RE: SPAM-WARN:Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
Matt, Justa minor point, it doesn't affect your logic. Now according to Michael's tests, the CR-only pattern leads to parsing issues in Declude Virus where it can't even find the attachment to scan it. Actually, it was the "No Cr" (I.E. LF only) test that passed completely undetected. By the way, I agree with you. As I pointed out in my original message, there are several web sites that send legitimate response messages (an Airline comes to mind readily) that fail the test. They are not entirely broken, but some lines are missing the Cr. I think it depends on what section of code they happen to be running through. It is a typical issue of Linux/Unix '\n' programming habit. Michael ThomasMathbox978-683-67181-877-MATHBOX (Toll Free) ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
[Declude.JunkMail] Different issue - Process flow question
Hi All, 1. Is it not true that when properly installed and running, that Declude handles EVERY message that passes through the mail server? 2. There is only one GLOBAL.CFG. 3. Every message processed should attempt to run every external test. (That's why many external tests accept the current weight as a parameter so it can bail out early if the current weight meets or exceeds the external test's set bail out weight) But regardless of whether the external test decides to bail early, it should still get invoked. Isn't that correct? Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Different issue - Process flow question
1. Is it not true that when properly installed and running, that Declude handles EVERY message that passes through the mail server? Every message that (in the case of Imail) SMTPD32 service hands it. 2. There is only one GLOBAL.CFG. Correct. 3. Every message processed should attempt to run every external test. (That's why many external tests accept the current weight as a parameter so it can bail out early if the current weight meets or exceeds the external test's set bail out weight) But regardless of whether the external test decides to bail early, it should still get invoked. Isn't that correct? Correct EXCEPT AND UNLESS you have in the Global.Cfg file PREWHITELIST and set to ON. In that case, further tests are NOT run and processing is completed at that point. John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
Hi Matt: Now according to Michael's tests, the CR-only pattern leads to parsing issues in Declude Virus where it can't even find the attachment to scan it The point I'm trying to make is, that the attachment not discovered problem may not at all be a problem with incorrect linefeeds IN the attachments themselves, but rather simply an error of incorrect linefeeds in the HEADERS. By not detecting the intended end-of-header (and possibly MIME headers), Declude considers the body (and attachments) part of the header until it reaches end-of-message. In other words, they should be able to concentrate on handling single LF or CF characters in the SMTP and MIME headers. Inside the attachments, Unix style LF characters are pefectly fine and valid. The fact that attachments are scanned is just a secondary problem of the underlying header issue. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, October 23, 2006 01:35 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Andy, Declude introduced NONSTANDARDHDR as a vulnerability in 4.2.20. This was their answer to handling the broken spam issue, but it is not an appropriate fix since this throws the message into your Virus directory which is typically outside of one's review process. There was an assumption by Declude that this was all spam at the time that they introduced this as a fix for the broken header thing (after they failed to find a solution for resolving the header issues). Here's what Scott Fisher said in response to my claim that this wasn't all spam: I certainly regularly receive incorrectly formatted email. I'm pretty small volumne, but looking over my logs (I have an external test for this condition), it is 111 non-spam messages this month. My email volume is pretty low. But I'm not looking forward to hand correcting 120 of these a month. I don't have stats on this, I just know that I don't need to be blocking this. In fact, the broken spam doesn't even get to Declude but very rarely since greylisting takes care of it. I would have just about a 100% FP rate on this filter. Now according to Michael's tests, the CR-only pattern leads to parsing issues in Declude Virus where it can't even find the attachment to scan it. I think the best approach is to read the E-mail into memory, convert the main copy in memory to CRLF if a non-CRLF pattern is found anywhere and store another original copy, set a value to trigger a Declude JunkMail test if the pattern is present in the headers, and if that is set, when it comes time to write the message, use the CRLF patterned headers and the original body that way you aren't rewriting someone's purposefully formated LF-only or CR-only pattern. Unfortunately all it takes to trigger this is a Perl or PHP programmer doing a message form and using \n being not aware of the RFC's, but being consistent with Linux, and instead of the \r\n pattern that it should be. I can't block E-mail based simply on this one pattern because it will capture good E-mail regularly, and do so outside of my spam review system. Also, there are dozens of RFC violations that are not only common, but also tolerated by mail servers and E-mail clients, and outside of Declude, this is one of those things that is mostly tolerated. The reasoning to treat it as a vulnerability was not because it was, but because they couldn't figure out a way to rewrite the headers properly. I'm confused as to why unless they just simply didn't want to touch the code involved. I do hope that they go back and figure out how to make that work otherwise I will be faced with blocking legitimate E-mail in a non-reviewable area, or potentially passing viruses completely unscanned. That's not a good set of choices. Matt Andy Schmidt wrote: Hi Matt, I'm not sure that the issue is attachments. There is nothing wrong with attachments using Unix/Apple linefeeds. But the RFCs for SMTP (and similar protocols) all require that each header line must end with CRLF and each header line ends with CRLFCRLF. Anything else is not a legitimate SMTP mailer - but rather a poor attempt in faking one. We agree that in the headers CR only or LF only should be treated by Declude as if they were CRLF (and detected as header violations, nevertheless). I also have no problem if Declude were to fix those linefees to proper CRLF if it so desires. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From:
Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
David Barker, Can you tell us the status of this old case? What progress has been made on this seemingly critical issue? Darin. - Original Message - From: Michael Thomas - Mathbox [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 1:09 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Hi All, I said in my original email that Declude had been notified of LF only issue. I just looked back through my email and found the report. It was Declude case [06D-0BBF1866-F5A3] on Thu, 30 Mar 2006 22:29:58 -0500. Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
Darin, Our engineer Dave Franco is looking at a way to rewrite every message to standardize the format in order to overcome the incorrect line terminator issue. As there are several other things he is working on I do not have a definitive release date for this, I am looking at moving around some additional resources to further expedite a solution. David Barker Director of Product Development Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 9:38 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned David Barker, Can you tell us the status of this old case? What progress has been made on this seemingly critical issue? Darin. - Original Message - From: Michael Thomas - Mathbox [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 1:09 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Hi All, I said in my original email that Declude had been notified of LF only issue. I just looked back through my email and found the report. It was Declude case [06D-0BBF1866-F5A3] on Thu, 30 Mar 2006 22:29:58 -0500. Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
Thanks, David. We appreciate your input. Is it feasible to post a list of known issues and/or issues being worked? I realize that's a lot of disclosure, and would probably increase call volume significantly, but I also know that would make me feel much more comfortable of someday being able to exercise our two-year-old unused SA, and upgrade to 4.x. Thanks again, Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 10:00 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Darin, Our engineer Dave Franco is looking at a way to rewrite every message to standardize the format in order to overcome the incorrect line terminator issue. As there are several other things he is working on I do not have a definitive release date for this, I am looking at moving around some additional resources to further expedite a solution. David Barker Director of Product Development Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 9:38 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned David Barker, Can you tell us the status of this old case? What progress has been made on this seemingly critical issue? Darin. - Original Message - From: Michael Thomas - Mathbox [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 1:09 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Hi All, I said in my original email that Declude had been notified of LF only issue. I just looked back through my email and found the report. It was Declude case [06D-0BBF1866-F5A3] on Thu, 30 Mar 2006 22:29:58 -0500. Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
I will see what I can do to bring together a list of known issues. Just give me some time (days) and I will get it posted. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 10:19 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Thanks, David. We appreciate your input. Is it feasible to post a list of known issues and/or issues being worked? I realize that's a lot of disclosure, and would probably increase call volume significantly, but I also know that would make me feel much more comfortable of someday being able to exercise our two-year-old unused SA, and upgrade to 4.x. Thanks again, Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 10:00 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Darin, Our engineer Dave Franco is looking at a way to rewrite every message to standardize the format in order to overcome the incorrect line terminator issue. As there are several other things he is working on I do not have a definitive release date for this, I am looking at moving around some additional resources to further expedite a solution. David Barker Director of Product Development Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 9:38 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned David Barker, Can you tell us the status of this old case? What progress has been made on this seemingly critical issue? Darin. - Original Message - From: Michael Thomas - Mathbox [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 1:09 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Hi All, I said in my original email that Declude had been notified of LF only issue. I just looked back through my email and found the report. It was Declude case [06D-0BBF1866-F5A3] on Thu, 30 Mar 2006 22:29:58 -0500. Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
Thanks, David. We appreciate your efforts. Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 10:26 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned I will see what I can do to bring together a list of known issues. Just give me some time (days) and I will get it posted. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 10:19 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Thanks, David. We appreciate your input. Is it feasible to post a list of known issues and/or issues being worked? I realize that's a lot of disclosure, and would probably increase call volume significantly, but I also know that would make me feel much more comfortable of someday being able to exercise our two-year-old unused SA, and upgrade to 4.x. Thanks again, Darin. - Original Message - From: David Barker [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 10:00 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Darin, Our engineer Dave Franco is looking at a way to rewrite every message to standardize the format in order to overcome the incorrect line terminator issue. As there are several other things he is working on I do not have a definitive release date for this, I am looking at moving around some additional resources to further expedite a solution. David Barker Director of Product Development Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 9:38 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned David Barker, Can you tell us the status of this old case? What progress has been made on this seemingly critical issue? Darin. - Original Message - From: Michael Thomas - Mathbox [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 1:09 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Hi All, I said in my original email that Declude had been notified of LF only issue. I just looked back through my email and found the report. It was Declude case [06D-0BBF1866-F5A3] on Thu, 30 Mar 2006 22:29:58 -0500. Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT: imail q files magically dissapearing
On one of my imail servers, my spool folder is slowly filling up with D files. I am using fpreview to view the files in the spool and there are currently 180 or so emails. when i try to "return to queue" I get an error saying that the q file could not be found, whch isa bit strange becasue many many of the emails are local to the server. When I look in the /spool there is a not a single q file anywhere. Any ideas whats happening? Has sniffer or declude gone nuts? Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.com . ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned
David, Thanks to both you and the other Dave for taking another look at this. Matt David Barker wrote: Darin, Our engineer Dave Franco is looking at a way to rewrite every message to standardize the format in order to overcome the incorrect line terminator issue. As there are several other things he is working on I do not have a definitive release date for this, I am looking at moving around some additional resources to further expedite a solution. David Barker Director of Product Development Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Monday, October 23, 2006 9:38 AM To: declude.junkmail@declude.com Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned David Barker, Can you tell us the status of this old case? What progress has been made on this seemingly critical issue? Darin. - Original Message - From: Michael Thomas - Mathbox [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, October 23, 2006 1:09 AM Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation - Declude allows attachments and Virus to pass through untouched and unscanned Hi All, I said in my original email that Declude had been notified of LF only issue. I just looked back through my email and found the report. It was Declude case [06D-0BBF1866-F5A3] on Thu, 30 Mar 2006 22:29:58 -0500. Michael Thomas Mathbox 978-683-6718 1-877-MATHBOX (Toll Free) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: imail q files magically dissapearing
I've noticed the same thing in all versions of Ipswitch IMail Server; the cause was broken connections, 99% of which were spam. Only in the absolute latest, v9.10 from Sep-06-2006, have I noticed that IMail cleans up after itself. There is an item about this in the latest release notes. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig EdmondsSent: Monday, October 23, 2006 3:13 PMTo: declude.junkmail@declude.comSubject: [Declude.JunkMail] OT: imail q files magically dissapearingImportance: HighSensitivity: Confidential On one of my imail servers, my spool folder is slowly filling up with D files. I am using fpreview to view the files in the spool and there are currently 180 or so emails. when i try to "return to queue" I get an error saying that the q file could not be found, whch isa bit strange becasue many many of the emails are local to the server. When I look in the /spool there is a not a single q file anywhere. Any ideas whats happening? Has sniffer or declude gone nuts? Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.com . ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: imail q files magically dissapearing
on further inspection, the files where the q spool files have dissapeared all have the ERR 02 Virus scan in the log file.I am running ClamWIN. Is this an clamwin error? 20622910:23 23:59 SMTPD(3b24000400828f94) [65.17.213.163] connect 80.33.86.200 port 1291320623010:23 23:59 SMTPD(3b24000400828f94) [80.33.86.200] EHLO gordo20623210:23 23:59 SMTPD(3b24000400828f94) Authenticated [EMAIL PROTECTED], session treated as local.20623310:23 23:59 SMTPD(3b24000400828f94) [80.33.86.200] MAIL FROM: [EMAIL PROTECTED]20623510:23 23:59 SMTPD(3b24000400828f94) [80.33.86.200] RCPT TO: [EMAIL PROTECTED]20623910:23 23:59 SMTPD(3b24000400828f94) [80.33.86.200] C:\IMail\Spool\D3b24000400828f94.SMD 719820627810:23 23:59 SMTP-() Info - Adding Queue file C:\IMail\Spool\q3b24000400828f94.smd 20627910:23 23:59 SMTP-(3b24000400828f94) processing C:\IMail\Spool\q3b24000400828f94.smd20628010:23 23:59 SMTP-(3b24000400828f94) [x] looking up sanquets.com in HOSTS and MX20629110:23 23:59 SMTP-(3b24000400828f94) Info - Adding sanquets.com to DNS cache - TTL = 40280 20629210:23 23:59 SMTP-(3b24000400828f94) ERR 029 - Virus scan call generated general fault, treating as infected20629310:23 23:59 SMTP-(3b24000400828f94) Virus detected, Not repaired, Message deleted, Virus data =""> 20629410:23 23:59 SMTP-(3b24000400828f94) Creating message from Postmaster20629510:23 23:59 SMTP-(3b24000400828f94) finished C:\IMail\Spool\q3b24000400828f94.smd status=1 Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig EdmondsSent: Tuesday, October 24, 2006 12:13 AMTo: declude.junkmail@declude.comSubject: [Declude.JunkMail] OT: imail q files magically dissapearingImportance: HighSensitivity: Confidential On one of my imail servers, my spool folder is slowly filling up with D files. I am using fpreview to view the files in the spool and there are currently 180 or so emails. when i try to "return to queue" I get an error saying that the q file could not be found, whch isa bit strange becasue many many of the emails are local to the server. When I look in the /spool there is a not a single q file anywhere. Any ideas whats happening? Has sniffer or declude gone nuts? Kindest RegardsCraig Edmonds123 Marbella InternetW: www.123marbella.com . ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
