [weight=45]: BADHEADERS=WARN IPNOTINMX=IGNORE SPAMHEADERS=WARN SNIFFER-NOTFND=IGNORE WEIGHT10=WARN WEIGHT20=SUBJECT FILTER-SUBJECT=IGNORE FILTER-BODYURL=IGNORE Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, June 01, 2004 1:16 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Declude version 1.79 and Delog Did the Msg Failed line under LOGLEVEL MID to report the individual line numbers that it failed in a filter test get moved to HIGH? With v1.78 and earlier, the Msg failed lines were at LOGLEVEL LOW. With v1.79 and later, they are at LOGLEVEL HIGH. I believe that the Msg failed lines for filter tests have always included the line number that triggered the filter. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude version 1.79 and Delog
Thanks, we have been running along with MID since the beginning, all along, upgrading the interim releases. We just this week needed to know which line it failed on in one of our filter files. This is what we get now in our log. I will up to HIGH this week. Thanks, Qff4f4d2301429a89 BADHEADERS:8 SPAMHEADERS:8 FILTER-SUBJECT:9 FILTER-BODYURL:20 . Total weight = 45. 06/01/2004 00:00:24 Qff4f4d2301429a89 Subject: Indebted to your creditors? We can help 06/01/2004 00:00:24 Qff4f4d2301429a89 From: [EMAIL PROTECTED] To: XXX IP: 206.173.149.243 ID: 06/01/2004 00:00:24 Qff4f4d2301429a89 Tests failed [weight=45]: BADHEADERS=WARN IPNOTINMX=IGNORE SPAMHEADERS=WARN SNIFFER-NOTFND=IGNORE WEIGHT10=WARN WEIGHT20=SUBJECT FILTER-SUBJECT=IGNORE FILTER-BODYURL=IGNORE The Msg failed lines at LOGLEVEL HIGH include the line in the filter that failed. So when you move to LOGLEVEL HIGH, it will have the information you desire. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude version 1.79 and Delog
Scott, Changing to Loglevel High seems to have added the Msg Failed lines to the log. I run delog at the end of the day and see what the results are, but I'm pretty sure it works now. Thanks, Aaron On Jun 1, 2004, at 10:16 AM, R. Scott Perry wrote: Did the Msg Failed line under LOGLEVEL MID to report the individual line numbers that it failed in a filter test get moved to HIGH? With v1.78 and earlier, the Msg failed lines were at LOGLEVEL LOW. With v1.79 and later, they are at LOGLEVEL HIGH. I believe that the Msg failed lines for filter tests have always included the line number that triggered the filter. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Message Confirmation Feature
Title: Message
Hi,
Since
this doesn't appear to ever be offered as part of Declude, I took half an hour
and threw a few lines of code together.
If you
have a small subset of messages that you hold but for which you are worried
about occasional false positives being held, then you can use the HOLD and the
ALERT actions to send out a notification to the apparent
sender.
In
theyour alert.eml template,you can offer a link
to:
http://yourmail.yourdomain.com/ReQ.asp?Q=%QUEUENAME%
which
will release the held email for delivery.
Here's
the necessary ASP code for "Req.asp", which you need to run on an IIS server
with write access to your Imail Spool and Declude "hold" folders. (Use
at your own risk and towhatever extent you like. No
warranties!)
Server.ScriptTimeout =
10;Response.Buffer = true;Response.CacheControl =
"Private";Response.Expires = -1;
//
//
Global Variables//
var strSpoolPath =
"C:\\IMail\\Spool\\";var strHoldPath = strSpoolPath +
"Spam\\";
var qQueueID = '';var reQueueID =
/^D\w+\.\w{3}$/i;
//
//
Get Queue ID from QueryString //Qualify valid spool file name
format//
if ( Request.QueryString("Q").Count 0
){qQueueID = ( new String(
Request.QueryString("Q") ) ).valueOf();}
if ( !reQueueID.test( qQueueID ) )
{// Format is not
"Dx.xxx"Response.Write( "Error: The string '" + escape(
qQueueID ) + "' is not in the expected Queue ID format.br\n" );
Response.End();}
var strQueueID_Hdr = "Q" + qQueueID.substr( 1
);
//
//
Move Message File Back to Queue//
var objFS = new
ActiveXObject("Scripting.FileSystemObject");
var strSource1 = strHoldPath +
qQueueID;var strTarget1 = strSpoolPath + qQueueID;
var strSource2 = strHoldPath +
strQueueID_Hdr;var strTarget2 = strSpoolPath +
strQueueID_Hdr;
// validate status of source and target
filesif ( !objFS.FileExists( strSource1 )
){Response.Write( "Error: Message data file not
found!br\n"
)Response.End();}else if (
!objFS.FileExists( strSource2 )
){Response.Write( "Error: Message header file
not found!br\n"
)Response.End();}else if (
objFS.FileExists( strTarget1 ) ){Response.Write(
"Error: Message data file already exists in queue!br\n"
)Response.End();}else if (
objFS.FileExists( strTarget2 ) ){Response.Write(
"Error: Message header file already exists in queue!br\n"
)Response.End();}
// move and rename
filetry{ objFS.MoveFile( strSource1,
strSpoolPath );objFS.MoveFile( strSource2, strSpoolPath
);Response.Write( "Success: Message ID '" + qQueueID + "' has
been re-queued for delivery.br\n" );}catch(e)
{Response.Write( "Error during moving file: " +
e + "br\n" + ( e.number 0x ) + ", " + e.description +
"br\n" );}
objFS = null;
Best
RegardsAndy SchmidtHM Systems Software, Inc.600 East Crescent
Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206http://www.HM-Software.com/
[Declude.JunkMail] ALERT then HOLD?
Title: Message
Hi
Scott:
I set up two tests
(same test, different names) that cause an ALERT and a HOLD
action.
After testing a bit,
I get the feeling as if the ALERT is not working (see enclosed debug
log)
Is there some rule
of thumb or chart, which actions are mutually exclusive?
06/01/2004
17:20:25.966 Qf3142d4c01321d40 Processed 60 lines in
LoadActions(44eb90,1,[EMAIL PROTECTED]).06/01/2004
17:20:25.966 Qf3142d4c01321d40 Used SWITCHRECIP ON06/01/2004 17:20:25.966
Qf3142d4c01321d40
..X..X..X...XX...XX..06/01/2004
17:20:25.966 Qf3142d4c01321d40 Test #34 [SBL weight=7] triggered; action = 0
["http://www.spamhaus.org/SBL/sbl.lasso?query=SBL13499"]06/01/2004
17:20:25 Qf3142d4c01321d40 Msg failed SBL ("http://www.spamhaus.org/SBL/sbl.lasso?query=SBL13499").
Action="">06/01/2004 17:20:25.966 Qf3142d4c01321d40 Action 0: SV=30
AV=1006/01/2004 17:20:25.966 Qf3142d4c01321d40 Test #49 [BADHEADERS
weight=5] triggered; action = 7 [This E-mail was sent from a broken mail client
[8004000e].]06/01/2004 17:20:25 Qf3142d4c01321d40 Msg failed BADHEADERS
(This E-mail was sent from a broken mail client [8004000e].).
Action="">06/01/2004 17:20:25.966 Qf3142d4c01321d40 X-Declude-Note:
%WARNING% See: http://www.declude.com/tools/header.php?code=%HEADERCODE%06/01/2004
17:20:25.982 Qf3142d4c01321d40 X-Declude-Note: This E-mail was sent from a
broken mail client [8004000e]. See: http://www.declude.com/tools/header.php?code=8004000e06/01/2004
17:20:25.982 Qf3142d4c01321d40 Test #52 [IPNOTINMX weight=0] triggered; action =
0 []06/01/2004 17:20:25.982 Qf3142d4c01321d40 Action 0: SV=30
AV=1006/01/2004 17:20:25.982 Qf3142d4c01321d40 Test #56 [NOLEGITCONTENT
weight=0] triggered; action = 0 [No content unique to legitimate E-mail
detected.]06/01/2004 17:20:25.982 Qf3142d4c01321d40 Action 0: SV=30
AV=1006/01/2004 17:20:25.982 Qf3142d4c01321d40 Test #61 [SNIFFER weight=4]
triggered; action = 1 [Message failed SNIFFER: 50.]06/01/2004 17:20:25
Qf3142d4c01321d40 Msg failed SNIFFER (Message failed SNIFFER: 50.).
Action="">06/01/2004 17:20:25.982 Qf3142d4c01321d40 Action 1: SV=30
AV=1006/01/2004 17:20:25.982 Qf3142d4c01321d40 Test #77 [WEIGHT10 weight=10]
triggered; action = "" [Total weight between 10 and 19.]06/01/2004 17:20:25
Qf3142d4c01321d40 Msg failed WEIGHT10 (Total weight between 10 and 19.). Action="">.06/01/2004 17:20:25.982
Qf3142d4c01321d40 Action 14: SV=30 AV=1006/01/2004 17:20:25.982
Qf3142d4c01321d40 Test #78 [WEIGHTHOLD weight=10] triggered; action = "" [Total
weight between 10 and 19.]06/01/2004 17:20:25 Qf3142d4c01321d40 Msg failed
WEIGHTHOLD (Total weight between 10 and 19.). Action="">.06/01/2004 17:20:25.982
Qf3142d4c01321d40 Action 17: SV=30 AV=1006/01/2004 17:20:25
Qf3142d4c01321d40 Subject: Act Now to Get 12 CDs For The Price Of 1 with
membership06/01/2004 17:20:25 Qf3142d4c01321d40 From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
IP: 64.124.170.151 ID: 06/01/2004 17:20:25 Qf3142d4c01321d40 Tests failed
[weight=16]: SBL=IGNORE BADHEADERS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE
SNIFFER=LOG WEIGHT10=ALERT WEIGHTHOLD=HOLD 06/01/2004 17:20:25.982 Qf3142d4c01321d40 Done
Looping06/01/2004 17:20:25.982 Qf3142d4c01321d40 AlterRecip( 5, (null),
(null));06/01/2004 17:20:25.982 Qf3142d4c01321d40 AlterRecip: Saving
queuefile06/01/2004 17:20:25 Qf3142d4c01321d40 Last action =
"">06/01/2004 17:20:25.982 Qf3142d4c01321d40 X-Declude: Version 1.79i6;
Df3142d4c01321d40.SMD from mail4.dtmail.net [64.124.170.151]
X-Declude: Triggered
SBL, BADHEADERS, SNIFFER, WEIGHTHOLD [16]
X-Countries: UNITED
STATES-destination
Return-Path: [EMAIL PROTECTED]
06/01/2004
17:20:25.982 Qf3142d4c01321d40 AlterMessage06/01/2004 17:20:25.998
Qf3142d4c01321d40 Set process priority back to 32.06/01/2004 17:20:25.998
Qf3142d4c01321d40 Adding warning06/01/2004
17:20:25.998 Qf3142d4c01321d40 Last Action="">.06/01/2004
17:20:25.998 Qf3142d4c01321d40 Unlocked
D:\IMAIL\spool\Qf3142d4c01321d40.SMD.06/01/2004
17:20:25.998 Qf3142d4c01321d40 Moving file to spam hold
directory06/01/2004 17:20:26.013 Qf3142d4c01321d40 Total
Time: 265ms [4718ms elapsed minus DNS]
Best
RegardsAndy SchmidtHM Systems Software, Inc.600 East Crescent
Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20
(Business)Fax: +1 201 934-9206http://www.HM-Software.com/
RE: [Declude.JunkMail] COPYTO combined with DELETE/HOLD/BOUNCE
Title: Message Hi Scott: I think the the issue of "mutually exclusive" actions may not be obvious to a user (after reading the manual). I did some more experimenting using the COPYTO action. My logic was - if I use a "copy" to another user, this reallyshouldn't effect how the "primary" recipient's mail is acted on. From my tests it seems as if DELETE/HOLD/BOUNCE basically are "killer" actions that cannot be combined with ANY other action (other than "LOG/IGNORE")? I have the need to DELETE/HOLD/BOUNCE the "original" message - while (depending on test combinations) also route the mail to a special mailbox for inspection. Best RegardsAndy SchmidtHM Systems Software, Inc.600 East Crescent Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206http://www.HM-Software.com/
RE: [Declude.JunkMail] COPYTO combined with DELETE/HOLD/BOUNCE
My logic was - if I use a copy to another user, this really shouldn't effect how the primary recipient's mail is acted on. From my tests it seems as if DELETE/HOLD/BOUNCE basically are killer actions that cannot be combined with ANY other action (other than LOG/IGNORE)? I have the need to DELETE/HOLD/BOUNCE the original message - while (depending on test combinations) also route the mail to a special mailbox for inspection. Actually, I believe the COPYTO action should be safe to use with other actions. The problem, though, is that if combined with the DELETE action the E-mail is deleted (so the extra recipient won't get the E-mail), if the HOLD action is used, the E-mail will be held (also preventing the extra recipient from seeing it), and with BOUNCE the E-mail is not delivered to the recipient (so the extra recipient won't see it either). It sounds like you are looking to split a single E-mail into two, and have different actions taken on each one (something we are considering, but likely will not happen soon). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] ALERT then HOLD?
I set up two tests (same test, different names) that cause an ALERT and a HOLD action. The problem here is that the ALERT action is designed specifically to deliver the E-mail, and the HOLD action is designed specifically to block it. Since both can't be used together, the HOLD action is used (since it is the stricter of the two actions, per the order they are listed in the manual). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] ALERT then HOLD?
Hi Scott: The problem here is that the ALERT action is designed specifically to deliver the E-mail, and the HOLD action is designed specifically to block it. I get it. I guess my suggestion would be to make a distinction between: - final message disposition: DELETE / HOLD / PASS - message actions: NONE, COPY, ALERT In that context, today's actions could be viewed as a combination of an action and final disposition: BOUNCE = ALERT+DELETE ROUTE = COPY+DELETE COPYTO = COPY+PASS IGNORE = NONE+PASS etc. That would give us more flexibility in determining what actions to take and what final disposition a message should have. Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, June 01, 2004 06:23 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] ALERT then HOLD? I set up two tests (same test, different names) that cause an ALERT and a HOLD action. The problem here is that the ALERT action is designed specifically to deliver the E-mail, and the HOLD action is designed specifically to block it. Since both can't be used together, the HOLD action is used (since it is the stricter of the two actions, per the order they are listed in the manual). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] COPYTO combined with DELETE/HOLD/BOUNCE
Let me throw in my two cents worth as well. If you are thinking about changing the way you process actions I would like to see the ability to do multiple actions per test. NEWFILTER WARN,COPYTO [EMAIL PROTECTED],HOLD Not sure how you would do this but for me this makes sense. Want the WARN to see that happens in the header Copy it to an administrator type person to see what is happening HOLD it in the queues for releasing or not. This would allow you to test a new filter and monitor it. I also had a crazy request today that a person wanted all the SPAM for the company in question and they would wade through it. Although I suppose that could be done with a WEIGHT10 ROUTETO [EMAIL PROTECTED] in that domain's config. Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, June 01, 2004 6:32 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] COPYTO combined with DELETE/HOLD/BOUNCE My logic was - if I use a copy to another user, this really shouldn't effect how the primary recipient's mail is acted on. From my tests it seems as if DELETE/HOLD/BOUNCE basically are killer actions that cannot be combined with ANY other action (other than LOG/IGNORE)? I have the need to DELETE/HOLD/BOUNCE the original message - while (depending on test combinations) also route the mail to a special mailbox for inspection. Actually, I believe the COPYTO action should be safe to use with other actions. The problem, though, is that if combined with the DELETE action the E-mail is deleted (so the extra recipient won't get the E-mail), if the HOLD action is used, the E-mail will be held (also preventing the extra recipient from seeing it), and with BOUNCE the E-mail is not delivered to the recipient (so the extra recipient won't see it either). It sounds like you are looking to split a single E-mail into two, and have different actions taken on each one (something we are considering, but likely will not happen soon). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude version 1.79 and Delog
But who wants 800MB to 1GB spam log files? The server is so busy doing declude processes there isn't enough time to run a log analyzer on the local machine. It takes to long to transfer the log file to a different machine. Robert - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 01, 2004 1:39 PM Subject: RE: [Declude.JunkMail] Declude version 1.79 and Delog Thanks, we have been running along with MID since the beginning, all along, upgrading the interim releases. We just this week needed to know which line it failed on in one of our filter files. This is what we get now in our log. I will up to HIGH this week. Thanks, Qff4f4d2301429a89 BADHEADERS:8 SPAMHEADERS:8 FILTER-SUBJECT:9 FILTER-BODYURL:20 . Total weight = 45. 06/01/2004 00:00:24 Qff4f4d2301429a89 Subject: Indebted to your creditors? We can help 06/01/2004 00:00:24 Qff4f4d2301429a89 From: [EMAIL PROTECTED] To: XXX IP: 206.173.149.243 ID: 06/01/2004 00:00:24 Qff4f4d2301429a89 Tests failed [weight=45]: BADHEADERS=WARN IPNOTINMX=IGNORE SPAMHEADERS=WARN SNIFFER-NOTFND=IGNORE WEIGHT10=WARN WEIGHT20=SUBJECT FILTER-SUBJECT=IGNORE FILTER-BODYURL=IGNORE The Msg failed lines at LOGLEVEL HIGH include the line in the filter that failed. So when you move to LOGLEVEL HIGH, it will have the information you desire. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude version 1.79 and Delog
But who wants 800MB to 1GB spam log files? The server is so busy doing declude processes there isn't enough time to run a log analyzer on the local machine. It takes to long to transfer the log file to a different machine. Once a week, I zip the previous weeks logs, ftp them to my workstation, and run reports there. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
