[Declude.JunkMail] SPF Abuse Filter

2013-04-19 Thread Andy Schmidt
Hi,

A lot of spam comes with valid SPF pass configurations (but so does
legitimate mail).

However, if someone is sophisticated enough to set up SPF for their domain,
they should also be sophisticated enough to have valid Reverse DNS and
Hostnames configured.

So I'm experimenting with this filter that will ADD weight if SPFPASS and if
the Reverse DNS or Hostname are bad:

SKIPIFWEIGHT   20
MAXWEIGHT 3

TESTSFAILED  END   NOTCONTAINS SPFPASS

TESTSFAILED  2  CONTAINS  REVDNS
TESTSFAILED  2  CONTAINS  HELOBOGUS



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
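
The filter above, modelled in Python so the weighting can be checked offline against constructed messages. This is an added example, not Declude's code and not part of the original post. What the underlying Declude tests mean is assumed here, since the post does not spell it out: REVDNS fails when the connecting IP has no PTR record or the PTR name does not resolve back to that IP; HELOBOGUS fails when the HELO/EHLO name is an IP literal or not a dotted hostname; SPFPASS "fails" when SPF passes (that inversion is what lets the filter key on an SPF pass with TESTSFAILED); SKIPIFWEIGHT skips the filter once the existing weight is at or above it. The DNS data is an in-memory table, not live lookups.

```python
"""Added example, not Declude's code: a Python model of the SPF-abuse
filter. Test semantics (REVDNS, HELOBOGUS, SPFPASS, SKIPIFWEIGHT) are
assumptions stated in the lead-in; DNS data is a constructed table."""
import ipaddress
import re
from dataclasses import dataclass

HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

# Constructed DNS data: PTR records by IP and A records by name.
PTR = {"192.0.2.10": "mx1.example.com", "192.0.2.20": "host-20.example.net"}
A = {"mx1.example.com": "192.0.2.10", "host-20.example.net": "203.0.113.5"}


@dataclass
class Message:
    client_ip: str
    helo: str
    spf: str          # "pass", "fail", "softfail", "neutral" or "none"
    weight: int = 0   # weight already accumulated from earlier tests


def revdns_failed(ip: str) -> bool:
    name = PTR.get(ip)
    if name is None:
        return True                 # no reverse DNS at all
    return A.get(name) != ip        # PTR not confirmed by a forward record


def helobogus(helo: str) -> bool:
    try:
        ipaddress.ip_address(helo.strip("[]"))
        return True                 # HELO is an IP literal
    except ValueError:
        pass
    return HOSTNAME_RE.match(helo) is None   # not a dotted hostname


def failed_tests(msg: Message) -> set:
    """Names of the Declude-style tests this message fails (assumed semantics)."""
    failed = set()
    if msg.spf == "pass":
        failed.add("SPFPASS")       # SPFPASS 'fails' on an SPF pass
    if revdns_failed(msg.client_ip):
        failed.add("REVDNS")
    if helobogus(msg.helo):
        failed.add("HELOBOGUS")
    return failed


def spf_abuse_weight(msg: Message, skipifweight: int = 20, maxweight: int = 3) -> int:
    """Weight this filter adds, line by line as in the filter text."""
    if msg.weight >= skipifweight:
        return 0                    # SKIPIFWEIGHT 20 (assumed: at or above)
    failed = failed_tests(msg)
    if "SPFPASS" not in failed:
        return 0                    # TESTSFAILED END NOTCONTAINS SPFPASS
    weight = 0
    if "REVDNS" in failed:
        weight += 2                 # TESTSFAILED 2 CONTAINS REVDNS
    if "HELOBOGUS" in failed:
        weight += 2                 # TESTSFAILED 2 CONTAINS HELOBOGUS
    return min(weight, maxweight)   # MAXWEIGHT 3


if __name__ == "__main__":
    samples = [
        Message("192.0.2.10", "mx1.example.com", "pass"),    # clean sender
        Message("192.0.2.20", "mx1.example.com", "pass"),    # PTR not confirmed
        Message("198.51.100.7", "[198.51.100.7]", "pass"),   # no PTR, IP-literal HELO
        Message("198.51.100.7", "[198.51.100.7]", "none"),   # same, but no SPF pass
    ]
    for m in samples:
        print(m.client_ip, m.helo, m.spf, "->", spf_abuse_weight(m))
```

Note that MAXWEIGHT is what keeps a sender that trips both REVDNS and HELOBOGUS at 3 rather than 4, and that a message with no SPF pass contributes nothing here no matter how bad its reverse DNS is; those cases get their weight from the ordinary REVDNS and HELOBOGUS tests instead.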


RE: [Declude.JunkMail] No one at Declude?

2013-04-18 Thread Andy Schmidt
Not from THAT folder, but I found it in another folder on the FTP site - same 
recent date.

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, April 18, 2013 9:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Was anyone able to download the all_list.dat file from the interim directory 
that David posted?  Everything else downloaded for me except that file.

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 8:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Filters yes all_list.dat working on that.

-Original Message-
From: John Dobbin [mailto:jo...@penpublishing.com]
Sent: Thursday, April 18, 2013 9:14 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

David - with your support extended to the community, will you be able to offer 
maintenance of the all_list.dat as well as the filters?


-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:02 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Not that I can think of, the real advantage is it shuts off all  internal 
validations, AVG which has already stopped, SNF and CT which will stop anytime 
soon.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 1:43 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Thanks David,

So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs.
the Bypass key?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 1:09 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

If internal SNF is still ON then it can conflict with external Message Sniffer 
by grabbing the port which SNF uses. Using our fix will ensure internal SNF 
is turned OFF. If using the bypass key has everything OFF then that is fine too.

-Original Message-
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:46 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

So - is there any advantage of using the hosts file trick (to invalidate the 
license server IP address) http://mailsbestfriend.com/declude-fix
vs. using the special "bypass" license code?

Does one enable more functions than the other?

-Original Message-
From: David Barker [mailto:david.bar...@mailsbestfriend.com]
Sent: Thursday, April 18, 2013 12:31 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Yes Internal Sniffer is no longer a valid option. Need to switch to external.

-Original Message-----
From: Andy Schmidt [mailto:andy_schm...@hm-software.com]
Sent: Thursday, April 18, 2013 12:06 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Uh - but with that code, the internal SNF is turned off?

So one has to configure Sniffer as an external test with a separate Sniffer 
license code?

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: April 17, 2013 2:43
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Apparently I was too quick on the draw as this line has since been added to the 
diag file:

04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B]
IS INVALID KEY

Did someone say something about new keys?

-Original Message-
From: SM Admin
Sent: Tuesday, April 16, 2013 10:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I noticed today that Declude wasn't processing.  I checked the diag file and it 
has the usual entries at the top plus an entry at the bottom saying that the 
Sniffer license is invalid.  How is that?

So then I restarted the Declude service and now the diag file only shows
this:

Declude 4.12.02 Diagnostics
Compilation Platform: SmarterMail
Copyright (c) 2000-2013 Declude, Inc.

Host Name   mail1.bcwebhost.net
Declude Key 

So I have no idea what's going on. Anyone?

-Original Message-
From: Brian Baker
Sent: Tuesday, April 16, 2013 7:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Looks like tonight we better figure out a new approach. My declude diag file is 
now reading declude lic as invalid. Anyone else?


- Original 

RE: [Declude.JunkMail] No one at Declude?

2013-04-17 Thread Andy Schmidt
Thanks David,

So, OTHER than Sniffer, any OTHER advantages of using the HOSTS trick vs. the 
Bypass key?

- Original Message -
From: "Todd Richards" 
To: 
Sent: Monday, April 15, 2013 9:34 AM
Subject: RE: [Declude.JunkMail] No one at Declude?



What system is that?  Our users are getting hammered with spam.  Reminds me of 
the days, many years ago, before I happened upon Declude...

Todd



-Original Message-
On Sunday, April 14, 2013 10:24 PM,  John Doyle wrote:
>>I have reverted to a system that works.


RE: [Declude.JunkMail] No one at Declude?

2013-04-17 Thread Andy Schmidt
So - is there any advantage of using the hosts file trick (to invalidate the 
license server IP address) http://mailsbestfriend.com/declude-fix
vs. using the special "bypass" license code?

Does one enable more functions than the other?



RE: [Declude.JunkMail] No one at Declude?

2013-04-17 Thread Andy Schmidt
Uh - but with that code, the internal SNF is turned off?

So one has to configure Sniffer as an external test with a separate Sniffer 
license code?


RE: [Declude.JunkMail] IS INVALID KEY

2013-04-17 Thread Andy Schmidt
Phew - thanks for posting this.

This WAS scary. Within a few minutes I had hundreds of spam emails in my 
inbox... Stopped the SMTP service and Queue service. This CODE did seem to help!

-Original Message-
From: Stephan Chayer [mailto:scha...@intrasoft.net]
Sent: Wednesday, April 17, 2013 5:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0


[Declude.JunkMail] Interim and Downloads sites still working

2013-04-10 Thread Andy Schmidt
This may be your last shot to still get the files that were updated in the past 
month or so (as recent as last weekend!)

So better drop everything before they wake up and shut those down too…

http://interim.declude.com/
U: Interim
P: decinterimv4

http://downloads.declude.com/
U: DecDown
P: DecDown


RE: Re[2]: [Declude.JunkMail] No one at Declude?

2013-04-08 Thread Andy Schmidt
>> Not to mention the grossly unethical, possibly illegal behavior of 
>> abandoning people with active maintenance <<



I’m still prepaid until end of June…



From: Sanford Whiteman [mailto:sa...@figureone.com]
Sent: Monday, April 08, 2013 7:37 PM
To: Declude.JunkMail@declude.com
Subject: Re[2]: [Declude.JunkMail] No one at Declude?



> So, has no one still heard nothing from Declude? This is my favorite 
> anti-spam service and I would hate to lose them.

Well, no apologetic post here == bye-bye to the product, IMO.

What really irks me when this happens (I've had it happen to two beloved 
"boutique" apps in the past) is that no one gives a thought to open-sourcing 
it, just destroying it.  We aren't OS zealots and most of us are sysadmins, but 
that doesn't mean we couldn't make use of the code. Not to mention the grossly 
unethical, possibly illegal behavior of abandoning people with active 
maintenance.

-- S.



RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Andy Schmidt
If you're that small - how many PUBLIC domains do you have to be authoritative 
for? What is the change frequency in a year, that you need this to be on your 
local DNS?

For redundancy and availability purposes, why not host your public DNS at your 
registry, block incoming DNS queries at your border router/firewall - and set 
up your strictly IN-HOUSE DNS server as recursive?

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Saturday, March 16, 2013 2:04 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network 
traffic, but we can live without.  However, I need one server to be both 
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can set 
up to directly use the Comcast DNS servers (small network so I don't need 
internal DNS).  But the mail server presents us the same kind of problem.

The perfect solution would be a setting that tells the MS DNS server to accept 
recursive requests only from specified client IPs, but I don't see any way to 
do that.  Any ideas?

Thanks,

Ben

-Original Message-
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
Queries for any other records return no results.  Used when server is 
authoritative for public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all queries.  If it does not know the 
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files, and 2 
recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recursion is on.
If Forwarder is set and DNS server does not know the answer to a query, the 
DNS server will ask the Forwarder DNS server for the answer.
If no Forwarder is set and the DNS server does not know the answer to a 
query the DNS server will contact the Root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because 
the installer assumes a blank forwarder means the DNS server will be unable to 
look up addresses.  Because DNS works with a forwarder the setting gets left on. 
About the only time I recommend forwarders is if the site uses something like 
OpenDNS for content filtering, in which case all queries should go to the 
OpenDNS servers.



-Original Message-
From: "Sanford Whiteman"  Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

>> The challenge for me is in not using forwarding. For MS DNS
>> servers, forwarding and recursion are tied together; turn off one
>> and you lose both.
>
> Incorrect. Turning off recursion turns off forwarders, but not vice
> versa. You can have a perfectly operating recursive MS DNS server that
> does not delegate recursion to any other server (forwarding amounts to
> delegating recursion, but the server as a whole is still recursive,
> thus the unidirectional relationship between the two settings). You
> only MUST use forwarders if you are not allowed to pass DNS requests
> out past your ISP's border (similar to when you have to use the ISP's
> outbound SMTP gateway).
>
>> So if I turn off recursion and forwarding, then all my DNS requests
>> will have to go to the root servers for resolution.
>
> No, if you turn off recursion completely, you can't get responses for
> domains that aren't on your box. No one is going to do it for you --
> the "root servers" sure won't.
>
>> I do understand the dangers of being an open resolver
>
> You're mixing up a lot of terms here. An open resolver is one that
> will perform recursive lookups for any address on the open internet.
>
>> but I am also under the impression that resolving only through root
>> servers is bad.
>
> It's not "bad," it doesn't exist.
>
>> Since MS seems to recommend forwarding I doubt that...
>
>> With a stub zone, queries to URIBL.com are resolved directly through
>> the URIBL Name servers...
>
> ... and there is no reason to go down this road. If you can get DNS
> requests past your ISP, there's no reason to have forwarders.
>
> -- S.


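The thread above turns on whether a given DNS server will recurse for a client, which is what separates an authoritative-only server from an open resolver. The following is an added example, not code from anyone in the thread: it builds a query with the RD (recursion desired) bit set, using only the standard library, and reads the reply header the way an open-resolver check does. The reply bytes are constructed to show the three cases discussed (recursed, REFUSED, recursion off); they were not captured from any server. `probe()` is the live version and is the only part that touches the network; the server address and query name are assumptions.

```python
"""Added example, not from the original thread: a minimal RFC 1035 query
builder and reply-header classifier for checking whether a server
recurses for you. Reply bytes below are constructed, not captured."""
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # RFC 1035 header flag bits
RCODE_REFUSED = 5


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """RFC 1035 query: 12-byte header plus one question (QCLASS IN)."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the header fields an open-resolver check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an}


def classify(resp: bytes) -> str:
    """Interpret a reply to a recursive query for a name the server is NOT
    authoritative for:
      refused            - RCODE REFUSED: recursion denied to this client
      open-resolver      - RA set and a non-authoritative answer came back
      authoritative-only - RA clear and nothing answered: recursion is off
      other              - anything else (e.g. the name is local to the box)"""
    h = parse_header(resp)
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["ra"] and h["ancount"] > 0 and not h["aa"]:
        return "open-resolver"
    if not h["ra"] and h["ancount"] == 0:
        return "authoritative-only"
    return "other"


def probe(server_ip: str, name: str = "www.example.com", timeout: float = 2.0) -> str:
    """Live check (assumed address/name): send over UDP/53, classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify(data)


# Constructed reply headers (answer sections omitted; only the header is read).
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
NONREC_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, reply in (("recursive", RECURSIVE_REPLY), ("refused", REFUSED_REPLY),
                         ("non-recursive", NONREC_REPLY)):
        print(label, "->", classify(reply))
```

Run `probe()` against each server twice: once from an address on the Internet and once from the mail server. A public authoritative server should come back "refused" or "authoritative-only" from outside; the in-house recursive server should only ever return the "open-resolver" class to internal clients, and if it returns it to the outside address that is the open-resolver problem the thread is warning about.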

[Declude.JunkMail] NJABL Shut Down

2013-03-05 Thread Andy Schmidt
March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones
have been emptied. After "the Internet" has had some time to remove NJABL
from server configs, the NS's will be pointed off into unallocated space
(192.0.2.0/24 TEST-NET-1) to hopefully make the shutdown obvious to those
who were slower to notice.



[Declude.JunkMail] OT - need "stand-by" Hyper-V host

2012-12-18 Thread Andy Schmidt
Hi,

I’m using this list, because I do know that some of you have small hosting 
operations and I have come to value and respect your expertise over the 
years.

I have a client who is hosting a few small Hyper-V virtual machines with me.

After the recent Hurricane, they have asked if I could help them find an 
emergency host who would be able to bring up their virtual machines if OUR part 
of the country was ever out of reach for a prolonged period.

Specifically, currently these are two machines, each configured with 4 GB of 
RAM, 4 virtual processors, and with less than 100 GB VHDs each. (Incidentally, 
they are running RHEL 6.3 – but that really doesn’t matter.)  However, they do 
host very active web sites, so the Hyper-V host should be equipped with recent 
generation hardware (such as fast quad-core CPUs and modern SATA/SCSI disk 
technology).

If this is an arrangement you are willing to discuss, please email me directly.

Best Regards,

Andy



[Declude.JunkMail] OT - Message Body Line-Ends in PHP

2012-12-18 Thread Andy Schmidt
Hi,



Recently, gateways have clamped down on malformed message bodies that contain 
single LF instead of the proper CR/LF mandated by RFCs:

http://www.ietf.org/rfc/rfc2822.txt
2.1 "A line is a series of
   characters that is delimited with the two characters carriage-return
   and line-feed; that is, the carriage return (CR) character (ASCII
   value 13) followed immediately by the line feed (LF) character (ASCII
   value 10)."

and it clarifies further:

2.3 "CR and LF MUST only occur together as CRLF; they MUST NOT appear
 independently in the body."

I believe there is no ambiguity as to the ONLY acceptable line-ending anywhere 
in an Internet email?



Historically though, many programmers who grew up in the Unix/Apple world are 
used to seeing “LF”-only line-ends in their text files, and (out of 
understandable ignorance of the written standards) have used their regular 
programming technique in any form handlers and other applications that 
generated automated SMTP messages.

The main source of these emails that I see being caught by gateways in hundreds 
every single day are PHP-based form handlers, many of which are using the 
PHPmail extension. Of course, when programmers read the PHP official manual 
(the mail() function) they are even “educated” to ONLY use “LF” as the 
line-end – perpetuating this myth.

I have attempted to point out their standards violation to the PHP and PHPmail 
folks – but when the open source community (who usually points to the big bad 
wolf “Microsoft” for ignoring standards) is called to follow RFCs, they 
suddenly are full of excuses themselves.



I invite you to share your professional opinion:



PHP Manual on mail() function:

https://bugs.php.net/bug.php?id=63778&edit=2

regarding:

http://php.net/manual/en/function.mail.php

PHPmailer

http://code.google.com/a/apache-extras.org/p/phpmailer/issues/detail?id=62

They actually fixed it – and then REVERSED that fix (probably because of a 
bunch of lazy/ignorant developers who feel that following RFCs is NOT desirable 
if they would have to follow the lead of Microsoft in this case – which is 
getting it RIGHT).



Best Regards,

Andy



RE: [Declude.JunkMail] invisible attachments?

2012-03-13 Thread Andy Schmidt
Most likely a malformed header created by the sending application.

Depending on how strict an application insists on CR/LF combinations (vs just 
CR or just LF) – the attachment is either recognized as a distinct MAPI element 
– or treated as excess junk in the headers or some previous MAPI segment.

That’s why it’s still “there” after forwarding it. It was never GONE. It’s just 
not “visible” to certain email applications that have strict standards 
implementations.

You can get to the bottom of it by setting up a temporary test rule in Declude 
based on the subject or even the sender’s address that sends the email to 
some “hold” folder (like the Virus or Junkmail hold folders).  Then, disable 
that rule again. Now you have the “native” message body and you can inspect it 
with a hex editor and you’ll be able to see some issue with quoting or folding 
and then tell the sender how to fix their application to be MAPI compliant.



From: Imail Admin [mailto:imailad...@bcwebhost.net]
Sent: Monday, March 12, 2012 9:11 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] invisible attachments?



Hi,



I have a  problem with invisible attachments and I'm wondering if it's an IMail 
problem, a Declude problem, or something else.



A law firm that I've dealt with for a long time recently has a problem that 
messages sent to us with attachments sometimes don't display the attachments.  
They leave the sender with an attachment, but they arrive with no clue that  
there is an attachment.  If I forward them on to a gmail account I use for 
testing, then the attachments are visible there.



I've tested this with both Outlook Express and Mail Live on the receiving end 
and see nothing about the attachments.   I check on an Android phone using K-9 
and it doesn't show the attachments but does show the mail.dat file usually 
associated with Outlook and the formatting of messages (and these senders are 
using Outlook with MS Exchange).  However, the usual fix (use Plain Text Only) 
doesn't seem to help.



My first thought was that the attachments were getting stripped (by Declude?) 
at our server.  But since they still seem to be there once I forward to the 
gmail account, that excludes that idea.  I haven't had any problems receiving 
test JPG files as attachments and sometimes their PDF files get through just 
fine. So any idea what's going on here?



Thanks,



Ben






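The PHP mail() line-end discussion and the invisible-attachments post above describe the same failure: a sender emits bare LF (or bare CR) where RFC 5322/2046 require CRLF, and a strict parser then no longer sees the attachment's boundary line. The scanner below is an added example, not code from either post or from Declude; the sample message, boundary name "xyz" and the function names are constructed for it.

```python
"""Report non-CRLF line breaks in a raw message and show their MIME effect.

Added example, not code from the mailing-list posts or from Declude. A strict
MIME parser only recognises CRLF + "--boundary" as a part delimiter, so a
delimiter line written with a bare LF becomes ordinary body text and the
attachment "disappears" into the text part; a lenient client still shows it.
"""
import re
from typing import Dict, List, Tuple

# A CR not followed by LF, and an LF not preceded by CR (bare line ends).
_BARE_CR = re.compile(rb"\r(?!\n)")
_BARE_LF = re.compile(rb"(?<!\r)\n")


def find_bad_line_ends(raw: bytes) -> List[Tuple[int, str]]:
    """Return (byte offset, kind) for every bare CR or bare LF, in order.

    The offsets are what you would otherwise hunt for in a hex editor.
    """
    hits = [(m.start(), "bare CR") for m in _BARE_CR.finditer(raw)]
    hits += [(m.start(), "bare LF") for m in _BARE_LF.finditer(raw)]
    return sorted(hits)


def count_parts(raw: bytes, boundary: bytes, strict: bool) -> int:
    """Count MIME body parts opened by a '--boundary' delimiter line.

    strict=True mimics an RFC 2046 parser: the delimiter is CRLF + '--boundary',
    so a delimiter preceded by a bare LF or bare CR is just body text.
    strict=False mimics a lenient client that accepts any line break.
    The closing '--boundary--' is never counted as a part.
    """
    lead = rb"(?:^|\r\n)" if strict else rb"(?:^|\r\n|\r|\n)"
    pattern = lead + re.escape(b"--" + boundary) + rb"(?!--)"
    return len(re.findall(pattern, raw))


def diagnose(raw: bytes, boundary: bytes) -> Dict[str, int]:
    """Summarise what a strict parser versus a lenient client will see."""
    bad = find_bad_line_ends(raw)
    strict_parts = count_parts(raw, boundary, strict=True)
    lenient_parts = count_parts(raw, boundary, strict=False)
    return {
        "bare_cr": sum(1 for _, kind in bad if kind == "bare CR"),
        "bare_lf": sum(1 for _, kind in bad if kind == "bare LF"),
        "parts_strict": strict_parts,
        "parts_lenient": lenient_parts,
        "parts_hidden": lenient_parts - strict_parts,
    }


# Constructed sample: headers and the text part use CRLF, but the sending
# application wrote the attachment's delimiter line with bare LF.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: constructed test message\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"xyz\"\r\n"
    b"\r\n"
    b"--xyz\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached file.\n"
    b"--xyz\n"
    b"Content-Type: application/pdf; name=\"report.pdf\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"JVBERi0xLjQK\r\n"
    b"--xyz--\r\n"
)

if __name__ == "__main__":
    for offset, kind in find_bad_line_ends(SAMPLE):
        print(f"offset {offset}: {kind}")
    # The strict view sees one part; the PDF is hidden inside the text part.
    print(diagnose(SAMPLE, b"xyz"))
```

Run it against a message captured by a temporary hold rule (as the post suggests) to get the exact offsets to report back to the sender.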

[Declude.JunkMail] Interim Download of CFG File

2011-11-02 Thread Andy Schmidt
Hi,



The old problem with the interim files is back/still there.



Your web server does NOT have .CFG configured in the MIME types - so it
refuses to download the sample CFG files. You need to either update the web
server settings to permit .CFG filetypes OR rename or zip those sample CFG
files.





Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206





RE: [Declude.JunkMail] error 0xC0000142 smtp.exe

2011-05-05 Thread Andy Schmidt
PS: I also upgraded Declude to use the integrated Sniffer and the integrated 
Anti-Virus engine so that I could eliminate the number of command line 
invocations.



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 4:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



That sounds like me.  What’s the cure?  Drop the number of threads in 
declude.cfg?  I haven’t looked at it yet to see what I have.



From: Andy Schmidt <mailto:andy_schm...@hm-software.com>

Sent: Thursday, May 05, 2011 1:05 PM

To: Declude.JunkMail@declude.com

Subject: RE: [Declude.JunkMail] error 0xC0000142 smtp.exe



I had encountered the problem when I introduced another Declude add-on to the 
mix (e.g., another command line program that Declude was launching). Eventually 
there were too many command line processes using up too much heap…



Some of us were using the old command-line sniffer and 2 or 3 anti-virus 
command line tools, and invURIBL and various other – each one chipping away at 
the heap.



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 2:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



HI Pete,



Thanks for the links.  After reading all of those, and everything they link to, 
I have a better idea of what’s happening.  What Declude originally called the 
“mystery heap” is apparently the desktop heap, which had a system wide limit of 
48 mb (Win2k and Win2k3), allocated between interactive and non-interactive 
desktops.  Presumably, too many processes are launched, exhausting this heap.  
Setting a smaller value for the per-process allocation (512 kb by default) 
should allow more processes to run.  So all of this makes sense but doesn’t 
explain why my server should have this problem.



My business is so small any more than I could imagine using my smart phone to 
run the mail server.  If it’s the smtp32.exe process causing the crash, then 
that would imply to me that I’ve got a lot of outbound messages all at once.  I 
just don’t see how this could happen.  I’m guessing that we’ve got no more than 
a couple hundred mailboxes spread over 30 domains, and no lists larger than 
200.  So how do I find out where all this outbound stuff is coming from? And is 
there a setting I could use to limit the number of outbound messages sent (or 
processed) at one time?



Any suggestions are appreciated.



Thanks,



Ben



P.S. I wonder what would happen if I moved my software (Imail 2006.23) to a Win 
7 PC or a Windows 2010 server? Just thinking out loud.



From: Pete McNeil <mailto:madscient...@microneil.com>

Sent: Wednesday, May 04, 2011 8:34 PM

To: Declude.JunkMail@declude.com

Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



On 5/4/2011 11:08 PM, Imail Admin wrote:

Hi,


I recall a while back about errors where you get Error #0xC0000142 (The 
application failed to initialize) for smtp32.exe, somehow related to Declude.  
We started getting these recently for no particular reason that I can think 
of.  Is there a setting in Declude that helps with this?


IIRC, this is the "mystery heap" problem and solving it will mostly have to do 
with the setting you're using.

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=686

There is a particular chunk of memory that runs out if too many 
applications/processes are started at once as children of other processes. In 
your case, for example, too many concurrent instances of SMTP32.exe along with 
a number of other factors.

If I'm guessing correctly, you could suddenly experience this problem due to 
allowing enough SMTP32 processes (usually controlled by the number of 
processing threads you allow) and also having enough mail running through your 
system to exhaust the mystery heap.

This search might help you find what you're looking for in previous discussions.

Hope this helps,

_M



--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010




RE: [Declude.JunkMail] error 0xC0000142 smtp.exe

2011-05-05 Thread Andy Schmidt
In MY case it was not the number of threads, but eliminating one of the third 
party command line applications. Although – I had never TRIED reducing the 
number of threads to see if that would help the situation.



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 4:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



That sounds like me.  What’s the cure?  Drop the number of threads in 
declude.cfg?  I haven’t looked at it yet to see what I have.



From: Andy Schmidt <mailto:andy_schm...@hm-software.com>

Sent: Thursday, May 05, 2011 1:05 PM

To: Declude.JunkMail@declude.com

Subject: RE: [Declude.JunkMail] error 0xC0000142 smtp.exe



I had encountered the problem when I introduced another Declude add-on to the 
mix (e.g., another command line program that Declude was launching). Eventually 
there were too many command line processes using up too much heap…



Some of us were using the old command-line sniffer and 2 or 3 anti-virus 
command line tools, and invURIBL and various other – each one chipping away at 
the heap.



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 2:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



HI Pete,



Thanks for the links.  After reading all of those, and everything they link to, 
I have a better idea of what’s happening.  What Declude originally called the 
“mystery heap” is apparently the desktop heap, which had a system wide limit of 
48 mb (Win2k and Win2k3), allocated between interactive and non-interactive 
desktops.  Presumably, too many processes are launched, exhausting this heap.  
Setting a smaller value for the per-process allocation (512 kb by default) 
should allow more processes to run.  So all of this makes sense but doesn’t 
explain why my server should have this problem.



My business is so small any more than I could imagine using my smart phone to 
run the mail server.  If it’s the smtp32.exe process causing the crash, then 
that would imply to me that I’ve got a lot of outbound messages all at once.  I 
just don’t see how this could happen.  I’m guessing that we’ve got no more than 
a couple hundred mailboxes spread over 30 domains, and no lists larger than 
200.  So how do I find out where all this outbound stuff is coming from? And is 
there a setting I could use to limit the number of outbound messages sent (or 
processed) at one time?



Any suggestions are appreciated.



Thanks,



Ben



P.S. I wonder what would happen if I moved my software (Imail 2006.23) to a Win 
7 PC or a Windows 2010 server? Just thinking out loud.



From: Pete McNeil <mailto:madscient...@microneil.com>

Sent: Wednesday, May 04, 2011 8:34 PM

To: Declude.JunkMail@declude.com

Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



On 5/4/2011 11:08 PM, Imail Admin wrote:

Hi,


I recall a while back about errors where you get Error #0xC0000142 (The 
application failed to initialize) for smtp32.exe, somehow related to Declude.  
We started getting these recently for no particular reason that I can think 
of.  Is there a setting in Declude that helps with this?


IIRC, this is the "mystery heap" problem and solving it will mostly have to do 
with the setting you're using.

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=686

There is a particular chunk of memory that runs out if too many 
applications/processes are started at once as children of other processes. In 
your case, for example, too many concurrent instances of SMTP32.exe along with 
a number of other factors.

If I'm guessing correctly, you could suddenly experience this problem due to 
allowing enough SMTP32 processes (usually controlled by the number of 
processing threads you allow) and also having enough mail running through your 
system to exhaust the mystery heap.

This search might help you find what you're looking for in previous discussions.

Hope this helps,

_M



--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010




RE: [Declude.JunkMail] error 0xC0000142 smtp.exe

2011-05-05 Thread Andy Schmidt
I had encountered the problem when I introduced another Declude add-on to the 
mix (e.g., another command line program that Declude was launching). Eventually 
there were too many command line processes using up too much heap…



Some of us were using the old command-line sniffer and 2 or 3 anti-virus 
command line tools, and invURIBL and various other – each one chipping away at 
the heap.



From: IMail Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, May 05, 2011 2:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



HI Pete,



Thanks for the links.  After reading all of those, and everything they link to, 
I have a better idea of what’s happening.  What Declude originally called the 
“mystery heap” is apparently the desktop heap, which had a system wide limit of 
48 mb (Win2k and Win2k3), allocated between interactive and non-interactive 
desktops.  Presumably, too many processes are launched, exhausting this heap.  
Setting a smaller value for the per-process allocation (512 kb by default) 
should allow more processes to run.  So all of this makes sense but doesn’t 
explain why my server should have this problem.



My business is so small any more than I could imagine using my smart phone to 
run the mail server.  If it’s the smtp32.exe process causing the crash, then 
that would imply to me that I’ve got a lot of outbound messages all at once.  I 
just don’t see how this could happen.  I’m guessing that we’ve got no more than 
a couple hundred mailboxes spread over 30 domains, and no lists larger than 
200.  So how do I find out where all this outbound stuff is coming from? And is 
there a setting I could use to limit the number of outbound messages sent (or 
processed) at one time?



Any suggestions are appreciated.



Thanks,



Ben



P.S. I wonder what would happen if I moved my software (Imail 2006.23) to a Win 
7 PC or a Windows 2010 server? Just thinking out loud.



From: Pete McNeil 

Sent: Wednesday, May 04, 2011 8:34 PM

To: Declude.JunkMail@declude.com

Subject: Re: [Declude.JunkMail] error 0xC0000142 smtp.exe



On 5/4/2011 11:08 PM, Imail Admin wrote:

Hi,


I recall a while back about errors where you get Error #0xC0000142 (The 
application failed to initialize) for smtp32.exe, somehow related to Declude.  
We started getting these recently for no particular reason that I can think 
of.  Is there a setting in Declude that helps with this?


IIRC, this is the "mystery heap" problem and solving it will mostly have to do 
with the setting you're using.

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=686

There is a particular chunk of memory that runs out if too many 
applications/processes are started at once as children of other processes. In 
your case, for example, too many concurrent instances of SMTP32.exe along with 
a number of other factors.

If I'm guessing correctly, you could suddenly experience this problem due to 
allowing enough SMTP32 processes (usually controlled by the number of 
processing threads you allow) and also having enough mail running through your 
system to exhaust the mystery heap.

This search might help you find what you're looking for in previous discussions.

Hope this helps,

_M




--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909
x7010





RE: [Declude.JunkMail] How to send notices about email held by HiJack

2011-03-27 Thread Andy Schmidt
PS: appears they removed it in v10 – not just v11 (or v11.03).

I went back to version 11.02 installer, and after going through the entire 
activation sequence for a new/second trial install – I ended up with 11.02 – 
but no Imail1.exe. I don’t have a pre-version 10 installer laying around!


From: "John T" 

Sender: "John T" 

Date: Sat, 26 Mar 2011 16:09:11 GMT

To: 

ReplyTo: Declude.JunkMail@declude.com

Subject: [Declude.JunkMail] How to send notices about email held by HiJack



With Ipswitch's decision to remove imail1.exe from Imail 11.03, the scripts we 
have been using to check the HiJack hold folders and send emails when email is 
found held no longer work.

What options are available now to be able to send automated email through 
scripts?

John T
eServices For You




RE: [Declude.JunkMail] JunkMail Bounce and Virus Notices

2011-03-27 Thread Andy Schmidt
Hi,



It’s not just limited to HiJack, it seems that Declude Virus and Declude 
Junkmail are both hardcoded to use IMail1 for virus notifications, Bounce 
Messages.



I can’t find any configuration option where you can either use BLAT or some 
other command line mailer and/or mailer script.



Here snippets from the VIR* and DEC* logs:



03/27/2011 09:08:21.095 q57ef0032830be332.smd Error starting imail1: 2 
[D:\IMAIL\IMail1.exe -h "Postmaster.Argos.net" -t 
"PostMaster@[123.26.186.94],PostMaster@localhost" -u 
"postmas...@postmaster.argos.net" -s "Our Virus Firewall has Rejected an 
Apparent Email of Your User!" -f 
"D:\IMail\spool\proc\work\D57ef0032830be332.sm0"]



03/27/2011 00:03:01.096 q216f00324ee89e2d.smd Error starting imail1: 2 
[D:\IMAIL\IMail1.exe -h "Postmaster.Argos.net" -t 
"r...@images.solarcycle29.info" -u "postmas...@postmaster.argos.net" -s 
"Undelivered Mail" -f "D:\IMail\spool\proc\work\D216f00324ee89e2d.sm0"]



Best Regards,

Andy


From: "John T" 

Sender: "John T" 

Date: Sat, 26 Mar 2011 16:09:11 GMT

To: 

ReplyTo: Declude.JunkMail@declude.com

Subject: [Declude.JunkMail] How to send notices about email held by HiJack



With Ipswitch's decision to remove imail1.exe from Imail 11.03, the scripts we 
have been using to check the HiJack hold folders and send emails when email is 
found held no longer work.

What options are available now to be able to send automated email through 
scripts?

John T
eServices For You




RE: [Declude.JunkMail] Idea for new Declude add-on

2011-02-17 Thread Andy Schmidt
>> I couldn't think of any specific instances where you would not want to 
>> whitelist a recipient's address.  Obviously nobody should be emailing a 
>> spammer. <<

In general, that's reasonable - but certainly not bullet-proof. Since spammers 
always use other people's email addresses (specially phishing, trojan and virus 
emails), these messages will now be white-listed instead of being caught. This 
is specially true when people's mailboxes or PC have been infiltrated (millions 
of them are) and the malware will send its infected messages (or links to 
phishing site) to everyone in THAT person's address book - so that their 
friends trust the email as being from their friend/acquaintance.

All these messages will now be trusted by Imail just because they CLAIM to come 
from the "friend".

So - it does open a potentially big garage door for malware link and infected 
emails to make it past Declude.

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 9:20 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

I couldn't think of any specific instances where you would not want to
whitelist a recipient's address.  Obviously nobody should be emailing a
spammer.

I was trying to cover the bases for those instances that exist but can't be
foreseen yet.

Pondering it a little more  -- one type of an exclusion that would be needed
is if you had a forum where users register and your server sends out a
confirmation/activation email.  Or you send an email as a result of someone
submitting a contact form on your site. In those cases, the "from" address
for your forum or "from" address from your submission form would be the
excluder so that no recipient of email from those automated systems would be
given any credit.



-Original Message-
From: David Barker [mailto:dbar...@declude.com]
Sent: Thursday, February 17, 2011 7:49 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Idea for new Declude add-on

Great idea Dave thanks. Question. If a user emails a recipient in what
scenario would we not want to whitelist the recipients address ?

-Original Message-
From: Dave Beckstrom [mailto:db...@atving.com]
Sent: Thursday, February 17, 2011 8:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Idea for new Declude add-on



I have an idea for something I think would be a useful add-on for declude. 

Every time someone sends an outbound SMTP email to someone, the add-on would
add an entry to a filter giving the recipient's "to" address a weight of
minus one.  Therefore, giving the recipient a credit.  Any time the
recipient sends an email to my server, minus one gets subtracted from the
total score of their email.

If a user on my server sends a second email to the same recipient, another
minus one credit is added to the filter.  Now that recipient has a credit of
minus two.

The add-on would be configurable to limit the maximum credit a single
address could reach.  It would also have an exclusion ability where you
could enter a list of email addresses that would never receive any credit.

The idea being that the more frequently you email someone, the less likely
that email from them would be spam.

I know some will argue that "from" addresses can be forged and that perhaps
it's not a good idea to give credit based on a "from" address.  But it's not
very often at all I ever receive a spam that came from a friend's forged
"from" address.  I think something along the lines of this type of system
could be useful.








RE: [Declude.JunkMail] Blocking on no REV DNS?

2011-02-14 Thread Andy Schmidt
Not sure if you're asking how to "trap" items without reverse DNS?

 

It would be a line like this in the GLOBAL.CFG:

 

WHITELIST   AUTH

REVDNS   revdnsexists  x  x  5  0

 

(which would add a weight of 5 if there is no reverse DNS - but whitelist
your clients who have no reverse DNS but still should be permitted to
connect to your SMTP relay).

 

Then, you could pick up on that test name in your $default$.junkmail, and
decide what action you might want, e.g.:

 

REVDNS   ALERT

 

or

 

REVDNS   HOLD

 

Or

 

REVDNS   LOG

 

Etc.

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 2:07 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blocking on no REV DNS?

 

 

Headers from a typical email with missing reverse DNS:

 

Received: from UnknownHost [208.94.247.117] by xx

 

X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA
208.94.247.117 with no reverse DNS entry.

 

 

What is the best way to filter on no reverse DNS?





RE: [Declude.JunkMail] Blocking on no REV DNS?

2011-02-14 Thread Andy Schmidt
I suppose it depends on your clients. I host mostly small to medium business
sites, bounce on reverse DNS at my gateway and only get a question once or
twice a year, where I assist some clueless Email Admin about contacting his
ISP to set up the proper reverse DNS.

 

I explain to them that we are in line with AOL, Hotmail, Google and others
that have policies against missing Reverse DNS to show that he may have
FOUND the problem by trying to email US, but that in fact, his emails to
most places on the Internet are being silently deleted, held or flagged as
SPAM - without giving him a warning as WE do.

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Monday, February 14, 2011 9:22 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking on no REV DNS?

 

Years ago it was recommended not to block mail on a missing reverse DNS
because many legitimate mail servers were mis-configured.  

 

We know services like AOL block on missing DNS.  Just wondering, do you
block on missing REV DNS?  If not, do you at least add weight?  

 

I'm getting to the point where if a mail server doesn't have a reverse DNS
then I'm thinking the heck with them



[Declude.JunkMail] Spam Routing and IP 6?

2010-10-18 Thread Andy Schmidt
Hi,

 

I may be barking up the wrong tree. But since the following email only had a
single IP v4 hop to our Imail, I can't see how this could possibly be caught
by "spamrouting" - unless there is some confusion on how to treat the IP v6
address:

 

Received: from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com with
ESMTP

  (SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400

Received: from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk ([::1])

 with mapi; Fri, 8 Oct 2010 09:43:21 +0100

.

X-RBL-Warning: This E-mail was routed in a poor manner consistent with spam
[211f]. See: http://tools.declude.com/headercode.php?code=211f 

X-Declude: Version 4.10.51; Code 0x211f from
host81-143-158-102.in-addr.btopenworld.com [81.143.158.102]

 

The only other server uses the standard IP v6 loopback address
(0:0:0:0:0:0:0:1), equivalent to the 127.0.0.1 in IP v4 - which clearly is
internal and thus should not be evaluated for the Spamrouting test.

 

If Spamrouting (or Declude?) does not handle IP v6, then it probably should
at least SKIP those headers entirely? 

 

Best Regards,

Andy





[Declude.JunkMail] Spam Routing and IP 6?

2010-10-12 Thread Andy Schmidt
Hi,

 

I may be barking up the wrong tree. But since the following email only had a
single IP v4 hop to our Imail, I can't see how this could possibly be caught
by "spamrouting" - unless there is some confusion on how to treat the IP v6
address:

 

Received: from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com with
ESMTP

  (SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400

Received: from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk ([::1])

 with mapi; Fri, 8 Oct 2010 09:43:21 +0100

.

X-RBL-Warning: This E-mail was routed in a poor manner consistent with spam
[211f]. See: http://tools.declude.com/headercode.php?code=211f 

X-Declude: Version 4.10.51; Code 0x211f from
host81-143-158-102.in-addr.btopenworld.com [81.143.158.102]

 

The only other server uses the standard IP v6 loopback address
(0:0:0:0:0:0:0:1), equivalent to the 127.0.0.1 in IP v4 - which clearly is
internal and thus should not be evaluated for the Spamrouting test.

 

If Spamrouting (or Declude?) does not handle IP v6, then it probably should
at least SKIP those headers entirely? 

 

Best Regards,

Andy





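The Spam Routing posts above show a chain with one public IPv4 hop and a second hop whose from/by address is the IPv6 loopback [::1] (0:0:0:0:0:0:0:1). The walker below is an added example, not Declude's spamrouting code: it parses both address families with the standard library and treats loopback and private addresses as internal, so only the public hop is handed to a routing check. The sample message is constructed from the Received headers quoted in the post; the From/To addresses and function names are assumptions.

```python
"""Classify the hops in a Received: chain, treating loopback as internal.

Added example, not Declude's own spamrouting implementation. A routing test
that cannot parse IPv6 may treat "[::1]" as an unknown external relay; here
every bracketed address is parsed with ipaddress so IPv6 loopback, IPv4-mapped
and private addresses are recognised and skipped.
"""
import email
from email import policy
import ipaddress
import re
from typing import Dict, List, Optional

# "from <host>" clause and the first bracketed address of a Received header
# (the first bracket belongs to the sending side of that hop).
_FROM_HOST = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
_BRACKET_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def classify(text: str) -> str:
    """Return 'loopback', 'private', 'public' or 'invalid' for an address."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def extract_hops(raw: bytes) -> List[Dict[str, Optional[str]]]:
    """Parse every Received: header, topmost (most recent hop) first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops: List[Dict[str, Optional[str]]] = []
    for value in msg.get_all("Received", []):
        text = str(value)  # policy.default hands back the unfolded header
        host = _FROM_HOST.search(text)
        addr = _BRACKET_ADDR.search(text)
        ip = addr.group(1) if addr else None
        hops.append({
            "from_host": host.group(1) if host else None,
            "ip": ip,
            "kind": classify(ip) if ip else "invalid",
        })
    return hops


def public_hops(raw: bytes) -> List[str]:
    """Only the addresses a routing test should actually evaluate."""
    return [h["ip"] for h in extract_hops(raw) if h["kind"] == "public"]


# Constructed sample built from the Received headers quoted in the post;
# the From/To/Subject lines are placeholders.
SAMPLE = (
    b"Received: from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com with\r\n"
    b"  ESMTP (SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400\r\n"
    b"Received: from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk ([::1])\r\n"
    b" with mapi; Fri, 8 Oct 2010 09:43:21 +0100\r\n"
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: constructed test\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    for hop in extract_hops(SAMPLE):
        print(hop)
    # Only the 81.143.158.102 hop is public; the ::1 hop is internal.
    print("public hops:", public_hops(SAMPLE))
```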
Re: [Declude.JunkMail] Imail vs. Smartermail

2010-08-28 Thread Andy Schmidt
Release 4.10.42

What is blah- vs. blah+ for incoming mails?

Are you referring to subfolders/submailboxes that Imail automatically generates?

If Imail does DomainKeys and has the mailbox handling you need, why drop it?
The next update to Imail will allow dropping connections for certain spam 
checks (we'll see which ones they are starting with.)  I've been asking for 
that for 10 years - so hopefully I'll be able to reject (some) spam outright 
during the SMTP conversation.

Best Regards
Andy Schmidt

Tel. +1 201-934-9411, x20
Fax +1 201-934-9206


From: Eddie 
Sent: Saturday, August 28, 2010 7:00 AM
To: declude.junkmail@declude.com 
Subject: RE: [Declude.JunkMail] Imail vs. Smartermail


I am not sure about this.  So I am opening this up for discussion..

 

What would happen if you just ran Smartermail as an Outbound email gateway.  
Wouldn't Domainkeys/Dkim still work without needing to change everyone's email 
address?

 

Cheers,

Eddie

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Robert 
Grosshandler
Sent: Friday, August 27, 2010 9:17 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Imail vs. Smartermail

 

Hi All -

 

We're currently using Imail v2006.  We had no need to upgrade and the iMail 
versions until this year didn't support some features we needed (primarily 
DomainKey / DKIM signing of outbound mail. )  We'd considered moving to 
Smartermail, but it didn't (and doesn't) support a feature we needed 
(blah-x...@igive.com) formatting of incoming mail.  Smartermail does 
(blah+x...@igive.com) and we'd have to get 250,000 folks to change the e-mail 
address we assigned them.

 

Pricing between the two for our needs is almost the same (Smartermail would be 
slightly cheaper in the long run).

 

I know that people left iMail in droves over the past several years.  Any 
current info on Ipswitch that should make me go through the pain of a switch to 
Smartermail?

 

Thanks ahead of time.

 

Rob

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Server AV Scanner

2010-08-12 Thread Andy Schmidt
Dave,

ClamAV works perfectly fine with Declude - runs as a service and thus is fast.

A native Windows version has been available for quite a while.

Best Regards
Andy Schmidt

Tel. +1 201-934-9411, x20
Fax +1 201-934-9206


From: Dave Beckstrom 
Sent: Thursday, August 12, 2010 9:51 AM
To: declude.junkmail@declude.com 
Subject: [Declude.JunkMail] Server AV Scanner


Hi Everyone,


I sold off the lion's share of my web business 3 years ago.  I still host a few 
sites for some people who have been with me for a really long time.  But I 
don't have the revenue I once did and hence can't afford to renew Declude (I'm 
running an older version) or buy any software.

I used to use F-prot (command line version) to virus scan email at the server 
via Declude.  They no longer offer the signature files for that version of 
F-prot. 

I haven't found anything in my searches so I thought I'd ask here -- is there a 
free antivirus scanner available that will run on 2003 server and which I could 
tie into Declude?

Thanks,



Dave

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] RE: A small Junkmail enhancement suggestion

2010-07-15 Thread Andy Schmidt
Hi,

 

Yes - the "From" header is just for the mail client (such as Outlook). The
"real" sender is typically provided in the Sender or X-Sender header.

 

Here is an example using different versions of CDO:

 

a)  Up to Win 2000 Server and prior

 

Reply-To: 

From: 

Sender: 

To: 

 

The MAIL FROM was: 

postmas...@anamera.net

 

b)  Win 2003 and up (Win 2000 Server supports either)

 

Reply-To: 

From: 

X-Sender: 

To: 

 

The MAIL FROM was: 

postmas...@anamera.net

 

 

So - the most appropriate logic for FROMNOMATCH would have been:

 

-  if X-Sender header exists, compare THAT against MAIL FROM

-  if Sender header exists, compare THAT against MAIL FROM

-  else, compare From header against MAIL FROM

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Thursday, July 15, 2010 2:36 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] A small Junkmail enhancement suggestion

 

David, are you there?

 

The FROMNOMATCH test introduced in 2006 checks whether the MAILFROM matches
the From: header.

 

I suggest an enhancement to reduce false positives: that the FROMNOMATCH is
suppressed if the Sender: header line is present.

 

The Sender: header line is used to indicate that the sending mail system
knows that the actual sender is different from the cosmetic From: line.

 

The result in, say, Microsoft Outlook, is that the From: line will show
"%MAILFROM% on behalf of %From: field contents%".

 

The Sender: line receives a bare mention here:
http://en.wikipedia.org/wiki/E-mail_header

 

The FROMNOMATCH should also be suppressed if the MAILFROM is <>.

 

I suspect that VERP addresses should also be excepted, because as with the
Sender: header, the envelope/MAILFROM is expected to not match the From:
header. Here's the Wikipedia article on VERP:
http://en.wikipedia.org/wiki/Variable_envelope_return_path

 

There may be a problem with VERP if there is no clear winner or winners in
the formatting; if there are VERP formats that are intended to be
interpreted by software instead of humans, then those formats make good
exceptions to FROMNOMATCH.

 

An example of what is too vague and relies on the human reader is the huge
variety of mailing list, return, and bounce formats in the MAILFROM.

 

I see a lot of bounces that begin the MAILFROM with "bounces", "bounce",
"bo-" or put bounce in the fully qualified domain name.

 

The only one I know of that is consistent is the "prvs=.+=" prefix by BATV:
http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

 

Reducing the incidence of FROMNOMATCH in the subjective bounce formattings
may be too much of a custom configuration to maintain, and would make a
decent "combo" test.

 

I have been using FROMNOMATCH with a tiny weight since its inception, adding
more weight in combination tests. I recently looked at my Declude logs, and
found that FROMNOMATCH triggered 10:1 on ham:spam, that is, the spammers are
now more likely to match the envelope and From: header (even though it's
probably a fake address anyway).

 

My statistic has to be taken with a grain of salt; I use Alligate in front
of my Declude, so my results are skewed by omitting lots of the spam from
zombie hosts.

 

tldnr: Exclude from the FROMNOMATCH test when the MAILFROM is "<>", or when
the valid Sender: line is also in the header, or MAILFROM is in BATV or
recognizable VERP format.

 

 

Andrew.

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
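The FROMNOMATCH logic discussed in this thread, as an added example rather than Declude's implementation of the test: it follows Andy's precedence (X-Sender, then Sender, then From against MAIL FROM) and stays silent in the cases Andrew lists (null sender `<>`, BATV `prvs=` tags, VERP-shaped envelopes). The VERP pattern is our assumption, since the thread itself notes VERP has no single agreed format; header names and sample addresses are constructed.

```python
"""FROMNOMATCH with the exceptions discussed in this thread.

Added example, not Declude's code.  Compares the envelope MAIL FROM against
X-Sender, then Sender, then From, and does not fire for a null envelope,
a BATV-tagged envelope, or an envelope in an (assumed) VERP shape.
"""
import re

# BATV: local part starts with "prvs=<tag>=" (Bounce Address Tag Validation).
_BATV_RE = re.compile(r"^prvs=[^=@]+=", re.IGNORECASE)
# Assumed VERP shape: local part carries "<user>=<domain>" of the recipient,
# e.g. list-bounces+alice=example.com@lists.example.org.
_VERP_RE = re.compile(r"^[^@]+=[^@]+\.[^@]+@", re.IGNORECASE)


def bare_address(value):
    """Strip display name and angle brackets; lowercase for comparison."""
    value = (value or "").strip()
    if "<" in value and value.endswith(">"):
        value = value[value.rfind("<") + 1:-1]
    return value.strip().lower()


def header(headers, name):
    """Case-insensitive lookup in a plain dict of header name -> value."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def from_nomatch(mail_from, headers):
    """True when the FROMNOMATCH test should fire for this message."""
    env = bare_address(mail_from)
    if not env:                       # "<>": a bounce/DSN, nothing to compare
        return False
    if _BATV_RE.match(env) or _VERP_RE.match(env):
        return False                  # envelope is expected to differ from From:
    for name in ("X-Sender", "Sender", "From"):
        val = header(headers, name)
        if val:
            return bare_address(val) != env
    return False                      # no comparable header at all


if __name__ == "__main__":
    # Constructed sample: CDO-style message where X-Sender carries the real sender.
    print(from_nomatch("bounce@example.net",
                       {"From": "Alice <alice@example.com>",
                        "X-Sender": "bounce@example.net"}))
```

Because the first header found in the precedence list decides, a message whose X-Sender mismatches still fires even if its Sender matches; that is the intended reading of Andy's list, not a separate rule.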

RE: [Declude.JunkMail] Blocking domains by DNS server?

2010-07-01 Thread Andy Schmidt
Hi Dave,

Unless that name server is listed in one of the RBLs already, you'd have to
set up your own RBL zone on your name server and then check against that.

Here's the appropriate section of the config file:



 

















-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Thursday, July 01, 2010 5:31 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blocking domains by DNS server?


There is a pervasive spammer out there, where the common denominator in the
jerk's spam is the fact that all of the domains in the body of the email are
served by DNS servers NS1.domainsite.com - NS4.domainsite.com.

I want to block all email where a link in the body is resolved by one of
those DNS servers.  I haven't looked at my invURIBL config for some time,
but isn't that one of the things that it can do?  If so, how do I set that
up?   Otherwise, is there another way to achieve the above?

 









---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
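The approach Andy describes (a private RBL-style zone listing nameserver hostnames, checked for every domain linked in the body) as an added example; it is not Declude's or invURIBL's code. The zone name `nsbl.local`, the DNS answers and the body text are constructed so the example runs offline, and the `ns1`-`ns4.domainsite.com` names are the ones Dave mentions.

```python
"""Flag body URLs whose domains are served by a blocklisted nameserver.

Added example, not Declude's or invURIBL's code.  Looks up the NS set of
each domain linked in the body and treats a hit in a private RBL zone
(an A record for "<ns-host>.nsbl.local", zone name assumed) as a match.
DNS is injected so the example runs against constructed answers.
"""
import re

_URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed DNS data: NS records per zone, and A records in the private
# RBL zone.  A listed nameserver has an entry "<ns-host>.nsbl.local".
FAKE_NS = {
    "spamvertised.example": ["ns1.domainsite.com", "ns3.domainsite.com"],
    "legit.example": ["ns1.example-dns.net", "ns2.example-dns.net"],
}
FAKE_A = {
    "ns1.domainsite.com.nsbl.local": "127.0.0.2",
    "ns2.domainsite.com.nsbl.local": "127.0.0.2",
    "ns3.domainsite.com.nsbl.local": "127.0.0.2",
    "ns4.domainsite.com.nsbl.local": "127.0.0.2",
}


def fake_ns(domain):
    """Stand-in for an NS query; empty list means no zone cut at this name."""
    return FAKE_NS.get(domain.lower(), [])


def fake_a(name):
    """Stand-in for an A query against the RBL zone; None means not listed."""
    return FAKE_A.get(name.lower())


def body_hosts(body):
    """Distinct, lowercased hostnames from http(s) URLs in the body."""
    return sorted({h.lower().rstrip(".") for h in _URL_HOST_RE.findall(body)})


def nameservers(host, ns_lookup):
    """Walk up from the host until some label set has NS records."""
    labels = host.split(".")
    while len(labels) >= 2:
        found = ns_lookup(".".join(labels))
        if found:
            return [n.lower().rstrip(".") for n in found]
        labels = labels[1:]
    return []


def listed_nameservers(body, ns_lookup=fake_ns, a_lookup=fake_a, zone="nsbl.local"):
    """Map each body host to the listed nameservers serving it (hosts with none are omitted)."""
    hits = {}
    for host in body_hosts(body):
        listed = [ns for ns in nameservers(host, ns_lookup)
                  if a_lookup(f"{ns}.{zone}")]
        if listed:
            hits[host] = listed
    return hits


# Constructed body with one spamvertised link and one legitimate link.
SAMPLE_BODY = ("Great deals at http://www.spamvertised.example/buy and "
               "see also https://legit.example/about")

if __name__ == "__main__":
    print(listed_nameservers(SAMPLE_BODY))
```

Swapping `fake_ns`/`fake_a` for real resolver calls gives the live check; the zone walk matters because spam links usually point at a hostname several labels below the delegated domain.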



[Declude.JunkMail] FTC Permanently Shuts Down Notorious Rogue Internet Service Provider

2010-06-01 Thread Andy Schmidt
http://www.ftc.gov/opa/2010/05/perm.shtm



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Interim 4.10.51

2010-05-29 Thread Andy Schmidt
Hi Dave,

 

Thanks. Question, assuming that some folks have likely defined actions based
on "ZEROHOUR", or referred to that name in Filters, etc. - wouldn't it be
more appropriate for everyone to configure the new test as:

 

ZEROHOUR  ZEROHOURxx  12  0

 

to maintain backward compatibility with the rest of their configuration(s).
Otherwise, your instructions would have to warn to mass-replace all
occurrences of "ZEROHOUR" to "COMMTOUCH" in their various files?

 

Or do I understand the impact wrong?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 24, 2010 11:51 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interim 4.10.51

 

Change the way ZEROHOUR works so to be consistent with the other test
including filters etc. 

 

Remove from the global.cfg:

 

ZEROHOUR 12

 

Add new configuration:

 

COMMTOUCH  ZEROHOURxx  12  0

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SORBS Website Down?

2010-05-12 Thread Andy Schmidt
Nah - I wasn't imaging things - they really ARE having problems, e.g., when
trying to query an IP address.

 

Software error:

Open DB Handle needed at /home/dnsbl/htdocs/cgi-bin/db line 190

For help, please send mail to the webmaster (supp...@support.sorbs.net),
giving this error message and the time and date of the error. 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Wednesday, May 12, 2010 5:29 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SORBS Website Down?

 

It may have been down when you looked, Andy. It's up now.

 

Also, I like to use this 3rd party for an instant second opinion:

 

http://downforeveryoneorjustme.com

 

 

Andrew 8)

 

 

 


From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 1:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SORBS Website Down?

Hi,

 

Does anyone have a URL that works? I haven't been able to get
www.sorbs.net/lookup.shtml, or www.au.sorbs.net/lookup.shtml to come up?

 

I remember reading something last year that they had trouble getting a
hosting sponsor - but later they were acquired by GFI.

 

Best Regards,

Andy

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SORBS Website Down?

2010-05-12 Thread Andy Schmidt
Thanks Andrew - it was down for a long time - but now I can get it. Thanks
for reassuring me.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Colbeck,
Andrew
Sent: Wednesday, May 12, 2010 5:29 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SORBS Website Down?

 

It may have been down when you looked, Andy. It's up now.

 

Also, I like to use this 3rd party for an instant second opinion:

 

http://downforeveryoneorjustme.com

 

 

Andrew 8)

 

 

 


From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, May 12, 2010 1:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] SORBS Website Down?

Hi,

 

Does anyone have a URL that works? I haven't been able to get
www.sorbs.net/lookup.shtml, or www.au.sorbs.net/lookup.shtml to come up?

 

I remember reading something last year that they had trouble getting a
hosting sponsor - but later they were acquired by GFI.

 

Best Regards,

Andy

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Fine tuning Declude

2010-05-12 Thread Andy Schmidt
Hi Darin,

 

I have been fortunate that my customers (or their network consultants) were
able to open the LDAP port and add a user without trouble. Either they were
big enough to have their own IT staff, or small enough to have an external
IT consultant. But I understand that this might be different for everyone
else. 

 

As far as adding/deleting accounts - this script is designed to add/delete
records in the live database (that is actively used by ORF) - instead of
deleting and then "refreshing" the entire list. This way, there is no
downtime.  Of course, if your gateway does not support ODBC lookups (ORF
supports ODBC, LDAP and AD lookups), then you're out of luck.

 

Anyway - I'm just sharing the code in case it helps Michael.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Darin
Cox
Sent: Wednesday, May 12, 2010 4:32 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude

 

This is about 1/3 of the process to sync the servers.  Then there's the
processing of the file on the gateway to add/delete accounts as needed, and
the minor Exchange config changes to accept mail from a subdomain.

 

In our implementations, and due to often insufficient access/knowledge on
the part of most customers, it's a two-part batch sync.  I like the
all-in-one process you have by connecting through the firewall, Andy, but
it's been hard enough getting access to customer servers to place the
extraction script. Trying to get access to LDAP through firewalls for an
external process would take a lot longer to coordinate on a per-customer
basis.


Darin.

 

 

----- Original Message - 

From: Andy Schmidt <mailto:andy_schm...@hm-software.com>  

To: declude.junkmail@declude.com 

Sent: Wednesday, May 12, 2010 4:05 PM

Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

Not sure that this list supports attachments - but here it is.

 

Here's how I launch it every half hour:

 

cscript //Nologo ExtractLDAP.wsf 70.255.255.84 "ou=Their Staff,dc=TheirCompany,dc=local" logon.u...@theircompany.local mypassword "domainalias1.com domainalias2.com domainalias3.com" TheirCompany

 

I usually use the LDAP Explorer tool to make sure I can connect to their
LDAP port through their firewall, that they have set up a valid
user/password for me, etc. Then I navigate through their LDAP hierarchy to
determine the correct OU/DC/DC, CN/DC/DC, etc path to their email users.
Once that succeeds I can simply take that info and use it as the parameters
to my script.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 3:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

That sounds like it would be fun to review, regardless.  I can dig up my old
script and post it, too.  Mine is pretty primitive: spew and parse.

 

Does it reach out to LDAP from the internet side of things, through a
properly configured firewall, I imagine?  Mine was a local script that
uploaded.  I like your idea better, if I am reading it right.  With your
idea, I provide minimum requirements instead of installation steps.

 

 

Very Respectfully, 

 

Michael Cummins 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] SORBS Website Down?

2010-05-12 Thread Andy Schmidt
Hi,

 

Does anyone have a URL that works? I haven't been able to get
www.sorbs.net/lookup.shtml, or www.au.sorbs.net/lookup.shtml to come up?

 

I remember reading something last year that they had trouble getting a
hosting sponsor - but later they were acquired by GFI.

 

Best Regards,

Andy

 

 

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Fine tuning Declude

2010-05-12 Thread Andy Schmidt
Not sure that this list supports attachments - but here it is.

 

Here's how I launch it every half hour:

 

cscript //Nologo ExtractLDAP.wsf 70.255.255.84 "ou=Their Staff,dc=TheirCompany,dc=local" logon.u...@theircompany.local mypassword "domainalias1.com domainalias2.com domainalias3.com" TheirCompany

 

I usually use the LDAP Explorer tool to make sure I can connect to their
LDAP port through their firewall, that they have set up a valid
user/password for me, etc. Then I navigate through their LDAP hierarchy to
determine the correct OU/DC/DC, CN/DC/DC, etc path to their email users.
Once that succeeds I can simply take that info and use it as the parameters
to my script.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 3:25 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

That sounds like it would be fun to review, regardless.  I can dig up my old
script and post it, too.  Mine is pretty primitive: spew and parse.

 

Does it reach out to LDAP from the internet side of things, through a
properly configured firewall, I imagine?  Mine was a local script that
uploaded.  I like your idea better, if I am reading it right.  With your
idea, I provide minimum requirements instead of installation steps.

 

 

Very Respectfully, 

 

Michael Cummins 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.










<![CDATA[

// ===
// Extract Email Addresses from Active Directory
// ---
//
//  Author:  © 2005, Andy Schmidt
//  Email:   a...@argos.net
//  Runtime: Windows Scripting Host 5.6
//
//
// ---
//
//  CHANGE HISTORY
//
//  1.0.0 05-Apr-05 (AS)  Initial Development.
//  1.1.0 17-Jan-07 (AS)  Generalization and SQL sanitizing
//  1.2.0 19-Feb-07 (AS)  Set Page Size ADO property for large query results
//  1.3.0 15-Apr-08 (AS)  Allow for CommandLine Parameters
//  1.3.1 22-Apr-08 (AS)  Reliable detection of DupRec return code from JET
//                        Permit Origin length of 15, check for max length
//
// ===


// --
//   Global Constants
// --

var nPageSize = 2000;   // (LDAP)

var strMDBFileName = 'ImailAdr.mdb';
var strMDBConn = 'Provider=Microsoft.Jet.OLEDB.4.0;Data Source=';

var strTable = 'UserList';
var strTableCreate = "CREATE TABLE [" + strTable + "] ( [Domain] CHARACTER(255) NOT NULL, [Host] CHARACTER(255) CONSTRAINT [HostKey] NOT NULL, [User] CHARACTER(255) NOT NULL, [Email] CHARACTER(255) NOT NULL CONSTRAINT [PrimaryKey] PRIMARY KEY, [Current] BIT, [Origin] CHARACTER(15) NOT NULL );";
var strIndexCreate = "CREATE INDEX HostKey ON [" + strTable + "] ( [Host] ) WITH DISALLOW NULL;";


// --
//   Global Variables
// --

var retCode = 0;
var bListOnly = false;
var nAddresses = 0;
var nInserted = 0;
var nUpdated = 0;
var nRecordsEffected = 0;

var i, tempstr, temparr;
var strDomain, strEmail;


// ==
//   Prolog
// ==

// Instantiate core objects
var objShell = WScript.CreateObject("WScript.Shell");
var objCat = WScript.CreateObject("ADOX.Catalog");
var objConn = WScript.CreateObject("ADODB.Connection");
var objRS = WScript.CreateObject("ADODB.Recordset");

// Get Command Line Parameters
if ( WScript.Arguments.Unnamed.Length < 6 || WScript.Arguments.Unnamed.Length > 7 )
{
    WScript.Echo( 'Incorrect number of command line parameters: ' + WScript.Arguments.Unnamed.Length + '. ');
    WScript.Arguments.ShowUsage();
    WScript.Quit( -4 );
}

var strComputer = WScript.Arguments.Unnamed.Item(0);
var adBase = WScript.Arguments.Unnamed.Item(1);
var adUser = WScript.Arguments.Unnamed.Item(2);
var adPwd = WScript.Arguments.Unnamed.Item(3);
var strDomains = " " + WScript.Arguments.Unnamed.Item(4) + " ";
var strOrigin = WScript.Arguments.Unnamed.Item(5);

if ( WScript.Arguments.Unnamed.Length > 6 )
    bListOnly = ( WScript.Arg

RE: [Declude.JunkMail] Fine tuning Declude

2010-05-12 Thread Andy Schmidt
Hi Michael:

 

I have a Windows script that I use with a whole bunch of different Exchange
customers to pull their email addresses from their servers and dump them
into a small JET (.mdb = Access) Database.  It does have a few input
parameters where you configure the LDAP path to the mail domain (because
many Exchange customers have different schemes), the LDAP user/pwd, and
which alias domain names to generate.

 

I use that list in a SQL query that my ORF gateway uses to block invalid
email addresses and outright terminate connections that have too many invalid
email addresses. If you have any use for it, I'll be happy to let you have
it. Instead of outputting database rows, you could certainly expand the
script to output a flat file instead or add "alias" items to the IMAIL
registry, etc.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Wednesday, May 12, 2010 2:14 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

 

I wrote a batch file once on a number of the exchange servers that used VBS
and LDAP to generate a list of valid exchange recipients and then FTP them
to the server where a CF script parsed it clean.  I didn't quite know what
to do with them when they got there though (I was originally going to use
them in Alligate, but never got that up and going) and I don't have the full
"granular" cooperation of all the Exchange network peeps, only most of them,
so it was difficult to implement a one-size-fits-all policy regardless.

 

I'll put my thinking cap on.  

 

Another one of the problems is that most all of my clients don't want to
disable NDRs with whatever solution I come up with, which makes it fairly
impossible to avoid backscatter.  It goes in me one way, and out another :p

 

 

Very Respectfully, 

 

Michael Cummins 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Sniffer Integration -> Multiple Exit Codes

2010-05-05 Thread Andy Schmidt
Thanks Pete.

 

Hopefully these discussions (and seeing your responsiveness) will convince
more folks to give Sniffer a try!

 

>> I'm not completely sure what you are asking <<

 

The golden rule for external tests and for RBLs is - if you have multiple
lines using the SAME "command" (e.g., the 18 "SNF" lines), or referring to
the same external program (e.g., 5 invURIBL lines), or referring to the same
blacklist (10 lines checking different return values), THEN only the FIRST
line will actually "run" the test against that resource (e.g., run the
external program, lookup the IP in the RBL). The OTHER lines will just
evaluate the return code differently without rerunning the test.

 

Now with the internal Sniffer implementation, we have three DIFFERENT
commands (SNF, SNFIP, SNFIPREP). So it's worthwhile confirming whether the
same golden rule applies here even though these are NOT multiple lines of
the SAME command.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Wednesday, May 05, 2010 3:47 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer Integration -> Multiple Exit Codes

 

On 5/5/2010 3:24 PM, Andy Schmidt wrote: 

Hi Dave (just in case this got overlooked - or I missed the answer),

 

>> Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. <<

I know that all 18 "SNF" rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 "SNFIP" rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the "SNFIPREP" rule.

 

So I need to clarify this in my head. Will all 22 "SNF." rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?


If I may -- I'm not completely sure what you are asking -- but if your
concern is that the test for SNFIP and SNFIPREPS represent additional
overhead then I can answer that. The amount of code that is run to execute
these tests is vanishingly small. You should consider the overhead required
to run all three tests as being no more than running the SNF pattern scan.
The other two (SNFIP and SNFIPREPS) require so little work that their
overhead is virtually impossible to measure.

_M




-- 
President
MicroNeil Research Corporation
www.microneil.com


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
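Andy's "golden rule" above (several config lines naming the same command or resource trigger one invocation, and every line is judged from that single result) as an added example; this is not Declude's scheduler. The config shape follows the `SNIFFER-TRAVEL  SNFx  47  12  0` line David shows later in this thread; reading the last two columns as weight-on-match and weight-on-no-match is our assumption, and the commands, exit codes and weights are constructed.

```python
"""One invocation per command, many rule lines evaluated from it.

Added example, not Declude's code.  Rule line: test name, command, exit code
to match, weight on match, weight on no match (column meaning assumed).
Each command's runner is called once per message; the cached exit code is
then compared against every line that names that command.
"""


def parse_rules(config_text):
    """Parse whitespace-separated rule lines; '#' lines and blanks are ignored."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, command, code, w_match, w_nomatch = line.split()
        rules.append((name, command, int(code), int(w_match), int(w_nomatch)))
    return rules


def evaluate(rules, runners):
    """runners: command -> callable() returning that command's exit code.

    Returns (total weight, names of lines that matched, invocation count per command).
    """
    results = {}          # command -> exit code, filled on first use only
    calls = {}            # command -> how many times the runner actually ran
    total = 0
    fired = []
    for name, command, code, w_match, w_nomatch in rules:
        if command not in results:                 # first line for this command
            results[command] = runners[command]()
            calls[command] = calls.get(command, 0) + 1
        if results[command] == code:
            total += w_match
            fired.append(name)
        else:
            total += w_nomatch
    return total, fired, calls


# Constructed rule set: three commands, several lines each.
SAMPLE_CONFIG = """
SNIFFER-TRAVEL   SNF       47  12  0
SNIFFER-CASINO   SNF       52  15  0
SNIFFER-IPBLACK  SNFIP     20  10  0
SNIFFER-IPGOOD   SNFIP     63  -5  0
SNIFFER-IPREP    SNFIPREP   1   8  0
"""


def demo():
    """Pretend the scan returned 52, the IP test 63 and the reputation test 0."""
    runners = {"SNF": lambda: 52, "SNFIP": lambda: 63, "SNFIPREP": lambda: 0}
    return evaluate(parse_rules(SAMPLE_CONFIG), runners)


if __name__ == "__main__":
    print(demo())
```

The invocation counter is the point: five rule lines, three runner calls. Whether Declude treats SNF, SNFIP and SNFIPREP as one resource or three is exactly the question Andy is asking; the example keys on the command name, so it models the "three separate entities" case.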

RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

2010-05-05 Thread Andy Schmidt
Yes, Declude already has TWO weights associated with SNFIPREP (one for
positive, one for negative). 

 

Just as you said, but multiplying with the positive or negative weight, as
need be, one would get two linear slopes from the center point.

 

On top of that, Dave has a "basepoint" option that can shift the center
point left or right.

 

So - it's 99% there. It just needs to "prorate" the +/- weights (=
multiplying) rather than use them as absolute values.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Wednesday, May 05, 2010 3:14 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight
Scheme

 

On 5/5/2010 1:30 PM, Andy Schmidt wrote: 

Hi Dave,

 

Hm - yes, I think if you added 21 lines (from -10 to 0 and to +10) to the
config file, you could cover the reputation range from -1 to +1
in 0.1 step increments.

 

Not elegant - but would have the same effect as multiplying the reputation
range with the defined max weight.


I hate to muddy the waters further -- but we solved this problem once when
developing the envelope management bit of GBUdb.
It might be complicated to explain, but suppose you define the slope at a
given point for each line you specify and then have the resulting weight be
a linear transform (as was discussed before).

Then you would need only two entries by default...
One that describes full-scale + and another that defines full scale -.
If you find the need to alter the slope then you can add additional points
in between.
The math works by drawing a straight line from 0 to the next defined point,
and from that point to the extreme, and so on.

Personally I think it is overkill -- but if you're going to talk about
making many many lines for this then the multi-point curve interpolation is
the way to go.

In practice the best way _seems_ to be to provide only two slopes -- one
positive going, one negative going -- and to establish a weight based on
those slopes. Theoretically that could be defined on a single Declude test
definition line.

Is there some constraint that I don't know about causing folks to consider
more complexity?

Hope this is helpful,

_M





-- 
President
MicroNeil Research Corporation
www.microneil.com


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
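The graduated weight both messages describe, as an added example that is not Declude's or Sniffer's code: Andy's version (prorate the configured positive and negative weights across the reputation range, with a basepoint that shifts the centre) and Pete's generalisation (a straight line from the centre to each full-scale point, with optional extra points to bend the slope) are the same piecewise-linear curve. Parameter names and the clamping of out-of-range reputations are our choices.

```python
"""Graduated weight from an IP reputation in [-1, +1].

Added example, not Declude's or Sniffer's code.  The curve is anchored at
(-1, neg_weight), (basepoint, 0) and (+1, pos_weight); extra points add
knees in between.  A reputation is mapped to a weight by linear
interpolation between the two anchors around it.
"""


def weight_curve(pos_weight, neg_weight, basepoint=0.0, extra_points=()):
    """Anchor points (reputation, weight), sorted by reputation.

    basepoint shifts the zero-weight centre; extra_points (assumed
    interface) are additional (reputation, weight) knees.
    """
    pts = [(-1.0, float(neg_weight)),
           (float(basepoint), 0.0),
           (1.0, float(pos_weight))]
    pts.extend((float(r), float(w)) for r, w in extra_points)
    return sorted(pts)


def reputation_weight(rep, curve):
    """Interpolate on the curve; reputations outside [-1, 1] are clamped."""
    rep = max(-1.0, min(1.0, float(rep)))
    for (r0, w0), (r1, w1) in zip(curve, curve[1:]):
        if r0 <= rep <= r1:
            if r1 == r0:                    # duplicate anchor: take the later one
                return w1
            return w0 + (w1 - w0) * (rep - r0) / (r1 - r0)
    return 0.0                              # unreachable: curve spans [-1, 1]


if __name__ == "__main__":
    # Two-slope default: +10 at full positive, -8 at full negative, centre at 0.
    curve = weight_curve(pos_weight=10, neg_weight=-8)
    for rep in (-1.0, -0.5, 0.0, 0.5, 1.0):
        print(f"{rep:+.1f} -> {reputation_weight(rep, curve):+.1f}")
```

With only the three default anchors this is the single-line, two-slope definition Pete says is usually enough; the 21-line table Andy sketches is the same curve sampled at 0.1 steps.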

RE: [Declude.JunkMail] Sniffer Integration -> Multiple Exit Codes

2010-05-05 Thread Andy Schmidt
Hi Dave (just in case this got overlooked - or I missed the answer),

 

>> Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. <<

I know that all 18 "SNF" rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 "SNFIP" rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the "SNFIPREP" rule.

 

So I need to clarify this in my head. Will all 22 "SNF." rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GBUdb) and SNFIP (which also evaluates the
GBUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GBUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION   SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allow me to code:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION   SNFIP   please update this to IPREPUTATION   SNFIPREP
x   0   10   -5   this should be the default.

 

SNFIPREP represents a scale of -1 - 0 - +1; when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
the examples below:

 

If final score is 0 no score is added to the email

dec0430.log 1842   04/30/2010 00:01:20.700 49319588 SNFIPRep the
Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log 7351   04/30/2010 00:07:14.043 49319625 SNFIPRep the
Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log 11926   04/30/2010 00:08:50.340 49319647 SNFIPRep the
Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered 

RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

2010-05-05 Thread Andy Schmidt
Hi Dave,

 

Hm - yes, I think if you added 21 lines (from -10 to 0 and to +10) to the
config file, you could cover the reputation range from -1 to +1
in 0.1 step increments.

 

Not elegant - but would have the same effect as multiplying the reputation
range with the defined max weight.

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, May 05, 2010 12:12 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight
Scheme

 

Just a thought. We would have to test it but do you think the same thing
could be achieved using:

 

IPREPUTATION-3   SNFIPREP   x   -3   0  -5

IPREPUTATION-2   SNFIPREP   x   -2   0  -5

IPREPUTATION-1   SNFIPREP   x   -1   0  -5

IPREPUTATION-0SNFIPREP   x   0   5   -5

IPREPUTATION+1SNFIPREP   x  1   5   -5

IPREPUTATION+2SNFIPREP   x  2   5   -5

IPREPUTATION+3   SNFIPREP   x   3   5   -5

 

This way the further an IP is on the scale the greater the credit or
additional score. This would have to wait till we implement the - negative
for the BASEPOINT.

David

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 4:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight
Scheme

 

Hi Dave,

 

I'm breaking this into two discussions as they are two different topics.

 

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the
reputation scale of -1 through +1 should NOT just result in either ONE
positive or ONE negative weight option.  

 

Your example:

 

IPREPUTATION   SNFIPREP   x   0   10   -5

 

only results in either a "10" being added or a "5" being subtracted. So you
are turning a continuous scale of -1 to +1 into two discrete values - losing
all the key benefits of having the reputation scale in the first place.

 

You already have the SNFIP return codes, if someone wanted a "fix" value for
a particular "level" of reputation.

 

 

To really make use of the GBUdb, there should be a continuous weight from 0
to 10 for "bad" reputation and 0 through -5 for "good" reputation (using
your sample of 10 and -5).

 

Basically, for positive GBUdb values, multiply with the "10" (getting a
value from 0 to 10 depending on "how bad" the reputation is), for negative
values multiply with "-5" to get a weight from 0 to -5 (depending on "how
good" the IP is).

 

This would make the test really useful because it would only cause BIG
weight changes for BIG GBUdb values.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 <mailto:dbar...@declude.com> dbar...@declude.com

 

 






[Declude.JunkMail] Sniffer Integration - Bad snf_engine.xml

2010-05-05 Thread Andy Schmidt
Dave,

 

Pete has helped me figure out that your XML samples, e.g.:

 

http://interim.declude.com/41048/Scanners/SNF/snf_engine.xml

 

is NOT a valid XML file.

 

Specifically, the closing tag for the "node" element is invalid.

 

It MUST be:

 



 

(Currently it is "").

 

Consequently, opening this file with an xml parser (even just IE) will
result in parser errors.

 

I suppose everyone should double-click that XML file and see if it actually
opens (assuming that this bug has been there since day 1).

 

Best Regards,

Andy

 

 




RE: [Declude.JunkMail] Sniffer IP Reputation -- Graduated Weight Scheme

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I'm breaking this into two discussions as they are two different topics.

 

The REAL point of Pete's input (and my suggestion) for SNFIPREP is that the
reputation scale of -1 through +1 should NOT just result in either ONE
positive or ONE negative weight option.  

 

Your example:

 

IPREPUTATION   SNFIPREP   x   0   10   -5

 

only results in either a "10" being added or a "5" being subtracted. So you
are turning a continuous scale of -1 to +1 into two discrete values - losing
all the key benefits of having the reputation scale in the first place.

 

You already have the SNFIP return codes, if someone wanted a "fix" value for
a particular "level" of reputation.

 

 

To really make use of the GBUdb, there should be a continuous weight from 0
to 10 for "bad" reputation and 0 through -5 for "good" reputation (using
your sample of 10 and -5).

 

Basically, for positive GBUdb values, multiply with the "10" (getting a
value from 0 to 10 depending on "how bad" the reputation is), for negative
values multiply with "-5" to get a weight from 0 to -5 (depending on "how
good" the IP is).

 

This would make the test really useful because it would only cause BIG
weight changes for BIG GBUdb values.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 



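The weighting schemes argued over in this thread, put side by side in an added example (my code, not Declude's or Message Sniffer's): the two-valued BASEPOINT test from David's "(SNIFFER RETURN) x 10 - (BASEPOINT)" post, the linear scaling Andy proposes above (distinct factors for the + and - sides), and the multi-point straight-line curve Pete described in his GBUdb envelope note earlier in this archive, of which David's seven IPREPUTATION lines are a stepped approximation. Two things are assumptions rather than documented Declude behaviour: the reputation is scaled by 10 and truncated to an integer before BASEPOINT is subtracted (this reproduces David's positive examples and Andy's corrected negative ones), and the knee points in KNEE_CURVE are invented for illustration.

```python
"""Graduated weighting of a GBUdb-style IP reputation in [-1.0, +1.0].

Added example, not Declude or Message Sniffer code. It puts side by side the
three schemes discussed in this thread: the two-valued BASEPOINT test, the
linear scaling Andy proposes, and the multi-point straight-line curve Pete
describes. Scaling the reputation by 10 and truncating to an integer before
subtracting BASEPOINT is an assumption that reproduces the posted examples.
"""
from bisect import bisect_left
import math


def discrete_weight(reputation, basepoint, weight_pos, weight_neg):
    """Two-valued scheme: result = trunc(reputation * 10) - basepoint.
    A positive result adds weight_pos, a negative one adds weight_neg and
    zero leaves the message unscored, whatever the size of the result."""
    result = math.trunc(reputation * 10) - basepoint
    if result > 0:
        return weight_pos
    if result < 0:
        return weight_neg
    return 0


def linear_weight(reputation, basepoint, factor_pos, factor_neg):
    """Continuous scheme: ((|reputation| * 10) - basepoint) * factor, the
    factor chosen by the sign of the reputation, so a reputation of +1.0 gives
    10 * factor_pos and -1.0 gives 10 * factor_neg. Nothing is scored once the
    basepoint has eaten the whole scaled value."""
    scaled = abs(reputation) * 10 - basepoint
    if scaled <= 0:
        return 0.0
    return scaled * (factor_pos if reputation > 0 else factor_neg)


def curve_weight(reputation, points):
    """Multi-point scheme: `points` are (reputation, weight) pairs and (0, 0)
    is implied unless overridden. The weight is read off straight lines
    joining consecutive points; reputations outside the outermost points are
    clamped to them, so two points (full-scale + and full-scale -) suffice."""
    table = {0.0: 0.0}
    table.update((float(x), float(y)) for x, y in points)
    xs = sorted(table)
    r = min(max(reputation, xs[0]), xs[-1])
    i = bisect_left(xs, r)
    if xs[i] == r:
        return table[r]
    x0, x1 = xs[i - 1], xs[i]
    return table[x0] + (table[x1] - table[x0]) * (r - x0) / (x1 - x0)


# Two points only: full-scale bad (+1.0) scores 10, full-scale good (-1.0) -5.
TWO_POINT_CURVE = [(-1.0, -5), (1.0, 10)]
# Same end points plus assumed knees: mildly positive IPs score little until
# the reputation passes +0.5, and anything below -0.8 is nearly full credit.
KNEE_CURVE = [(-1.0, -5), (-0.8, -4), (0.5, 2), (1.0, 10)]


def compare(reputations, basepoint=0):
    """Tabulate all three schemes for the thread's 10 / -5 weights
    (IPREPUTATION SNFIPREP x basepoint 10 -5 in Declude's notation)."""
    rows = []
    for rep in reputations:
        rows.append({
            "reputation": rep,
            "discrete": discrete_weight(rep, basepoint, 10, -5),
            "linear": round(linear_weight(rep, basepoint, 1.0, -0.5), 2),
            "curve": round(curve_weight(rep, KNEE_CURVE), 2),
        })
    return rows


if __name__ == "__main__":
    for row in compare([-1.0, -0.8, -0.267262, 0.0, 0.05, 0.267262, 0.5, 1.0]):
        print(row)
```

Running it shows the point Andy makes: with the discrete scheme a reputation of +0.1 and one of +1.0 both land the full 10, while the linear and curve schemes give the full weight only at the extreme and almost nothing near zero. Moving the BASEPOINT only shifts where the single step sits; it never makes the step smaller.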

RE: [Declude.JunkMail] Sniffer "BasePoint"

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

Let's keep the BasePoint a separate discussion.

 

Here's what you sent on 4/30:

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

So - since "left" of zero (negative) are the good reputation and "right" of
zero (positive) are bad reputation, and you are subtracting the basepoint
(lowering a positive Sniffer Score) - so effectively you are moving the
center further to the RIGHT. A basepoint of "3" will have the effect that
-1.0 though +0.3 is "good reputation", +0.3 is "the null point" and +0.3 to
+1.0 is now "bad" reputation, right?

 

But your sample math doesn't match your formula:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

 Using math rules (assuming you are simply truncating any decimals, not
rounding), you SHOULD be getting:

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -3 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = -4 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 3 = -5 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -6 This is negative then the test is not-triggered for
-5 points.

 

In any case, if you ONLY allow a "positive" base point that is being
subtracted then you can only use the SNFIPREP test to reduce the number of
IPs that are considered "bad".  But, if you are trying to use SNFIPREP for
"whitelisting" and want to limit that number of IPs that are considered
"good" then you need to be able to add the basepoint - which moves the
center further to the LEFT.

 

So I think a negative basepoint would be useful (but not urgent in light of
the fact that you just sent me earlier SNFIP return codes that allow testing
for "white").

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

As Pete already provided input on this. I am not going to prolix the answer
other than to say when implementing Message Sniffer we abided by Pete's
advice "Since many legitimate ISPs also produce a lot of spam it might be
useful to apply a bias to this weight so that these systems appear closer to
zero." So currently we do not allow for a negative value as a BASEPOINT,
with that said if you think it is really important to be able to use a
negative value as you have described in your post, let me know and I can add
it to the dev list.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 <mailto:dbar...@declude.com> dbar...@declude.com

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 1:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

Hi Pete,

 

Funny - our messages overlapped. But I'm glad I was on the right track with
my suspicions. Hopefully this will help Declude to refine things.

 

>> a better way to do it would be to scale the result so that from 0 to -1
the "negative" weight (let's pick a 

factor of 5) would rise linearly from 0 to -5 and similarly a positive going
reputation would scale linearly from 0 to +5 as the API result scaled from 0
to +1. <<

 

Right - that's the same scheme I just pointed out to Dave myself - except in
my case you could pick a distinct factor for the "-" vs. the "+" side of the
scale (because Declude already has that option anyhow)

 

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or Neg]WeightFactor = Final Weight

 

For this line in the Declude config:

 

IPREPUTATION SNFIPREP x 0 2 -1

 

it would result in weights between +20 and -10, e.g.:

 

Reputation 0.0: ( ( 0.0 * 10 ) - 0 ) * 2   =   0

 

Reputation 0.3: ( ( 0.3 * 10 ) - 0 ) * 2   =   6

Reputation 1.0: ( ( 1.0 * 10 ) - 0 ) * 2   =  

RE: [Declude.JunkMail] SNFIP option for "WHITE"?

2010-05-03 Thread Andy Schmidt
Excellent - THANKS!

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 2:44 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SNFIP option for "WHITE"?

The exit codes are as follows:

Unknown = 0
White = 1
Normal = 2
New = 3
Caution = 4
Black = 5
Truncate = 6

The format in Declude would be.

TESTNAME   TESTTYPE   X   EXITCODE   WEIGHT-TRIGGERED   WEIGHT-NOTTRIGGERED

SNFIPWHITE  SNFIP   X  1  -50


David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Saturday, May 01, 2010 2:19 PM
To: declude.junkmail@declude.com
Subject: FW: [Declude.JunkMail] SNFIP option for "WHITE"?

Dave,

Pete confirmed that in addition to the "Caution", "Black" and "Truncate"
categories, there is a "WHITE" category (which was also mentioned in the
Sniffer documentation).

So, it seems as if besides the existing three "SNFIP" options:

  SNFIPCAUTION   SNFIP x 4  5 0
  SNFIPBLACK SNFIP x 5 10 0
  SNFIPTRUNCATE  SNFIP x 6 10 0

there should/could be a:

  SNFIPWHITE SNFIP x ??? -5 0

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

> But your documentation of the reputation system has a graph that shows
that
> there is yet another category: "WHITE".
   

I don't know the details of Declude's implementation. Presumably they
could (or maybe even do) implement WHITE.








RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

Thanks - I don't want to upset your development schedule (naturally, I can
cope with things as they are) - just wanted to make sure it's on someone
else's list.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 1:19 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

I will check with engineering. If this is an easy change I will get it in an
interim soon, also with the "nonzero" for SNF as we discussed in an earlier
thread. 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, May 03, 2010 1:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

Hi Dave,

 

I agree with you that the total weight of 9 is correct (I had already
"piecemealed" that arithmetic together in my msg). 

 

>> As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be <<

 

Good - because, if your programmer was able to add "ZeroHour" to the "Tests
Failed" line, and also to the "SMTP Headers" variable, in the various
sections of the program flow - then I'd say it was merely an oversight that
it was omitted from the ONE log line that "should be the complete list of
tests used in calculating the score", as you already confirmed.

 

>> I believe this is the list of  "non-zero" tests you are looking for with
the exception of Commtouch ZEROHOUR. <<

 

Right - so all we need is to get the missing ZEROHOUR included, so that it
truly IS a list of non-zero tests.

 

Thanks for checking into this.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered, it cannot be in the same list of emails
that ARE triggered; providing the -2 to the final equation, we have a correct
Total of:

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of "non-zero" tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
 <mailto:dbar...@declude.com> dbar...@declude.com

 



RE: [Declude.JunkMail] Sniffer Integration -> Multiple Exit Codes

2010-05-03 Thread Andy Schmidt
Hi Dave (just in case this one got lost),

 

>> Also even though there are multiple entries the test only runs once and
the resulted exit code is the triggered. <<

I know that all 18 "SNF" rule lines only require one invocation of Sniffer -
which are then evaluated 18 different ways. Fair enough.

I also know that the 3 "SNFIP" rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the "SNFIPREP" rule.

 

So I need to clarify this in my head. Will all 22 "SNF." rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREPS) a separate entity that requires additional overhead?

Since there is overlap between:

SNFIPREP (which evaluates the GBUdb) and SNFIP (which also evaluates the
GBUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GBUdb) -
and I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already has exit codes 20 and 63) would further
reduce the Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also even though there are multiple entries the test only runs once and the
resulted exit code is the triggered.

David




RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I agree with you that the total weight of 9 is correct (I had already
"piecemealed" that arithmetic together in my msg). 

 

>> As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be <<

 

Good - because, if your programmer was able to add "ZeroHour" to the "Tests
Failed" line, and also to the "SMTP Headers" variable, in the various
sections of the program flow - then I'd say it was merely an oversight that
it was omitted from the ONE log line that "should be the complete list of
tests used in calculating the score", as you already confirmed.

 

>> I believe this is the list of  "non-zero" tests you are looking for with
the exception of Commtouch ZEROHOUR. <<

 

Right - so all we need is to get the missing ZEROHOUR included, so that it
truly IS a list of non-zero tests.

 

Thanks for checking into this.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, May 03, 2010 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reporting of Tests Failed Incomplete?

 

The Tests failed (Triggered) showing tests that ARE triggered. In this case:

 

Tests failed [weight=9]: 

 

SPFPASS=IGNORE[-2] 

CONTENT=IGNORE[7] 

ZEROHOUR=WEIGHT[6]

 

Total: 11

 

As nIPNOTINMX:-2 is NOT triggered, it cannot be in the same list of emails
that ARE triggered; providing the -2 to the final equation, we have a correct
Total of:

 

Total: 9

 

As Commtouch Zerohour was implemented differently than regular tests
(because it runs as part of the AV code) it is not listed in this log line.
Agreed it should be, but this line should be the complete list of tests used
in calculating the score. I believe this is the list of "non-zero" tests
you are looking for with the exception of Commtouch ZEROHOUR.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.

 

nIPNOTINMX:-2 

SPFPASS:-2 

CONTENT:7

 

Total: 3

 

ZEROHOUR=6

 

Total: 9

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 




[Declude.JunkMail] Reporting of Tests Failed Incomplete?

2010-05-03 Thread Andy Schmidt
Hi Dave,

 

I do have SOME tests suppressed from the SMTP headers:

 

HIDETESTS   CATCHALLMAILS IPNOTINMX NOLEGITCONTENT WEIGHTKILL2
WEIGHT8 WEIGHT10 WEIGHTHDR WEIGHTFOOTER NJABL AHBL SORBS SENDERDB
WEIGHTGATEWAY

 

So the SMTP header looks correct - and the weight of 9 is accurate:

 

X-Declude-RefID: str=0001.0A020203.4BDEB008.02BD,ss=3,sh,fgs=0

X-Declude: Version 4.10.48; Code 0xe from www.mailglobal.net [64.27.0.60]

X-Declude: Triggered [9] SPFPASS, SNIFFER-GENERAL, ZEROHOUR [6] 

X-IMail-ThreadID: 4d2f8f571d69

 

However, in the log file, there is not ONE line that actually adds up to the
total weight of 9 (in this case: [Content] 7 + [ZeroHour] 6 = 13; minus
[IpNotInmx] 2 minus [SPFpass] 2 = [total] 9).

 

One log line misses the "ZeroHour" test, the other misses the IpNotInMx.  I
think ONE of these two lines should be implemented in a way so that it lists
everything that is "non-zero" so that a user can easily see HOW the total
weight was derived - otherwise, what's the point of logging any tests.

 

q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  Total weight = 9.

q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=19
(9) and at least 1 recipients (1).

q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=14
(9) and at least 4 recipients (1).

q4d2f8f571d69.smd NOT bypassing whitelisting of E-mail with weight >=12
(9) and at least 6 recipients (1).

q4d2f8f571d69.smd Did not find [ smartcouponsa...@tillcrashing.com ] in
[ andy_schm...@hm-software.com ] address book

q4d2f8f571d69.smd Finish Address Book WhiteList

q4d2f8f571d69.smd Tests failed [weight=9]: NOLEGITCONTENT=IGNORE[0]
SPFPASS=IGNORE[-2] SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7]
WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6] 

q4d2f8f571d69.smd L1 Message OK

q4d2f8f571d69.smd Subject: May 2010 local coupon deals.

q4d2f8f571d69.smd From: smartcouponsa...@tillcrashing.com To:
andy_schm...@hm-software.com  IP: 64.27.0.60 ID: 

q4d2f8f571d69.smd Action(s) taken for [andy_schm...@hm-software.com] =
IGNORE SUBJECT  [LAST ACTION=SUBJECT]

q4d2f8f571d69.smd Cumulative action(s) on this email = IGNORE SUBJECT
[LAST ACTION=SUBJECT]

 

Best Regards,

Andy



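An added example (my code, not Declude's) of the reconciliation Andy is doing by hand above: it parses the two log lines he quotes, merges the non-zero tests each of them carries, and checks that the merged set adds up to the reported total, reporting what each line left out. Two assumptions are not stated anywhere on the page and are marked as such in the code: a leading lowercase "n" on a test name in the summary line (nIPNOTINMX) marks a not-triggered test contributing its not-triggered weight, and WEIGHTnn entries in the "Tests failed" line (WEIGHT8=SUBJECT[8]) are action thresholds rather than contributions, which is how the thread's own arithmetic treats WEIGHT8.

```python
"""Reconcile the two Declude log lines that each show only part of the tests
behind a message's total weight.

Added example, not Declude code. It parses the two log lines Andy quotes,
merges the non-zero tests from both and checks that they add up to the
reported total. Two assumptions not stated on the page: a leading lowercase
'n' on a test name in the summary line marks a not-triggered test contributing
its not-triggered weight, and WEIGHTnn entries in the "Tests failed" line are
action thresholds rather than contributions (the thread's own arithmetic
leaves WEIGHT8 out).
"""
import re

# Constructed from the two lines quoted in the thread.
SUMMARY_LINE = ("q4d2f8f571d69.smd nIPNOTINMX:-2 SPFPASS:-2 CONTENT:7 .  "
                "Total weight = 9.")
TESTS_FAILED_LINE = ("q4d2f8f571d69.smd Tests failed [weight=9]: "
                     "NOLEGITCONTENT=IGNORE[0] SPFPASS=IGNORE[-2] "
                     "SNIFFER-GENERAL=IGNORE[0] CONTENT=IGNORE[7] "
                     "WEIGHT8=SUBJECT[8] ZEROHOUR=WEIGHT[6]")

_SUMMARY_RE = re.compile(r"^(\S+?\.smd)\s+(.*?)\s*\.\s+Total weight = (-?\d+)\.")
_SUMMARY_TEST_RE = re.compile(r"(n?)([A-Z][A-Z0-9_-]*):(-?\d+)")
_FAILED_RE = re.compile(r"^(\S+?\.smd)\s+Tests failed \[weight=(-?\d+)\]:\s*(.*)$")
_FAILED_TEST_RE = re.compile(r"([A-Z][A-Z0-9_-]*)=([A-Z]+)\[(-?\d+)\]")
_THRESHOLD_RE = re.compile(r"^WEIGHT\d+$")  # assumed: WEIGHT8 etc. are thresholds


def parse_summary(line):
    """Return (queue_id, {test: weight}, not_triggered_tests, reported_total)."""
    m = _SUMMARY_RE.match(line)
    if not m:
        raise ValueError("not a weight summary line: %r" % line)
    tests, not_triggered = {}, set()
    for prefix, name, weight in _SUMMARY_TEST_RE.findall(m.group(2)):
        tests[name] = int(weight)
        if prefix:  # assumed meaning of the lowercase 'n' prefix
            not_triggered.add(name)
    return m.group(1), tests, not_triggered, int(m.group(3))


def parse_tests_failed(line):
    """Return (queue_id, {test: weight}, reported_total), skipping thresholds."""
    m = _FAILED_RE.match(line)
    if not m:
        raise ValueError("not a 'Tests failed' line: %r" % line)
    tests = {}
    for name, _action, weight in _FAILED_TEST_RE.findall(m.group(3)):
        if not _THRESHOLD_RE.match(name):
            tests[name] = int(weight)
    return m.group(1), tests, int(m.group(2))


def reconcile(summary_line, tests_failed_line):
    """Merge the non-zero tests of both lines and compare with the totals."""
    qid_a, summary, _not_triggered, total_a = parse_summary(summary_line)
    qid_b, failed, total_b = parse_tests_failed(tests_failed_line)
    if qid_a != qid_b:
        raise ValueError("lines belong to different messages: %s / %s" % (qid_a, qid_b))
    merged = {}
    for name, weight in list(summary.items()) + list(failed.items()):
        if weight == 0:
            continue
        if merged.get(name, weight) != weight:
            raise ValueError("conflicting weights for %s" % name)
        merged[name] = weight
    computed = sum(merged.values())
    return {
        "queue_id": qid_a,
        "tests": merged,
        "computed": computed,
        "reported": total_a,
        "consistent": computed == total_a == total_b,
        # What each line left out, which is the gap the thread is about.
        "missing_from_summary": sorted(set(merged) - set(summary)),
        "missing_from_tests_failed": sorted(set(merged) - set(failed)),
    }


if __name__ == "__main__":
    print(reconcile(SUMMARY_LINE, TESTS_FAILED_LINE))
```

For the quoted message the merged set is IPNOTINMX -2, SPFPASS -2, CONTENT 7 and ZEROHOUR 6, which is the only combination that reaches the logged 9; the summary line is missing ZEROHOUR and the "Tests failed" line is missing IPNOTINMX. Run over a day's log the same check flags any message whose two lines cannot be reconciled, which is a quick way to see whether the omission Andy noticed is systematic.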

FW: [Declude.JunkMail] SNFIP option for "WHITE"?

2010-05-01 Thread Andy Schmidt
Dave,

Pete confirmed that in addition to the "Caution", "Black" and "Truncate"
categories, there is a "WHITE" category (which was also mentioned in the
Sniffer documentation).

So, it seems as if besides the existing three "SNFIP" options:

  SNFIPCAUTION   SNFIP x 4  5 0
  SNFIPBLACK SNFIP x 5 10 0
  SNFIPTRUNCATE  SNFIP x 6 10 0

there should/could be a:

  SNFIPWHITE SNFIP x ??? -5 0

Best Regards,
Andy

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

> But your documentation of the reputation system has a graph that shows
that
> there is yet another category: "WHITE".
   

I don't know the details of Declude's implementation. Presumably they
could (or maybe even do) implement WHITE.








RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

2010-05-01 Thread Andy Schmidt
Hi Pete,

 

Funny - our messages overlapped. But I'm glad I was on the right track with
my suspicions. Hopefully this will help Declude to refine things.

>> a better way to do it would be to scale the result so that from 0 to -1
the "negative" weight (let's pick a factor of 5) would rise linearly from 0
to -5 and similarly a positive going reputation would scale linearly from 0
to +5 as the API result scaled from 0 to +1. <<

 

Right - that's the same scheme I just pointed out to Dave myself - except in
my case you could pick a distinct factor for the "-" vs. the "+" side of the
scale (because Declude already has that option anyhow):

(( Abs(Reputation Value) * 10 ) - Base Value) * [Pos or Neg]WeightFactor = Final Weight

 

For this line in the Declude config:

IPREPUTATION SNFIPREP x 0 2 -1

it would result in weights between +20 and -10, e.g.:

Reputation  0.0: ( ( 0.0 * 10 ) - 0 ) *  2 =   0
Reputation  0.3: ( ( 0.3 * 10 ) - 0 ) *  2 =   6
Reputation  1.0: ( ( 1.0 * 10 ) - 0 ) *  2 =  20

Reputation -0.3: ( ( 0.3 * 10 ) - 0 ) * -1 =  -3
Reputation -1.0: ( ( 1.0 * 10 ) - 0 ) * -1 = -10

 

 

Here's an important question, though:

 

Do you have a distribution chart for the reputation scale? It of course
makes a HUGE difference whether the distribution of reputations reported for
the inflow of email is evenly distributed between -1.0 and 0.1, or whether
it is a bell curve where 80% are in the "center" area, or whether it's some
sort of exponential curve that has very few with "good" reputation, a modest
amount around the 0 point, and then exponentially increasing towards the bad
and turn reputations?

This way one could decide what factors to use for the + and - sides and
where to set the "mid" point (Declude allows you to shift the mid-point left
and right).

 

>> I'm guessing on how that test is implemented, but if I've guessed
correctly then -0.8 would certainly be a good WHITE set point.<<

 

Thank you - that means in their "default" (sample) config file, they really
should adjust the midpoint away from "0" to "-8" (they multiply the
reputation scale by 10 to be able to work with integers) 

 

IPREPUTATION  SNFIPREP  x  0  2   -1

 

probably to

 

IPREPUTATION   SNFIPREP   x -8  2 -1

 

but I'd have to check with Dave to see if "-8" will indeed set the midpoint
to -0.8 or if the sign has to be reversed.

 

Thanks for taking the time to help all of us understand Sniffer in the
context of the Declude integration.

 

I'm very happy that Declude took the time and integrated the product. I just
would like to make sure it comes with an implementation sample that is a
good enough compromise for "day-to-day" use.

 

Best Regards,

Andy

 

 

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Saturday, May 01, 2010 11:57 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

 

On 4/30/2010 9:32 PM, Andy Schmidt wrote:

> But your documentation of the reputation system has a graph that shows that
> there is yet another category: "WHITE".
>

I don't know the details of Declude's implementation. Presumably they
could (or maybe even do) implement WHITE.

> The SNFIPREP test does offer the ability to define at what decimal value
> (between -1 and +1, in .1 increments) a weight can be subtracted. But the
> question is - is that SENSIBLE use of your reputation database? Per example,
> could -0.8 be a sensible threshold to give an email "credit" for coming from
> a reputable IP source?
>

I'm guessing on how that test is implemented, but if I've guessed
correctly then -0.8 would certainly be a good WHITE set point.

My guess is based on using a combined score value from the IP reputation
that combines the confidence figure and the probability figure. In that
case only a strongly negative p coupled with a strong c would result in
a -0.8.

> Or is it better to let the "good" reputation be considered AFTER the content
> scan and then use the "combined" exit code?
>

As I understand it Declude uses a weighting system --- except for some
short-circuit abilities that means all tests are run, their scores are
added together, and then the total is used to determine the disposition
of the message. I don't think there is an 'AFTER' in this case.

The IP reputation test is useful in cases where a message might be too
new to hit a pattern match and where the IP reputation is not quite
strong enough to be in one of the

RE: [Declude.JunkMail] Statistic programs for Junkmail

2010-05-01 Thread Andy Schmidt
I happen to run Invariant Software's "Declude Analyzer" (for Declude Virus
and Declude Spam).

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Dodell
Sent: Saturday, May 01, 2010 12:39 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Statistic programs for Junkmail

Curious what programs everyone is using to generate the nice reports showing
what Junkmail tests are being activated?

Thanks

David




RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate -- SUGGESTION

2010-05-01 Thread Andy Schmidt
lieve it
triples the score I think the max would be 2 tests based on the same
information) Unfortunately a large portion of our customers today do not
understand or even care about the details. The beauty of  Declude is that
you are welcome to score tests however you feel appropriate for your email
server. 

I do agree with you that it could be made more clear, but to advise the list
NOT to use the current declude settings is your opinion. What would be
helpful is making a suggestion to what settings you use based on your
results. 

David




From: "Andy Schmidt" 
Sent: Friday, April 30, 2010 9:26 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

Thanks Pete - that confirms what I feared.

Declude's own sample should NOT be used "as is" because it duplicates the IP
results (at minimum)

>> The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. <<

Yes - according to Dave's explanation earlier today, Declude will get a
decimal number between -1 and +1. Their Sample/Default configuration treats
"0" as normal, treats anything negative as "GOOD" (and subtracts 5 points)
and anything positive as "BAD" (and adds 10 points).

So - even though Sniffer returns information on a very graduated scale,
Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10%
of the range - 90% of the range returns either "-5" or "10".

>> I presume that even when SNFIP does return Caution, Black, or Truncate
that SNFIPREP continues to work and in that case will provide some shading
to those values... so, if you will, more or less Black, etc.<<

Based on Dave's explanation, "Caution", "Black" and "Truncate" would
certainly always return a value > 0. Consequently, "10" would ALWAYS be
added to the weight for those 3 reputations.

Their default example basically TRIPLES the "10" weight that is assigned in
many cases (once for SNFIP, once for SNFIPREP, and once for SNF).

Let's see if Dave chips in - but it certainly seems to me that Declude's
Sniffer sample/default config should NOT be used (because it doesn't do what
an "innocent" user might expect). It's not at all clear that after all
their Sniffer rules, 30 would be added to the weight in several cases.



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
> Hi Pete,
>
> I'm looking over Declude's recommended Sniffer configuration and trying to
> understand how much overlap there is between these options:
>
> IPREPUTATION SNFIPREP x 0 10 -5
>
> SNFIPCAUTION SNFIP x 4 5 0
> SNFIPBLACK SNFIP x 5 10 0
> SNFIPTRUNCATE SNFIP x 6 10 0
>
> SNFTRUNCATE SNF x 20 10 0
> SNIFFER-IP-RULES SNF x 63 10 0
>
> Looking at the Sniffer documentation IP test result codes
> http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
> it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION,
> SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
> 

I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (so many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fi

RE: [Declude.JunkMail] Sniffer IP Reputation for "white" listing

2010-04-30 Thread Andy Schmidt
Hi Pete, 

Other question. 

The SNFIP tests return Caution or Black or Caution.
And the SNF client exit codes also have Truncate/Black.

But your documentation of the reputation system has a graph that shows that
there is yet another category: "WHITE".

I don't see this represented as an SNFIP or SNF rule? Any reason why "WHITE"
was left out?

The SNFIPREP test does offer the ability to define at what decimal value
(between -1 and +1, in .1 increments) a weight can be subtracted. But the
question is - is that SENSIBLE use of your reputation database? Per example,
could -0.8 be a sensible threshold to give an email "credit" for coming from
a reputable IP source?

Or is it better to let the "good" reputation be considered AFTER the content
scan and then use the "combined" exit code?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
> Hi Pete,
>
> I'm looking over Declude's recommended Sniffer configuration and trying to
> understand how much overlap there is between these options:
>
> IPREPUTATION  SNFIPREP  x  0   10  -5
>
> SNFIPCAUTION  SNFIP     x  4   5   0
> SNFIPBLACK    SNFIP     x  5   10  0
> SNFIPTRUNCATE SNFIP     x  6   10  0
>
> SNFTRUNCATE   SNF       x  20  10  0
> SNIFFER-IP-RULES  SNF   x  63  10  0
>
> Looking at the Sniffer documentation IP test result codes
> http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
> it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION,
> SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
>

I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (so many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
> However, Declude ALSO tests for your Rule Group Result Codes "20" and "63"
> which are documented here:
> http://www.armresearch.com/support/articles/software/snfServer/core.jsp
>
> 1. It seems to me, as if their SNFTRUNCATE is the same as their
> SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
> effectively artificially inflating (doubling) the weights for these tests?
>

Yes -- if you have them configured that way. Some of the results are 
predictable.

If SNFIP is Black or Caution then you are virtually guaranteed to get a 
Black or Caution result from SNF -- Unless SNF matches a pattern in 
which case you will get a pattern result code from the SNF test.

If SNFIP is Truncate then SNF should also return Truncate.

The weights you assign to these should be set accordingly.

> 2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
> There, any reputation>  0 (up to 1) is given an extra weight of 10. But
> doesn't SNFIPREP report from the same reputation data as the SNFIP (and
> possibly even group result codes 20 and 63)? In other words,

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Thanks Pete - that confirms what I feared.

Declude's own sample should NOT be used "as is" because it duplicates the IP
results (at minimum)

>> The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. <<

Yes - according to Dave's explanation earlier today, Declude will get a
decimal number between -1 and +1. Their Sample/Default configuration treats
"0" as normal, treats anything negative as "GOOD" (and subtracts 5 points)
and anything positive as "BAD" (and adds 10 points).

So - even though Sniffer returns information on a very graduated scale,
Declude then returns 3 discrete numbers. In fact, 0 is only returned for 10%
of the range - 90% of the range returns either "-5" or "10".

>> I presume that even when SNFIP does return Caution, Black, or Truncate
that SNFIPREP continues to work and in that case will provide some shading
to those values... so, if you will, more or less Black, etc.<<

Based on Dave's explanation, "Caution", "Black" and "Truncate" would
certainly always return a value > 0. Consequently, "10" would ALWAYS be
added to the weight for those 3 reputations.

Their default example basically TRIPLES the "10" weight that is assigned in
many cases (once for SNFIP, once for SNFIPREP, and once for SNF).

Let's see if Dave chips in - but it certainly seems to me that Declude's
Sniffer sample/default config should NOT be used (because it doesn't do what
an "innocent" user might expect). It's not at all clear that after all
their Sniffer rules, 30 would be added to the weight in several cases.



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 7:07 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs.
Sniffer Truncate

On 4/30/2010 5:16 PM, Andy Schmidt wrote:
> Hi Pete,
>
> I'm looking over Declude's recommended Sniffer configuration and trying to
> understand how much overlap there is between these options:
>
> IPREPUTATION  SNFIPREP  x  0   10  -5
>
> SNFIPCAUTION  SNFIP     x  4   5   0
> SNFIPBLACK    SNFIP     x  5   10  0
> SNFIPTRUNCATE SNFIP     x  6   10  0
>
> SNFTRUNCATE   SNF       x  20  10  0
> SNIFFER-IP-RULES  SNF   x  63  10  0
>
> Looking at the Sniffer documentation IP test result codes
> http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
> it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION,
> SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
>

I am not intimately familiar with Declude's configuration and SNF 
integration --- not like I used to be anyway (so many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation 
in GBUdb. This allows you to get some weighting positively or negatively 
based on the reputation even when that reputation is not in one of the 
defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP 
reputation when that reputation is within one of the envelopes defined 
for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate 
range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- 
because they can -- I don't know that they do, but I know that IP 
reputations can be queried before and separately from a scan. (Scans 
MUST happen in order for GBUdb to build up reputation data however).

Finally the SNF test responds to the normal blended result codes that 
SNFClient would return.
So result code 20 is Truncate- meaning that the IP reputation was so bad 
that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare 
these days) or that no pattern matched but the IP was in the Black range 
in GBUdb so GBUdb took over and forced the result code from 0 (no 
pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
> However, Declude ALSO tests for your Rule Group Result Codes "20" and "63"
> whi

RE: [Declude.JunkMail] Sniffer Integration -> Multiple Exit Codes

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

>> Also even though there are multiple entries the test only runs once and
the resulting exit code is the one triggered. <<

I know that all 18 "SNF" rule lines only require one invocation of Sniffer -
which are then evaluated 18 different way. Fair enough.

I also know that the 3 "SNFIP" rule lines are only one invocation - which is
evaluated 3 different ways.

And then there is the "SNFIPREP" rule.

 

So I need to clarify this in my head. Will all 22 "SNF." rules (even though
they are using 3 different commands) evaluate ONE invocation of Sniffer
(just different return fields) or is EACH of these 3 command groups (SNF,
SNFIP, SNFIPREP) a separate entity that requires additional overhead?

Since there is some possible overhead between:

SNFIPREP (which evaluates the GBUdb) and SNFIP (which also evaluates the
GBUdb) and SNF-IP-RULES and SNFTRUNCATE (which also evaluate the GBUdb) -
I'm wondering if eliminating the SNFIP and SNFIPREP and just sticking
with the SNF rules (which already have exit codes 20 and 63) will reduce the
Sniffer overhead by 2/3?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See, for external it is the
1st variable whereas for the internal it is the 2nd variable, and NONZERO
does not work for that.

 

SNIFFER external nonzero "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123" 12 0

SNIFFER-TRAVEL SNF x 47 12 0

 

Also even though there are multiple entries the test only runs once and the
resulting exit code is the one triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

SNIFFER external nonzero "D:\IMAIL\Declude\SNF\SNFClient.exe" 10 0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION SNFIP - please update this to IPREPUTATION SNFIPREP
x 0 10 -5; this should be the default.

 

SNFIPREP represents a scale of -1 - 0 - 1; when the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
in the examples below:

 

If final score is 0 no score is added to the email

dec0430.log 1842 04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

If final score is + the 3rd variable score is used in this case 10

dec0430.log 7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

If final score is - the 4th variable score is used in this case -5

dec0430.log 11926 04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then
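A worked model of the two SNFIPREP scoring schemes discussed in these threads (David's BASEPOINT formula above, and Andy's graduated "((Abs(Reputation) * 10) - Base) * factor" proposal from the "white listing" thread), together with the SNFIP/SNFIPREP/SNF overlap arithmetic that Andy raises. This is an added example, not Declude or Message Sniffer code; the floor-to-integer step, the rounding of the graduated result, the sample-config weight tables and the reputation values fed in are assumptions constructed from the config lines quoted on the page.

```python
"""Model of Declude's SNFIPREP weighting as described on the list (added example)."""
import math

# Sample config line quoted on the page: IPREPUTATION SNFIPREP x 0 10 -5
SAMPLE_SNFIPREP = {"basepoint": 0, "pos_weight": 10, "neg_weight": -5}

# SNFIP and SNF result-code weights from the same sample config (assumed tables).
SAMPLE_SNFIP_WEIGHTS = {4: 5, 5: 10, 6: 10}   # Caution, Black, Truncate
SAMPLE_SNF_WEIGHTS = {20: 10, 63: 10}         # SNFTRUNCATE, SNIFFER-IP-RULES


def snfiprep_result(reputation, basepoint):
    """David Barker's formula: (SNIFFER RETURN) x 10 - (BASEPOINT) = Result.
    Assumption: the result is floored to a whole number; floor reproduces the
    positive-reputation examples quoted (0.267262 x 10 - 2 = 0, - 3 = -1)."""
    return math.floor(reputation * 10 - basepoint)


def snfiprep_weight(reputation, basepoint, pos_weight, neg_weight):
    """Weight the current (discrete) SNFIPREP test adds: a positive result
    triggers pos_weight, a negative one neg_weight, zero adds nothing."""
    result = snfiprep_result(reputation, basepoint)
    if result > 0:
        return pos_weight
    if result < 0:
        return neg_weight
    return 0


def graduated_weight(reputation, basepoint, pos_factor, neg_factor):
    """Andy Schmidt's proposed graduated scheme:
    ((Abs(Reputation) * 10) - Base) * [Pos or Neg]WeightFactor = Final Weight.
    Assumption: the product is rounded to a whole Declude weight point."""
    scaled = abs(reputation) * 10 - basepoint
    factor = pos_factor if reputation >= 0 else neg_factor
    return round(scaled * factor)


def sample_config_total(reputation, snfip_code=None, snf_code=None,
                        snfiprep=SAMPLE_SNFIPREP):
    """Total weight the quoted sample config adds for one connecting IP when
    SNFIPREP, SNFIP and SNF all fire on the same GBUdb reputation data.
    Returns (total, breakdown) so each test's contribution is visible."""
    breakdown = {
        "SNFIPREP": snfiprep_weight(reputation, snfiprep["basepoint"],
                                    snfiprep["pos_weight"], snfiprep["neg_weight"]),
        "SNFIP": SAMPLE_SNFIP_WEIGHTS.get(snfip_code, 0),
        "SNF": SAMPLE_SNF_WEIGHTS.get(snf_code, 0),
    }
    return sum(breakdown.values()), breakdown


def compare_schemes(reputations, basepoint=0):
    """Rows of (reputation, discrete weight with 0 10 -5, graduated weight
    with Andy's 0 2 -1 line) for a side-by-side comparison."""
    return [(rep,
             snfiprep_weight(rep, basepoint, 10, -5),
             graduated_weight(rep, basepoint, 2, -1))
            for rep in reputations]


if __name__ == "__main__":
    # Constructed reputation values spanning the -1..+1 scale.
    for rep, discrete, graduated in compare_schemes([-1.0, -0.3, 0.0, 0.05, 0.3, 1.0]):
        print(f"rep {rep:5.2f}: discrete {discrete:4d}  graduated {graduated:4d}")
    total, parts = sample_config_total(0.5, snfip_code=5, snf_code=63)
    print("Black IP under the sample config adds", total, parts)
```

The negative-reputation lines in the quoted examples (for instance "-0.267262 x 10 - 2 = 0") do not follow the formula as written, so these functions apply the formula literally; confirm the sign convention against the "SNFIPRep the Value of Result" lines in the Declude debug log before relying on a BASEPOINT such as -8.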

RE: [Declude.JunkMail] Sniffer IP vs. Sniffer IP Reputation vs. Sniffer Truncate

2010-04-30 Thread Andy Schmidt
Hi Pete,

I'm looking over Declude's recommended Sniffer configuration and trying to
understand how much overlap there is between these options:

IPREPUTATION  SNFIPREP  x  0   10  -5

SNFIPCAUTION  SNFIP     x  4   5   0
SNFIPBLACK    SNFIP     x  5   10  0
SNFIPTRUNCATE SNFIP     x  6   10  0

SNFTRUNCATE   SNF       x  20  10  0
SNIFFER-IP-RULES  SNF   x  63  10  0

Looking at the Sniffer documentation IP test result codes
http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp
it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION,
SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.

However, Declude ALSO tests for your Rule Group Result Codes "20" and "63"
which are documented here:
http://www.armresearch.com/support/articles/software/snfServer/core.jsp

1. It seems to me, as if their SNFTRUNCATE is the same as their
SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
effectively artificially inflating (doubling) the weights for these tests?

2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
There, any reputation > 0 (up to 1) is given an extra weight of 10. But
doesn't SNFIPREP report from the same reputation data as the SNFIP (and
possibly even group result codes 20 and 63)? In other words, are those IP
addresses that generate a reputation factor of > 0 ALSO reported as
Caution/Black or Truncate - if so, we'd now TRIPLE count that score.

Best Regards,
Andy







RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Andy Schmidt
It is - and I agree with you!

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, April 30, 2010 12:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

Is the result code really 127.0.0.1?  That is totally non-standard.  It
should be 127.0.0.2 or higher.

Matt


On 4/30/2010 11:31 AM, Nick Hayer wrote: 

You can test the BL directly with nslookup; to see what Declude is doing,
turn on the debug log level.

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 


From: "Michael Cummins"  

Sent: Friday, April 30, 2010 11:20 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

That's odd.  This is what I already configured it for on my first guess:

 

TRUNCATE-GBUDB  IP4Rtruncate.gbudb.net
127.0.0.120

 

But I haven't gotten any hits yet.

 

Is there any way to test this from a command prompt, like you can with the
invaluement RBLs and nslookup?

 

- Michael Cummins

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

here ya go

IP4R.GBUBD   ip4r   truncate.gbudb.net   127.0.0.1   9   0

Above scores a 9 on a hit.

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm

 


From: "Michael Cummins"  

Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net


I don't think I set it up properly as an ip4r test in Declude.

What would the line look like, if written properly?

Thanks for your time and effort.

-- Michael Cummins



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread Andy Schmidt
Speed (and stability) and additional test options.

 

The external test runs as a command line, each email is a new instance that
needs an environment to be instantiated and later broken down. On top of
that, it burns up some of that not-well documented heap memory for command
line programs - which CAN cause stability problems in some cases if one
runs several command line tools in Declude (although there are some registry
settings in Windows to allocate "some" extra heap).

 

The internal test offers additional tests (such as the reputation test) and
other IP based tests that the external test does not - and it runs as "part"
of Declude (not by starting another  command line session for each email).

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Jim
Comerford
Sent: Friday, April 30, 2010 12:02 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

So what's the difference between the SNIFFER test as Internal vs External?
Is one faster than the other?  Assuming you did not want to check the
individual tests (ie SNIFFER-TRAVEL) is there an advantage to using one over
the other?

 

Internal:

SNIFFER external nonzero "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123" 12 0

SNIFFER-TRAVEL SNF x 47 12 0

 

External 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   12   0

 

-Jim

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also, even though there are multiple entries, the test only runs once and the
resulting exit code is the one triggered.

David

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, April 30, 2010 10:31 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  - please update this to  IPREPUTATION  SNFIPREP  x  0  10  -5
- this should be the default.

 

SNFIPREP represents a scale of -1 - 0 - 1. When the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
in the examples below:

 

If final score is 0 no score is added to the email

dec0430.log 1842 04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log 7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log 11926 04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is

RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread Andy Schmidt
Thanks for clearing up that it doesn't work for the 2nd variable (I'm aware
that it is an internal and not an external test, and that it is the SECOND
variable, and that it only executes once, etc.)

 

As a suggestion, you might consider enabling the "nonzero" option for the
second variable as well. The reasons for preferring one "nonzero" exit code
over (currently 18) individual exit codes are

 

a)  The config file will be more compact,

b)  Fewer lines mean fewer chances of errors/omissions

c)   No need to keep worrying about missing the announcement for a new
"exit code" whenever Peter decides to extend the list 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 11:14 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code
"nonzero"?

 

The test works as an internal test and not as an external test. The main
difference being the location of the exit code. See external is the 1st
variable whereas the internal it is the 2nd variable and the NONZERO does
not work for that.

 

SNIFFER   external   nonzero   "C:\Smartermail\Declude\Sniffer\xxx.exe xxxabc123"   12   0

SNIFFER-TRAVEL   SNF   x   47   12   0

 

Also, even though there are multiple entries, the test only runs once and the
resulting exit code is the one triggered.

David




RE: [Declude.JunkMail] Sniffer Integration -> Global Exit Code "nonzero"?

2010-04-30 Thread Andy Schmidt
Hi Dave,

 

Thanks for taking the time to explain it. I see that the sample on your web
site has already been corrected to read "IPREPUTATION SNFIPREP" and I
was simply working off an earlier copy.

 

For the "SNF" test type, is there a way to have a "global" match (e.g.,
NONZERO), instead of having to specify each of the 18 (current) return codes
one at a time? The external Sniffer simply allows me to code:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, April 30, 2010 10:05 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

SNFIPBLACK  SNFIP   the 2nd variable value is 5 = Block and works as
an exit code.

 

IPREPUTATION works differently.

 

Note: IPREPUTATION  SNFIP  - please update this to  IPREPUTATION  SNFIPREP  x  0  10  -5
- this should be the default.

 

SNFIPREP represents a scale of -1 - 0 - 1. When the 2nd variable
(BASEPOINT) is set to 0 this will convert the IP reputation to this scale as
in the examples below:

 

If final score is 0 no score is added to the email

dec0430.log 1842 04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00

 

If final score is + the 3rd variable score is used in this case 10

dec0430.log 7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262

 

If final score is - the 4th variable score is used in this case -5

dec0430.log 11926 04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262

 

The BASEPOINT is the point value at which an email will be considered "Good"
if the result is to the left or "Bad" if to the right.

 

(SNIFFER RETURN) x 10 - (BASEPOINT) = Result

 

Example:

 

0.267262  x 10 - 0 = 2 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 1 = 1 This is positive then the test is triggered for 10
points.

0.267262  x 10 - 2 = 0 Not Triggered.

0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

-0.267262  x 10 - 0 = -2 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 1 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 2 = 0 Not Triggered.

-0.267262  x 10 - 3 = -1 This is negative then the test is not-triggered for
-5 points.

-0.267262  x 10 - 4 = -2 This is negative then the test is not-triggered for
-5 points.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

, April 30, 2010 1:26 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Sniffer Integration

 

Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATIONSNFIP   x   5   10  -5


It seems to me as if BOTH lines test the SAME Sniffer return code of "5" -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add "20" when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the "SNF" test have some way to configure ONE line for "nonzero" to
create a baseline weight, and then just add "SNF" tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy



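The SNFIPREP scoring David describes above (in the full copy of his message here and in the truncated copy earlier in this listing), as an added Python example that is neither Declude's code nor from the thread: it parses a constructed IPREPUTATION line and constructed SNFIPRep log lines, applies (SNIFFER RETURN) x 10 - (BASEPOINT), and rebuilds the BASEPOINT table. It assumes the scaled value is truncated toward zero before BASEPOINT is subtracted, which reproduces the positive-return rows and the BASEPOINT 0 negative row of the quoted table.

```python
import math
import re

# Constructed sample global.cfg line in the layout quoted in the thread:
# test name, test type, "x", BASEPOINT, weight if the result is positive,
# weight if the result is negative.
CONFIG_LINE = "IPREPUTATION  SNFIPREP  x  0  10  -5"

# Constructed log lines modelled on the SNFIPRep entries quoted in the thread.
LOG_LINES = """\
dec0430.log 1842 04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.00
dec0430.log 7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262
dec0430.log 11926 04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262
"""

RESULT_RE = re.compile(r"SNFIPRep the Value of Result = (-?\d+(?:\.\d+)?)")


def parse_snfiprep_line(line):
    """Parse one SNFIPREP test line into its named fields."""
    fields = line.split()
    if len(fields) != 6 or fields[1].upper() != "SNFIPREP":
        raise ValueError("not an SNFIPREP test line: %r" % line)
    name, _test_type, _x, basepoint, pos_weight, neg_weight = fields
    return {
        "name": name,
        "basepoint": int(basepoint),
        "positive_weight": int(pos_weight),
        "negative_weight": int(neg_weight),
    }


def scaled_result(sniffer_return, basepoint):
    """(SNIFFER RETURN) x 10 - (BASEPOINT), as stated in the thread.

    The scaled value is truncated toward zero before BASEPOINT is subtracted
    (an assumption: it is what makes 0.267262 x 10 - 2 come out as 0).
    """
    return math.trunc(sniffer_return * 10) - basepoint


def snfiprep_weight(sniffer_return, cfg):
    """Weight the test adds: 3rd variable if positive, 4th if negative, else 0."""
    result = scaled_result(sniffer_return, cfg["basepoint"])
    if result > 0:
        return cfg["positive_weight"]
    if result < 0:
        return cfg["negative_weight"]
    return 0


def weights_from_log(log_text, cfg):
    """Pull each SNFIPRep result out of the log and score it with cfg."""
    scored = []
    for line in log_text.splitlines():
        match = RESULT_RE.search(line)
        if match:
            value = float(match.group(1))
            scored.append((value, snfiprep_weight(value, cfg)))
    return scored


def basepoint_table(sniffer_return, cfg, basepoints=range(0, 5)):
    """Rows of (BASEPOINT, scaled result, weight), like the table in the thread.

    Raising BASEPOINT moves the "Good"/"Bad" boundary: the same Sniffer
    return goes from the positive weight, to no weight, to the negative weight.
    """
    rows = []
    for bp in basepoints:
        trial = dict(cfg, basepoint=bp)
        rows.append((bp, scaled_result(sniffer_return, bp),
                     snfiprep_weight(sniffer_return, trial)))
    return rows


if __name__ == "__main__":
    cfg = parse_snfiprep_line(CONFIG_LINE)
    for value, weight in weights_from_log(LOG_LINES, cfg):
        print("result %+.6f -> weight %d" % (value, weight))
    for bp, result, weight in basepoint_table(0.267262, cfg):
        print("BASEPOINT %d: 0.267262 x 10 - %d = %d -> weight %d"
              % (bp, bp, result, weight))
```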

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-30 Thread Andy Schmidt
It's looking very promising!

 

1.   So far, it detects about 10% as SPAM in emails that SORBS, SPAMCOP,
SpamHaus Zen and BRBL have let through.

 

2.   In that, it does 20 times better than the total of these AHBL
tests:

 

DNS A RR 127.0.0.2: Open Relay

DNS A RR 127.0.0.3: Open Proxy

DNS A RR 127.0.0.4: Spam Source

DNS A RR 127.0.0.5: Provisional Spam Source Listing block (will be removed
if spam stops)

DNS A RR 127.0.0.6: Formmail Spam

DNS A RR 127.0.0.9: End User (non mail system)

DNS A RR 127.0.0.14: Compromised System: DDoS

DNS A RR 127.0.0.15: Compromised System: Relay

DNS A RR 127.0.0.16: Compromised System: Autorooter/Scanner

DNS A RR 127.0.0.17: Compromised System: Worm or mass mailing virus

DNS A RR 127.0.0.18: Compromised System: Other virus

DNS A RR 127.0.0.127: Other

 

and 12 times better than the total of these NJABL tests:

 

NJABL: DNS A RR 127.0.0.2. Open relays and known spam sources.

NJABLDUL: DNS A RR 127.0.0.3. Dial-up/dynamic IP ranges.

NJABLSOURCES: DNS A RR 127.0.0.4. Lists spam sources. Will include
commercial spammers, direct-to-MX, and proxies. IP ranges will be added only
if they can be identified with the spammer. 

NJABLMULTI: DNS A RR 127.0.0.5. Lists multi-stage open relays. Will notify
the appropriate NIC one week in advance of listing, to allow them to correct
the problem.

NJABLFORMMAIL: DNS A RR 127.0.0.8. Lists servers with insecure formmail
scripts.

NJABLPROXIES: DNS A RR 127.0.0.9. Lists open proxy servers.

 

3.   I don't have a big enough sample, but an EARLY trend is indicating
that it possibly significantly cuts the amount of email that Sniffer still
has to scan.

 

4.   >> all of the TXT records say "GBUdb Cloud Truncate c > 0.2, p >
0.9" <<

 

Thanks - so there ARE TXT records. This way I can configure to pick those up
(even if they are generic right now)

 

5.   >> When we bring the gbudb.com site online we will explain how the
IPs are listed. We may develop a link mechanism to look up specific data on
each IP after a time.<<

 

Thanks, especially the first part (a static page explaining the listing
method/policy - and that de-listing is automatic once spam stops) will be
important so that we can include that link in the 5.7.1 rejection string. I don't
want to have to start answering individual inquiries.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Friday, April 30, 2010 4:49 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] We have opened up truncate.gbudb.net

 

On 4/29/2010 10:06 PM, Andy Schmidt wrote: 

Thanks - I activated it in my gateway and will report back after a day or
so.

Question:

Does it have TXT records that hold additional info that can be returned in
the 5.7.1 message to the sender?


Right now all of the TXT records say "GBUdb Cloud Truncate c > 0.2, p > 0.9"
As we continue to develop this that may change to provide other (better?)
information.




Is there a lookup URL that can be included in the 5.7.1 message that people
can use to learn about your service, learn about the listing/de-listing
policy (and determine the status of their IP address in case of a false
positive)?


When we bring the gbudb.com site online we will explain how the IPs are
listed. We may develop a link mechanism to look up specific data on each IP
after a time.

As for listing and de-listing -- that is automatic and is generally
described in the Message Sniffer documentation about GBUdb. If the general
population of Message Sniffer nodes are reporting that a message source
produces virtually nothing but spam then it will be listed. If those reports
go away or their character changes then the listing will change also - and
fairly quickly: days if traffic for the IP disappears; hours or perhaps
minutes if the character of the traffic from the source changes.

Best,

_M



RE: [Declude.JunkMail] Sniffer Integration

2010-04-29 Thread Andy Schmidt
Hi,

 

1.   I'm confused about the Sniffer integration sample:

 

SNFIPBLACK  SNFIP   x   5   10  0

IPREPUTATIONSNFIP   x   5   10  -5




It seems to me as if BOTH lines test the SAME Sniffer return code of "5" -
but one line adds a weight of 10 when found, the other also adds a
weight of 10, but subtracts 5 when NOT found?

 

So will this add "20" when found? Why use TWO lines to accomplish that?

 

2.   In the past I could simply configure:

 

SNIFFER   external   nonzero   "D:\IMAIL\Declude\SNF\SNFClient.exe"   10   0

 

if I didn't want to duplicate 18 lines - and risk that at some point a
return code will be added that I will miss unless I add another line to the
config file.

 

So, does the "SNF" test have some way to configure ONE line for "nonzero" to
create a baseline weight, and then just add "SNF" tests for specific return
code if I want those specific ones treated with a higher weight?

 

Best Regards,

Andy

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD IPNOSCAN for IMail

JM  ADD Add a new directive POSTINIFIX uses either ON or OFF in the
declude.cfg file. Postini is a large managed email service which amends the
header structure. The Postini fix helps Declude correctly identify
Postini headers. To configure use POSTINIFIX  ON

JM  ADD Add the Recipient, mailfrom and subject information to the
blklst.txt file. The format of the blklst.txt file is

Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM  ADD IPBYPASS can be configured with CIDR

JM  ADD New Header directive XWHITELIST ON in the global.cfg
will give the reason for why the email was WHITELISTED in the header of the
email.

JM  ADD Integrated Message Sniffer with Declude. Will use Declude
rulebase. (If you are a current Message Sniffer user this does not apply to
you unless you want to switch and use the Declude rulebase) To
configure, the SNF files need to be edited by the user, where the [PATH] needs
to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file









Global.cfg

SNFIPCAUTION        SNFIP   x   4   5   0
SNFIPBLACK          SNFIP   x   5   10  0
SNFIPTRUNCATE       SNFIP   x   6   10  0

IPREPUTATION        SNFIP   x   5   10  -5

SNIFFER-TRAVEL      SNF     x   47  10  0
SNIFFER-INSURANCE   SNF     x   48  10  0
SNIFFER-AV-PUSH     SNF     x   49  10  0
SNIFFER-WAREZ       SNF     x   50  10  0
SNIFFER-SPAMWARE    SNF     x   51  10  0
SNIFFER-SNAKEOIL    SNF     x   52  12  0
SNIFFER-SCAMS       SNF     x   53  10  0
SNIFFER-PORN        SNF     x   54  10  0
SNIFFER-MALWARE     SNF     x   55  10  0
SNIFFER-ADVERTISING SNF     x   56  10  0
SNIFFER-SCHEME      SNF     x   57  10  0
SNIFFER-CREDIT      SNF     x   58  10  0
SNIFFER-GAMBLING    SNF     x   59  10  0
SNIFFER-GENERAL     SNF     x   60  10  0
SNIFFER-SPAM        SNF     x   61  10  0
SNIFFER-OBFUSCATION SNF     x   62  10  0
SNIFFER-IP-RULES    SNF     x   63  10  0

SNFTRUNCATE         SNF     x   20  10  0


EVA FIX Fix for Virus test not catching the eicar test due to e-mail
formatting

HJ  ADD Added a function to send a notify e-mail when hijack is
triggered and e-mails are being held in the Hold2 folder. To turn the Hijack
e-mail notify on, add the following directive to the hijack.cfg.

  

RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

2010-04-29 Thread Andy Schmidt
Thanks - I activated it in my gateway and will report back after a day or
so.

Question:

a)  Does it have TXT records that hold additional info that can be
returned in the 5.7.1 message to the sender?

b)  Is there a lookup URL that can be included in the 5.7.1 message that
people can use to learn about your service, learn about the
listing/de-listing policy (and determine the status of their IP address in
case of a false positive)?

Best Regards,

Andy

 


From: "Pete McNeil" 
Sent: Thursday, April 29, 2010 5:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net


Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate 
range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based 
on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have 
been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




RE: [Declude.JunkMail] AllLists.DAT in RAR Format?

2010-02-19 Thread Andy Schmidt
Thanks Dave, I appreciate that. I’ve zipped hundreds of megabytes – so I don’t 
think this is going to be an issue.

 

Generally, life is hard enough – it’s nice if I don’t have to worry about 
monitoring even more vendors/authors about vulnerabilities, security fixes, 
version updates etc. to various freeware products.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, February 19, 2010 12:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] AllLists.DAT in RAR Format?

 

No justification other than I was working with RAR because it does not have the 
size limitations of ZIP.  Anyways it is now a .zip 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, February 19, 2010 11:22 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] AllLists.DAT in RAR Format?
Importance: High

 

Hi,

 

Obviously, I know that I can download third party tools to “unrar” the file – 
but I REALLY hate nothing more than cluttering up production systems with 
unnecessary shareware/freeware.

 

Windows has built-in ZIP support (“compressed folders”).  Is there any 
justification to pick a NON-compatible format for compressing the all-lists.dat 
file?

 

If it was compressed using the native Windows format (considering that Declude 
is a Windows application), the file could be used instantly!

 

Best Regards,

Andy




RE: [Declude.JunkMail] CommTouch False Positive

2010-02-19 Thread Andy Schmidt
Thanks – done.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker
Sent: Friday, February 19, 2010 11:35 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch False Positive

 

You can send us at supp...@declude.com the X-Declude-RefID: and we can report 
it to Commtouch. 

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt
Sent: Friday, February 19, 2010 11:19 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] CommTouch False Positive

 

Hi,

 

How do I go about reporting ZeroHour false positives?

 

For the past few days, one of my clients has been trying to email a (legitimate) 
ZIP file with a DLL that keeps getting blocked by CommTouch.

 

How do I submit these D/Q files to get this problem fixed?

 

Best Regards,

Andy




[Declude.JunkMail] AllLists.DAT in RAR Format?

2010-02-19 Thread Andy Schmidt
Hi,

 

Obviously, I know that I can download third party tools to “unrar” the file – 
but I REALLY hate nothing more than cluttering up production systems with 
unnecessary shareware/freeware.

 

Windows has built-in ZIP support (“compressed folders”).  Is there any 
justification to pick a NON-compatible format for compressing the all-lists.dat 
file?

 

If it was compressed using the native Windows format (considering that Declude 
is a Windows application), the file could be used instantly!

 

Best Regards,

Andy





[Declude.JunkMail] CommTouch False Positive

2010-02-19 Thread Andy Schmidt
Hi,

 

How do I go about reporting ZeroHour false positives?

 

For the past few days, one of my clients has been trying to email a (legitimate) 
ZIP file with a DLL that keeps getting blocked by CommTouch.

 

How do I submit these D/Q files to get this problem fixed?

 

Best Regards,

Andy





RE: [Declude.JunkMail] Conditional Whitelist - Good Use of SPF!

2010-01-20 Thread Andy Schmidt
A true WHITELIST would mean that:

a) it could skip over all the other tests right from the start
b) it would work even if you have some tests that "DELETE" emails!

Your scheme would not prevent emails from being killed outright by Sniffer
or similar content tests.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dean
Lawrence
Sent: Wednesday, January 20, 2010 9:24 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Conditional Whitelist - Good Use of SPF!

Andy,

Since there is already an SPF Pass, Fail, and Neutral result, couldn't
you just create a rule that if the sender passes SPF that you apply a
large negative point value? Then you could apply that rule to only the
domains that you want to whitelist.

Dean

On Wed, Jan 20, 2010 at 8:47 AM, Andy Schmidt
 wrote:
> Hi,
>
>
>
> Despite all the shortcomings of SPF, there may be one GOOD use:
>
>
>
> Every once in a while I receive requests to whitelist certain sender email
> addresses or domains - then I explain that we don't like to do that
because
> it would allow any spam that PRETENDS to come from that domain to pass.
>
>
>
> What WOULD be a good feature, would be an SPF based domain whitelist!
>
>
>
> It would be a conditional whitelist of senders that will ONLY be applied,
if
> SPF for that domain PASSES.
>
>
>
> Best Regards,
>
> Andy
>
>
>
>
>



-- 
__
Dean Lawrence, CIO/Partner
Internet Data Technology
888.GET.IDT1 ext. 701 * fax: 888.438.4381
http://www.idatatech.com/
Corporate Internet Development and Marketing Specialists





[Declude.JunkMail] Conditional Whitelist - Good Use of SPF!

2010-01-20 Thread Andy Schmidt
Hi,

 

Despite all the shortcomings of SPF, there may be one GOOD use:

 

Every once in a while I receive requests to whitelist certain sender email
addresses or domains - then I explain that we don't like to do that because
it would allow any spam that PRETENDS to come from that domain to pass.

 

What WOULD be a good feature, would be an SPF based domain whitelist!

 

It would be a conditional whitelist of senders that will ONLY be applied, if
SPF for that domain PASSES. 

 

Best Regards,

Andy

 

 




RE: [Declude.JunkMail] Release 4.10.42

2010-01-04 Thread Andy Schmidt
Thanks. I'm very happy to see that you took the time to implement the
Sniffer API directly. That's great!

 

As far as the usage - I'm a little confused. It's using your rule page - but
cost is not included. So where do I specify my Sniffer license information
so that Declude can make sure I'm a licensed Sniffer user? I would have
expected some sort of Global.cfg option where I have to provide my license
ID that the API is then using?

 

Also:

Can you elaborate on IPNOSCAN please?

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 11:38 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

 

Hi Andy,

 

Happy New Year.

 

>>Is the annual cost of Sniffer now included with Declude? 

 

The cost of Message Sniffer is not included in Declude Service Agreements.

 

>>If we have no "custom" rule-base, there would be no reason not to use the
Declude rule-base?

 

Correct, if you have no custom rules you could certainly use the integrated
Message Sniffer which should have better performance as it is integrated.

 

>>What's the technical implementation of the SNF and SNFIP directives? In
the past, this was a "command line" launch of the Sniffer.exe from Declude.
Have you implemented this as a call to their API DLL directly from within
Declude? If so, one would >>expect better performance and reliability -
making it another reason to switch?

 

Yes, we use an API call to the Message Sniffer DLL directly from Declude,
which means better performance and reliability as this is no longer an
external call.

 

>>Can we use the new SNF and SNFIP directives - but still use our own
rulebase, if we chose to?

 

Currently you cannot use your own rulebase with the integrated Declude, if
it is possible to do so in a future release we will work towards this, I
will have to check with Message Sniffer to verify.

 

>>Finally, POSTINIFIX is a poor name for that directive, since it has
absolutely nothing to do with Postini - the problem has existed for a long
time. I think in November we had all determined that the problem was an
age-old problem with Declude >>correctly parsing valid (standards compliant)
Received headers that contain more than one IP address. 

 

I agree with you that this is a Declude parsing issue and that POSTINIFIX
was not the best name; however, I did not want to delay this release because
of this. This was a resource/time issue rather than a disagreement with the
list. The discussion from the list last November was very helpful and
we plan to make the change as suggested.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Monday, January 04, 2010 11:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Release 4.10.42

 

Happy New Year:

 

Can you elaborate on the Sniffer implementation please?

 

a)   Is the annual cost of Sniffer now included with Declude? 

b)   If we have no "custom" rule-base, there would be no reason not to
use the Declude rule-base?

c)   What's the technical implementation of the SNF and SNFIP
directives? In the past, this was a "command line" launch of the Sniffer.exe
from Declude. Have you implemented this as a call to their API DLL directly
from within Declude? If so, one would expect better performance and
reliability - making it another reason to switch?

d)   Can we use the new SNF and SNFIP directives - but still use our own
rulebase, if we chose to?

 

Can you elaborate on IPNOSCAN please?

 

Finally, POSTINIFIX is a poor name for that directive, since it has
absolutely nothing to do with Postini - the problem has existed for a long
time. I think in November we had all determined that the problem was an
age-old problem with Declude correctly parsing valid (standards compliant)
Received headers that contain more than one IP address. 

 

According to the standard it seems perfectly VALID for a single RECEIVED
header to contain TWO IP addresses, one in the FROM clause and one in the BY
clause? Obviously, Declude would need to inspect the IP address in the
"FROM" clause and ignore any IP addresses that it encounters in/after the
"BY" clause?

 

I think retiring the "postinifix" name and picking a more general directive
name 'RcvHdrFix' would avoid that people leave this turned off just because
they are not using Postini.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea..

RE: [Declude.JunkMail] Release 4.10.42

2010-01-04 Thread Andy Schmidt
Happy New Year:

 

Can you elaborate on the Sniffer implementation please?

 

a)   Is the annual cost of Sniffer now included with Declude? 

b)   If we have no "custom" rule-base, there would be no reason not to
use the Declude rule-base?

c)   What's the technical implementation of the SNF and SNFIP
directives? In the past, this was a "command line" launch of the Sniffer.exe
from Declude. Have you implemented this as a call to their API DLL directly
from within Declude? If so, one would expect better performance and
reliability - making it another reason to switch?

d)   Can we use the new SNF and SNFIP directives - but still use our own
rulebase, if we chose to?

 

Can you elaborate on IPNOSCAN please?

 

Finally, POSTINIFIX is a poor name for that directive, since it has
absolutely nothing to do with Postini - the problem has existed for a long
time. I think in November we had all determined that the problem was an
age-old problem with Declude correctly parsing valid (standards compliant)
Received headers that contain more than one IP address. 

 

According to the standard it seems perfectly VALID for a single RECEIVED
header to contain TWO IP addresses, one in the FROM clause and one in the BY
clause? Obviously, Declude would need to inspect the IP address in the
"FROM" clause and ignore any IP addresses that it encounters in/after the
"BY" clause?

 

I think retiring the "postinifix" name and picking a more general directive
name 'RcvHdrFix' would avoid that people leave this turned off just because
they are not using Postini.

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, January 04, 2010 9:54 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com;
declude.relea...@declude.com
Subject: [Declude.JunkMail] Release 4.10.42

 

Declude 4.10.42

JM  ADD Add IMail support for SQL Database. Declude can check the
SQL DB for Autowhitelist

JM  ADD IPNOSCAN for IMail

JM  ADD Add a new directive POSTINIFIX which uses either ON or OFF in the
declude.cfg file. Postini is a large managed email service which amends the
header structure. The Postini fix helps Declude correctly identify
Postini headers. To configure use POSTINIFIX ON

JM  ADD Add the Recipient, mailfrom and subject information to the
blklst.txt file. The format blklst.txt file is

 
Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed

JM  ADD IPBYPASS can be configured with CIDR

JM  ADD New Header directive XWHITELIST ON in the global.cfg
will give the reason for why the email was WHITELISTED in the header of the
email.

JM  ADD Integrated Message Sniffer with Declude. Will use Declude
rulebase. (If you are a current Message Sniffer user this does not apply to
you unless you want to switch and use the Declude rulebase.) To
configure, the SNF files need to be edited by the user, where the [PATH] needs
to be the actual path on your server.

getRulebase.cmd

SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\

Snf_engine.xml file









Global.cfg

SNFIPCAUTION        SNFIP   x   4   5   0
SNFIPBLACK          SNFIP   x   5   10  0
SNFIPTRUNCATE       SNFIP   x   6   10  0

IPREPUTATION        SNFIP   x   5   10  -5

SNIFFER-TRAVEL      SNF     x   47  10  0
SNIFFER-INSURANCE   SNF     x   48  10  0
SNIFFER-AV-PUSH     SNF     x   49  10  0
SNIFFER-WAREZ       SNF     x   50  10  0
SNIFFER-SPAMWARE    SNF     x   51  10  0
SNIFFER-SNAKEOIL    SNF     x   52  12  0
SNIFFER-SCAMS       SNF     x   53  10  0
SNIFFER-PORN        SNF     x   54  10  0
SNIFFER-MALWARE     SNF     x   55  10  0
SNIFFER-ADVERTISING SNF     x   56  10  0
SNIFFER-SCHEME      SNF     x   57  10  0
SNIFFER-CREDIT      SNF     x   58  10  0
SNIFFER-GAMBLING    SNF     x   59  10  0
SNIFFER-GENERAL     SNF     x   60  10  0
SNIFFER-SPAM        SNF     x   61  10  0
SNIFFER-OBFUSCATION SNF     x   62  10  0
SNIFFER-IP-RULES    SNF

RE: [Declude.JunkMail] How to Correctly Parse RECEIVED Headers for IP Address

2009-11-05 Thread Andy Schmidt
Hi,

 

Yes, Matt. I concur with your parsing algorithm!

 

Dave - please take notice:

 

"So you first throw out all data before the FROM up till the next descriptor
BY/WITH/FOR or end of the header, then you search for square brackets with
an IP inside and nothing else, and take the last value that appears in that
format in the trimmed piece of the Received header.  If you don't get any
result from that, you search for all IP's that are either surrounded by
spaces or parenthesis, and you take the last such value found.  

Note that the delimiters are very important in getting the correct IP. "

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, November 05, 2009 5:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

You are right that I messed up on three of these.  The following ones were
definitely entirely forged:

Received: from admd.net ([:::187.3.43.120])
  (AUTH: LOGIN audito...@vazemaia.com.br)
  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200
  id 006788A4.4AF0FAA3.242C

Received: from  (])
  by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8)
STMP id mzqbrzhqqbq;
  for <jul...@websterwatch.com>;
Wed, 04 Nov 2009 14:40:40 -0500


All but one of the connecting servers in the other 5 examples forged the
HELO value (which is where my brain farted), which some servers don't
properly bracket.

Regardless, my recommendation on how to parse the proper IP would work in
every example except for the forged Received headers above (which is fake
data anyway and should be ignored if at all possible, so that is better).
The problem is that not all servers properly bracket and order the actual
IP, which means that HELO's that come as IP's can be misleading.  This is
why you have to start off with the best method, and if that doesn't produce
results, fall back to another method that is just simply guessing (which is
what Declude actually does now).

So you first throw out all data before the FROM up till the next descriptor
BY/WITH/FOR or end of the header, then you search for square brackets with
an IP inside and nothing else, and take the last value that appears in that
format in the trimmed piece of the Received header.  If you don't get any
result from that, you search for all IP's that are either surrounded by
spaces or parenthesis, and you take the last such value found.  Note that
the delimiters are very important in getting the correct IP.  Also note that
legitimate headers are rare where the IP is neither bracketed or enclosed at
the boundary with parenthesis, but it does happen.

Matt




RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Andy Schmidt
Hi Matt,

 

Sorry - but some of these are actually headers inserted by my OWN server. So
they are NOT forged.

 

Most of them are "spam", but some of them were even false positives.

 

Best Regards,

Andy

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Thursday, November 05, 2009 4:14 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Andy,

One important thing of note here is that the first 5 examples you gave are
in fact forged headers, and the information contained within them is fake
and not at all useful.  While I don't expect Declude to figure out that
these are forged Received headers, one shouldn't worry about how they are
parsed as they can be malformed anyway (as was the case in several examples
shown).

As a good rule of thumb, you de-fold the entire Received header and then
take the data in between the FROM and the BY/WITH/FOR or the end of the
header, whichever appears first, and then take the last bracketed IP value.
If you can't find a bracketed IP value, you should take the last IP shown
(which won't be perfect, but this would not be RFC compliant anyway).

I would guess that this would take a programmer maybe an hour to code up and
test.

Matt





RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-05 Thread Andy Schmidt
Hi Dave, just sent you a zip file - hope it made it past your virus check.

 

It has a few "interesting" cases to see if your new code picks up the
CORRECT IP address. Always picking the "first" or the "last" IP address is
not at all necessarily reliable.

 

Received: from unknown (HELO 192.168.10.1) (72.167.113.99)

  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP;
04 Nov 2009 08:29:08 -

 

Received: from 58.92.178.208 ([208.178.92.58]) by
smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713);

 Mon, 2 Nov 2009 10:43:37 -0500

 

Received: from admd.net ([:::187.3.43.120])

  (AUTH: LOGIN audito...@vazemaia.com.br)

  by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200

  id 006788A4.4AF0FAA3.242C

 

Received: from  (])

  by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8)
STMP id mzqbrzhqqbq;

  for ; Wed, 04 Nov 2009 14:40:40 -0500

 

Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by
Mail.Webhost.HM-Software.com with ESMTP

  (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500

 

Received: from mail.headquarters.qts.local ([192.168.0.103]) by

 mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009

 09:40:05 -0600

 

Received: from [195.248.173.117] (HELO 192.168.1.75)

  by mail.alkar.net (CommuniGate Pro SMTP 5.2.16)

  with SMTP id 2124311918 for abus...@ultirisk.com; Tue, 03 Nov 2009
14:58:19 +0200

 

Best Regards,

Andy

 

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Thursday, November 05, 2009 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi Andy,

Great suggestion. Can you send some full header examples to me directly so
we can review this, if you have the matching pair files even better as we
can use them to test specifically.

Thanks

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, November 05, 2009 10:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

Hi Dave,

You might want to test this new option very carefully!

>> You could be right, the original Declude code may have had an issue
parsing the second IP. I do not know if this was by design or just bad code.
<<

I think the explanation/reason was, that Scott was having issues with
RECEIVED Headers where the sender's reverse DNS was set up to point to an
apparent IP address or where the HELO/EHLO string was using an IP address.
He might have encountered RECEIVED headers like this:

Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1)
   by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63)
   (envelope-from )
   id 1N5zih-0005FR-15
   for andy_schm...@hm-software.com; Thu, 05 Nov 2009 10:37:35 +

And eventually decided to ignore the "first" IP address and go for the last
IP address in the first line - or something like that.

This parsing problem is rather old and reported occasionally. I even recall
this being an issue with "spamrouting" causing false positives if the header
had more than one IP address - because it would pick up wrong IP addresses
and think the routing was suspicious.

If I can make a (VERY important) suggestion. Since this clearly is NOT at
all a "Postini" issue and certainly NOT LIMITED to Postini - how about NOT
giving that feature/directive a totally misleading/inappropriate name:

   POSTINIFIX ON

Example - out of 10 emails in my current inbox, I instantly found THIS
(non-Postini) sample:

   Received: from sha-exch9.shared.ifeltd.com ([10.1.20.9]) by
  sha-exch9.shared.ifeltd.com ([10.1.20.9]) with mapi; Thu, 5
Nov 2009 10:36:21 +

Calling it "PostiniFix" implies to people who don't use a Postini gateway,
that they don't need that option. In reality this is an attempt at (finally)
making Declude's Received header parsing RFC-compliant and should be the
default way that Declude works all the time so that spamrouting and other
features pick up the CORRECT ( "from" clause IP address ) and not get
confused by any optional "by" clause IP address.

If you want to make it an "option" (that probably should default to "ON" if
omitted), I would suggest naming it something like:

   USEFROMCLAUSEIP  ON

or

   IGNOREBYCLAUSEIP ON

depending on how your new parsing logic is set up (I would look for the 'BY'

RE: [Declude.JunkMail] Declude 4.9.39 "Postini Received Header Fix"

2009-11-04 Thread Andy Schmidt
Thanks David for taking the time and helping us gain a better understanding.
Always looking to learn. Although, in this case, I still must be missing
something.

 

To me, the chain of Received Headers looks intact:

 

1.  Mail received from dnsstuff by declude, apparently forwarded to be
relayed to final recipient

 

Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
with SMTP;

   Wed, 30 Sep 2009 11:16:11 -0500

 

2.  Mail handed off to Postini, received by their incoming server:

 

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;

   Wed, 30 Sep 2009 11:16:38 CDT

 

3.  Mail sent from Postini to recipient's mail server (with the clock off by
a few minutes):

 

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net
with SMTP;

   Wed, 30 Sep 2009 12:12:56 -0400

 

Header #1 is created by Declude's server - and appears to be intact?

Header #3 is created by recipient's mail server after Postini was done?

 

Header #2 is created by Postini's mail server - as it should?

 

So I really don't understand where supposedly Postini "changed or deleted a
Received header that had been added previously" by the Declude server?
Header #2 seems to be a header that was prepended by Postini when it
received the email - just as it should?

 

I then looked up the reference you cited to see if there was anything wrong
with the FORMATTING of Header #2:
http://tools.ietf.org/html/rfc5321#section-4.4

 

Can you tell me where the formatting of header #2 violates which specific
aspect of the RFC?

 

-According to the standard it seems perfectly VALID for a single
RECEIVED header to contain TWO IP addresses, one in the FROM clause and one
in the BY clause? Obviously, Declude would need to inspect the IP address in
the "FROM" clause and ignore any IP addresses that it encounters in/after
the "BY" clause?

 

-It sounds like you're saying that Declude has a general problem with
correctly interpreting Received Headers that happen to have two IP
addresses? As I'm typing this, I do recall having run into this problem in
the past.  But, if my understanding is correct, then this would be a problem
in the Declude parser, if indeed the headers is formatted in accordance with
the RFCs? 

 

Best Regards,

Andy

 

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 3:57 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Here is a message going through a Postini server.

 

---EXAMPLE 1---
--
Received: from .x.local ([127.0.0.1]) by xx.xom with Microsoft
SMTPSVC(6.0.3790.1830);
 Wed, 30 Sep 2009 12:18:03 -0400
Return-Path: 
Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net
with SMTP;
   Wed, 30 Sep 2009 12:12:56 -0400
Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;
Wed, 30 Sep 2009 11:16:38 CDT
Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com
with SMTP;
   Wed, 30 Sep 2009 11:16:11 -0500
Reply-To: 
From: "David Barker" 
To: "xxx '" 
---

This line is good.

Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net
with SMTP;

However this line is a problem.

Received: from source ([216.144.195.81]) by exprod5mx277.postini.com
([64.18.4.10]) with SMTP;

This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line.
The problem occurs when there are two IP addresses on the same line. The
first IP is considered as BOGUS and Declude picks up the second IP address
on this line.

For more information please review RFC 5321: [4.4]

 

 

David Barker

VP Operations Declude

Your Email security is our business

978.499.2933 office

978.988.1311 fax

dbar...@declude.com

 

 

 

 


RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

2009-11-04 Thread Andy Schmidt
Hi David:

 

I'm interested to better understand this feature. The line you posted looks
like a legit received header that Postini indeed should add to the top of
the headers when it receives the message from the source?

 

Received: from source ([209.85.221.110]) by
 exprod5mx260.postini.com ([64.18.4.10])
with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT



Isn't the MX of the recipient domain pointed to Postini's server? So Postini
would be the first "received" header to be inserted before relaying the
message to the client's internal mail server?

 

It might help if you actually posted what a header looked like before
Postini mangled it and what it looked like after Postini mangled it? I
guess, what I'm not grasping is, who inserted the "original" header that
Postini has tampered with - if Postini is the domain's MX?

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 2:54 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes

 

Hi Scott,

 

Postini is violating RFC 5321: [4.4]

" An Internet mail program MUST NOT change or delete a Received: line that
was previously added to the message header section. SMTP servers MUST
prepend Received lines to messages; they MUST NOT change the order of
existing lines or insert Received lines in any other location. "

Postini is changing the headers received line by adding the additional IP as
the example below.

Received: from source ([209.85.221.110]) by exprod5mx260.postini.com
 ([64.18.4.10]) with SMTP;
Wed, 25 Mar 2009 14:45:20 CDT

The problem is that a changed received line is an indication of a forged
header and is a flag for a bogus received line (a technique often used by
spammers).  Because of this, the actual IP of the sender is not where it
should be, so we are giving our customers the option:

 

POSTINIFIX ON

 

Will identify the sending IP as 209.85.221.110

 

By Default if not present POSTINIFIX OFF

 

Will identify the sending IP as 64.18.4.10

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
  dbar...@declude.com

 

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
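
The parsing order Matt laid out in the "How to Correctly Parse RECEIVED Headers" thread above (FROM clause only, last bracketed literal, then fall back to a space- or parenthesis-delimited IP) and the POSTINIFIX ON/OFF outcome David describes in this thread, worked through as an added example. This is Python written for this page, not Declude's code: `connecting_ip` implements Matt's rule, and `naive_last_ip` is an approximation of the legacy behaviour David describes (the last IP on the line wins), included only for contrast because Declude's actual parser is not on the page. The sample headers are the ones quoted in these threads with the trailing timestamps trimmed.

```python
"""Pick the connecting client's IP out of an RFC 5321 Received header.

Added example, not Declude's code.  It implements the order Matt proposed:
look only at the text between FROM and the next BY/WITH/FOR clause (or the
end of the header), take the last IPv4 address literal in square brackets,
and only if there is none fall back to the last IPv4 bounded by spaces or
parentheses.  The sample headers below are the ones quoted in the thread,
with the trailing timestamps trimmed.
"""
import re
from typing import Dict, Optional, Tuple

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# RFC 5321 address literal: "[" IPv4 "]" with nothing else inside the brackets.
BRACKETED = re.compile(r"\[(" + IPV4 + r")\]")
# Fallback form: an IPv4 bounded on both sides by a space or a parenthesis.
DELIMITED = re.compile(r"(?<=[ (])(" + IPV4 + r")(?=[ )])")
ANY_IPV4 = re.compile(IPV4)
# The FROM clause: text after "from" up to the next clause keyword or the end.
FROM_CLAUSE = re.compile(r"\bfrom\b(.*?)(?=\b(?:by|with|for)\b|$)",
                         re.IGNORECASE | re.DOTALL)


def unfold(header: str) -> str:
    """Join folded continuation lines (RFC 5322 section 2.2.3) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def from_clause(header: str) -> str:
    """Return only the FROM clause; anything from BY onwards describes the
    receiving side and must not be mistaken for the sender."""
    match = FROM_CLAUSE.search(unfold(header))
    return match.group(1) if match else ""


def connecting_ip(header: str) -> Optional[str]:
    """Last bracketed literal in the FROM clause, else the last delimited IPv4
    there, else None: a header with no usable FROM literal should not be
    scored at all rather than scored against the wrong address."""
    clause = from_clause(header)
    hits = BRACKETED.findall(clause) or DELIMITED.findall(clause)
    return hits[-1] if hits else None


def naive_last_ip(header: str) -> Optional[str]:
    """Contrast model of the legacy behaviour David describes (the parser ends
    up on the last IP in the line): every IPv4 anywhere in the header, last
    one wins.  An approximation for comparison only, not Declude's code."""
    hits = ANY_IPV4.findall(unfold(header))
    return hits[-1] if hits else None


# Constructed from the headers quoted in the thread, folded as posted.
CASES: Dict[str, str] = {
    "qmail_helo": "Received: from unknown (HELO 192.168.10.1) (72.167.113.99)\n"
                  "  by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90)"
                  " with ESMTP;",
    "ms_smtpsvc": "Received: from 58.92.178.208 ([208.178.92.58]) by\n"
                  " smtp.webhost.hm-software.com with Microsoft"
                  " SMTPSVC(5.0.2195.6713);",
    "forged": "Received: from  (])\n"
              "  by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8)"
              " STMP id mzqbrzhqqbq;",
    "exim": "Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1)\n"
            "   by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63)",
    "mapi_two_ips": "Received: from mail.headquarters.qts.local ([192.168.0.103]) by\n"
                    " mail.headquarters.qts.local ([70.99.176.211]) with mapi;",
    "communigate": "Received: from [195.248.173.117] (HELO 192.168.1.75)\n"
                   "  by mail.alkar.net (CommuniGate Pro SMTP 5.2.16)\n"
                   "  with SMTP id 2124311918;",
    "postini": "Received: from source ([209.85.221.110]) by exprod5mx260.postini.com\n"
               " ([64.18.4.10]) with SMTP;",
}


def run_cases() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {name: (FROM-clause IP, last-IP-anywhere)} for every sample."""
    return {name: (connecting_ip(h), naive_last_ip(h)) for name, h in CASES.items()}


if __name__ == "__main__":
    for name, (good, legacy) in run_cases().items():
        print(f"{name:13} from-clause: {str(good):16} last-anywhere: {legacy}")
```

Running it shows the split the thread is about: on the Postini line the FROM-clause rule yields 209.85.221.110 while last-IP-anywhere yields 64.18.4.10, on the MAPI line 192.168.0.103 versus 70.99.176.211, and on the forged "from  (])" header the FROM-clause rule refuses to guess (None) where last-IP-anywhere would score the receiving MX 66.232.102.164. The clause cut is deliberately simple (a hostname containing a bare word "by", "with" or "for" would truncate it early), which is the imperfection Matt acknowledged for the fallback path.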

RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files

2009-08-26 Thread Andy Schmidt
Hi David,

 

Thanks - we are running the 11.01 Preview - and did have SMTP problems. It
hasn't occurred since - so if it looks like an external issue, then it might
not be worth too deep an investigation.

 

Thanks for your response.

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, August 26, 2009 12:12 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files
to match GP1/GP2 files
Sensitivity: Personal

 

Correct. And from the looks of the gp1 file it may be something external. I
have our engineer looking to see what we can gather from the file. And will
get back to you asap.

 

David

 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files

2009-08-26 Thread Andy Schmidt
Thanks Dave - I have AutoReview on. So I suppose if that folder is empty, it
means that the file processed successfully a second time around.

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, August 26, 2009 11:48 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files
to match GP1/GP2 files
Sensitivity: Personal

 

Hi Andy,

 

In Declude \proc directory there is a directory called REVIEW which is
exactly for this purpose. In the Declude.cfg there is a directive that can
override this functionality called AUTOREVIEW ON

 

If the decludeproc service is unexpectedly stopped email in the \work
directory is moved to the \review directory.  If AUTOREVIEW is ON then the
user has opted to reprocess these files,  if the AUTOREVIEW is commented out
then the \Review directory will have a copy of the offending file set and we
can use these file to try and isolate the problem.

 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

 

 

 

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, August 26, 2009 11:04 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to
match GP1/GP2 files
Sensitivity: Personal

 

Hi,

 

Doesn't make much sense to ask a user to submit "debug" logs AFTER a GP
fault that only happens sporadically.

 

How about Declude quarantining the Q/D files in question whenever the
C:/Declude.GP* files are written? This way, the customer can attempt to
reproduce the problem (using the same Q/D files) after setting the log to
"Debug" mode.

 

Best Regards,

Andy



[Declude.JunkMail] Suggestion: Quarantine problematic Q/D files to match GP1/GP2 files

2009-08-26 Thread Andy Schmidt
Hi,

Doesn't make much sense to ask a user to submit "debug" logs AFTER a GP
fault that only happens sporadically.

How about Declude quarantining the Q/D files in question whenever the
C:/Declude.GP* files are written? This way, the customer can attempt to
reproduce the problem (using the same Q/D files) after setting the log to
"Debug" mode.

Best Regards,

Andy



Re: [Declude.JunkMail] Imail 11

2009-08-11 Thread Andy Schmidt
Imail 11 supports ActiveSync (e.g., I'm using it from my regular cell phone) to 
synch contacts, emails, appointments, notes,...


From: Nick Hayer 
Sent: Tuesday, August 11, 2009 6:43 PM
To: declude.junkmail@declude.com 
Subject: RE: [Declude.JunkMail] Imail 11


SmarterMail. It's the way to go. Ver 6 will support ActiveSync [as an addon]
and the web interface is excellent.

I have one remaining Imail server - 9x version  - to convert..

-Nick



From: "Chuck Schick" 
Sent: Tuesday, August 11, 2009 1:07 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11


Sorry William I did not catch your sarcasm.  I don't see those problems with 
Imail and we have people with 1000s of messages in their inbox but that is 
version 8.22, I know they had a lot of web mail problems with later versions..  
I think roundcube is better than squirrel mail but I don't know if it will work 
on a windows machine - have never tried to do that.

That being said, I am still looking for recommendations on a Mail
Server... anyone have thoughts?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com 





From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of William 
Stillwell
Sent: Tuesday, August 11, 2009 10:33 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11


You didn't understand my sarcasm did you?

I gave up w/Imail on fixing my imail webmail issues, on my servers, if there is
more than 1000 messages in a mail box, users get "Access Denied" when going to
different pages in their preview window.

If they have less than 500 messages it works fine for them..

It's by no means "OWA".

William Stillwell







Re: [Declude.JunkMail] Imail 11

2009-08-11 Thread Andy Schmidt
Hi,

been using Imail 11 since May. Several annoying bugs - bug fixes for each one 
within a few days. Looks good now - but it's not worth it for anyone installing 
NOW because 11.0.1 is in technical preview and saves you the hassle of having 
to ask for 5 or 6 DLL updates (because they are not being made available 
proactively).

Best Regards,
Andy


From: Michael Graveen 
Sent: Tuesday, August 11, 2009 7:43 PM
To: declude.junkmail@declude.com 
Subject: RE: [Declude.JunkMail] Imail 11


I went to SmarterMail 4.x a few years ago (from IMail 8.05).  I like the web 
interface.  Is it perfect?  No.  But for the most part the Smarttools folks are 
pretty responsive with bug fixes (especially compared to Ipswitch's past 
performance).  Version 6 has just been released and I will probably upgrade to 
that.  Hope this helps.

Mike




Sorry William I did not catch your sarcasm.  I don't see those problems with 
Imail and we have people with 1000s of messages in their inbox but that is 
version 8.22, I know they had a lot of web mail problems with later versions..  
I think roundcube is better than squirrel mail but I don't know if it will work 
on a windows machine - have never tried to do that.

That being said, I am still looking for recommendations on a Mail
Server... anyone have thoughts?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com 





From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of William 
Stillwell
Sent: Tuesday, August 11, 2009 10:33 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11


You didn't understand my sarcasm did you?

I gave up w/Imail on fixing my imail webmail issues, on my servers, if there is
more than 1000 messages in a mail box, users get "Access Denied" when going to
different pages in their preview window.

If they have less than 500 messages it works fine for them..

It's by no means "OWA".

William Stillwell







[Declude.JunkMail] RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the best procedure everyone uses to renew it?

2009-07-08 Thread Andy Schmidt
Hi Dave,

The Diags.txt I had sent was created from THIS MORNING (I had made a point
of restarting DecludeProc to get a "current" status). So CommTouch was
definitely reported as "OFF" at that time. It had been reported as "ON" in
June, the previous time that the server had been started (for security
fixes).

I cleared the DNS cache and restarted DecludeProc and now Diags.txt reports
"ON" for CommTouch. So thanks for re-activating it.

So - that leaves a whole bunch of new concerns:

- If you ONLY migrated servers THIS week, then THIS was NOT the reason.
CommTouch had stopped after 6/27, which is 11 days ago. (That's the last
date your log files showed any CommTouch hits!) However, it's the exact date
of my new renewal term! So what precisely happened on 6/28 at midnight?

- Regardless, if you switched IP addresses for some of your servers, then
you obviously would have had to FIRST update your OWN DNS a week prior (or
whatever the old TTL was) to change the TTL for that DNS record to something
extremely short (e.g., hours). A week later, after the old TTL had expired,
you could THEN change the DNS record to the NEW IP address and update the
TTL to the longer period again.
If you simply switched IP addresses without prior TTL adjustments, then your
customers would NOT see the new IP until the old TTL had run out. Although
this was not the problem in my case - which host name are we talking about
and how was this migration executed if you feel that your customers have to
flush their DNS cache to obtain the new server address?

Best Regards,

Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, July 08, 2009 11:04 AM
To: declude.vi...@declude.com
Subject: RE: [Declude.Virus] Commtouch ZeroHour - no longer active? What's
the best procedure everyone uses to renew it?
Sensitivity: Personal

We just migrated servers this week. It is possible your DNS is using cached
information. Remember a diags.txt is only created on startup so you may have
old information. Can you flush your DNS cache and restart Declude to see if
it resolves the problem?

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Wednesday, July 08, 2009 10:20 AM
To: declude.vi...@declude.com; declude.junkmail@declude.com
Subject: [Declude.Virus] Commtouch ZeroHour - no longer active? What's the
best procedure everyone uses to renew it?
Sensitivity: Personal

Hi,

I noticed that ZeroHour stopped catching any viruses after 6/28 - and, after
investigating, I now realize it no longer traps any Spam. There were NO
changes to any .CFG (or other Declude files). I'm enclosing the most recent
Diags.txt (from 6/18, where CommTouch was ON) and then one from today after
I made a point of manually restarting DecludeProc. Suddenly, it reports
CommTouch as OFF?

My customer screen shows:

Host Information
  Declude Imail Perpetual Lic.    [omitted]    28 Jun 2010
  AVG                             Activated    Current
  CommTouch                       Activated

It can't be a coincidence that CommTouch stopped working 3 weeks ago, on
the exact anniversary date of my (renewed) agreement?

Since I only purchased CommTouch a few weeks ago, I'm new to this. So, what
do Declude customers have to do after purchasing CommTouch or after renewing
their service agreements to make sure that the software will continue to
work with a complete function set? This way, I can add yet another reminder
to my calendar (besides monitoring the AVG licensing renewal date).

Overall Server Virus Summary Report

Total Messages Processed: 21,868
Virus Infected Messages: 60
Percentage Infected: 0.27%

VIRUS                                                   # INFECTED   PERCENTAGE
OUTLOOK 'BLANK FOLDING' VULNERABILITY                           33        0.15%
OUTLOOK 'CR' VULNERABILITY                                      11        0.05%
OUTLOOK 'MIME SEGMENT IN MIME PREAMBLE' VULNERABILITY            8        0.04%
I-WORM/MYDOOM.O                                                  3        0.01%
I-WORM/MYDOOM.BE                                                 1        0.00%
I-WORM/MYDOOM.N                                                  1        0.00%
NON STANDARD HEADER VULNERABILITY                                1        0.00%
TROJAN.IFRAME-3                                                  1        0.00%
WORM.BAGLE-ZIPPWD-35                                             1        0.00%

Virus Scanner Summary Report (Integrated AVG Scanner)

Total Messages Processed: 21,868
Virus Infected Messages: 5
Percentage Infected: 0.02%

VIRUS                     # INFECTED   PERCENTAGE
I-WORM/MYDOOM.O                    3        0.01%
I-WORM/MYDOOM.BE                   1        0.00%
I-WORM/MYDOOM.N                    1        0.00%

Virus Scanner Summary Report (ClamAV)

Total Messages Processed: 21,868
Virus Infected Mes
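The TTL-lowering procedure Andy lays out in the message above (shorten the record's TTL first, wait out the old TTL, only then change the address) can be checked with a small simulation. The following is an added example, not code from the thread or from Declude: it models an authoritative zone, a customer's caching resolver that honours whatever TTL it last fetched, and a client that polls every 15 minutes. The host addresses (TEST-NET ranges), the 7-day and 1-hour TTLs, the 90-minute start offset and the polling interval are all constructed values.

```python
"""Simulate how a cached DNS answer delays a server IP migration.

Added example, not code from the thread or from Declude. It models the
procedure described in the post above: lower the TTL first, wait out the old
TTL, then change the address. Addresses, TTLs and the client's polling
interval are constructed values.
"""
from typing import List, Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR
OLD_ADDRESS = "192.0.2.10"      # constructed (TEST-NET-1)
NEW_ADDRESS = "198.51.100.20"   # constructed (TEST-NET-2)


class Record:
    """An authoritative A record: the address and the TTL handed to resolvers."""

    def __init__(self, address: str, ttl: int) -> None:
        self.address = address
        self.ttl = ttl


class Authoritative:
    """The zone owner's view: a timeline of (effective_time, Record) changes."""

    def __init__(self, initial: Record) -> None:
        self.changes: List[Tuple[int, Record]] = [(0, initial)]

    def set_record(self, at: int, record: Record) -> None:
        self.changes.append((at, record))
        self.changes.sort(key=lambda change: change[0])

    def lookup(self, now: int) -> Record:
        """Return whatever record is published at time `now`."""
        current = self.changes[0][1]
        for when, record in self.changes:
            if when <= now:
                current = record
        return current


class CachingResolver:
    """A customer's recursive resolver: it keeps an answer for the TTL it was
    given, regardless of what the zone owner publishes in the meantime."""

    def __init__(self, auth: Authoritative) -> None:
        self.auth = auth
        self.cached: Optional[Record] = None
        self.fetched_at = 0

    def resolve(self, now: int) -> str:
        expired = self.cached is None or now >= self.fetched_at + self.cached.ttl
        if expired:
            self.cached = self.auth.lookup(now)
            self.fetched_at = now
        return self.cached.address


def first_time_seeing(resolver: CachingResolver, address: str,
                      start: int, end: int, step: int) -> Optional[int]:
    """First polling time (start..end, every `step` seconds) at which `address` is returned."""
    for now in range(start, end + 1, step):
        if resolver.resolve(now) == address:
            return now
    return None


def run_migration(staged: bool, old_ttl: int = 7 * DAY, short_ttl: int = HOUR,
                  poll: int = 15 * 60) -> dict:
    """Run one migration and report how far the cached client lags behind it.

    staged=False: change the address without touching the TTL first.
    staged=True:  lower the TTL, wait out the old TTL, then change the address.
    """
    auth = Authoritative(Record(OLD_ADDRESS, old_ttl))
    client = CachingResolver(auth)
    client.resolve(0)               # the customer caches the old answer at t=0

    work_starts = 90 * 60           # operator begins 90 minutes after that lookup
    if staged:
        auth.set_record(work_starts, Record(OLD_ADDRESS, short_ttl))  # step 1: shorten TTL
        switch_at = work_starts + old_ttl                              # step 2: wait out old TTL
        auth.set_record(switch_at, Record(NEW_ADDRESS, short_ttl))    # step 3: move the address
    else:
        switch_at = work_starts
        auth.set_record(switch_at, Record(NEW_ADDRESS, old_ttl))      # address changed outright

    seen_at = first_time_seeing(client, NEW_ADDRESS, 0, switch_at + old_ttl + poll, poll)
    return {"switch_at": switch_at, "seen_at": seen_at, "lag": seen_at - switch_at}


if __name__ == "__main__":
    for staged in (False, True):
        result = run_migration(staged)
        print(("staged" if staged else "naive").ljust(7),
              f"switched at {result['switch_at'] / DAY:.2f} d,",
              f"client saw the new IP {result['lag'] / HOUR:.1f} h later")
```

With the constructed values the naive switch leaves the client on the old address for almost the full seven-day TTL, while the staged switch is picked up within the one-hour TTL; flushing a resolver cache is only needed when the first approach was taken.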

[Declude.JunkMail] RE: Database error after upgrading & Incorrect HELO in Received Header

2009-06-25 Thread Andy Schmidt
Hi,

a) As far as the HELOBOGUS test - you likely are missing the various IMAIL
11 fixes that Ipswitch created but only gives out when you ask:
http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=691
With the latest fixed SMTP service and Imail_API DLL, my HELOBOGUS test does
not seem to trigger for all messages (but certainly for lots of spam that
has 3 times the hold weight).

b) Is that Imail domain using the registry or SQL for its user database?

All my domains are using the registry and my Declude log appears to look
normal, e.g.:

06/24/2009 23:59:58.680 q93ea0001414e0aa2.smd Did not find [
alifeedb...@service.alibaba.com ] in [ merchand...@dollardays.com ] address
book
06/24/2009 23:59:58.680 q93ea0001414e0aa2.smd Finish Address Book WhiteList

Best Regards,
Andy


-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Kevin
Rogers
Sent: Thursday, June 25, 2009 2:35 PM
To: declude.vi...@declude.com
Subject: Re: [Declude.Virus] Database error after upgrading

So I emailed David about this issue and he had me turn off AUTOWHITELIST 
and that seemed to get rid of the error.  It seems that Imail 11 changed 
the database it uses for contacts and this is why Declude was generating 
that error. 

But I'd really like to turn AUTOWHITELIST back on. 

And, since the upgrade all emails are failing the DYNHELO and HELOBOGUS 
tests so I've had to reduce their weights for the time being.  Has 
anyone seen this or have any ideas how to correct?

Thanks.


Kevin Rogers wrote:
> I upgraded to 4.6.35 because of the AVG scanner issue, but now in my 
> declude logs I am seeing error messages like this:
>
> 06/23/2009 00:38:48.986 q8f0c00670096.smd DataBase Error = 
> ['(unknown)' is not a valid path.  Make sure that the path name is 
> spelled correctly and that you are connected to the server on which 
> the file resides.
> Driver's SQLSetConnectAttr failed
> ]
>
> I didn't have these errors before my upgrade.  Any ideas?
>
>
>
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to imail...@declude.com, and
> type "unsubscribe Declude.Virus".The archives can be found
> at http://www.mail-archive.com.
>
>
>






RE: [Declude.JunkMail] All_list.dat

2009-06-09 Thread Andy Schmidt
Hi Dave:

Good to see that this is (apparently) now an automated procedure that keeps
a current file online for us.

Thank you!

Andy

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Monday, June 08, 2009 4:56 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] All_list.dat

The all_list.dat file is located in the \Declude directory. This file contains
all the IP address geo-locations; it is used by Declude to identify the
country chain displayed as part of the X-Country-Chain within the header.

A new all_list.dat will be available every day from the My Account page
under the downloads section of declude.com. It has been compressed using
.rar; you will need to uncompress the file to replace your existing
all_list.dat.

You do not need to update this file every day; however, it is there for your
convenience. We suggest updating this file on a periodic basis of about once
every 30-90 days.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



[Declude.JunkMail] ZEROHOUR vs. TESTSFAILED

2009-06-07 Thread Andy Schmidt
Hi,

Seems as if ZEROHOUR is not at all handled correctly vis-à-vis the
TESTSFAILED variable?

1. Example: I have defined

XINHEADER  X-Declude: Triggered [%WEIGHT%] %TESTSFAILED%

However, since activating ZEROHOUR I now see SMTP headers like this:

X-Declude: Triggered [-2] None, ZEROHOUR [0]

There are two things wrong with this:

a) If “Testsfailed” returns “None”, why is the string “ZEROHOUR”
appended? If it’s “None” then it should be “None” – and nothing else.

b) If “ZEROHOUR” didn’t fail and thus has a weight of “0”, then it
shouldn’t appear in the TESTSFAILED list at all.

2. In one of my filters, I have the line

TESTSFAILED  5  CONTAINS  ZEROHOUR

However, it fails to add “5” to the weight – as if it doesn’t detect
“ZEROHOUR” in the TestsFailed string – which would be consistent with items
“a)” and “b)” – because apparently there is a bug where ZEROHOUR is not
correctly included in the “TESTSFAILED” variable, but instead it is somehow
“appended” behind it!

The power of Declude is to be able to tightly configure (through various
options) how weights are assigned and (with the help of “TESTSFAILED”
filters) which groupings of tests might be testing/triggering on the same
“aspect” of a message. Currently ZEROHOUR appears to negate all the other
advantages of Declude!

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206





RE: [Declude.JunkMail] CommTouch ZeroHour

2009-06-05 Thread Andy Schmidt
Oh? In that case - what's the purchase cost to add CommTouch to our account
at this point?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, June 05, 2009 11:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Yes Internet access provider is a better description of ISP and how it is
understood by Commtouch.

David

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Friday, June 05, 2009 11:30 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Uh - okay, that was the reason why I wasn't able to purchase CommTouch back
when.

As a hosting provider (which includes providing mailboxes for the clients'
domains), that would fall under the umbrella "primary function is to provide
Internet service".   

If they would define ISP as Internet ACCESS provider - then this would be a
different story. Because we don't provide Internet access and our primary
function is not clean-and-forward MX services.






RE: [Declude.JunkMail] CommTouch ZeroHour

2009-06-05 Thread Andy Schmidt
Uh - okay, that was the reason why I wasn't able to purchase CommTouch back
when.

As a hosting provider (which includes providing mailboxes for the clients'
domains), that would fall under the umbrella "primary function is to provide
Internet service".   

If they would define ISP as Internet ACCESS provider - then this would be a
different story. Because we don't provide Internet access and our primary
function is not clean-and-forward MX services.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Friday, June 05, 2009 10:49 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] CommTouch ZeroHour

Commtouch does have a restriction. The condition is:

a.  "ISP" shall mean an internet service provider or managed solution
provider.

What this means - if you are an ISP as defined by Commtouch, your primary
function is to provide Internet service to your customers (like Comcast) or
your business provides managed services (Like MXlogic) clean-and-forward of
emails. 

Secondly, if your business is part of the ISP category you can use Commtouch
with the added cost of $3.60 per user per year.

And finally, the yearly cost and payments to Commtouch for NON-ISP perpetual
license Declude customers is being absorbed by Declude. 

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com







RE: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

2009-06-02 Thread Andy Schmidt
That's semantics - both are "Malicious" emails (Phishing are the new
"Viruses" - or sometimes just a precursor). Most "malicious email" scanners
now include "phishing" in their realm of responsibility. Bottom line: You
need to run a "scanner"; it will find malicious emails, whether you
technically would consider them viruses, Trojans, phishing URLs etc.

What's bad is if the scanner suddenly stops working for 2 months. Especially
with those really bad Trojans going around 4 weeks ago. So - either AVG had
an update to their interface, and it took Declude until now to finally catch
up - OR, Declude introduced a bug 2 months ago. I haven't seen an
explanation on how this could have happened and go unnoticed until I finally
persisted.

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick
Hayer
Sent: Tuesday, June 02, 2009 10:10 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

Was it not working? yawn. Never noticed. On my end AVG is superfluous behind
Alligate. We just do not see a virii leakage. We run ClamD for phishing and
I do not see in its logs any virus captures.

-Nick

From: "David Barker" 
Sent: Monday, June 01, 2009 3:50 PM
To: declude.junkmail@declude.com, declude.vi...@declude.com
Subject: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

If your AVG is not scanning emails, please upgrade immediately to 4.6.35
which is available from the Declude website.

If you are unsure whether this means you, we suggest you upgrade. If you
need any assistance in this matter please contact supp...@declude.com

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com



RE: [Declude.JunkMail] Declude 4.5.29 Released

2009-02-24 Thread Andy Schmidt
Hi, is the jump from 4.4.25 (release 4.4) to 4.5.26 (release 4.5)
intentional or a typo? If 4.5 is a new release, one would have expected it
to start at 4.5.0 - and thus this latest build be referred to as 4.5.3?

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Tuesday, February 24, 2009 9:21 AM
To: declude.junkmail@declude.com; declude.vi...@declude.com
Subject: [Declude.JunkMail] Declude 4.5.29 Released

4.5.29 Hijack logging error fixed

4.5.28 Fix memory leak in SPF test

4.5.27 Diags.txt shows if AVG and CommTouch are ON or OFF

4.5.26 Change Request: Skip AUTOWHITELIST when the sender matches the
recipient.
       Updated Diags.txt, shows the copyright 2009 and the products,
Junkmail, Hijack and EVA as either ON or OFF

4.4.25 Fixed IPBYPASS > 0 triggered inconsistencies with the IPFILE test

4.4.24 Increased number of Tests run in global.cfg

4.4.23 Bug fix when virus.cfg is not found. EVA code is still executed and
vulnerabilities are placed in the root of C:\ directory.
       With this fix Virus code will not execute if no virus.cfg is found.
E-mail will not be scanned for any virus or vulnerabilities.
       A virus log will be created in declude\logs and will inform the
user that virus test is OFF.

4.4.22 Removed all reference to versions PRO/STD/LITE.

4.4.21 Removed all reference to EVA versions PRO/STD/LITE.

4.4.20 Fixed Declude leaving an open socket during avg update. Also fixed
for possibility of an early terminating thread in the transfer file
function.

4.4.19 Temporary fix for CATCHALLMAIL not holding the e-mail when the e-mail
is whitelisted and when COPYFILEACTIONWITHHEADER = ON

4.4.18 WHITELIST TO Removed the restriction of "abuse@", "noc@",
"postmaster@" and updated ROUTING the foreign IP address list

4.4.17 In "fullmsg" the header part of the message was being stored and
printed twice.

4.4.16 Changed critical section to when accessing the Address book for
autowhitelisting to resolve a thread hanging issue with Imail.

4.4.14 Added critical section before opening the Imail MS Access DataBase to
prevent crashes

4.4.13 Changed the CommTouch Temp Directory from the default (the machine
default tempdir) to ...\Declude\scanners\commTouch\Temp

4.4.12 Updated GP1 files to be amended rather than overwritten. Information
will be appended with the system Date and time.
       Fixed a crash issue, due to decoding of the subject line.
       Fixed issue of TXT files being left in the work directory. Requires
replacement of the avgsdk.dll.

4.4.11 Update Declude encoding of winmail.data (TNEF) and storing the
attachment file and its corresponding file name. Improved detection of the
Invalid zip vulnerability.

4.4.10 Added error message in logs for additional information as to why txt
file could not be moved back to virus directory

4.4.8 Invalid zip vulnerability; updated Declude to be compatible with '7z'
file archived compressor

4.4.7 Updated Declude to report on ODBC access issues in IMail.

4.4.6 Updated PCRE to better handle PCRE .dll exceptions

4.4.5 If ZEROHOUR weight value cannot be converted to an integer it will be
ignored. This is a fix for a bug reported when ZEROHOUR test action was set,
ZEROHOUR was scoring a value of zero.

4.4.4 Updated FROMNOMATCH test failing when e-mail is sent as an NDR

4.4.3 Updated FROMNOMATCH test failing. According to RFC-822 the angle bracket
is not a requirement for FROM: in the header part of the email. Changed to
handle the angle bracket and without.

4.4.2 Fixed CATCHALLMAIL to be triggered on whitelisted e-mail

4.4.1 Removed references to previous Versions (PRO/STD/LITE).

4.4.0 Release

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com







RE: [Declude.JunkMail] Errorlevel not working

2009-02-09 Thread Andy Schmidt
Because it does a >= comparison, you need to start with the greatest value
and work your way lower.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Serge
Sent: Sunday, February 08, 2009 7:58 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Errorlevel not working

found a solution

This works on both cases
if errorlevel 1 goto gziperr1
if errorlevel 0 goto gziperr0

but this does not work
if errorlevel 0 goto gziperr0
if errorlevel 1 goto gziperr1

but WHY ???


- Original Message - 
From: "Serge" 
To: 
Sent: Monday, February 09, 2009 12:49 AM
Subject: Re: [Declude.JunkMail] Errorlevel not working


> Hello Sandy
>
> Not true
> even if I comment the echo line, I still get "gzip OK errorlevel 0, Unzipping"
> even if the file is corrupted
>
>
> gzip -d -f -t zydt3crn.snf.gz
> if errorlevel 0 goto gziperr0
> if errorlevel 1 goto gziperr1
> GOTO END
>
> :gziperr0
> Echo gzip OK errorlevel 0, Unzipping
> GOTO END
>
> :gziperr1
> Echo gzip errorlevel 1
> Echo gzip .gz file did not test OK
> GOTO END
>
> :END
>
>
> - Original Message - 
> From: "Sanford Whiteman" 
> To: "Serge" ; "Message Sniffer Community" 
> 
> Sent: Monday, February 09, 2009 12:39 AM
> Subject: Re: [Declude.JunkMail] Errorlevel not working
>
>
>> I have a problem with the branching in the batch below
>> even when the test fails and "echo %errorlevel%" shows 1
>> the branching still goes to gziperr0
>> Does anyone know why and how to fix?
>
> When  you  echo  the  errorlevel, the errorlevel is reset to the value
> returned by echo().
>
> --Sandy
>
>
>
>
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> e-mail: sa...@cypressintegrated.com
>
> SpamAssassin plugs into Declude!
> http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/
>
> Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
> Aliases!
> http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
> http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
>
>
>






RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam tests

2009-02-03 Thread Andy Schmidt
I wouldn't add anything to the score because it's very common (especially for
larger organizations) to have dedicated outbound servers, while all MX
records point to their anti-spam/anti-virus gateways!

The better approach would be to REDUCE the weight score if you receive mail
from a mail server that also DOES appear in the domain's MX records. This way
you give credit for a more "tight" configuration without penalizing
perfectly valid/common configurations.


From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 11:15 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

I would agree. However if a record exists but the server does not, I would
want to add a bit to my weight score. It certainly shows that something is
not right.

However, thank you for the explanation.

Thank you

Harry Vanderzand

Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Tuesday, February 03, 2009 10:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

Some email servers have the task of sending out email and not receiving
email (e.g. an online order system); they would not require an MX record as
they do not need to receive email, therefore the fact that an MX record does
not exist is not a good indicator for spam.

David B


From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 10:28 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Sorry but I am not sure what you mean by outbound in the sample below.  I
also do not know what specific test should be triggered other than something
should be.

 

Here I have mail coming in from a domain.  DNS lookup on their MX record
fails.  Is that not a big flag that this is likely Spam?

 

Maybe I am misunderstanding something here.  In the sample below we got mail
from an orderlinenews address and the MX record does not exist

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Tuesday, February 03, 2009 10:11 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Hi Harry,

 

As far as I know mail servers that are strictly outbound don't need to use
an MX record. What test do you think this should trigger ?


David B

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 10:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Anyone have any ideas on this topic?

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Friday, January 30, 2009 4:04 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam tests

 

Please see the log entry below.  The DNS lookup for the MX and A record
failed.  Why would that not add weight to any of my tests?  Am I missing
some?  Seems to me that if these fail it should be weighted as spam.

 

 

 

01/30/2009 08:21:53.312 qfeea02ad6d67.smd Start: doprewhitelist

01/30/2009 08:21:53.312 qfeea02ad6d67.smd END: doprewhitelist

01/30/2009 08:21:55.265 qfeea02ad6d67.smd WARNING: DNS server
nnn.nnn.nnn.nnn returned a SERVER FAILURE error for MX or A for
mail.orderlinenews.ca.

01/30/2009 08:22:01.265 qfeea02ad6d67.smd WARNING: DNS server
nnn.nnn.nnn.nnn returned a SERVER FAILURE error for MX or A for
orderline.ca.

01/30/2009 08:22:03.437 qfeea02ad6d67.smd Tests failed [weight=0]:
FILTER-COUNTRY=IGNORE[0] CATCHALLMAILS=IGNORE[0] 

01/30/2009 08:22:03.437 qfeea02ad6d67.smd Action(s) taken for
[x...@domain.com] = IGNORE  [LAST ACTION=IGNORE]

01/30/2009 08:22:03.437 qfeea02ad6d67.smd Cumulative action(s) on this
email = IGNORE  [LAST ACTION=IGNORE]

 

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222

 



RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam tests

2009-02-03 Thread Andy Schmidt
Hi,

 

I think there are two different issues:

 

a)   As stated by others, the mail SERVER is NOT required to have an MX
record (it seldom will!) and is not required to be referenced in the domain's
MX record (in case it's an "outbound" server only).

b)   However, I reject mails from domains that don't have ANY MX or A
records. If I can't respond to a domain by mail, then I certainly don't want
their mail. Never had a false positive in all these years.

 

Example:

@          A    200.200.200.200
@          MX   10   incoming.domain.com
Incoming   A    200.200.200.201
Outgoing   A    200.200.200.202

 

It's perfectly fine for you to receive mail from "Outgoing.domain.com", even
if there is no MX record for "Outgoing" and even if "outgoing.domain.com" is
not referenced in the domain's MX record.

However, if the two "@" records were missing - THEN this domain cannot be
reached by email and I would refuse any mail from any "domain.com".

 

Best Regards,

Andy

 

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
vanderzand
Sent: Tuesday, February 03, 2009 10:28 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] DNS lookup fail, yet e-mail passes spam
tests

 

Sorry but I am not sure what you mean by outbound in the sample below.  I
also do not know what specific test should be triggered other than something
should be.

 

Here I have mail coming in from a domain.  DNS lookup on their MX record
fails.  Is that not a big flag that this is likely Spam?

 

Maybe I am misunderstanding something here.  In the sample below we got mail
from an orderlinenews address and the MX record does not exist

 

Thank you

Harry Vanderzand

 

Intown Internet

117 Ruskview Road

Kitchener, ON, N2M 4S1

519-741-1222
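The two rules from this thread (an outbound-only host need not have an MX record or appear in the domain's MX set, but a domain with neither MX nor A records is refused), together with the earlier suggestion of crediting a host that DOES appear in the MX set, as an added Python example; this is not code from the thread or from Declude. The zone table, the -2 credit and the SERVFAIL handling are constructed assumptions.

```python
"""Sender-domain reachability check modelled on the thread's rules (added example).

Rule 1: the connecting host need not have an MX record, nor appear in the
        domain's MX set (outbound-only servers are common), so that alone
        never adds weight.
Rule 2: a domain with neither MX nor A records cannot be replied to by
        mail, so mail claiming to come from it is rejected.
Bonus:  a connecting host that IS one of the domain's MX hosts earns a
        negative weight (the "tighter configuration" credit from the thread).

DNS answers come from an in-memory table (constructed sample data) so the
example runs offline; swap `lookup` for a real resolver in practice.
"""
from dataclasses import dataclass

SERVFAIL = "SERVFAIL"   # marker: the resolver errored (not the same as "no record")
MX_CREDIT = -2          # assumed credit; mirrors the nIPNOTINMX:-2 seen in a log in this thread

# Constructed zone data: name -> {"A": [addresses], "MX": [(preference, host)]}.
# A missing key means "no record of that type"; an unknown name means NXDOMAIN.
ZONES = {
    "domain.com":          {"A": ["200.200.200.200"], "MX": [(10, "incoming.domain.com")]},
    "incoming.domain.com": {"A": ["200.200.200.201"]},
    "outgoing.domain.com": {"A": ["200.200.200.202"]},
    "noreply.example":     {"TXT": ["v=spf1 -all"]},   # exists in DNS, but no MX and no A
    "broken.example":      SERVFAIL,                   # resolver returns SERVER FAILURE
}


@dataclass
class Verdict:
    reject: bool
    weight: int
    reason: str


def lookup(name, rtype):
    """Return the records of type rtype for name; raise LookupError on SERVFAIL."""
    zone = ZONES.get(name)
    if zone == SERVFAIL:
        raise LookupError(f"SERVFAIL for {name}")
    if zone is None:
        return []
    return list(zone.get(rtype, []))


def domain_mail_reachable(domain):
    """Rule 2: a domain is reachable by mail if it has an MX or, failing that, an A record."""
    return bool(lookup(domain, "MX")) or bool(lookup(domain, "A"))


def mx_addresses(domain):
    """Addresses of every host named in the domain's MX records."""
    addrs = set()
    for _pref, host in lookup(domain, "MX"):
        addrs.update(lookup(host, "A"))
    return addrs


def evaluate_sender(sender_domain, connecting_ip):
    """Combine the rules into a verdict for one inbound connection."""
    try:
        if not domain_mail_reachable(sender_domain):
            return Verdict(True, 0, "domain has neither MX nor A record")
        if connecting_ip in mx_addresses(sender_domain):
            return Verdict(False, MX_CREDIT, "connecting host is one of the domain's MX hosts")
        # Rule 1: an outbound-only host that is absent from the MX set is normal.
        return Verdict(False, 0, "host not in MX set; no penalty")
    except LookupError as err:
        # A resolver failure (like the SERVER FAILURE lines in this thread's log) says
        # nothing about the domain itself, so it must not be treated as "no records".
        return Verdict(False, 0, f"lookup failed ({err}); no verdict")


if __name__ == "__main__":
    for domain, ip in [("domain.com", "200.200.200.202"), ("domain.com", "200.200.200.201"),
                       ("noreply.example", "203.0.113.9"), ("broken.example", "203.0.113.9")]:
        print(domain, ip, evaluate_sender(domain, ip))
```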




RE: [Declude.JunkMail] "New" Blacklist / Whitelist (Barracuda)

2008-12-06 Thread Andy Schmidt
Hi,

I very much feel it's worth it - as long as you combine it with other tests.
Other than Sniffer, it flags MORE emails (about 55 to 60%) than CBL Dyna,
Spamcop, InvURIBL, Sorbs, SenderDB etc.

Many times when I looked at NEW spam (or a Virus), then Barracuda (besides
Sniffer) was the ONLY one detecting it - so it has helped "pushing" emails
beyond the threshold until the other black-lists catch up.

Some claim that it MAY be less reliable - but I haven't seen any increase in
overall false positive reports, maybe because it's only one of multiple
tests that have to fail before an email is actually held.

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Imail
Admin
Sent: Friday, December 05, 2008 8:56 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] "New" Blacklist / Whitelist (Barracuda)

Hi,

A couple of months ago I read the discussion about the new Barracuda BRBL. 
Then I went to the archives to see how people were implementing it into 
Declude.  I have Declude 4.2.x, so I don't have the features of 4.4.  I was 
unable from reviewing the archives to figure out the best way to implement 
this.  Can someone give me the lines for global.cfg?  And do you still think

it's worth it?

Thanks,

Ben

- Original Message - 
From: "David Dodell" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, October 15, 2008 9:28 PM
Subject: Re: [Declude.JunkMail] "New" Blacklist / Whitelist


> b)   http://www.barracudacentral.org/rbl
> Hadn't seen this one mentioned? Any experiences? Effective? False 
> Positives?


I'm giving this one a try ... I know Barracuda is a large manufacturer
of hardware spam "firewalls" ... reputable company




[Declude.JunkMail] No Reverse DNS in Header?

2008-11-03 Thread Andy Schmidt
Hi,


I never noticed this scenario before, so I figured I'd ask:

One of the emails I investigated had a "null string" RevDNS in the
XINHEADER:

 

X-Declude: Version 4.4.20; Code 0xe from  [38.108.41.55]

 

The global config defines the following:

 

XINHEADERX-Declude: Version %VERSION%; Code 0x%HEADERCODE% from
%REVDNS% [%REMOTEIP%]

 

I can't remember ever seeing a header without a RevDNS - and without any
RevDNS tests failing?

 

Here are the SMTP and Declude log snippets, as well as the CURRENT Reverse DNS
lookup (which matches the HELO string). Of course, we don't know what the
DNS information was at the time that Declude saw it - but if it resulted in
a null string, then I wonder if we shouldn't see any DNS timeout errors, or
a similar indication in the Declude log?

 

 

11:01 16:18 SMTPD(b9ad01c21fc9) [63.107.174.78] connect 38.108.41.55
port 9176

11:01 16:18 SMTPD(b9ad01c21fc9) [38.108.41.55] EHLO
mail.cashcosmetics.info

 

11/01/2008 16:18:56.820 qb9ad01c21fc9.smd Start: doprewhitelist

11/01/2008 16:18:56.820 qb9ad01c21fc9.smd END: doprewhitelist

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd nIPNOTINMX:-2 SPFPASS:-2 .
Total weight = -4.

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd NOT bypassing whitelisting of
E-mail with weight >=19 (-4) and at least 1 recipients (1).

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd NOT bypassing whitelisting of
E-mail with weight >=14 (-4) and at least 4 recipients (1).

11/01/2008 16:19:00.242 qb9ad01c21fc9.smd NOT bypassing whitelisting of
E-mail with weight >=12 (-4) and at least 6 recipients (1).

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Did not find [
[EMAIL PROTECTED] ] in [EMAIL PROTECTED] address book

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Finish Address Book WhiteList

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Tests failed [weight=-4]:
NOLEGITCONTENT=IGNORE[0] SPFPASS=IGNORE[-2] 

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd L1 Message OK

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Subject: Mineral Makeup

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED] IP: 38.108.41.55 ID: h1isqe01g74o

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Action(s) taken for
[EMAIL PROTECTED] = IGNORE  [LAST ACTION=IGNORE]

11/01/2008 16:19:00.367 qb9ad01c21fc9.smd Cumulative action(s) on this
email = IGNORE  [LAST ACTION=IGNORE]

 

> set type=ptr

> 38.108.41.55

Non-authoritative answer:

55.41.108.38.in-addr.arpa   canonical name =
55.0-63.41.108.38.in-addr.arpa

55.0-63.41.108.38.in-addr.arpa  name = mail.cashcosmetics.info

> 

 

Best Regards,

Andy




RE: [Declude.JunkMail] URIBL vs. SURBL

2008-10-17 Thread Andy Schmidt
Hi,

 

Thanks - yep, I found out they are blocking both my DNS servers - my other
systems can query their test points.  Oh well...

 

If your mail volume is low, we really don't care if you query the public
mirrors. But if your hardware or software is hammering our public mirrors
with 100's of thousands of queries, then we will ACL off your host. At that
point you can either do without our service, or request a data feed. Feel
free to raise your concerns with your vendor, as we would be happy to work
with them to provide their own resolvers for their customers to hit.

The same applies for free software. If you are using SpamAssassin, then
great. Since URIBL is part of default SpamAssassin installs, you
automatically benefit from our service. However, if you run a large mail
system with SpamAssassin, then there is a chance we will block your queries
on the public mirrors. We understand you may not realize you are querying
URIBL since it is enabled by default, and we will take the necessary steps
to notify you, if possible, before blocking your queries from our public
mirrors. 

So my option is their commercial (for fee) feed service.

 

Best Regards,

Andy

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Friday, October 17, 2008 3:29 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] URIBL vs. SURBL

 

I get good hits from both lists with invURIBL.  uribl.com is more
aggressive (IMO) than surbl.

I query SURBL first and then uribl second.  Even with that config (and
skip weights set) I still get more hits on URIBL.

F:\Logs\invURIBL>grep -i "message body found in multi.uribl.com" uribl-logfile1017.txt | wc -l
2030

F:\Logs\invURIBL>grep -i "message body found in multi.surbl.org" uribl-logfile1017.txt | wc -l
1328

Check your test points for URIBL.com.  They have been known to block DNS
servers that have high query rates since they now offer a data feed service.

 

Darrell

--
Check out http://www.invariantsystems.com for utilities for Declude,
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.

 

 

Andy Schmidt wrote:

> Hi,
>
> I checked two of my systems and noticed that apparently multi.uribl.com does
> not have any hits for its black and red lists EVER? I find that hard to
> believe.
>
> My system DOES check SURBL first, and only would pass a good message to
> URIBL. Is it really possible that URIBL is fully redundant to SURBL (I would
> have expected SOME overlap, but not 100%).
>
> Does anyone have any experience with multi.uribl.com?
>
> Best Regards,
> Andy

> 

> 

> 


[Declude.JunkMail] URIBL vs. SURBL

2008-10-17 Thread Andy Schmidt
Hi,

I checked two of my systems and noticed that apparently multi.uribl.com does
not have any hits for its black and red lists EVER? I find that hard to
believe.

My system DOES check SURBL first, and only would pass a good message to
URIBL. Is it really possible that URIBL is fully redundant to SURBL (I would
have expected SOME overlap, but not 100%).

Does anyone have any experience with multi.uribl.com?

Best Regards,
Andy






[Declude.JunkMail] "New" Blacklist / Whitelist

2008-10-15 Thread Andy Schmidt
a)   Pay $20.00 for another flavor of SPF - or do I see this wrong?

http://www.emailreg.org/

 

b)   http://www.barracudacentral.org/rbl

Hadn't seen this one mentioned? Any experiences? Effective? False Positives?




[Declude.JunkMail] http://tools.declude.com/headercode.php?code=8000004e

2008-10-14 Thread Andy Schmidt
That really does NOT help. I know it failed the BADHEADERS test, otherwise I
wouldn't use the BADHEADERS tool to look up the cause. The explanation
doesn't need to tell me what's okay, I need to know what's NOT. After
reading the explanation I'm just as smart as before:

 


Results


The E-mail failed the BADHEADERS test. This means the email failed with a
violation of the RFC. Your Mailserver accepted this message however it is
more than likely a SPAM or Virus message.

A proper Date was found - this is a good thing.

A proper To Address was found - this is a good thing.

A proper From Address was found - this is a good thing.

 




RE: [Declude.JunkMail] country chain

2008-10-08 Thread Andy Schmidt
Hi,

I think that counting countries is not necessarily helpful - especially if
you think of other continents. In Europe, many AOL IP blocks are registered
to the U.K. Knowing that an email went through two or three countries before
reaching you does not really imply anything, especially for corporate emails.

I also would think that, by now, spammers don't need to bother to relay
through many hops any more. With zombies they have the benefit of sending
mails through just one or two relays.

So, counting countries is likely to trap more legitimate corporate mail than
today's spam.

The old ROUTING test is the correct approach, in my opinion.

If we're looking to add more tests, then I'm sure there are better
candidates to be discussed to see if they are worth the investment in time:
DomainKeys, Sniffer-API (to avoid command line calls and heap limitations),
OCR, ...

Best Regards,
Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, October 08, 2008 9:47 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

If we look at the definition of the ROUTING Test. 

This test will analyze the route that an E-mail takes, and look for highly
inefficient routing that is very common in spam. For example, an E-mail
might get caught if it is sent from a dialup in the U.S. to another account
in the U.S., but is routed through a server in China, but not if it goes
from a mail server in China directly to a U.S. mail server. This may
occasionally produce false positives, especially if a mailing list is hosted
outside of the United States. This test will probably not work well if your
mail server is located outside of the United States.

In other words the test is triggered if the following routing occurs:

US --> CN --> US

Or 

CN --> US --> NG --> US

The other issue faced is that CANADA is part of the US IP block and this too
may include EL SALVADOR which in effect is

US --> US --> US which would not trigger the test.

We may want to create a new test which would trigger if multiple countries
are in the routing. Any thoughts would be welcome.

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

 






-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Wednesday, October 08, 2008 7:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

Anybody have any idea why the ROUTING test is not adding to my weight?

Here is another sample of where the ROUTING test should have added to the
score:

X-Country-Chain: UNITED STATES->EL SALVADOR->CANADA->destination
X-Spam-Tests-Failed: UCEPROTECT-LEVEL2-, NOABUSE, NOPOSTMASTER,
FILTER-COUNTRY [6]

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Monday, October 06, 2008 11:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain


I am still trying to figure this out

I have the following command in my global.cfg:

ROUTING spamrouting x   x   6   0

Yet the following sample did not trigger it:

X-Country-Chain: NIGERIA->UNITED STATES->CANADA->destination
X-Spam-Tests-Failed: FILTER-COUNTRY, WEIGHT10, WEIGHT11 [11]

Should there not have been another 6 points added for the path the mail
took?

Thank you

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Thursday, October 02, 2008 11:21 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] country chain


The ROUTING test was meant for this.  It checks for spam that was sent 
through multiple countries.

Another way is to add weight to individual countries using a filter and the 
COUNTRIES test which will fail based on a country code:
COUNTRIES  10  CONTAINS  CN

If you wanted to get really complicated, you could create an IP4R test for 
each country using the blacklist at http://countries.nerd.dk/




 Original Message 
> From: "Harry vanderzand" <[EMAIL PROTECTED]>
> Sent: Wednesday, October 01, 2008 11:35 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] country chain
> 
> When spam goes through several countries as in:
> 
>  
> 
> X-Country-Chain: UNITED ARAB EMIRATES->POLAND->CANADA->destination
> 
>  
> 
>  
> 
> Is there a way to add weight to mail that would have travelled this way?
> 
>  
> 
> Harry Vanderzand
> 
> NEW ADDRESS Effective Jan 24, 2008
> 
> Intown Internet
> 
> 117 Ruskview Road
> 
> Kitchener, ON, N2M 4S1
> 
> 519-741-1222
> 
>  
> 
> 
> 

RE: [Declude.JunkMail] country chain

2008-10-08 Thread Andy Schmidt
I believe the routing test looks for emails hopping back and forth across
major regions. So, if the email was sent from the U.S. to China and then
back to the U.S., it should trigger. But, if a multinational company has I/T
resources (or registered IP addresses) south or north of the border, or if
European consumers have ISP accounts in a neighboring country and use their
SMTP servers, it probably should not trigger.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Wednesday, October 08, 2008 7:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

Anybody have any idea why the ROUTING test is not adding to my weight?

Here is another sample of where the ROUTING test should have added to the
score:

X-Country-Chain: UNITED STATES->EL SALVADOR->CANADA->destination
X-Spam-Tests-Failed: UCEPROTECT-LEVEL2-, NOABUSE, NOPOSTMASTER,
FILTER-COUNTRY [6]

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry
vanderzand
Sent: Monday, October 06, 2008 11:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain


I am still trying to figure this out

I have the following command in my global.cfg:

ROUTING spamrouting x   x   6   0

Yet the following sample did not trigger it:

X-Country-Chain: NIGERIA->UNITED STATES->CANADA->destination
X-Spam-Tests-Failed: FILTER-COUNTRY, WEIGHT10, WEIGHT11 [11]

Should there not have been another 6 points added for the path the mail
took?

Thank you

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Thursday, October 02, 2008 11:21 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] country chain


The ROUTING test was meant for this.  It checks for spam that was sent 
through multiple countries.

Another way is to add weight to individual countries using a filter and the 
COUNTRIES test which will fail based on a country code:
COUNTRIES  10  CONTAINS  CN

If you wanted to get really complicated, you could create an IP4R test for 
each country using the blacklist at http://countries.nerd.dk/




 Original Message 
> From: "Harry vanderzand" <[EMAIL PROTECTED]>
> Sent: Wednesday, October 01, 2008 11:35 AM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] country chain
> 
> When spam goes through several countries as in:
> 
>  
> 
> X-Country-Chain: UNITED ARAB EMIRATES->POLAND->CANADA->destination
> 
>  
> 
>  
> 
> Is there a way to add weight to mail that would have travelled this way?
> 
>  
> 
> Harry Vanderzand
> 
> NEW ADDRESS Effective Jan 24, 2008
> 
> Intown Internet
> 
> 117 Ruskview Road
> 
> Kitchener, ON, N2M 4S1
> 
> 519-741-1222
> 
>  
> 
> 
> 




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
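The ROUTING behaviour described in this thread (a route that leaves a region and comes back, such as US -> CN -> US, fires; a straight path through several countries does not; and Canada and El Salvador sit in the US IP block, so "UNITED STATES->EL SALVADOR->CANADA" collapses to a single hop), next to the "count countries" alternative that Andy argues against, as an added Python example; it is not Declude's code. The region table and the treatment of the trailing "destination" token are assumptions.

```python
"""Models the ROUTING test as described in this thread (added example, not Declude's code).

The test fires when a route leaves a region and later returns to it
(US -> CN -> US, or CN -> US -> NG -> US); a straight path through several
countries does not fire. Countries that the thread says share the US IP
block (Canada, El Salvador) are collapsed into one region, which is why
"UNITED STATES->EL SALVADOR->CANADA" behaves like US -> US -> US.
The region table and the handling of the "destination" token are assumptions.
"""

# Assumed region table: countries not listed are treated as their own region.
REGION_OF = {"UNITED STATES": "US-BLOCK", "CANADA": "US-BLOCK", "EL SALVADOR": "US-BLOCK"}

ROUTING_WEIGHT = 6   # the weight from the "ROUTING spamrouting x x 6 0" line in this thread


def parse_country_chain(header, destination_country=None):
    """Split an X-Country-Chain value (with or without its 'X-Country-Chain:' prefix)
    into a list of hops. The trailing 'destination' token stands for the receiving
    server; it is replaced by destination_country when given and dropped otherwise."""
    value = header.split(":", 1)[1] if header.lower().startswith("x-country-chain:") else header
    hops = []
    for hop in (h.strip().upper() for h in value.split("->")):
        if not hop:
            continue
        if hop == "DESTINATION":
            if destination_country:
                hops.append(destination_country.upper())
            continue
        hops.append(hop)
    return hops


def collapse_regions(countries):
    """Map each hop to its region and merge consecutive identical regions."""
    merged = []
    for region in (REGION_OF.get(c, c) for c in countries):
        if not merged or merged[-1] != region:
            merged.append(region)
    return merged


def routing_bounces(header, destination_country=None):
    """True when the collapsed route revisits a region it already left."""
    seen = set()
    for region in collapse_regions(parse_country_chain(header, destination_country)):
        if region in seen:
            return True
        seen.add(region)
    return False


def routing_weight(header, destination_country=None):
    """Weight the ROUTING test would add under this model."""
    return ROUTING_WEIGHT if routing_bounces(header, destination_country) else 0


def count_countries(header):
    """The naive 'count distinct countries' idea from the thread, for comparison:
    it scores the straight NG -> US -> CA path as high as a genuine bounce."""
    return len(set(parse_country_chain(header)))


if __name__ == "__main__":
    # Constructed header lines, built from the chains quoted in this thread.
    for line in ["X-Country-Chain: UNITED STATES->EL SALVADOR->CANADA->destination",
                 "X-Country-Chain: NIGERIA->UNITED STATES->CANADA->destination",
                 "X-Country-Chain: UNITED STATES->CHINA->UNITED STATES->destination"]:
        print(line, "=> ROUTING weight", routing_weight(line, destination_country="CANADA"))
```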


