Re: [Declude.JunkMail] Clam AV Updates
We've been running Clam for Windows and getting a lot of time-outs and 'unable to delete - file in use . . .". The C:\Temp folder fills up with left over vir files. We also have synch problems for updates. We took it out of production today, since it was keeping dual xeon CPU's continuously at 100% and we didn't have time to drop everything to trouble-shoot it. Any input is appreciated. Thursday, November 9, 2006, 7:07:01 PM, Darrell ([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote: Dsic> Dsic> Dsic> I tend to have clamav update issues. For some reason Dsic> freshclam will start taking 100% cpu and just run on. This Dsic> caused a few queue backups all caught early thanks to Dsic> QueueMon. I changed the task to kill it after 5 minutes. When Dsic> watching the server its not uncommon to see clam sync issues with the daily.inc folder. Dsic> Dsic> Dsic> Dsic> Darrell Dsic> Dsic> Dsic> Check out http://www.invariantsystems.com for utilities for Dsic> Declude And Imail. IMail/Declude Overflow Queue Monitoring, Dsic> SURBL/URI integration, MRTG Integration, and Log Parsers. Dsic> Dsic> Dsic> - Original Message - Dsic> Dsic> From: MarkReimer Dsic> Dsic> To: Declude JunkMail Dsic> Dsic> Sent: Thursday, November 09, 2006 5:52PM Dsic> Dsic> Subject: [Declude.JunkMail] Clam AVUpdates Dsic> Dsic> Dsic> Dsic> Today I noticed that my daily.incfolder was gone and when I Dsic> ran freshclam it gave me a mirror is notsynchronized error. Anyone else see this? Dsic> Dsic> Dsic> Dsic> MarkReimer Dsic> Dsic> IT System Admin Dsic> Dsic> American CareSource Dsic> Dsic> 972-308-6887 Dsic> Dsic> Dsic> --- Dsic> ThisE-mail came from the Declude.JunkMail mailing list. To Dsic> unsubscribe, justsend an E-mail to [EMAIL PROTECTED], and Dsic> type"unsubscribe Declude.JunkMail". The archives can be found Dsic> athttp://www.mail-archive.com. Dsic> Dsic> --- Dsic> This E-mail came from the Declude.JunkMail mailing list. To Dsic> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and Dsic> type "unsubscribe Declude.JunkMail". The archives can be found Dsic> at http://www.mail-archive.com. Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net (972) 788-2364Fax: (972) 788-5049 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] End of headers {was - declude not modifying subject line}
Hi Mike; I'm sure that you are correct, but it would have to be both malformed and have the large header. Right now there are hundreds of messages a day slipping thru that are not being addressed at all. This MAY be a way to get the vast majority of them without the apparent difficulty of finding the end of the header so that it can by modified. So far the ones I have seen have been image spam that are do not have a large number of to addresses. Thanks for your feedback. Herb Mike N wrote: I've seen some messages with dozens of Kbytes of CC and TO E-mail lists that would fail this test. - Original Message - From: Herb Guenther To: declude.junkmail@declude.com Sent: Thursday, November 09, 2006 3:30 PM Subject: Re: [Declude.JunkMail] End of headers {was - declude not modifying subject line} What about a brute force rule "I am appending a header more than x characters from the beginning of a y length message so this cannot be a correctly formatted message" and you have set the "deletebadforematmail" switch to "Yes" so delete. Herb Kevin Bilbee wrote: OK sounds reasonable. Since you are the expert and I am trying to understand. Have you ever seen a legitimate message with a no real end of headers, where the two line terminators designating the end of headers are separated by more than white space, tab or space characters? Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Franco-Rocha [ Declude ] Sent: Thursday, November 09, 2006 5:32 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee 1. I don't like to keep going in circles on this. If it was as easy as "just fix it" there would be no issue. Please understand that this is a lot more complex than you may realize, we are considering making the fixing of line terminators as an optional feature to be turned on/off because of a potential performance degradation of rewriting the messages. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- Herb Guenther Lanex, LLC www.lanex.com (262)789-0966x102 Office (262)780-0424 Direct This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and a
Re: [Declude.JunkMail] End of headers {was - declude not modifying subject line}
I've seen some messages with dozens of Kbytes of CC and TO E-mail lists that would fail this test. - Original Message - From: Herb Guenther To: declude.junkmail@declude.com Sent: Thursday, November 09, 2006 3:30 PM Subject: Re: [Declude.JunkMail] End of headers {was - declude not modifying subject line} What about a brute force rule "I am appending a header more than x characters from the beginning of a y length message so this cannot be a correctly formatted message" and you have set the "deletebadforematmail" switch to "Yes" so delete.HerbKevin Bilbee wrote: OK sounds reasonable. Since you are the expert and I am trying to understand. Have you ever seen a legitimate message with a no real end of headers, where the two line terminators designating the end of headers are separated by more than white space, tab or space characters? Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Franco-Rocha [ Declude ] Sent: Thursday, November 09, 2006 5:32 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee 1. I don't like to keep going in circles on this. If it was as easy as "just fix it" there would be no issue. Please understand that this is a lot more complex than you may realize, we are considering making the fixing of line terminators as an optional feature to be turned on/off because of a potential performance degradation of rewriting the messages. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- Herb Guenther Lanex, LLC www.lanex.com (262)789-0966x102 Office (262)780-0424 Direct This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: [Declude.JunkMail] Clam AV Updates
I tend to have clamav update issues. For some reason freshclam will start taking 100% cpu and just run on. This caused a few queue backups all caught early thanks to QueueMon. I changed the task to kill it after 5 minutes. When watching the server its not uncommon to see clam sync issues with the daily.inc folder. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Mark Reimer To: Declude JunkMail Sent: Thursday, November 09, 2006 5:52 PM Subject: [Declude.JunkMail] Clam AV Updates Today I noticed that my daily.inc folder was gone and when I ran freshclam it gave me a mirror is not synchronized error. Anyone else see this? Mark Reimer IT System Admin American CareSource 972-308-6887 ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: [Declude.JunkMail] Clam AV Updates
Hi Mark, I just sent you off list my \share\clamav dir zipped up... -Nick Mark Reimer wrote: My daily.inc folder is missing from the clam directory. Could anyone please help me? Mark Reimer IT System Admin American CareSource 972-308-6887 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer Sent: Thursday, November 09, 2006 4:53 PM To: Declude JunkMail Subject: [Declude.JunkMail] Clam AV Updates Today I noticed that my daily.inc folder was gone and when I ran freshclam it gave me a mirror is not synchronized error. Anyone else see this? Mark Reimer IT System Admin American CareSource 972-308-6887 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam not being caught
Scott Fisher wrote: I get over a 1000 spam a day from this spammer. If you don't have a pattern would you mind sending me off list a few of the ones you do receive from different days? I do not recognize this gut so I would like to see more of his product. -Nick ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Clam AV Updates
My daily.inc folder is missing from the clam directory. Could anyone please help me? Mark Reimer IT System Admin American CareSource 972-308-6887 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Thursday, November 09, 2006 4:53 PM To: Declude JunkMail Subject: [Declude.JunkMail] Clam AV Updates Today I noticed that my daily.inc folder was gone and when I ran freshclam it gave me a mirror is not synchronized error. Anyone else see this? Mark Reimer IT System Admin American CareSource 972-308-6887 ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam not being caught
Hi Scott I know it will morph -but that is all I see for now . Do you have a pattern that will persist for this spammer? -Nick Scott Fisher wrote: The @debora will change... I get over a 1000 spam a day from this spammer. I don't think you'll be able to target his zombies effectively with any IP4r list. - Original Message - From: Nick Hayer To: declude.junkmail@declude.com Sent: Thursday, November 09, 2006 4:51 PM Subject: Re: [Declude.JunkMail] Spam not being caught So far - and I have been hammered as well is they all contain 2 "$$" and end with @debora I have a regex that hits these - [EMAIL PROTECTED] -Nick Karl Hentschel wrote: Here are a headers from a few of the messages, with our email address removed, that we have been receiving. We have been receiving tons of these from different domains, IP's.. I have been using IMail filters to catch some of them because Declude hasn't been doing a very good job. This one didn't fail any Declude tests. from <[EMAIL PROTECTED]> Wed Nov 08 12:53:17 2006 Received: from host33-74.birch.net [216.212.33.74] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A3A7FB00E8; Wed, 08 Nov 2006 12:52:55 -0800 Return-Path: <[EMAIL PROTECTED]> Received: from 208.65.145.2 (HELO buckeyenissan.com.inbound15.mxlogicmx.net) by pcfcu.org with esmtp (D70MB482Y 8LJH6) id IFLT4O-RHJVV5-3H for xxx@ourdomain.com; Wed, 8 Nov 2006 20:52:49 +0360 From: "Mamie Cabrera" <[EMAIL PROTECTED]> To: @ourdomain.com> Subject: X-IMail-SPAM-Phrase Mamie wrote: Date: Wed, 8 Nov 2006 20:52:49 +0360 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 Thread-Index: Aca6Q3OW2X20X4MXS950OD9TUPU55Z== X-Declude-Sender: [EMAIL PROTECTED] [216.212.33.74] X-Declude-Spoolname: D43a700fb00e8c9be.smd X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm" X-Declude-Scan: Incoming Score [0] at 12:53:16 on 08 Nov 2006 X-Declude-Fail: None X-Country-Chain: UNITED STATES->destination X-IMAIL-SPAM-PHRASE: (43a700fb00e8c9be, whats the first rule of investing) X-RCPT-TO: xxx@ourdomain.com Status: U X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE MAMIE WRO X-UIDL: 463003429 This failed a few. from <[EMAIL PROTECTED]> Thu Nov 09 12:03:16 2006 Received: from APuteaux-152-1-90-68.w86-205.abo.wanadoo.fr [86.205.87.68] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A96664D00D0; Thu, 09 Nov 2006 12:02:46 -0800 Return-Path: <[EMAIL PROTECTED]> Received: from 207.236.26.82 (HELO mail.cableteksystems.com) by pcfcu.org with esmtp (DEIL1D7SO3 S7E59) id V714O9-TFHDJZ-CD for xxx@ourdomain.com; Thu, 9 Nov 2006 20:02:42 -0060 From: "Bud Mora" <[EMAIL PROTECTED]> To: @ourdomain.com> Subject: X-IMail-SPAM-Phrase It's Bud :) Date: Thu, 9 Nov 2006 20:02:42 -0060 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Thread-Index: Aca6QIH9S2BNQ98OSCRZRQUO3YHU09== X-RBL-Warning: FIVETEN-SRC: 68.87.205.86.blackholes.five-ten-sg.com. X-RBL-Warning: DYNHELO: Dynamic HELO found. X-Declude-Sender: [EMAIL PROTECTED] [86.205.87.68] X-Declude-Spoolname: D8965064d00d0eb56.smd X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm" X-Declude-Scan: Incoming Score [9] at 12:03:15 on 09 Nov 2006 X-Declude-Fail: FIVETEN-SRC [4], DYNHELO [5] X-Country-Chain: CANADA->FRANCE->destination X-IMAIL-SPAM-PHRASE: (8965064d00d0eb56, our hottest pick) X-RCPT-TO: @ourdomain.com> Status: U X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.com Data- X-IMAIL-SPAM-PHRASE IT'S BUD X-UIDL: 463095290 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Thursday, November 09, 2006 11:31 AM To: declude.junkmail@declude.com Subject: X-IMail-SPAM-Phrase Re: [Declude.JunkMail] Spam not being caught Hi Karl, Post a sample with full headers so we can see what the scofflaw is sending you -Nick Karl Hentschel wrote: Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the coun
Re: [Declude.JunkMail] Spam not being caught
The @debora will change... I get over a 1000 spam a day from this spammer. I don't think you'll be able to target his zombies effectively with any IP4r list. - Original Message - From: Nick Hayer To: declude.junkmail@declude.com Sent: Thursday, November 09, 2006 4:51 PM Subject: Re: [Declude.JunkMail] Spam not being caught So far - and I have been hammered as well is they all contain 2 "$$" and end with @debora I have a regex that hits these - [EMAIL PROTECTED]-NickKarl Hentschel wrote: Here are a headers from a few of the messages, with our email address removed, that we have been receiving. We have been receiving tons of these from different domains, IP's.. I have been using IMail filters to catch some of them because Declude hasn't been doing a very good job. This one didn't fail any Declude tests. from <[EMAIL PROTECTED]> Wed Nov 08 12:53:17 2006Received: from host33-74.birch.net [216.212.33.74] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A3A7FB00E8; Wed, 08 Nov 2006 12:52:55 -0800Return-Path: <[EMAIL PROTECTED]>Received: from 208.65.145.2 (HELO buckeyenissan.com.inbound15.mxlogicmx.net) by pcfcu.org with esmtp (D70MB482Y 8LJH6) id IFLT4O-RHJVV5-3H for xxx@ourdomain.com; Wed, 8 Nov 2006 20:52:49 +0360From: "Mamie Cabrera" <[EMAIL PROTECTED]>To: @ourdomain.com>Subject: X-IMail-SPAM-Phrase Mamie wrote:Date: Wed, 8 Nov 2006 20:52:49 +0360Message-ID: <[EMAIL PROTECTED]>MIME-Version: 1.0Content-Type: text/plain; charset="iso-8859-1"Content-Transfer-Encoding: 7bitX-Priority: 3 (Normal)X-MSMail-Priority: NormalX-Mailer: Microsoft Office Outlook, Build 11.0.6353X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506Thread-Index: Aca6Q3OW2X20X4MXS950OD9TUPU55Z==X-Declude-Sender: [EMAIL PROTECTED] [216.212.33.74]X-Declude-Spoolname: D43a700fb00e8c9be.smdX-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"X-Declude-Scan: Incoming Score [0] at 12:53:16 on 08 Nov 2006X-Declude-Fail: NoneX-Country-Chain: UNITED STATES->destinationX-IMAIL-SPAM-PHRASE: (43a700fb00e8c9be, whats the first rule of investing)X-RCPT-TO: xxx@ourdomain.comStatus: UX-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE MAMIE WROX-UIDL: 463003429 This failed a few. from <[EMAIL PROTECTED]> Thu Nov 09 12:03:16 2006Received: from APuteaux-152-1-90-68.w86-205.abo.wanadoo.fr [86.205.87.68] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A96664D00D0; Thu, 09 Nov 2006 12:02:46 -0800Return-Path: <[EMAIL PROTECTED]>Received: from 207.236.26.82 (HELO mail.cableteksystems.com) by pcfcu.org with esmtp (DEIL1D7SO3 S7E59) id V714O9-TFHDJZ-CD for xxx@ourdomain.com; Thu, 9 Nov 2006 20:02:42 -0060From: "Bud Mora" <[EMAIL PROTECTED]>To: @ourdomain.com>Subject: X-IMail-SPAM-Phrase It's Bud :)Date: Thu, 9 Nov 2006 20:02:42 -0060Message-ID: <[EMAIL PROTECTED]>MIME-Version: 1.0Content-Type: text/plain; charset="iso-8859-1"Content-Transfer-Encoding: 7bitX-Priority: 3 (Normal)X-MSMail-Priority: NormalX-Mailer: Microsoft Office Outlook, Build 11.0.6353X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400Thread-Index: Aca6QIH9S2BNQ98OSCRZRQUO3YHU09==X-RBL-Warning: FIVETEN-SRC: 68.87.205.86.blackholes.five-ten-sg.com.X-RBL-Warning: DYNHELO: Dynamic HELO found.X-Declude-Sender: [EMAIL PROTECTED] [86.205.87.68]X-Declude-Spoolname: D8965064d00d0eb56.smdX-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"X-Declude-Scan: Incoming Score [9] at 12:03:15 on 09 Nov 2006X-Declude-Fail: FIVETEN-SRC [4], DYNHELO [5]X-Country-Chain: CANADA->FRANCE->destinationX-IMAIL-SPAM-PHRASE: (8965064d00d0eb56, our hottest pick)X-RCPT-TO: @ourdomain.com>Status: UX-IMail-Rule: H~x-imail-spam:xxx@ourdomain.com Data- X-IMAIL-SPAM-PHRASE IT'S BUD X-UIDL: 463095290 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick HayerSent: Thursday, November 09, 2006 11:31 AMTo: declude.junkmail@declude.comSubject: X-IMail-SPAM-Phrase Re: [Declude.JunkMail] Spam not being caughtHi Karl,Post a sample with full headers so we can see what the scofflaw is sending you-Nick Karl Hentschel wrote: Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the country. How is everyone dealing with these?
FW: [Declude.JunkMail] Results ! 92.9 percent delete rate...
Hadn't really thought of selling it myself. Give me a few days to get my Exchange box 100% functional, and we'll see. I'd need to make a few changes since I hard coded log file locations and a few other things. Karl Drugge -Original Message- From: Craig Edmonds [mailto:[EMAIL PROTECTED] Sent: Thursday, November 02, 2006 3:45 PM To: IS - Systems Eng. (Karl Drugge) Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate... Importance: High Hi Karl, I have to ask Off List and hope you don't mind. Would you consider selling me a copy or a license? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] LEGAL DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir, copiar de ninguna forma, ni emprender ninguna accion en relacion con ella. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Thursday, November 02, 2006 9:35 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate... Wrote it myself ! Kind a 'swiss army knife' for the logs.. Summary report for rules, and the old "What happened to Aunt Martha's email she sent me from Tibet". Typical stuff in the daily life of a Declude admin. It doesn't do everything some of the others do, but more than enough for me and my friends. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Thursday, November 02, 2006 1:20 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate... Importance: High Hi, Where did you get the declude log reader from? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Thursday, November 02, 2006 7:13 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Results ! 92.9 percent delete rate... Doing my monthly checkup on how my rules are working, and was blown away at the actual amount I am getting. 11 thousand a day ? Damn, we only have 250 employees ! Anyone else seeing this upswing ? Two-three months ago I was getting 6 thousand a day.. The new version of Declude is rocking.. Check it outhttp://www.casselberry.org/results.bmp Karl Drugge --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam not being caught
So far - and I have been hammered as well is they all contain 2 "$$" and end with @debora I have a regex that hits these - [EMAIL PROTECTED] -Nick Karl Hentschel wrote: Here are a headers from a few of the messages, with our email address removed, that we have been receiving. We have been receiving tons of these from different domains, IP's.. I have been using IMail filters to catch some of them because Declude hasn't been doing a very good job. This one didn't fail any Declude tests. from <[EMAIL PROTECTED]> Wed Nov 08 12:53:17 2006 Received: from host33-74.birch.net [216.212.33.74] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A3A7FB00E8; Wed, 08 Nov 2006 12:52:55 -0800 Return-Path: <[EMAIL PROTECTED]> Received: from 208.65.145.2 (HELO buckeyenissan.com.inbound15.mxlogicmx.net) by pcfcu.org with esmtp (D70MB482Y 8LJH6) id IFLT4O-RHJVV5-3H for xxx@ourdomain.com; Wed, 8 Nov 2006 20:52:49 +0360 From: "Mamie Cabrera" <[EMAIL PROTECTED]> To: @ourdomain.com> Subject: X-IMail-SPAM-Phrase Mamie wrote: Date: Wed, 8 Nov 2006 20:52:49 +0360 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 Thread-Index: Aca6Q3OW2X20X4MXS950OD9TUPU55Z== X-Declude-Sender: [EMAIL PROTECTED] [216.212.33.74] X-Declude-Spoolname: D43a700fb00e8c9be.smd X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm" X-Declude-Scan: Incoming Score [0] at 12:53:16 on 08 Nov 2006 X-Declude-Fail: None X-Country-Chain: UNITED STATES->destination X-IMAIL-SPAM-PHRASE: (43a700fb00e8c9be, whats the first rule of investing) X-RCPT-TO: xxx@ourdomain.com Status: U X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE MAMIE WRO X-UIDL: 463003429 This failed a few. from <[EMAIL PROTECTED]> Thu Nov 09 12:03:16 2006 Received: from APuteaux-152-1-90-68.w86-205.abo.wanadoo.fr [86.205.87.68] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A96664D00D0; Thu, 09 Nov 2006 12:02:46 -0800 Return-Path: <[EMAIL PROTECTED]> Received: from 207.236.26.82 (HELO mail.cableteksystems.com) by pcfcu.org with esmtp (DEIL1D7SO3 S7E59) id V714O9-TFHDJZ-CD for xxx@ourdomain.com; Thu, 9 Nov 2006 20:02:42 -0060 From: "Bud Mora" <[EMAIL PROTECTED]> To: @ourdomain.com> Subject: X-IMail-SPAM-Phrase It's Bud :) Date: Thu, 9 Nov 2006 20:02:42 -0060 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Thread-Index: Aca6QIH9S2BNQ98OSCRZRQUO3YHU09== X-RBL-Warning: FIVETEN-SRC: 68.87.205.86.blackholes.five-ten-sg.com. X-RBL-Warning: DYNHELO: Dynamic HELO found. X-Declude-Sender: [EMAIL PROTECTED] [86.205.87.68] X-Declude-Spoolname: D8965064d00d0eb56.smd X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm" X-Declude-Scan: Incoming Score [9] at 12:03:15 on 09 Nov 2006 X-Declude-Fail: FIVETEN-SRC [4], DYNHELO [5] X-Country-Chain: CANADA->FRANCE->destination X-IMAIL-SPAM-PHRASE: (8965064d00d0eb56, our hottest pick) X-RCPT-TO: @ourdomain.com> Status: U X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.com Data- X-IMAIL-SPAM-PHRASE IT'S BUD X-UIDL: 463095290 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer Sent: Thursday, November 09, 2006 11:31 AM To: declude.junkmail@declude.com Subject: X-IMail-SPAM-Phrase Re: [Declude.JunkMail] Spam not being caught Hi Karl, Post a sample with full headers so we can see what the scofflaw is sending you -Nick Karl Hentschel wrote: Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the country. How is everyone dealing with these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher Sent: Monday, November 06, 2006 11:27 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Spam not being caught This filter will work for targeting CMDSPACE with a gif attachment. You might want to SKIPIFWEIGHT 315 STOPATFIRSTHIT BODY END NOTCONTAINS Content-Type: image/gif TESTSFAILED END NOTCONTAINS CMDSPACE BODY 100 CONTAINS img src="" BODY 100 CONTAINS src="" class="moz-txt-link-rfc2396E" href="">"cid: BODY 100 CONTAINS src=""moz-txt-link-rfc2396E" href="">"cid: BODY 100 CONTAINS src=""
[Declude.JunkMail] Clam AV Updates
Today I noticed that my daily.inc folder was gone and when I ran freshclam it gave me a mirror is not synchronized error. Anyone else see this? Mark Reimer IT System Admin American CareSource 972-308-6887 ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Andrew - I learn a lot from people on this list, and you are no exception. I looked to see why the email failed the FILTER-SPAM test, and it was because of "ad.doubleclick.net". I think that is common for some of the more well-known "news" newsletters that I've seen failing. What I could do is give less points for that particular penalty (it's at 15 now and this newsletter missed passing altogether by just 3 points), and then re-visit some of the others that are coming in. I'm still getting a handful of messages that are making it through, and you'd think they would be obvious. Like you said, it's a sort of science and I, for one, apprecaite the time that goes into making this work. This particular negative-weight test probably has way too high, so I think I will adjust those too. I think as I gain a better understanding of what I'm looing for, and how everything works, I will undoubtedly have to tweak things. Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 09, 2006 3:32 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working No problem, Todd. To answer your question in the other thread, yes, more specific is more better. On the other hand, you also have to look at what you're really trying to counterweight. In this case, you could certainly counterweight both the REVDNS of their mailserver, and the particular MAILFROM email address too, but after visiting the site, I suspect that you really don't care about the MAILFROM. You can use the REVDNS -30 ENDSWITH .ibsys.com Just fine. If you do use a MAILFROM, don't use much weight, because viruses harvest all email addresses from the infectee and report them back to the virus writer or spammer, and that address becomes a spoofed MAILFROM later down the road. Viruses also spoof the HELO, so a: HELO -30 ENDSWITH comcast.com Or REVDNS -30 ENDSWITH .comcast.com Would be a bad thing to put in your counterweight file, because a virus is quite likely to come from a zombie on that network. What I'd suggest you do for ibsys.com is look at your FILTER-SPAM test and see why it gave 15 points to this email. You will likely get better mileage (i.e. spend less of your time on your counterweight file making exceptions for MTAs) by assigning only incremental points to text values in your filter files, don't look for the "big win" by blocking small text phrases or small bits of text in a URL. To go the extra mile (hey, a driving theme today [pun intended]) why not decide which IP4R tests you trust, and/or which external tests you trust, and cancel the dangerously punitive text files? At the top of your FILTER-SPAM test, you *could* put in: TESTSFAILED END CONTAINS MXRATE-ALLOW And then messages like this sample wouldn't have received any points from the FILTER-SPAM test, you would save CPU time on your server, save your user's time in figuring out that they didn't receive that inbound message, and save your time on finding the false positives and making counterweight entries. The downside of making a "cancel line" in your filter files is that MXRATE-ALLOW will trigger on, say, a well known ISPs' MTA, and you *want* to do content filtering on, say, scam text that is so common from HotMail, Yahoo!, and various international free webmail providers that you wouldn't otherwise hear about. Most Declude users end up with filter files that are focused on kinds of spam and tweak their "cancel lines" accordingly. There is a great deal of art to this science. Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Todd Richards > Sent: Thursday, November 09, 2006 12:42 PM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > Thanks Andrew. I'm starting to catch on. The good news is that > everyone "else" thinks I'm a miracle worker because of the drastic > decrease in spam. > One of these days I'll break down and tell them the truth. > So if you all happen to start getting "Thank You" cards from people > you don't know, that's probably why... > > Todd > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Colbeck, Andrew > Sent: Thursday, November 09, 2006 2:23 PM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > Todd, do this from a command line: > > C:\Temp>nslookup 66.187.204.25 > Server: Andrew's.obfuscated.dns.server > Address: 192.168.0.1 > > Name:treets100.ibsys.com > Address: 66.187.204.25 > > C:\Temp> > > That tells me that your REVDNS won't match, because their reverse DNS > is > *not* the same as the HELO value that you used for your REVDNS test. > > The same is also true for your use of the MAILFROM, which does not > have to match the From: address you see in the header. Look at the > X-D
Re: [Declude.JunkMail] 2001 Virus got past declude
Kevin, Since messages that are being held are not going to be immediately moved out of that folder (like actively being processed messages), why don't you have your on-access virus scanner monitor the hold directory. This way the messages will be scanned and deleted if infected. Dean On 11/9/06, Kevin Bilbee <[EMAIL PROTECTED]> wrote: I was afraid of that. It would be great to be able to re-queue and only virus scan or better yet virus can all message that do not get deleted by junkmail including held messages. Then if HELD and VIRUS the hold as virus not as spam. Kevin Bilbee From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Thursday, November 09, 2006 12:57 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] 2001 Virus got past declude Kevin, It's my understanding that newer versions of Smartermail do not require the file to have the "X" prepended. When the user requeues the message do you drop it into the smartermail spool or the declude proc directory? In order for it to be rescanned by Declude you need to drop it into the proc folder. Also, there is no way to the best of my knowledge to say just virus process this requeued message. Maybe you can (on the requeue process) append somethign to the message that Declude Junkmail will force it to be whitelisted. THis way it wont be held again but will get processed by declude virus. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Kevin Bilbee To: JunkMail Declude Sent: Thursday, November 09, 2006 2:42 PM Subject: [Declude.JunkMail] 2001 Virus got past declude I know why the virus got past Declude but I would like to know how to stop it in the future. We have the AFTERJUNKMAIL directive on. So the message was trapped as spam and then when the user re-queued the message it was delivered to the users mailbox. Is there a way to get Declude to virus scan messages that have been re-queued and not do the spam checks? What I am unclear on is how Declude interacts with SmarterMail This is what I think happens. 1. SmarterMail 3.x receives a message and places it into the proc folder for Declude to process it 2. On HOLD action Declude moves the message to the hold folder 3. A message is re-queued into the SmarterMail spool folder with an "X" pre-prepended to the file name. 4. SmarterMail then delivers the message to the mailbox Does Declude ever see a message that has been placed back into the SmarterMail spool? Should I be placing these messages back into the proc folder for Declude to move them to the spool folder I would like to see Declude virus scan all message that are not deleted by JunkMail even if they are held. Kevin Bilbee --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- __ Dean Lawrence, CIO/Partner Internet Data Technology 888.GET.IDT1 ext. 701 * fax: 888.438.4381 http://www.idatatech.com/ Corporate Internet Development and Marketing Specialists --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam not being caught
Here are a headers from a few of the messages, with our email address removed, that we have been receiving. We have been receiving tons of these from different domains, IP's.. I have been using IMail filters to catch some of them because Declude hasn't been doing a very good job. This one didn't fail any Declude tests. from <[EMAIL PROTECTED]> Wed Nov 08 12:53:17 2006Received: from host33-74.birch.net [216.212.33.74] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A3A7FB00E8; Wed, 08 Nov 2006 12:52:55 -0800Return-Path: <[EMAIL PROTECTED]>Received: from 208.65.145.2 (HELO buckeyenissan.com.inbound15.mxlogicmx.net) by pcfcu.org with esmtp (D70MB482Y 8LJH6) id IFLT4O-RHJVV5-3H for xxx@ourdomain.com; Wed, 8 Nov 2006 20:52:49 +0360From: "Mamie Cabrera" <[EMAIL PROTECTED]>To: @ourdomain.com>Subject: X-IMail-SPAM-Phrase Mamie wrote:Date: Wed, 8 Nov 2006 20:52:49 +0360Message-ID: <[EMAIL PROTECTED]>MIME-Version: 1.0Content-Type: text/plain; charset="iso-8859-1"Content-Transfer-Encoding: 7bitX-Priority: 3 (Normal)X-MSMail-Priority: NormalX-Mailer: Microsoft Office Outlook, Build 11.0.6353X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506Thread-Index: Aca6Q3OW2X20X4MXS950OD9TUPU55Z==X-Declude-Sender: [EMAIL PROTECTED] [216.212.33.74]X-Declude-Spoolname: D43a700fb00e8c9be.smdX-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"X-Declude-Scan: Incoming Score [0] at 12:53:16 on 08 Nov 2006X-Declude-Fail: NoneX-Country-Chain: UNITED STATES->destinationX-IMAIL-SPAM-PHRASE: (43a700fb00e8c9be, whats the first rule of investing)X-RCPT-TO: xxx@ourdomain.comStatus: UX-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE MAMIE WROX-UIDL: 463003429 This failed a few. from <[EMAIL PROTECTED]> Thu Nov 09 12:03:16 2006Received: from APuteaux-152-1-90-68.w86-205.abo.wanadoo.fr [86.205.87.68] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A96664D00D0; Thu, 09 Nov 2006 12:02:46 -0800Return-Path: <[EMAIL PROTECTED]>Received: from 207.236.26.82 (HELO mail.cableteksystems.com) by pcfcu.org with esmtp (DEIL1D7SO3 S7E59) id V714O9-TFHDJZ-CD for xxx@ourdomain.com; Thu, 9 Nov 2006 20:02:42 -0060From: "Bud Mora" <[EMAIL PROTECTED]>To: @ourdomain.com>Subject: X-IMail-SPAM-Phrase It's Bud :)Date: Thu, 9 Nov 2006 20:02:42 -0060Message-ID: <[EMAIL PROTECTED]>MIME-Version: 1.0Content-Type: text/plain; charset="iso-8859-1"Content-Transfer-Encoding: 7bitX-Priority: 3 (Normal)X-MSMail-Priority: NormalX-Mailer: Microsoft Office Outlook, Build 11.0.6353X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400Thread-Index: Aca6QIH9S2BNQ98OSCRZRQUO3YHU09==X-RBL-Warning: FIVETEN-SRC: 68.87.205.86.blackholes.five-ten-sg.com.X-RBL-Warning: DYNHELO: Dynamic HELO found.X-Declude-Sender: [EMAIL PROTECTED] [86.205.87.68]X-Declude-Spoolname: D8965064d00d0eb56.smdX-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"X-Declude-Scan: Incoming Score [9] at 12:03:15 on 09 Nov 2006X-Declude-Fail: FIVETEN-SRC [4], DYNHELO [5]X-Country-Chain: CANADA->FRANCE->destinationX-IMAIL-SPAM-PHRASE: (8965064d00d0eb56, our hottest pick)X-RCPT-TO: @ourdomain.com>Status: UX-IMail-Rule: H~x-imail-spam:xxx@ourdomain.com Data- X-IMAIL-SPAM-PHRASE IT'S BUD X-UIDL: 463095290 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick HayerSent: Thursday, November 09, 2006 11:31 AMTo: declude.junkmail@declude.comSubject: X-IMail-SPAM-Phrase Re: [Declude.JunkMail] Spam not being caught Hi Karl,Post a sample with full headers so we can see what the scofflaw is sending you-Nick Karl Hentschel wrote: Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the country. How is everyone dealing with these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher Sent: Monday, November 06, 2006 11:27 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Spam not being caught This filter will work for targeting CMDSPACE with a gif attachment. You might want to SKIPIFWEIGHT 315 STOPATFIRSTHIT BODY END NOTCONTAINS Content-Type: image/gif TESTSFAILED END NOTCONTAINS CMDSPACE BODY 100 CONTAINS img src="" BODY 100 CONTAINS src="" class=moz-txt-link-rfc2396E href="">"cid: BODY 100 CONTAINS src=""cid:BODY100CONTAINSsrc=3D">"cid: BODY 100 CONTAINS src="">= cid: - Original Message - From: "Karl Hentschel" <[EMAIL PROTECTED]> To: Sent: Monday, November 06, 2006 12:58 PM Subject: [Declude.JunkMail] Spam not being caught We have been getting quite a bit of SPAM, usually about stocks that is not
RE: [Declude.JunkMail] 2001 Virus got past declude
I was afraid of that. It would be great to be able to re-queue and only virus scan or better yet virus can all message that do not get deleted by junkmail including held messages. Then if HELD and VIRUS the hold as virus not as spam. Kevin Bilbee From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Thursday, November 09, 2006 12:57 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] 2001 Virus got past declude Kevin, It's my understanding that newer versions of Smartermail do not require the file to have the "X" prepended. When the user requeues the message do you drop it into the smartermail spool or the declude proc directory? In order for it to be rescanned by Declude you need to drop it into the proc folder. Also, there is no way to the best of my knowledge to say just virus process this requeued message. Maybe you can (on the requeue process) append somethign to the message that Declude Junkmail will force it to be whitelisted. THis way it wont be held again but will get processed by declude virus. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Kevin Bilbee To: JunkMail Declude Sent: Thursday, November 09, 2006 2:42 PM Subject: [Declude.JunkMail] 2001 Virus got past declude I know why the virus got past Declude but I would like to know how to stop it in the future. We have the AFTERJUNKMAIL directive on. So the message was trapped as spam and then when the user re-queued the message it was delivered to the users mailbox. Is there a way to get Declude to virus scan messages that have been re-queued and not do the spam checks? What I am unclear on is how Declude interacts with SmarterMail This is what I think happens. 1. SmarterMail 3.x receives a message and places it into the proc folder for Declude to process it 2. On HOLD action Declude moves the message to the hold folder 3. A message is re-queued into the SmarterMail spool folder with an “X” pre-prepended to the file name. 4. SmarterMail then delivers the message to the mailbox Does Declude ever see a message that has been placed back into the SmarterMail spool? Should I be placing these messages back into the proc folder for Declude to move them to the spool folder I would like to see Declude virus scan all message that are not deleted by JunkMail even if they are held. Kevin Bilbee --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
No problem, Todd. To answer your question in the other thread, yes, more specific is more better. On the other hand, you also have to look at what you're really trying to counterweight. In this case, you could certainly counterweight both the REVDNS of their mailserver, and the particular MAILFROM email address too, but after visiting the site, I suspect that you really don't care about the MAILFROM. You can use the REVDNS -30 ENDSWITH .ibsys.com Just fine. If you do use a MAILFROM, don't use much weight, because viruses harvest all email addresses from the infectee and report them back to the virus writer or spammer, and that address becomes a spoofed MAILFROM later down the road. Viruses also spoof the HELO, so a: HELO -30 ENDSWITH comcast.com Or REVDNS -30 ENDSWITH .comcast.com Would be a bad thing to put in your counterweight file, because a virus is quite likely to come from a zombie on that network. What I'd suggest you do for ibsys.com is look at your FILTER-SPAM test and see why it gave 15 points to this email. You will likely get better mileage (i.e. spend less of your time on your counterweight file making exceptions for MTAs) by assigning only incremental points to text values in your filter files, don't look for the "big win" by blocking small text phrases or small bits of text in a URL. To go the extra mile (hey, a driving theme today [pun intended]) why not decide which IP4R tests you trust, and/or which external tests you trust, and cancel the dangerously punitive text files? At the top of your FILTER-SPAM test, you *could* put in: TESTSFAILED END CONTAINS MXRATE-ALLOW And then messages like this sample wouldn't have received any points from the FILTER-SPAM test, you would save CPU time on your server, save your user's time in figuring out that they didn't receive that inbound message, and save your time on finding the false positives and making counterweight entries. The downside of making a "cancel line" in your filter files is that MXRATE-ALLOW will trigger on, say, a well known ISPs' MTA, and you *want* to do content filtering on, say, scam text that is so common from HotMail, Yahoo!, and various international free webmail providers that you wouldn't otherwise hear about. Most Declude users end up with filter files that are focused on kinds of spam and tweak their "cancel lines" accordingly. There is a great deal of art to this science. Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Todd Richards > Sent: Thursday, November 09, 2006 12:42 PM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > Thanks Andrew. I'm starting to catch on. The good news is > that everyone "else" thinks I'm a miracle worker because of > the drastic decrease in spam. > One of these days I'll break down and tell them the truth. > So if you all happen to start getting "Thank You" cards from > people you don't know, that's probably why... > > Todd > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Colbeck, Andrew > Sent: Thursday, November 09, 2006 2:23 PM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > Todd, do this from a command line: > > C:\Temp>nslookup 66.187.204.25 > Server: Andrew's.obfuscated.dns.server > Address: 192.168.0.1 > > Name:treets100.ibsys.com > Address: 66.187.204.25 > > C:\Temp> > > That tells me that your REVDNS won't match, because their > reverse DNS is > *not* the same as the HELO value that you used for your REVDNS test. > > The same is also true for your use of the MAILFROM, which > does not have to match the From: address you see in the > header. Look at the > X-Declude-Sender: line in the header that has been marked up. > The MAILFROM was really "[EMAIL PROTECTED]". > > Andrew 8) > > > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > > Todd Richards > > Sent: Thursday, November 09, 2006 11:44 AM > > To: declude.junkmail@declude.com > > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > > > OK, here is an update with the header of the particular message. > > > > Todd > > > > > > Received: from treetso101.mtc.ibsys.com [66.187.204.25] by > > mail.nnepa.com with ESMTP > > (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 > > Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) > > From: "KETV.com Newsroom" <[EMAIL PROTECTED]> > > Reply-to: [EMAIL PROTECTED] > > Message-Id: <[EMAIL PROTECTED]> > > X-unsub: > ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 > > Subject: [21] KETV.com Noon Headlines > > To: <[EMAIL PROTECTED]> > > Content-type: text/html; charset=us-ascii > > X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER" > > X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com > has no MX or > > A records [0301]. > > X-RBL-Warnin
Re: [Declude.JunkMail] 2001 Virus got past declude
Kevin, It's my understanding that newer versions of Smartermail do not require the file to have the "X" prepended. When the user requeues the message do you drop it into the smartermail spool or the declude proc directory? In order for it to be rescanned by Declude you need to drop it into the proc folder. Also, there is no way to the best of my knowledge to say just virus process this requeued message. Maybe you can (on the requeue process) append somethign to the message that Declude Junkmail will force it to be whitelisted. THis way it wont be held again but will get processed by declude virus. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Kevin Bilbee To: JunkMail Declude Sent: Thursday, November 09, 2006 2:42 PM Subject: [Declude.JunkMail] 2001 Virus got past declude I know why the virus got past Declude but I would like to know how to stop it in the future. We have the AFTERJUNKMAIL directive on. So the message was trapped as spam and then when the user re-queued the message it was delivered to the users mailbox. Is there a way to get Declude to virus scan messages that have been re-queued and not do the spam checks? What I am unclear on is how Declude interacts with SmarterMail This is what I think happens. 1. SmarterMail 3.x receives a message and places it into the proc folder for Declude to process it 2. On HOLD action Declude moves the message to the hold folder 3. A message is re-queued into the SmarterMail spool folder with an “X” pre-prepended to the file name. 4. SmarterMail then delivers the message to the mailbox Does Declude ever see a message that has been placed back into the SmarterMail spool? Should I be placing these messages back into the proc folder for Declude to move them to the spool folder I would like to see Declude virus scan all message that are not deleted by JunkMail even if they are held. Kevin Bilbee---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Thanks Andrew. I'm starting to catch on. The good news is that everyone "else" thinks I'm a miracle worker because of the drastic decrease in spam. One of these days I'll break down and tell them the truth. So if you all happen to start getting "Thank You" cards from people you don't know, that's probably why... Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 09, 2006 2:23 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, do this from a command line: C:\Temp>nslookup 66.187.204.25 Server: Andrew's.obfuscated.dns.server Address: 192.168.0.1 Name:treets100.ibsys.com Address: 66.187.204.25 C:\Temp> That tells me that your REVDNS won't match, because their reverse DNS is *not* the same as the HELO value that you used for your REVDNS test. The same is also true for your use of the MAILFROM, which does not have to match the From: address you see in the header. Look at the X-Declude-Sender: line in the header that has been marked up. The MAILFROM was really "[EMAIL PROTECTED]". Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Todd Richards > Sent: Thursday, November 09, 2006 11:44 AM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > OK, here is an update with the header of the particular message. > > Todd > > > Received: from treetso101.mtc.ibsys.com [66.187.204.25] by > mail.nnepa.com with ESMTP > (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 > Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) > From: "KETV.com Newsroom" <[EMAIL PROTECTED]> > Reply-to: [EMAIL PROTECTED] > Message-Id: <[EMAIL PROTECTED]> > X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 > Subject: [21] KETV.com Noon Headlines > To: <[EMAIL PROTECTED]> > Content-type: text/html; charset=us-ascii > X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER" > X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or > A records [0301]. > X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, > weight > 15) > X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, > weight 4) > X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of > 10. > X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] > X-Declude-Spoolname: D6ccc08932bf7.smd > X-Declude-RefID: > X-Declude-Note: Scanned by Declude 4.3.14 for spam. > "http://www.declude.com/x-note.htm"; > X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 > X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], > GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a > [19] > X-Country-Chain: UNITED STATES->destination > X-RCPT-TO: <[EMAIL PROTECTED]> > Status: U > X-UIDL: 463090338 > X-IMail-ThreadID: 6ccc08932bf7 > X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] > > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Todd Richards > Sent: Thursday, November 09, 2006 1:19 PM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > Hi David - > > OK, it appears that it is running the test. Here is a snip of the > log: > > 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file > D:\imail\Declude\Filters\FILTER-SPAM.txt. > 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file > D:\imail\Declude\Filters\FILTER-GERMAN.txt. > 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file > D:\imail\Declude\Filters\FILTER-SURBL.txt. > 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at > first hit. > 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file > D:\iMail\Declude\Filters\Gibberish.txt. > 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file > D:\iMail\Declude\Filters\Anti-Gibberish.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file > D:\imail\Declude\Filters\FILTER-COUNTRY.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking > countries: US . > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file > D:\IMail\Declude\filters\allowlist_low.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file > D:\IMail\Declude\filters\allowlist_med.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file > D:\IMail\Declude\filters\allowlist_high.txt. > 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . > Total weight = -3. > > However, before I ran the Debug mode I had one of the emails in > question caught in the trap, and there was nothing in the headers > about an "allowlist_med". Which means that there must be something > not right in the filter itself. This particular newsletter is listed > in my ALLOWLIST_MED as a MAILFROM with the full email address of > [EMAIL P
Re: [Declude.JunkMail] Negative weight isn't working
What are you adding to outgoing headers in the config? You won't see the test in the headers unless you add a header that displays all of the tests the message fails. Darin. - Original Message - From: "Todd Richards" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 2:18 PM Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an "allowlist_med". Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM 0 ENDSWITH [EMAIL PROTECTED] REVDNS 0 ENDSWITH .asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Oh Geesss (head down, walking towards corner)... Seeing that (now), what's the best practice? MAILFROM [EMAIL PROTECTED] Or MAILFROM @mailer.ibsys.com I would think the more specific, the better. Thanks, David! Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 2:02 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working The actual MAILFROM is: X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] Not From: "KETV.com Newsroom" <[EMAIL PROTECTED]> David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 2:44 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: "KETV.com Newsroom" <[EMAIL PROTECTED]> Reply-to: [EMAIL PROTECTED] Message-Id: <[EMAIL PROTECTED]> X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: <[EMAIL PROTECTED]> Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER" X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. "http://www.declude.com/x-note.htm"; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES->destination X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an "allowlist_med". Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi
Re: [Declude.JunkMail] End of headers {was - declude not modifying subject line}
What about a brute force rule "I am appending a header more than x characters from the beginning of a y length message so this cannot be a correctly formatted message" and you have set the "deletebadforematmail" switch to "Yes" so delete. Herb Kevin Bilbee wrote: OK sounds reasonable. Since you are the expert and I am trying to understand. Have you ever seen a legitimate message with a no real end of headers, where the two line terminators designating the end of headers are separated by more than white space, tab or space characters? Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Franco-Rocha [ Declude ] Sent: Thursday, November 09, 2006 5:32 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee 1. I don't like to keep going in circles on this. If it was as easy as "just fix it" there would be no issue. Please understand that this is a lot more complex than you may realize, we are considering making the fixing of line terminators as an optional feature to be turned on/off because of a potential performance degradation of rewriting the messages. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- Herb Guenther Lanex, LLC www.lanex.com (262)789-0966x102 Office (262)780-0424 Direct This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Todd, do this from a command line: C:\Temp>nslookup 66.187.204.25 Server: Andrew's.obfuscated.dns.server Address: 192.168.0.1 Name:treets100.ibsys.com Address: 66.187.204.25 C:\Temp> That tells me that your REVDNS won't match, because their reverse DNS is *not* the same as the HELO value that you used for your REVDNS test. The same is also true for your use of the MAILFROM, which does not have to match the From: address you see in the header. Look at the X-Declude-Sender: line in the header that has been marked up. The MAILFROM was really "[EMAIL PROTECTED]". Andrew 8) > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Todd Richards > Sent: Thursday, November 09, 2006 11:44 AM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > OK, here is an update with the header of the particular message. > > Todd > > > Received: from treetso101.mtc.ibsys.com [66.187.204.25] by > mail.nnepa.com with ESMTP > (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 > Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) > From: "KETV.com Newsroom" <[EMAIL PROTECTED]> > Reply-to: [EMAIL PROTECTED] > Message-Id: <[EMAIL PROTECTED]> > X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 > Subject: [21] KETV.com Noon Headlines > To: <[EMAIL PROTECTED]> > Content-type: text/html; charset=us-ascii > X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER" > X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has > no MX or A records [0301]. > X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test > (line 55, weight > 15) > X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line > 76, weight 4) > X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the > limit of 10. > X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] > X-Declude-Spoolname: D6ccc08932bf7.smd > X-Declude-RefID: > X-Declude-Note: Scanned by Declude 4.3.14 for spam. > "http://www.declude.com/x-note.htm"; > X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 > X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM > [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 > [19], WEIGHT19a [19] > X-Country-Chain: UNITED STATES->destination > X-RCPT-TO: <[EMAIL PROTECTED]> > Status: U > X-UIDL: 463090338 > X-IMail-ThreadID: 6ccc08932bf7 > X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] > > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Todd Richards > Sent: Thursday, November 09, 2006 1:19 PM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > Hi David - > > OK, it appears that it is running the test. Here is a snip > of the log: > > 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter > file D:\imail\Declude\Filters\FILTER-SPAM.txt. > 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter > file D:\imail\Declude\Filters\FILTER-GERMAN.txt. > 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter > file D:\imail\Declude\Filters\FILTER-SURBL.txt. > 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will > stop at first hit. > 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter > file D:\iMail\Declude\Filters\Gibberish.txt. > 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter > file D:\iMail\Declude\Filters\Anti-Gibberish.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter > file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking > countries: US . > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter > file D:\IMail\Declude\filters\allowlist_low.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter > file D:\IMail\Declude\filters\allowlist_med.txt. > 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter > file D:\IMail\Declude\filters\allowlist_high.txt. > 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . > Total weight = -3. > > However, before I ran the Debug mode I had one of the emails > in question caught in the trap, and there was nothing in the > headers about an "allowlist_med". Which means that there > must be something not right in the filter itself. This > particular newsletter is listed in my ALLOWLIST_MED as a > MAILFROM with the full email address of > [EMAIL PROTECTED] Is there a better way to do that? > > Should I wait to see what the logs look like on the debug > mode when the next one comes through later today? > > Todd > > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of David Barker > Sent: Thursday, November 09, 2006 12:07 PM > To: declude.junkmail@declude.com > Subject: RE: [Declude.JunkMail] Negative weight isn't working > > Todd, > > Run you global.cfg on DEBUG see if the test is being called correctly. > > David B > www.declude.com > > -Origin
RE: [Declude.JunkMail] Negative weight isn't working
The actual MAILFROM is: X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] Not From: "KETV.com Newsroom" <[EMAIL PROTECTED]> David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 2:44 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: "KETV.com Newsroom" <[EMAIL PROTECTED]> Reply-to: [EMAIL PROTECTED] Message-Id: <[EMAIL PROTECTED]> X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: <[EMAIL PROTECTED]> Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER" X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. "http://www.declude.com/x-note.htm"; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES->destination X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an "allowlist_med". Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I
RE: [Declude.JunkMail] Negative weight isn't working
OK, here is an update with the header of the particular message. Todd Received: from treetso101.mtc.ibsys.com [66.187.204.25] by mail.nnepa.com with ESMTP (SMTPD-8.22) id ACCC0340; Thu, 09 Nov 2006 12:00:44 -0600 Date: Thu, 9 Nov 2006 12:02:02 -0600 (CST) From: "KETV.com Newsroom" <[EMAIL PROTECTED]> Reply-to: [EMAIL PROTECTED] Message-Id: <[EMAIL PROTECTED]> X-unsub: ?unsub.cfm?u=2656017216813-oma_12pm-oma_12pm_1_12000311092006 Subject: [21] KETV.com Noon Headlines To: <[EMAIL PROTECTED]> Content-type: text/html; charset=us-ascii X-RBL-Warning: MXRATE-ALLOW: "GOOD SENDER" X-RBL-Warning: HELOBOGUS: Domain treetso101.mtc.ibsys.com has no MX or A records [0301]. X-RBL-Warning: FILTER-SPAM: Message failed FILTER-SPAM test (line 55, weight 15) X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 76, weight 4) X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [66.187.204.25] X-Declude-Spoolname: D6ccc08932bf7.smd X-Declude-RefID: X-Declude-Note: Scanned by Declude 4.3.14 for spam. "http://www.declude.com/x-note.htm"; X-Declude-Scan: Incoming Score [21] at 12:01:18 on 09 Nov 2006 X-Declude-Fail: MXRATE-ALLOW [-3], HELOBOGUS [5], FILTER-SPAM [15], GIBBERISH [4], WEIGHT10 [10], WEIGHT15 [15], WEIGHT19 [19], WEIGHT19a [19] X-Country-Chain: UNITED STATES->destination X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 463090338 X-IMail-ThreadID: 6ccc08932bf7 X-Antivirus: AVG for E-mail 7.5.431 [268.14.0/524] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 1:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an "allowlist_med". Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
RE: [Declude.JunkMail] Negative weight isn't working
Where are you getting the MAILFROM address [EMAIL PROTECTED] ? Do you have a header you can post that is addressed to [EMAIL PROTECTED] ? David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 2:19 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an "allowlist_med". Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] End of headers {was - declude not modifying subject line}
OK sounds reasonable. Since you are the expert and I am trying to understand. Have you ever seen a legitimate message with a no real end of headers, where the two line terminators designating the end of headers are separated by more than white space, tab or space characters? Kevin > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > David Franco-Rocha [ Declude ] > Sent: Thursday, November 09, 2006 5:32 AM > To: declude.junkmail@declude.com > Subject: Re: [Declude.JunkMail] declude not modifying subject line > > Kevin, > > I am very well aware of what byte sequences constitute the end of a > line. > However, if the problem were this simple it would have been fixed long > ago. > Contrary to what some have said here, we have seen many instances where > IMail likewise appends its headers to the end of the message. > > The broken line terminators are not necessarily of the same type in a > given > message. In addition, they are not necessarily adjacent to each other > (with > leading whitespace or unprintable characters on a line). What may > appear > obvious to the eye is often not at all what exists behind the scene. > You may > look at a message and be certain where the headers end and the body > begins > (the separating blank line). However, that message may not necessarily > contain two consecutive EOL sequences of any type anywhere. > > David Franco-Rocha > > - Original Message - > From: "Kevin Bilbee" <[EMAIL PROTECTED]> > To: > Sent: Wednesday, November 08, 2006 5:45 PM > Subject: RE: [Declude.JunkMail] declude not modifying subject line > > > I do not understand why you need to rewrite the message beyond what you > already do? Just determine the end of headers properly then rewrite the > message with your headers in the proper location. You already rewrite > the > message when adding headers so why would it take any longer to properly > detect the end of headers. > > If you have two LF sequences next to each other ignoring the CR then > you > have the end of headers. > > For example if you have > > CRLFCRLF > > OR > > LFCRLFCR > > OR > > LFLF > > I have never seen a message use CR alone for an end of line. > > There are two LF bytes in each sequence ignore the CR bytes. Then when > writing out the message with the Declude headers include the original > byte > sequences for each line. And the Declude lines should have the proper > CRLF > sequences. > > > My two cents! > > > Kevin Bilbee > > > > > > > > 1. I don't like to keep going in circles on this. If it was as easy > as > > "just > > fix it" there would be no issue. Please understand that this is a lot > > more > > complex than you may realize, we are considering making the fixing of > > line > > terminators as an optional feature to be turned on/off because of a > > potential performance degradation of rewriting the messages. > > > > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] 2001 Virus got past declude
I know why the virus got past Declude but I would like to know how to stop it in the future. We have the AFTERJUNKMAIL directive on. So the message was trapped as spam and then when the user re-queued the message it was delivered to the users mailbox. Is there a way to get Declude to virus scan messages that have been re-queued and not do the spam checks? What I am unclear on is how Declude interacts with SmarterMail This is what I think happens. 1. SmarterMail 3.x receives a message and places it into the proc folder for Declude to process it 2. On HOLD action Declude moves the message to the hold folder 3. A message is re-queued into the SmarterMail spool folder with an “X” pre-prepended to the file name. 4. SmarterMail then delivers the message to the mailbox Does Declude ever see a message that has been placed back into the SmarterMail spool? Should I be placing these messages back into the proc folder for Declude to move them to the spool folder I would like to see Declude virus scan all message that are not deleted by JunkMail even if they are held. Kevin Bilbee ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam not being caught
Hi Karl, Post a sample with full headers so we can see what the scofflaw is sending you -Nick Karl Hentschel wrote: Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the country. How is everyone dealing with these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher Sent: Monday, November 06, 2006 11:27 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Spam not being caught This filter will work for targeting CMDSPACE with a gif attachment. You might want to SKIPIFWEIGHT 315 STOPATFIRSTHIT BODY END NOTCONTAINS Content-Type: image/gif TESTSFAILED END NOTCONTAINS CMDSPACE BODY 100 CONTAINS img src="" BODY 100 CONTAINS src="" class="moz-txt-link-rfc2396E" href="">"cid: BODY 100 CONTAINS src=""moz-txt-link-rfc2396E" href="">"cid: BODY 100 CONTAINS src="">= cid: - Original Message - From: "Karl Hentschel" <[EMAIL PROTECTED]> To: Sent: Monday, November 06, 2006 12:58 PM Subject: [Declude.JunkMail] Spam not being caught We have been getting quite a bit of SPAM, usually about stocks that is not being caught by Declude. I have the newest version of Declude, updated filter files from Imail, invURIBL, trial version of Sniffer. These emails are typically only failing cmdspace and helobogus, not enough to get blocked. Has anyone had any success blocking these recent floods of emails? --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Hi David - OK, it appears that it is running the test. Here is a snip of the log: 11/09/2006 13:14:20.937 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SPAM.txt. 11/09/2006 13:14:21.312 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-GERMAN.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-SURBL.txt. 11/09/2006 13:14:21.390 q7df6083c3523.smd Filter: Will stop at first hit. 11/09/2006 13:14:21.781 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Gibberish.txt. 11/09/2006 13:14:22.875 q7df6083c3523.smd Doing filter file D:\iMail\Declude\Filters\Anti-Gibberish.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\imail\Declude\Filters\FILTER-COUNTRY.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Checking countries: US . 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_low.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_med.txt. 11/09/2006 13:14:23.953 q7df6083c3523.smd Doing filter file D:\IMail\Declude\filters\allowlist_high.txt. 11/09/2006 13:14:23.968 q7df6083c3523.smd nIPNOTINMX:-3 . Total weight = -3. However, before I ran the Debug mode I had one of the emails in question caught in the trap, and there was nothing in the headers about an "allowlist_med". Which means that there must be something not right in the filter itself. This particular newsletter is listed in my ALLOWLIST_MED as a MAILFROM with the full email address of [EMAIL PROTECTED] Is there a better way to do that? Should I wait to see what the logs look like on the debug mode when the next one comes through later today? Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 12:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Negative weight isn't working Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spam not being caught
Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the country. How is everyone dealing with these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, November 06, 2006 11:27 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Spam not being caught This filter will work for targeting CMDSPACE with a gif attachment. You might want to SKIPIFWEIGHT 315 STOPATFIRSTHIT BODY END NOTCONTAINS Content-Type: image/gif TESTSFAILED END NOTCONTAINS CMDSPACE BODY 100 CONTAINS img src=3Dcid: BODY 100 CONTAINS src=3D"cid: BODY 100 CONTAINS src="cid: BODY 100 CONTAINS src=3D"= cid: - Original Message - From: "Karl Hentschel" <[EMAIL PROTECTED]> To: Sent: Monday, November 06, 2006 12:58 PM Subject: [Declude.JunkMail] Spam not being caught > We have been getting quite a bit of SPAM, usually about stocks that is not > being caught by Declude. I have the newest version of Declude, updated > filter files from Imail, invURIBL, trial version of Sniffer. These emails > are typically only failing cmdspace and helobogus, not enough to get > blocked. Has anyone had any success blocking these recent floods of > emails? > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Paid Subscription Black Lists
Message Sniffer and invURIBL are very worthwhile/ John T eServices For You "Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882) > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton > Sent: Thursday, November 09, 2006 9:18 AM > To: declude.junkmail@declude.com > Subject: [Declude.JunkMail] Paid Subscription Black Lists > > Hi. Any one have any good luck with any paid subscriptions? We have been hit hard > lately, and are willing to dish out some dough to get our stats back up. Please advise. > Thanks! -Chris > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Paid Subscription Black Lists
Agreed. Message Sniffer is pretty good. Lets not forget the excellent tool from invariant systems... http://www.invariantsystems.com/invuribl/ Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Moore Sent: Thursday, November 09, 2006 6:59 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Paid Subscription Black Lists Message Sniffer buy it. install it. love it. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton Sent: Thursday, November 09, 2006 11:18 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Paid Subscription Black Lists Hi. Any one have any good luck with any paid subscriptions? We have been hit hard lately, and are willing to dish out some dough to get our stats back up. Please advise. Thanks! -Chris --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Negative weight isn't working
Todd, Run you global.cfg on DEBUG see if the test is being called correctly. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, November 09, 2006 11:54 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Negative weight isn't working Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Paid Subscription Black Lists
Message Sniffer buy it. install it. love it. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton Sent: Thursday, November 09, 2006 11:18 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Paid Subscription Black Lists Hi. Any one have any good luck with any paid subscriptions? We have been hit hard lately, and are willing to dish out some dough to get our stats back up. Please advise. Thanks! -Chris --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Paid Subscription Black Lists
We have had great success with message sniffer (www.sortmonster.com) Herb Chris Anton wrote: Hi. Any one have any good luck with any paid subscriptions? We have been hit hard lately, and are willing to dish out some dough to get our stats back up. Please advise. Thanks! -Chris --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- Herb Guenther Lanex, LLC www.lanex.com (262)789-0966x102 Office (262)780-0424 Direct This e-mail is confidential and is for the use of the intended recipient(s)only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Paid Subscription Black Lists
MXrate seems relatively competent so far. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Anton Sent: Thursday, November 09, 2006 9:18 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Paid Subscription Black Lists Hi. Any one have any good luck with any paid subscriptions? We have been hit hard lately, and are willing to dish out some dough to get our stats back up. Please advise. Thanks! -Chris --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Paid Subscription Black Lists
Hi. Any one have any good luck with any paid subscriptions? We have been hit hard lately, and are willing to dish out some dough to get our stats back up. Please advise. Thanks! -Chris --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Negative weight isn't working
Hi Everyone - I've been playing with some negative weighting, but it doesn't seem to be working. I have the following in my global.cfg file (down towards the bottom): ALLOWLIST_MED filter D:\IMail\Declude\filters\allowlist_med.txt x -30 0 In my allowlist_med.txt file, I have the following entries: MAILFROM0 ENDSWITH[EMAIL PROTECTED] REVDNS 0 ENDSWITH.asaenet.org However, these messages are still getting caught. When I look at the headers, it doesn't even appear that it is running this test. I have the test listed in $default$.junkmail as ALLOWLIST_MED WARN And in diags.txt as ALLOWLIST_MED FILTER I would like to add some others as well but need to get at least one working first. Any help is appreciated (as always)! Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] declude not modifying subject line
Hi David F, David Franco-Rocha [ Declude ] wrote: The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line).What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. Would it be possible for you to post to the list samples of emails that are problematic? Lets all have a look and maybe the solution will be found right off - Heck maybe even Scott who I just saw post may chime in on this one. Regards, -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] declude not modifying subject line
Hi David: >> The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. << I think part of the frustration is, that some of us are in the business of "problem solving" and/or even systems programming and have a hard time relating to the specific difficulties you have encoutered without seeing live samples. After all, if Outlook can show the "intended content" of the message correctly, there IS a way how Outlook was able to determine the "intended" end of header (with Decludes headers appearing at the bottom of the message body in Outlook). Since Microsoft only cooks with water too (and I can't imagine them having put any deep "thought" into dealing with broken headers), it seems somewhat obvious that there is solution out there that just has been escaping whoever is working on it. Dave said in his message that he was asking for "help" / input / suggestions from users. I think some of us would love to step up to the plate and give it a try to devise an algorithm that discards white spaces, detects any newline sequences and then manages to detect the end of header the same way the "human eye" does and/or the same way "Outlook" clearly manages to. It may be unconventional - but if you placed sample text files of your different scenarios into a zip file and upload it somewhere, we all could collaborate - in the same way that we collaborated in the past when defining/devising new rules, filters, etc. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha [ Declude ] Sent: Thursday, November 09, 2006 08:32 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee > > 1. I don't like to keep going in circles on this. If it was as easy as > "just > fix it" there would be no issue. Please understand that this is a lot > more > complex than you may realize, we are considering making the fixing of > line > terminators as an optional feature to be turned on/off because of a > potential performance degradation of rewriting the messages. > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL P
RE: [Declude.JunkMail] declude not modifying subject line
Hi David: >> Unfortunately Andy you are incorrect we have seen numerous instances where IMail likewise has put its headers at the end of the body. << In that case, I agree. Once I encounter a message with Imail Headers trailing the message, I will certainly open a report with Ipswitch. Unfortunately, so far, I have yet to encounter one (but that may just be a function of the type of mail I receive and/or which messages I'm blocking/deleting outright, etc.) Without any files to document the problem to Ipswitch, I don't feel I can approach the other vendor. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, November 09, 2006 08:58 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line Unfortunately Andy you are incorrect we have seen numerous instances where IMail likewise has put its headers at the end of the body. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Wednesday, November 08, 2006 4:57 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line Hi, >> As per previous posts I agree that Declude needs to deal with this >> issue, as neither SmarterMail or Imail have addressed this, just out of curiosity has anyone contacted SmarterMail or Imail and asked them to address this issue, and if so what was their response << I never asked them to address it because Imail prepends the Received headers at the top and appends the other headers in the correct spot, as far as I can tell. It's accepting a message, works around the non-standard line feeds and delivers the message. So there's nothing to "fix" for them, in my opinion. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, November 08, 2006 04:37 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line 1. I don't like to keep going in circles on this. If it was as easy as "just fix it" there would be no issue. Please understand that this is a lot more complex than you may realize, we are considering making the fixing of line terminators as an optional feature to be turned on/off because of a potential performance degradation of rewriting the messages. 2. Just so that you know we are a privately funded company and do not have any VC funding. 3. As per previous posts I agree that Declude needs to deal with this issue, as neither SmarterMail or Imail have addressed this, just out of curiosity has anyone contacted SmarterMail or Imail and asked them to address this issue, and if so what was their response ? David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, November 08, 2006 2:03 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line Me three! Is it done yet? No? Darn. Frankly, David, if the Declude app is going to have to rewrite the whole message anyway to insert headers, make it an optional *feature* to fix up the line terminators. Then market it as a unique feature; I understand that Venture Capitalists love their "startups" to have innovative features that differentiate their product in the marketplace. Meanwhile, just fix the Declude app so that inserts the header correctly as befits our reasonable expectations as set by all the other products in the marketplace. Andrew. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Darin Cox > Sent: Wednesday, November 08, 2006 10:41 AM > To: declude.junkmail@declude.com > Subject: Re: [Declude.JunkMail] declude not modifying subject line > > Agreed. Put the headers where they need to be. Don't worry about > "fixing" > the message. > > Having this additional test could be worthwhile as well, to identify > and report on mailers that are broken in this fashion. > > Darin. > > > - Original Message - > From: "Andy Schmidt" <[EMAIL PROTECTED]> > To: > Sent: Wednesday, November 08, 2006 12:03 PM > Subject: RE: [Declude.JunkMail] declude not modifying subject line > > > Hi Dave: > > >> 1. This is currently being worked on, there are several > other things that > need to be taken into account when doing this, for example if Declude > has to rewrite all me messages in order to correct this problem there > will be a hit on performance. We are also looking at some other > alternatives. Any suggestions are welcome. << > > Although I know this had been suggested - I personally don't feel that > Declude needs (or even SHOULD) rewrite the message. If t
RE: [Declude.JunkMail] declude not modifying subject line
Darin, 1. Personal attacks ie. " you're just plain too lazy to make an effort to do anything about it." on this list will not be tolerated I will remove you from the list if you cannot keep to the issue. 2. I have posted how we are looking to resolve this and asked for any helpful feedback, do not forget we had implememnted a fix, but as we have seen it did not solve the problem and we are looking at it again. 3. If this issue cannot be resolved for you when you want it resolved I suggest finding another solution we are not forcing you to use Declude. 4. To start to lecture on how to best run a software development business is again out of the scope of this conversation. My answer is that as of now there is no release date for a fix, as soon as we have determined that we have one I will post this information. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, November 09, 2006 9:20 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line David, I'm sorry you feel that way, but I will not apologize for my post. Frankly I've had it with posts from Declude that seem to indicate no interest in solving the problem, as David F-R's post seemed. I've tried to be as nice as I could be through these past two years, but I've had enough of put-offs and lack of progress towards fixing issues over the past two years. Instead of a put-off, how about making some statements about what is or will be done? Refusal to give a date for anything just indicates poor project management practices. Our main business is software development, so I completely understand the issues of meeting dates, but in our business it's not acceptable to not give dates. We must use good project estimation and management skills to assess what needs to be done to perform a task, and balance the triangle of due date, resources, and task requirements to get the task done. That said extenuating circumstances can occur, requiring a due date to be moved. Communicating early and often with customers alleviates any concerns that customers might have with due date changes, but again, not giving a date is simply not acceptable. Giving a reasonable outside estimate, and meeting the date earlier is, however. Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 9:06 AM Subject: RE: [Declude.JunkMail] declude not modifying subject line Darin, I will not commit to a date of having a fix and then not reach that date. I understand your frustration with this issue. The truth is we are currently working on it, I think that your statement of being plain lazy to make an effort is uncalled for. I have posted we are open to suggestions, again if you feel like you need to vent your frustration feel free to call me directly 978-499-2933 xt 7007 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, November 09, 2006 8:56 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line Well, David. You've known about the problem for a very long time, and from a customer perspective absolutely nothing has been done. No potential fix release date. Nothing other than we're working on it. From your post to the list, it doesn't even sound like "we're working on it" was true. Pardon my frustration at the continual lack of progress on almost every front, but this post makes it sound like you're just plain too lazy to make an effort to do anything about it. If you need help identify the various scenarios, post samples to the list and we'll help you. There are a lot of bright people on this list who can help you out. Bottom line, figure out what needs to be done, get it done, and we'll stop hounding you on this issue. Darin. - Original Message - From: "David Franco-Rocha [ Declude ]" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 8:32 AM Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha --
Re: [Declude.JunkMail] declude not modifying subject line
David, I'm sorry you feel that way, but I will not apologize for my post. Frankly I've had it with posts from Declude that seem to indicate no interest in solving the problem, as David F-R's post seemed. I've tried to be as nice as I could be through these past two years, but I've had enough of put-offs and lack of progress towards fixing issues over the past two years. Instead of a put-off, how about making some statements about what is or will be done? Refusal to give a date for anything just indicates poor project management practices. Our main business is software development, so I completely understand the issues of meeting dates, but in our business it's not acceptable to not give dates. We must use good project estimation and management skills to assess what needs to be done to perform a task, and balance the triangle of due date, resources, and task requirements to get the task done. That said extenuating circumstances can occur, requiring a due date to be moved. Communicating early and often with customers alleviates any concerns that customers might have with due date changes, but again, not giving a date is simply not acceptable. Giving a reasonable outside estimate, and meeting the date earlier is, however. Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 9:06 AM Subject: RE: [Declude.JunkMail] declude not modifying subject line Darin, I will not commit to a date of having a fix and then not reach that date. I understand your frustration with this issue. The truth is we are currently working on it, I think that your statement of being plain lazy to make an effort is uncalled for. I have posted we are open to suggestions, again if you feel like you need to vent your frustration feel free to call me directly 978-499-2933 xt 7007 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, November 09, 2006 8:56 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line Well, David. You've known about the problem for a very long time, and from a customer perspective absolutely nothing has been done. No potential fix release date. Nothing other than we're working on it. From your post to the list, it doesn't even sound like "we're working on it" was true. Pardon my frustration at the continual lack of progress on almost every front, but this post makes it sound like you're just plain too lazy to make an effort to do anything about it. If you need help identify the various scenarios, post samples to the list and we'll help you. There are a lot of bright people on this list who can help you out. Bottom line, figure out what needs to be done, get it done, and we'll stop hounding you on this issue. Darin. - Original Message - From: "David Franco-Rocha [ Declude ]" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 8:32 AM Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee > > 1. I don't like to keep going in circles on this. If it was as easy as > "just > fix it" there wou
Re: [Declude.JunkMail] declude not modifying subject line
We're not asking Declude to fix IMail's problem, just do some intelligent parsing and put the headers Declude adds with the rest of the header. We'll work on Ipswitch to fix their issues. Darin. - Original Message - From: "David Barker" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 8:58 AM Subject: RE: [Declude.JunkMail] declude not modifying subject line Unfortunately Andy you are incorrect we have seen numerous instances where IMail likewise has put its headers at the end of the body. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Wednesday, November 08, 2006 4:57 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line Hi, >> As per previous posts I agree that Declude needs to deal with this >> issue, as neither SmarterMail or Imail have addressed this, just out of curiosity has anyone contacted SmarterMail or Imail and asked them to address this issue, and if so what was their response << I never asked them to address it because Imail prepends the Received headers at the top and appends the other headers in the correct spot, as far as I can tell. It's accepting a message, works around the non-standard line feeds and delivers the message. So there's nothing to "fix" for them, in my opinion. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, November 08, 2006 04:37 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line 1. I don't like to keep going in circles on this. If it was as easy as "just fix it" there would be no issue. Please understand that this is a lot more complex than you may realize, we are considering making the fixing of line terminators as an optional feature to be turned on/off because of a potential performance degradation of rewriting the messages. 2. Just so that you know we are a privately funded company and do not have any VC funding. 3. As per previous posts I agree that Declude needs to deal with this issue, as neither SmarterMail or Imail have addressed this, just out of curiosity has anyone contacted SmarterMail or Imail and asked them to address this issue, and if so what was their response ? David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, November 08, 2006 2:03 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line Me three! Is it done yet? No? Darn. Frankly, David, if the Declude app is going to have to rewrite the whole message anyway to insert headers, make it an optional *feature* to fix up the line terminators. Then market it as a unique feature; I understand that Venture Capitalists love their "startups" to have innovative features that differentiate their product in the marketplace. Meanwhile, just fix the Declude app so that inserts the header correctly as befits our reasonable expectations as set by all the other products in the marketplace. Andrew. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Darin Cox > Sent: Wednesday, November 08, 2006 10:41 AM > To: declude.junkmail@declude.com > Subject: Re: [Declude.JunkMail] declude not modifying subject line > > Agreed. Put the headers where they need to be. Don't worry about > "fixing" > the message. > > Having this additional test could be worthwhile as well, to identify > and report on mailers that are broken in this fashion. > > Darin. > > > - Original Message - > From: "Andy Schmidt" <[EMAIL PROTECTED]> > To: > Sent: Wednesday, November 08, 2006 12:03 PM > Subject: RE: [Declude.JunkMail] declude not modifying subject line > > > Hi Dave: > > >> 1. This is currently being worked on, there are several > other things that > need to be taken into account when doing this, for example if Declude > has to rewrite all me messages in order to correct this problem there > will be a hit on performance. We are also looking at some other > alternatives. Any suggestions are welcome. << > > Although I know this had been suggested - I personally don't feel that > Declude needs (or even SHOULD) rewrite the message. If the message is > "readable" by Imail, Outlook, etc. - then the sender is "in luck". If > not, then the fact that other software can't read the message will > motivate the sender to use RFC compliant formatting. > > I feel all that's necessary is that Declude's end-of-line parsing > should be made intelligent enough so that it DOES detect various CR > CR/LF LF LF/CR combinations and treat them as "end-of-line", so that > it can properly detect the "intended" last header. > > This way, Declude can: > > A) append it's own header at the pr
RE: [Declude.JunkMail] declude not modifying subject line
Darin, I will not commit to a date of having a fix and then not reach that date. I understand your frustration with this issue. The truth is we are currently working on it, I think that your statement of being plain lazy to make an effort is uncalled for. I have posted we are open to suggestions, again if you feel like you need to vent your frustration feel free to call me directly 978-499-2933 xt 7007 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Thursday, November 09, 2006 8:56 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] declude not modifying subject line Well, David. You've known about the problem for a very long time, and from a customer perspective absolutely nothing has been done. No potential fix release date. Nothing other than we're working on it. From your post to the list, it doesn't even sound like "we're working on it" was true. Pardon my frustration at the continual lack of progress on almost every front, but this post makes it sound like you're just plain too lazy to make an effort to do anything about it. If you need help identify the various scenarios, post samples to the list and we'll help you. There are a lot of bright people on this list who can help you out. Bottom line, figure out what needs to be done, get it done, and we'll stop hounding you on this issue. Darin. - Original Message - From: "David Franco-Rocha [ Declude ]" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 8:32 AM Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee > > 1. I don't like to keep going in circles on this. If it was as easy as > "just > fix it" there would be no issue. Please understand that this is a lot > more > complex than you may realize, we are considering making the fixing of > line > terminators as an optional feature to be turned on/off because of a > potential performance degradation of rewriting the messages. > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] declude not modifying subject line
Unfortunately Andy you are incorrect we have seen numerous instances where IMail likewise has put its headers at the end of the body. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Wednesday, November 08, 2006 4:57 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line Hi, >> As per previous posts I agree that Declude needs to deal with this >> issue, as neither SmarterMail or Imail have addressed this, just out of curiosity has anyone contacted SmarterMail or Imail and asked them to address this issue, and if so what was their response << I never asked them to address it because Imail prepends the Received headers at the top and appends the other headers in the correct spot, as far as I can tell. It's accepting a message, works around the non-standard line feeds and delivers the message. So there's nothing to "fix" for them, in my opinion. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, November 08, 2006 04:37 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line 1. I don't like to keep going in circles on this. If it was as easy as "just fix it" there would be no issue. Please understand that this is a lot more complex than you may realize, we are considering making the fixing of line terminators as an optional feature to be turned on/off because of a potential performance degradation of rewriting the messages. 2. Just so that you know we are a privately funded company and do not have any VC funding. 3. As per previous posts I agree that Declude needs to deal with this issue, as neither SmarterMail or Imail have addressed this, just out of curiosity has anyone contacted SmarterMail or Imail and asked them to address this issue, and if so what was their response ? David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, November 08, 2006 2:03 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] declude not modifying subject line Me three! Is it done yet? No? Darn. Frankly, David, if the Declude app is going to have to rewrite the whole message anyway to insert headers, make it an optional *feature* to fix up the line terminators. Then market it as a unique feature; I understand that Venture Capitalists love their "startups" to have innovative features that differentiate their product in the marketplace. Meanwhile, just fix the Declude app so that inserts the header correctly as befits our reasonable expectations as set by all the other products in the marketplace. Andrew. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Darin Cox > Sent: Wednesday, November 08, 2006 10:41 AM > To: declude.junkmail@declude.com > Subject: Re: [Declude.JunkMail] declude not modifying subject line > > Agreed. Put the headers where they need to be. Don't worry about > "fixing" > the message. > > Having this additional test could be worthwhile as well, to identify > and report on mailers that are broken in this fashion. > > Darin. > > > - Original Message - > From: "Andy Schmidt" <[EMAIL PROTECTED]> > To: > Sent: Wednesday, November 08, 2006 12:03 PM > Subject: RE: [Declude.JunkMail] declude not modifying subject line > > > Hi Dave: > > >> 1. This is currently being worked on, there are several > other things that > need to be taken into account when doing this, for example if Declude > has to rewrite all me messages in order to correct this problem there > will be a hit on performance. We are also looking at some other > alternatives. Any suggestions are welcome. << > > Although I know this had been suggested - I personally don't feel that > Declude needs (or even SHOULD) rewrite the message. If the message is > "readable" by Imail, Outlook, etc. - then the sender is "in luck". If > not, then the fact that other software can't read the message will > motivate the sender to use RFC compliant formatting. > > I feel all that's necessary is that Declude's end-of-line parsing > should be made intelligent enough so that it DOES detect various CR > CR/LF LF LF/CR combinations and treat them as "end-of-line", so that > it can properly detect the "intended" last header. > > This way, Declude can: > > A) append it's own header at the proper location (not append it below > the message body.) > > B) determining where the message content starts (so that the content > can be properly scanned for Viruses) > > > I get the feeling this issue of end-of-line detection is being made > overly complicated. > > Declude is not a "message-fixer-upper". I have enough problems with > people using
Re: [Declude.JunkMail] declude not modifying subject line
Well, David. You've known about the problem for a very long time, and from a customer perspective absolutely nothing has been done. No potential fix release date. Nothing other than we're working on it. From your post to the list, it doesn't even sound like "we're working on it" was true. Pardon my frustration at the continual lack of progress on almost every front, but this post makes it sound like you're just plain too lazy to make an effort to do anything about it. If you need help identify the various scenarios, post samples to the list and we'll help you. There are a lot of bright people on this list who can help you out. Bottom line, figure out what needs to be done, get it done, and we'll stop hounding you on this issue. Darin. - Original Message - From: "David Franco-Rocha [ Declude ]" <[EMAIL PROTECTED]> To: Sent: Thursday, November 09, 2006 8:32 AM Subject: Re: [Declude.JunkMail] declude not modifying subject line Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee > > 1. I don't like to keep going in circles on this. If it was as easy as > "just > fix it" there would be no issue. Please understand that this is a lot > more > complex than you may realize, we are considering making the fixing of > line > terminators as an optional feature to be turned on/off because of a > potential performance degradation of rewriting the messages. > --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] "may skip - 1"
The problem I have is I have spam getting through that should have been caught by these filters and I cannot figure out why. Lately we have had a lot of spam passing the filters. Is there a time out in the dnsbl lookup that it will pass the spam if the test cannot be run? This started about 2 - 3 weeks ago...I am getting slammed with spam as well as my users. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, November 08, 2006 4:27 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] "may skip - 1" > Could anyone tell me why these test would be skipped? That's one of the potentially misleading debug log file entries that I added. :) The debug mode was originally designed as a troubleshooting tool for someone with access to the source code, so there are occasionally comments that could be misleading. In this case, I believe the "may skip" was added to indicate that even though the test was about to be processed, any pass/fail/whitelist results hadn't yet been determined (so the test could be skipped by a whitelist, for example). -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] declude not modifying subject line
Kevin, I am very well aware of what byte sequences constitute the end of a line. However, if the problem were this simple it would have been fixed long ago. Contrary to what some have said here, we have seen many instances where IMail likewise appends its headers to the end of the message. The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere. David Franco-Rocha - Original Message - From: "Kevin Bilbee" <[EMAIL PROTECTED]> To: Sent: Wednesday, November 08, 2006 5:45 PM Subject: RE: [Declude.JunkMail] declude not modifying subject line I do not understand why you need to rewrite the message beyond what you already do? Just determine the end of headers properly then rewrite the message with your headers in the proper location. You already rewrite the message when adding headers so why would it take any longer to properly detect the end of headers. If you have two LF sequences next to each other ignoring the CR then you have the end of headers. For example if you have CRLFCRLF OR LFCRLFCR OR LFLF I have never seen a message use CR alone for an end of line. There are two LF bytes in each sequence ignore the CR bytes. Then when writing out the message with the Declude headers include the original byte sequences for each line. And the Declude lines should have the proper CRLF sequences. My two cents! Kevin Bilbee 1. I don't like to keep going in circles on this. If it was as easy as "just fix it" there would be no issue. Please understand that this is a lot more complex than you may realize, we are considering making the fixing of line terminators as an optional feature to be turned on/off because of a potential performance degradation of rewriting the messages. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.