Will ROUTETO work to an external domain that is one not held on Imail?
Example: Message addressed to [EMAIL PROTECTED] Sfdomain.com is not hosted
on Imail, but Imail is doing SF for it.
That message triggers a test called SFDOMAINREROUTE with a ROUTETO action to
[EMAIL PROTECTED] Again,
Title: RE: [Declude.JunkMail] Declude using 50% cpu
Where is your DNS server you are using
in Imail?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Title: RE: [Declude.JunkMail] Declude using 50% cpu
BTW, with an average CPU usage of 44%
before Declude, you may be reaching the saturation point of the server. Not
critical, but from my understanding if average CPU usage is at 50%, you need to
start looking at things.
John
Here is what I am now doing to fight
problems with DNS servers going down.
I have installed DNS on the Imail
server. It has no zones and answers queries only from Imail and Declude. I have
set Imail DNS server to 127.0.0.1. I have then configured 4 forwarders in the
DNS server
I am not here. Your message was not delivered. Everyone went home.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Sheldon Koehler
Sent:
I don't want to go home, I want a vacation!
Dear Mr. Sheldon Koehler;
It is with great pleasure that I can announce that you are hereby granted an
official vacation.
You MUST take this vacation immediately, or forfeit the right to use it
forever.
To claim your official vacation, you must call
Let me guess...the mode of transportation will be a short wheel base,
Diamond T w/Browning 4X4 tranny and no trailer!
Ah, there you are Jim. ;) But it has to have a chain drive.
There is something down though that is affecting a lot of people.
Network
Solutions have 4 DNS servers that are
It's become blatantly apparent that there is a VERY STRONG NEED for an
application such as this. Are the Declude people listening?
With all the work that Scott and his interns do, I think this is perfectly
fine.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
I realize that a lot of e-mail goes to the spam folder that is addressed
to
non-existent (or not-anymore-existent) addresses. Is there any reason, why
Declude does not check the recipient's name before doing other tests?
Wouldn't it be better to return e-mail to non-existent addresses instead
1. If you want no e-mail going out, configure Imail SMTP to send all via a
smart host, then point it at 127.0.0.1.
2. My program match can be used along with catchallmails in JM.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
Imail SMTP security
Imail Kill list
Declude Virus
Declude JM
Imail Rules
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Robert Forsyth
Sent:
-
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 11, 2003 2:31 PM
Subject: RE: [Declude.JunkMail] Declude Virus Pro and Fprot (DOS)
I have Declude send out a vulnerablility.eml message. If the receiver
recognizes it, he replies and I put
What do you mean AutoWhitelist? Is this a declude product or custom
script?
I think he is referring to the add-on product for Declude JunkMail.
www.eservicesforyou.com/products/autowhite.html
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
---
[This
Sending messages from a hotmail address but not through a hotmail server may
not be allowed under the LA.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On
I have Declude send out a vulnerablility.eml message. If the receiver
recognizes it, he replies and I put the files back into the spool folder
letting them know to have the sender fix the problem.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Ebay and Spamdomians
What is the LA?
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 4:30 PM
Subject: RE: [Declude.JunkMail] Ebay
Seems like that would be dependent on the timing of the test order and when
that line was added.
Scott, can a variable be used in a filter with an equation like this:
HEADER 0 CONTAINS %REVDNS%=64.214.161.171
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
Kami, you have already used up your
quota of Mondays for the month of August. One more, and you get 50 lashes with
a wet noodle.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From:
Do you mean as a Declude ONLY test?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Tuesday, August 19, 2003 7:18 PM
To:
As one of the earlier testers and helped develop the variable scale of
Alligate, I can understand your position. I have a client that gets a lot of
e-mail from the Far East and a lot of bcc broadcasts and lists. Many of
these show elements of spam, but are legit. That is what makes it hard.
There
I don't want to knock Alligate, it has some nice functionality,
especially when used without Declude (auto whitelisting and digest
notification), and it does what it says, but it has a relatively high
false positive rate in the default configuration and therefore it can't
be scored higher
That is not possible at this time with Declude, and has been discussed. Some
other tests may be looking at the ability to do that.
However, while the concept is interesting, your example has the potential to
delete legits.
The reason is taking action based on blacklisted keywords can be
That line sounds like part of the generic otherpostmaster.eml file, and
therefore is probably a Declude user. Post the full headers, or send off
list so we can pursue this and get this person to fix it.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Let's see here. There is a way to do this.
Set up a filter:
MAILFROM 50 ENDSWITH domain.com
Then use program MATCH.
In the from file, list all valid addresses.
In the to file, list only @domain.com
Give the test a weight of -50.
Then, any message listed as a from address
The problem is when it comes to notifications
and requeuing. If a message gets stopped by banned extension first, and it is
infected, you are going to be sending out a notice to the recipient of the
blocked message. He is going to tell you hey, I know that send, and such and
you are going
Yes, Declude Virus does this. Declude Virus is fired before Declude JM.
It is checked in this order by default:
Imail SMTP security
Declude Virus virus scan
Declude Virus banned extension
Declude Virus vulnerabilities
Declude JM
Imail Rules
Delivery
John Tolmachoff MCSE CSSA
Check what ftp server you are connecting to.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, August 25, 2003 7:54
Yes, this has been reported both on Imail list and this list at 08/24.
news.prodigy.com
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Chuck
You do not want Declude to stop at a certain
point. What if it stops, right before the next test which is a whitefilter type
test?
With the weighting system, it is
important to run all tests to get the final weight.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For
Yes, many of us are using Alligate.
Please see the discussion from last week:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg10255.html
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
Please see the link to the archives in my earlier post on this.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of bill.maillists
Sent: Thursday,
-- Original Message --
From: John Tolmachoff \(Lists\) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 28 Aug 2003 09:03:45 -0700
Please see the link to the archives in my earlier post on this.
John Tolmachoff MCSE CSSA
Engineer/Consultant
Have you tried opening one in notepad?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of serge
Sent: Thursday, August 28, 2003 6:36 PM
To: [EMAIL
Please note, there are 2 different items:
AUTOWHITELIST is a Declude JunkMail option.
AutoWhite for Declude is a 3rd party add on.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
---
[This E-mail was scanned for viruses by Declude Virus
If the AUTOWHITE from John how much is it? I don't see a price on his
website.
It is in the information.pdf.
Standard, $75
Professional, $175
Enterprise, Pending
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Unless you send e-mail to your self, your e-mail address will not be listed
in your file.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Keith
PROTECTED]
Subject: RE: [Declude.JunkMail] AUTO Whitelist question
This file you speak of, is it an ascii file that can be edited? What if
someone wants to remove an email address in it?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
Have you checked the log?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of serge
Sent: Friday, August 29, 2003 8:01 PM
To: [EMAIL PROTECTED]
Subject:
Entire log for that message please, not just a snippet. That does not show
total weight or final action and such.
What is your loglevel at?
You might want to send a copy of the message, with full headers, and your
Global.cfg file to Scott or someone else like me off list to further review
it.
I think you hit the nail on the head on the differences on how this is to be
done.
Some want to be able to load on the same machine not using IIS, some want
IIS.
Some want to be able to load on a different machine not using IIS, some want
IIS.
John Tolmachoff MCSE CSSA
Engineer/Consultant
and watch some TV with my spare time...
Matt
John Tolmachoff (Lists) wrote:
I think you hit the nail on the head on the differences on how this is to be done. Some want to be able to load on the same machine not using IIS, some want IIS. Some want to be able to load on a different machine not using
Configure a filter test looking for body words and HOLD on that test.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent:
Sharyn, I am a little surprised. You usually keep up on things.
Guess you have not seen any of the posts regarding OSRelay in the last 2
weeks?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
There is a new PREWHITELIST ON option that will run some of the
whitelists before the tests are run.
Can you explain the some part?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Copy the new tests that I want to use to the old file?
That would probably be best, as replacing the file would undo any tweaks you
have done for your situation.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Is there a test that can be based on the results of 2 or more other
specific tests? ex: an email that fails both HELOBOGUS and
BADHEADERS would fail HELOHEAD and have x number of points
added/deducted to it?
No, that is not possible. It is something that has been requested, but it
looks
No, assuming that the CATCHALLMAILS catchallmails x x 0 0 line is in
there (it is in the default config file).
By default, it is commented out, no?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Actually, it could be a minor change to the processing -- at the
$default$.junkmaillevel, rather than Global.cfg -- as this is not a
test, but a handling of the test results. It would mean order
dependence,
usually (or the processing of combining tests done first, then other
handling
You would need to block it before Imail receives it.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James R. Skivers
Sent: Thursday, September 04, 2003 8:19 AM
To:
So, just a general question, does it appear to anyone else that the
challenge/response software at the consumer level, contributes to the
level
of spam anyone is receiving?
It is not really SPAM. (Well, sort of.)
It is the software trying to send a message to the from address for
validation.
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, September 04, 2003 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Using Declude to block Sobig Virus
You would need to block it before Imail receives it.
John Tolmachoff
I kind of have mixed feelings about a post like this.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Jeremy Marquardt
Sent: Thursday,
It is known that AOL, Hotmail and Yahoo will often fail NOABUSE,
NOPOSTMASTER and REVDNS, as they are not setup nor do they care.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
, 2003 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Warnings in HJ log
Are those the full headers? They do not include any Received: headers.
-Scott
At 12:46 PM 9/5/2003, John Tolmachoff \(Lists\) wrote:
Here is the header: (Retrieved from the Exchange
Question, if a test is defined for use in weighting only, and no action will
be performed based on that test, does it have to be listed in the
$default$.junkmail and action portion of Global.cfg?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
A feature that delays incoming mail from unfamiliar (new) source IPs would
allow heuristic tests (like Message Sniffer) and rbls time to add coding
for the messages before processing them. That is, if the connecting IP is
unknown then Declude could park the message in a folder for some amount
I would actually think that this should be a configuration option in Imail,
where if you wanted to, each incoming message, if to more than one recipient
on the local server, would be separated.
In other words, if Imail received a message destined to 3 people on the
server, instead of creating
Sharyn, if your DNS server is on the same box as Imail, set it up to use
127.0.0.1, not the public IP address.
Also, flush the cache on both Imail DNS cache and the W2K DNS.
Have you checked to see if the W2K DNS is passing both tests?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For
How about a test like this:
NUMBERSINMAILFROM
It would be similar to SUBJECTSPACES but would count the amount of numbers
in the mail from address. You could then configure it for say if 10 or more,
add 5 to the weight and so forth.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices
I am sure I can do this but thought I would ask:
SUBJECTSPACES1 subjectspaces 15 x x 10 0
SUBJECTSPACES2 subjectspaces 30 x x 10 0
Any message with 30 or more spaces would get a weight of 20 added, correct?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Any thoughts, good or bad?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, September 09, 2003 10:32 PM
OK, my suggested weights are too high.
Remember, the point of this test is to be used in the weighting system only.
Pagers have 10 numbers, so I would actually start at either 11 or 15.
An old CompuServe address will most likely not be failing other tests to
where this one would put it over.
In your examples, I only see 4 that would be FP under this, the ones from
microsoft.com, unitiedmedia.com, yahoo groups, and Travelocity.com.
newsletters.microsoft.com is already in a whitefilter.
Yahoo groups are already in a whitefilter for known problems.
Travelocity is a legit company, and
Thanks Andrew for the update.
I wonder if this behavior has been changed in Exchange 2003?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of
] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, September 11, 2003 7:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Cautionary note on BASE64
Thanks Andrew for the update.
I wonder if this behavior has been changed in Exchange 2003
Since Declude has nothing to do with messages being received or sent from
the server, or POP3 service and such, how could disabling Declude affect
this?
What version of Declude.exe are you using?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
I believe all tests are still run, just no action taken.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Friday, September
Note the conspicuously missing Declude headers. Any idea what would be
causing Declude to not add its headers to this persons messages? Scott,
if
you would like me to run debug logging, I can, but who knows how long
before
this person posts to the list again.
Do you have Imgate stripping
morning I'm going to spend a couple of hours with
the server offline looking deeper into the problem. It's
difficult to really get down to the problem when it's in a
production context.
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Friday
It's working fine on all other servers that we manage.
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Timing out with latest Microsoft patch
To continue the discussion on encoded subject lines, the ones I see as spam
always have a short body and is always HTML like the following: (Without the
extra spaces I threw in there.
html body
cen te r !--pfuhja2jjk-- a href=http : //www . currency4.com
/host/d efault.asp?I D=omni img
Any one have an updated list to share?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just
Is there a way to have an action of moving a D and Q file to a specified
folder, (not a mailbox.) something like the ROUTETO action?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Is there a way to have an action of moving a D and Q file to a specified
folder, (not a mailbox.) something like the ROUTETO action?
Do you mean a directory on the hard drive (that's why we had to rename the
FOLDER action to MAILBOX)? We're planning to change the HOLD action to
specify a
Keith, you have good stories.
I'm a novice in a group like this.
You must be doing something right to get MS to send an Engineer out to you.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
Open your sender.eml with notepad, then copy and paste into a new text
document.
Outlook treats this as an attached e-mail and messes with it.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
My program MATCH might help. It looks at the To address and the From
address, and if they are both listed in the respective text files, it returns a
fail which you could then weight at say -100.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original
Local to local does not require authentication.
If you look at the logs or the Q file, I bet Imail treats it as such and
either does not add the authentication line to the Q file.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
Filter list for what?
I have 9 different filter lists that are very effective. Each serves a
different function.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL
NO. It only checks the servers for the DNS based tests. Each test is run
once. So if both servers fail the test, the test is counted as failed, not
failed twice.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL
Of serge
Sent: Saturday, September 20, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HopHigh
and if only one server fails the test, the test is also counted as failed?
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED
Has nothing to do with AD. It has to do with you do not have forwarders
configured, instead relying on root servers, which of course are run by
you-know-who.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL
Ah yes, using an unregistered domain name with a real TLD is a no-no. When
are people using AD going to get this?
AD must be configured correctly or else problems will come up when you least
expect it.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Maybe, just maybe, people will start to
realize that hiring someone to do their AD for cheap is not a good idea.
You get what you pay for.
I can not count the number of AD setup
jobs I did not get because they found some one that would do it for 1/3 the price.
I tried
I have come across legit messages that were caught by this because some
stupid person had lots of spaces after the last word or character.
Is there a way we can mitigate this by ignoring subject spaces after the
last character?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
This comes up every few months. For some reason, it appears SpamCop goes
through a mean period and starts listing servers quickly.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
That is the line.
However, that is an older version. Or is that OE in IE 6.0? That line does appear when using OE in IE 6.0. However, OE inserts a line above that to where it should look like this:
X-Mailer: Microsoft
So, to review, the filter should look like this, correct:
FORGEDHELO-FILTER filter M:\IMail\Declude\ForgedHelo-Filter.txt x 0 0
# To deduct weight for the Netscape issue
HEADERS -7 CONTAINS mozilla
# In case you have mail gateways, deduct equal weight for these hosts
HELO -7 ENDSWITH
On that same subject, I wonder if the same computers affected with Sobig are
the ones sending out Swen?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On
Actually, you want to apply the weight in the Global.cfg, 7 in this
case, and then all of your positives should be listed as 0 in the filter
file and the Mozilla exception should be scored as a -7. The way it is
now, it will credit 7 points to any message claiming to be Mozilla
generated,
With the loss in the last month of several spam lists, I am reviewing what I
have been using.
This is the current list. Any recommendations on additions?
DSBL ip4r list.dsbl.org * 6 0
ORDB ip4r relays.ordb.org *
despite the lack of scoring. I'm using some other tweaks such as doing
an IS instead of CONTAINS for the FQDN, and listing the addresses with
and without the mail. in front of my domains since my MX records use the
mail. subdomain.
Actually, would it not be better to use ENDSWITH rather than
Can't the HELO contain both a FQDN and IP address?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
In this filter test, will using HELO be the same if sending server uses
EHLO, or would we need a line EHLO also?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL
But then that would cause a problem as I
believe Karen had pointed out of when you have a backup MX that sends to the
primary.
Then again, 7 is only about 1/3 of my
hold weight.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
It appears there is a division, those that feel CONTAINS or ENDSWITH should
be used, and those that feel IS should be used.
I am going to try using ENDSWITH while subtracting weight for my backup MX.
I do not whitelist that IP, as Scott has before recommended not doing that,
and I agree. Rather, I
Just an idea. In addition to negative scoring in NOLEGITCONTENT and
IPNOTINMX not failing (and crediting points in many configurations), could
it be possible that you have some negative weight tests in your WORDFILTER
file? Declude will only mark one instance of a filter line in the logs even
something??
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, September 25, 2003 2:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Another very effective filter test
Everybody's experiences with spam test, including DNS based tests, are
going
to be different. Why be so hesitant to try a test to see how it works for
you. Simply setup the test in your global.cfg and set the action to
IGNORE
or LOG, that way you can evaluate the test results without
In the Global.cfg file, add the following line:
XINHEADER X-RBL-Warning: Total weight: %WEIGHT%
XOUTHEADER X-RBL-Warning: Total weight: %WEIGHT%
Put that above all other header lines.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com