Re: [Declude.JunkMail] Spamhaus
FYI, from Steve Linford of Spamhaus:

http://groups-beta.google.com/group/news.admin.net-abuse.email/msg/2d050ab220faf931
http://www.spamhaus.org/zen/

Bill

David Sullivan wrote the following on 11/15/2006 12:58 PM -0800:

Does anyone have the proper setup in Declude to query sbl-xbl.spamhaus.org and interpret the result? I don't think I'm doing it correctly.

Thanks
-David

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: pgp in emails - can you read my emails?
There are a few e-mail encryption services out there (e.g., see Sigaba Zix, among others). We provide an encrypted e-mail service for our healthcare customers that encrypts messages, not only in transport, but while stored in their mailboxes, as well.

We also provide a TLS/SSL gateway server that requires the e-mail client (Outlook, OE, Thunderbird, Opera, Eudora, etc.) to establish a TLS/SSL session to the server on either Port 25 (SMTP), 465 (SMTPS) or 587 (Submission) and once the encrypted session is established, then the SMTP Authentication challenge takes place before the server will accept a message for relaying (that way plain text passwords are encrypted in transport). Utilizing TLS/SSL over ports 465 and 587, as well as 25, enables us to also support those customers that may be using an ISP that blocks port 25 outbound. Port 25 inbound and outbound can be set to advertise its TLS/SSL support, and can either require it or accept it, if offered.

Here is a sample header from a message delivered through one of our secure gateways by an e-mail client:

Received: from SOMEHOST (unknown [xxx.xxx.xxx.xxx])
    (using TLSv1 with cipher DES-CBC3-SHA (168/168 bits))
    (No client certificate requested)
    by mail.example.com (Secure E-Mail Service) with ESMTP id 1234567

We do not publish the SMTP Auth header, but could if we wanted to trigger spam filtering bypass for authenticated users. However, in our case, only authenticated users can relay through these gateways, so the header is unnecessary. And if you wanted to be "real" secure, you could request or even require client certificates for two-way authentication.

This same server also supports IMAPS (port 993), POP3S (port 995), and HTTPS (port 443).

And best of all, it is all done with open source software, from the OS to all necessary e-mail applications, including spam filtering and virus scanning. It's a really nice setup and is very fast and efficient, as well.

If you would like all of the gory details, e-mail me off-list.

Bill

----- Original Message -----
From: Craig Edmonds
To: declude.junkmail@declude.com
Sent: Thursday, September 14, 2006 3:26 AM
Subject: [Declude.JunkMail] OT: pgp in emails - can you read my emails?

Hi All,

Some clients have voiced some concern over the ability of me and my team having access to their mail whilst it passes through my mail network.

Of course, I don't engage in reading people's emails whilst performing email administration but nevertheless the opportunity is there and we do have access to it.

I have been reading a little about PGP in relation to email and it looks like they (the clients) have to make the effort to secure their mail on their computer first before sending.

Is there any guidance/tips/wording I can give my clients to give them the option to make their emails secure?

Is there a solution out there I can enable server side which automatically encrypts incoming emails?

If emails are encrypted, can declude filter them?

How does everyone else answer the question of "can you read my emails question"?

I am using IMAIL, WIN 2003, Declude 4.3.7 if that's any help.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]
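The sample Received header in the message above records the TLS protocol and cipher negotiated for that hop. As an added example (not part of the original post, nor the gateway's own software), this Python sketch parses that annotation from every Received header of a message and flags hops with no TLS record, a legacy protocol version, or a weak cipher. The policy lists, the function names, and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string

# TLS annotation in the form shown in the sample header:
#   (using TLSv1 with cipher DES-CBC3-SHA (168/168 bits))
TLS_RE = re.compile(
    r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<used>\d+)/(?P<avail>\d+) bits\)"
)
BY_RE = re.compile(r"\bby (?P<host>\S+)")

# Example policy (an assumption of this sketch, adjust to local requirements).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PARTS = ("DES", "RC4", "NULL", "EXP", "MD5")  # DES also matches 3DES suites
MIN_BITS = 128


def parse_hop(received):
    """Extract the receiving host and TLS details from one Received header value."""
    flat = " ".join(received.split())  # undo header folding
    by = BY_RE.search(flat)
    hop = {"by": by.group("host") if by else None, "tls": None}
    m = TLS_RE.search(flat)
    if m:
        hop["tls"] = {
            "protocol": m.group("proto"),
            "cipher": m.group("cipher"),
            "bits": int(m.group("used")),
            "no_client_cert_requested": "(No client certificate requested)" in flat,
        }
    return hop


def findings(hop):
    """Return a list of policy findings for a parsed hop (empty list means OK)."""
    tls = hop["tls"]
    if tls is None:
        return ["no TLS recorded for this hop"]
    out = []
    if tls["protocol"] in LEGACY_PROTOCOLS:
        out.append("legacy protocol " + tls["protocol"])
    if any(part in tls["cipher"].upper() for part in WEAK_CIPHER_PARTS):
        out.append("weak cipher " + tls["cipher"])
    if tls["bits"] < MIN_BITS:
        out.append("only %d bits of key" % tls["bits"])
    return out


def audit_message(raw):
    """Audit every Received header, newest hop first: [(receiving host, findings)]."""
    msg = message_from_string(raw)
    report = []
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        report.append((hop["by"], findings(hop)))
    return report


# Constructed sample message. The middle hop reuses the header quoted above with
# a documentation IP address filled in; the other two hops are invented.
SAMPLE = """\
Received: from mx.example.net (unknown [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\t(No client certificate requested)
\tby store.example.com (Secure E-Mail Service) with ESMTPS id 7654321
Received: from SOMEHOST (unknown [198.51.100.7])
\t(using TLSv1 with cipher DES-CBC3-SHA (168/168 bits))
\t(No client certificate requested)
\tby mail.example.com (Secure E-Mail Service) with ESMTP id 1234567
Received: from client.example.org (unknown [203.0.113.5])
\tby relay.example.org with SMTP id 0000001
From: a@example.org
To: b@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for host, problems in audit_message(SAMPLE):
        print(host, "->", "; ".join(problems) or "ok")
```

Only Received headers added by servers you operate can be trusted; anything below them in the header stack is supplied by the sending side and can be forged.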
Re: [Declude.JunkMail] 4.3.7 3.1.1 Released
David, how does one go about finding and downloading v3.1.1 for Declude? I don't see it available for download on my download page at the Declude web site.

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: declude.virus@declude.com; declude.junkmail@declude.com
Sent: Friday, August 04, 2006 5:48 AM
Subject: [Declude.JunkMail] 4.3.7 3.1.1 Released

Declude Security Suite

4.3.7
JM ADD Added x-header for CommTouch RefID
JM FIX COPYFILE not working correctly when COPYFILEACTIONWITHHEADERS ON directive
JM FIX Declude crash fix. Buffer Overflow reading the From: line in the Headers
SM FIX Failed .hdr to be DELETED rather than moved to the \error director
HI FIX Spam messages set for HOLD and DELETE moved back to the Spool when intercepted by Hijack

3.1.1
JM FIX COPYFILE not working correctly when COPYFILEACTIONWITHHEADERS ON directive
SM FIX QUEUEFILE_SAVEFILE the log is showing the correct directory path
SM FIX Failed .hdr to be DELETED rather than moved to the \error director
DEC FIX A Global variable being initialized more than once has been corrected
HI FIX Spam messages set for HOLD and DELETE moved back to the Spool when intercepted by Hijack
EVA FIX BANEXT buffer overflow
EVA FIX ALLOWVULNERABILITIESFROM (for user)
Re: [Declude.JunkMail] 4.3.7 3.1.1 Released
David, I have not upgraded to any 4.x version of Declude yet, but I still do not see a link for downloading anything but a 4.x version on my downloads page. Please send me the link for the 3.1.1 upgrade download (I am currently running 3.1.0).

Thanks,

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, August 09, 2006 11:48 AM
Subject: RE: [Declude.JunkMail] 4.3.7 3.1.1 Released

Bill,

On the my account page your host record should have the download available if you have not upgraded to 4.x

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, August 09, 2006 2:42 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] 4.3.7 3.1.1 Released

David, how does one go about finding and downloading v3.1.1 for Declude? I don't see it available for download on my download page at the Declude web site.

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: declude.virus@declude.com; declude.junkmail@declude.com
Sent: Friday, August 04, 2006 5:48 AM
Subject: [Declude.JunkMail] 4.3.7 3.1.1 Released

Declude Security Suite

4.3.7
JM ADD Added x-header for CommTouch RefID
JM FIX COPYFILE not working correctly when COPYFILEACTIONWITHHEADERS ON directive
JM FIX Declude crash fix. Buffer Overflow reading the From: line in the Headers
SM FIX Failed .hdr to be DELETED rather than moved to the \error director
HI FIX Spam messages set for HOLD and DELETE moved back to the Spool when intercepted by Hijack

3.1.1
JM FIX COPYFILE not working correctly when COPYFILEACTIONWITHHEADERS ON directive
SM FIX QUEUEFILE_SAVEFILE the log is showing the correct directory path
SM FIX Failed .hdr to be DELETED rather than moved to the \error director
DEC FIX A Global variable being initialized more than once has been corrected
HI FIX Spam messages set for HOLD and DELETE moved back to the Spool when intercepted by Hijack
EVA FIX BANEXT buffer overflow
EVA FIX ALLOWVULNERABILITIESFROM (for user)
[Declude.JunkMail] Fw: New ClamAV scam database
For anyone that is possibly running ClamAV for virus scanning, and is already taking advantage of the added phish detection provided by Steve Basford's phish.ndb, he has put together another database geared to tagging scam e-mails, including those pesky image spams.

The new scam database is working great here, lots of catches so far and no FPs yet. If you want to give it a run, please do heed Steve's request at the end of this message about scripting the downloads for the new scam.ndb, at least for now...

Thanks,

Bill

----- Original Message -----
From: Steve Basford [EMAIL PROTECTED]
To: Bill Landry [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 12:51 PM
Subject: Re: scam database

Hi Bill,

Just to let you know I've done a big update to the scam database, which isn't publicly known about yet but it's working a treat this end, with a lot of those image spams :)

If you want to give a manual trial run: http://www.sanesecurity.com/clamav/scam.ndb.gz

Cheers,
Steve

Bill Landry wrote:

Wow, Steve, this is working very well! Nice work. Do you mind if I let others know about the availability of this new scam database?

That's great! It's working too, for me at work... and two other brave test sites :)

Yep, you can let people know but... Please could you ask people to only *manually* download the file for the time being, no scripts, it'll only get updated once a day at the moment, when I see a big new image spam run:

Main Site: http://www.sanesecurity.com/clamav/
Scam Database: http://www.sanesecurity.com/clamav/scam.ndb.gz
Phishing Database: http://www.sanesecurity.com/clamav/phish.ndb.gz

Glad it's helping :)

Cheers,
Steve
[Declude.Virus] Fw: New ClamAV scam database
For anyone that is possibly running ClamAV for virus scanning, and is already taking advantage of the added phish detection provided by Steve Basford's phish.ndb, he has put together another database geared to tagging scam e-mails, including those pesky image spams.

The new scam database is working great here, lots of catches so far and no FPs yet. If you want to give it a run, please do heed Steve's request at the end of this message about scripting the downloads for the new scam.ndb, at least for now...

Thanks,

Bill

----- Original Message -----
From: Steve Basford [EMAIL PROTECTED]
To: Bill Landry [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 12:51 PM
Subject: Re: scam database

Hi Bill,

Just to let you know I've done a big update to the scam database, which isn't publicly known about yet but it's working a treat this end, with a lot of those image spams :)

If you want to give a manual trial run: http://www.sanesecurity.com/clamav/scam.ndb.gz

Cheers,
Steve

Bill Landry wrote:

Wow, Steve, this is working very well! Nice work. Do you mind if I let others know about the availability of this new scam database?

That's great! It's working too, for me at work... and two other brave test sites :)

Yep, you can let people know but... Please could you ask people to only *manually* download the file for the time being, no scripts, it'll only get updated once a day at the moment, when I see a big new image spam run:

Main Site: http://www.sanesecurity.com/clamav/
Scam Database: http://www.sanesecurity.com/clamav/scam.ndb.gz
Phishing Database: http://www.sanesecurity.com/clamav/phish.ndb.gz

Glad it's helping :)

Cheers,
Steve

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Fw: New ClamAV scam database
Sure, just drop the ndb files into the same directory where your daily.cvd and main.cvd files are located and then restart your clamd service (if you have it running as a service).

Bill

----- Original Message -----
From: Craig Edmonds
To: declude.junkmail@declude.com
Sent: Monday, August 07, 2006 4:22 PM
Subject: RE: [Declude.JunkMail] Fw: New ClamAV "scam" database

I am using clamav on windows. Can I do this?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Doyle
Sent: Tuesday, August 08, 2006 12:59 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fw: New ClamAV "scam" database

Bill

Thank you for the heads up.

In the process of reviewing this, I discovered I'd not updated my download scripts to reflect the .gz extension and my last update had occurred last month. I vaguely recall someone pointing this out some time ago. I rewrote my script to download and unzip the phish.ndb.gz and all is once again well.

I've had no problems with the phishing db and have come to rely on it. I look forward to the scam results.

I'm pretty happy with my setup now.

Declude (latest build)
Sniffer
AGV, f-prot (soon to be gone) and clamAV
invURIBL

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Monday, August 07, 2006 1:40 PM
To: declude.junkmail@declude.com; declude.virus@declude.com
Subject: [Declude.JunkMail] Fw: New ClamAV "scam" database

For anyone that is possibly running ClamAV for virus scanning, and is already taking advantage of the added "phish" detection provided by Steve Basford's phish.ndb, he has put together another database geared to tagging "scam" e-mails, including those pesky image spams.

The new scam database is working great here, lots of catches so far and no FPs yet. If you want to give it a run, please do heed Steve's request at the end of this message about scripting the downloads for the new scam.ndb, at least for now...

Thanks,

Bill

----- Original Message -----
From: "Steve Basford" [EMAIL PROTECTED]
To: "Bill Landry" [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 12:51 PM
Subject: Re: scam database

Hi Bill,

Just to let you know I've done a big update to the scam database, which isn't publicly known about yet but it's working a treat this end, with a lot of those image spams :)

If you want to give a manual trial run: http://www.sanesecurity.com/clamav/scam.ndb.gz

Cheers,
Steve

Bill Landry wrote:

Wow, Steve, this is working very well! Nice work. Do you mind if I let others know about the availability of this new scam database?

That's great! It's working too, for me at work... and two other brave "test" sites :)

Yep, you can let people know but... Please could you ask people to only *manually* download the file for the time being, no scripts, it'll only get updated once a day at the moment, when I see a big new image spam run:

Main Site: http://www.sanesecurity.com/clamav/
Scam Database: http://www.sanesecurity.com/clamav/scam.ndb.gz
Phishing Database: http://www.sanesecurity.com/clamav/phish.ndb.gz

Glad it's helping :)

Cheers,
Steve
Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?
Sounds like Cloudmark (http://www.cloudmark.com/) and their free Razor service (http://razor.sourceforge.net/), which I have already been using successfully for a few years now.

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, July 19, 2006 9:33 AM
Subject: RE: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

Darrell,

1. Are components of the message hashed and some type of hash is sent to CommTouch for analysis?

RPD extracts 2 types of patterns from the message, Distribution Patterns (from the header), and Structural Pattern (mathematical sample of the body and attachments). These patterns don't contain anything to violate privacy concerns. They don't use things like recipient information, and the structural patterns are a random sampling of the bytes of the message (not looking for the content or meaning of the words). These patterns make up what is called a digital signature, that is one way hashed using md5 and sent to CT detection centers where the hash is compared to CT DB hashes. A reply is sent back with the result classification. This process takes about 150ms.

2. What ports/protocol does it communicate with CommTouch back on?

The CT Engine communicates to CT centers over port 80. A proprietary protocol is used for this communication, it is not standard HTTP. As long as the box can access the internet (with or without a proxy), CT can access our centers. There is also a built-in failover mechanism.

3. Is there a mechanism that if false positive is detected to do a what we call when using Sniffer a rule panic?

There is a procedure that Declude or users can report FP's to CommTouch. I am having a KB article written on how to do this.

4. Is there a trial?

Unfortunately not as every time CT is activated we pay a fee.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, July 19, 2006 10:26 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

David,

Are components of the message hashed and some type of hash is sent to CommTouch for analysis?

What ports/protocol does it communicate with CommTouch back on?

How does one handle false positives? through Declude or directly to CommTouch? Is there a mechanism that if false positive is detected to do a what we call when using sniffer a rule panic?

Is there a trial?

Darrell

David Barker writes:

Darrell,

It is not a DNS test. Commtouch analyzes large volumes of Internet traffic in real time. New spam and Malware outbreaks are identified as soon as they emerge, and recorded in the Commtouch Detection Center. The Commtouch in Declude queries the Commtouch Detection Center and receives a message classification in real-time. The result is instant protection from new outbreaks.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, July 19, 2006 7:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

Also, to piggy back on this - we would like to know exactly how this works. Is something downloaded to your system is it DNS based etc?

Darrell
-- --
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Scott Fisher [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Friday, July 14, 2006 5:26 PM
Subject: Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

-David,

Just curious is there a free one-month test drive option for CommTouch or something similar? As one of those pesky non-ISP's the $195 a year is pretty reasonable, but I'd really like to test drive it before I buy it. Not to be offensive, but I have no belief of the 100% no false positive pitch and the 99.99+% spam catch rate pitch. Trust me I get many a phone call hyping those terms.

And I'll have to make that jump to Declude 4.x too.

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, July 18, 2006 2:42 PM
Subject: RE: [Declude.JunkMail] Declude 4.3

There are restrictions on CommTouch being used by Service Providers we had to ensure that NEW customers (ie. Service Providers After 1 June 06) understand the licensing restrictions. Current Service Providers (ie. Before 1 June 06) are under no restrictions for using Declude; only the CommTouch add-in component. However we have managed to come to an agreement with CommTouch to enable our legacy customers (ie. Service Providers Before 1 June 06) to take advantage of CommTouch under a revenue share program, this program is not being forced
Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?
Also check out the free Distributed Checksum Clearinghouse (http://www.rhyolite.com/anti-spam/dcc/), which we have also been using successfully for a few years. Not to mention the old Pyzor service (http://pyzor.sourceforge.net/), which is still available and functioning (Razor spun off from this project) and we also use. And finally, see iXhash (http://wiki.apache.org/spamassassin/iXhash), which we also just started using about a month ago.

I guess what I am getting at here is that there are lots of free choices/options/solutions available out there without having to resort to pricey and convoluted options like CommTouch. Had Declude queried its customer base before getting in bed with CommTouch, they might have come up with some better/cheaper/more acceptable solutions...

Bill

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, July 19, 2006 10:19 AM
Subject: Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

Sounds like Cloudmark (http://www.cloudmark.com/) and their free Razor service (http://razor.sourceforge.net/), which I have already been using successfully for a few years now.

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, July 19, 2006 9:33 AM
Subject: RE: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

Darrell,

1. Are components of the message hashed and some type of hash is sent to CommTouch for analysis?

RPD extracts 2 types of patterns from the message, Distribution Patterns (from the header), and Structural Pattern (mathematical sample of the body and attachments). These patterns don't contain anything to violate privacy concerns. They don't use things like recipient information, and the structural patterns are a random sampling of the bytes of the message (not looking for the content or meaning of the words). These patterns make up what is called a digital signature, that is one way hashed using md5 and sent to CT detection centers where the hash is compared to CT DB hashes. A reply is sent back with the result classification. This process takes about 150ms.

2. What ports/protocol does it communicate with CommTouch back on?

The CT Engine communicates to CT centers over port 80. A proprietary protocol is used for this communication, it is not standard HTTP. As long as the box can access the internet (with or without a proxy), CT can access our centers. There is also a built-in failover mechanism.

3. Is there a mechanism that if false positive is detected to do a what we call when using Sniffer a rule panic?

There is a procedure that Declude or users can report FP's to CommTouch. I am having a KB article written on how to do this.

4. Is there a trial?

Unfortunately not as every time CT is activated we pay a fee.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, July 19, 2006 10:26 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

David,

Are components of the message hashed and some type of hash is sent to CommTouch for analysis?

What ports/protocol does it communicate with CommTouch back on?

How does one handle false positives? through Declude or directly to CommTouch? Is there a mechanism that if false positive is detected to do a what we call when using sniffer a rule panic?

Is there a trial?

Darrell

David Barker writes:

Darrell,

It is not a DNS test. Commtouch analyzes large volumes of Internet traffic in real time. New spam and Malware outbreaks are identified as soon as they emerge, and recorded in the Commtouch Detection Center. The Commtouch in Declude queries the Commtouch Detection Center and receives a message classification in real-time. The result is instant protection from new outbreaks.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, July 19, 2006 7:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

Also, to piggy back on this - we would like to know exactly how this works. Is something downloaded to your system is it DNS based etc?

Darrell
-- --
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

----- Original Message -----
From: Scott Fisher [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Friday, July 14, 2006 5:26 PM
Subject: Re: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

-David,

Just curious is there a free one-month test drive option for CommTouch or something similar? As one of those pesky non-ISP's the $195 a year is pretty
Re: Re[2]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?
Sandy, I was not suggesting that anyone move to SpamAssassin, rather, that Declude should have looked at these other options and possibly consider building in support for these services into Declude (since they are open source solutions, source code and specifications are available), or at least considered them against the CommTouch solution.

And by convoluted, I should have been more clear, I was alluding to the revenue sharing model Declude is trying to introduce. It sounds like this requirement is being driven by CommTouch, and could have been avoided altogether if they had gone with one or more of these open source options instead.

Just as SA and other spam apps have built in support for these freely available and open source spam services, nothing would have prevented Declude from doing the same.

Declude has stated that they will eventually be including support for URIBL checks within JunkMail. This has to be accomplished by reviewing open source specifications and then building support to the specs so that queries to the URIBL servers are delivered in the correct format and the returning responses can be correctly interpreted. Thus, no different than Declude looking at building in support to these various spam checksum services - send the query in the correct format, and properly interpret the returned response.

Bill

----- Original Message -----
From: Sanford Whiteman [EMAIL PROTECTED]
To: Bill Landry declude.junkmail@declude.com
Sent: Wednesday, July 19, 2006 12:42 PM
Subject: Re[2]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?

I guess what I am getting at here is that there are lots of free choices/options/solutions available out there without having to resort to pricey and convoluted options like CommTouch.

Bill, to be fair, DCC is plenty convoluted itself, if you follow the requirement to run your own DCC daemon when passing hosting-level traffic. Razor only became acceptable for hosting/reseller use extremely recently. And free use of Razor, i.e. using the razor-clients package instead of using a commercial Cloudmark product, either requires facility with *nix, or a full-fledged, non-spamd SpamAssassin fork (because I think there is no standalone razor-client package for Windows, though there is now a compiled SA binary that embeds a working Razor... but which has only a crippled/experimental Win32 spamd).

Legally embedding or linking these products into a commercial engine such as Declude is next to impossible compared to using a product designed to be static-linked into commercial products.

You probably know I already rely on SPAMC32/spamd for all content checks and I really enjoy having Razor and DCC in the mix (haven't dipped into iXHash yet, but I saw the announcement). But I think it's misleading to imply that CommTouch is convoluted in any technical way, compared to the learning curve of a Declude user going fully with SA. On the contrary: the reason this kind of commoditized, Windows-client distributed system is attractive is precisely _because_ getting dccd, razor-client, and so on working and performing well on Windows is very difficult. Same reason Sniffer is attractive: cross-platform, no dependencies or interpreters, etc.

What _is_ convoluted and now-typically insulting is the introduction of an ambiguous, and certainly ominous-sounding, licensing system without feeling out the user base. I refer people to the fact that Declude is said to have made many new hires of late -- without once posting a job opening on a list composed of expert users of the product. And, um, the fact that Declude was for a time censoring (deleting without notice) posts to the list that even alluded to support failures, *and without later apology*, was a pretty big signal. But no one seemed to care about that but me (or perhaps everyone's agreement was similarly squelched, I guess). But now people are shocked, *shocked* that their input wasn't deemed valid on this latest dropped bomb. Gee, ya think?

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: Re[4]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?
Razor has always been free, even during that very short timeframe of like 6 months where they were considering charging for usage if you were using Razor in a revenue based model. However, as you probably know, that was very short lived and quickly reverted back to just plain free. A development effort is a development effort. If Declude can integrate CommTouch into JunkMail, or URIBL checks, then I am confident that could just as well integrate any or all of the spam hashing services as well. But maybe you know more about Declude's development staff and their capabilities than I do, so I'll admit that I could be wrong... Bill - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Bill Landry declude.junkmail@declude.com Sent: Wednesday, July 19, 2006 1:47 PM Subject: Re[4]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ? Just as SA and other spam apps have built in support for these freely available and open source spam services, nothing would have prevented Declude from doing the same. Don't agree. Have you ever looked at the Rhyolite lists and looked at Vernon's opinion of commercial DCC sofware and appliances? And Razor just would've started being legal to integrate on May 5, 2006 -- and one could safely assume that Commtouch planning started quite a bit before that (don't know how far before, admittedly). Declude has stated that they will eventually be including support for URIBL checks within JunkMail. This has to be accomplished by reviewing open source specifications and then building support to the specs so that queries to the URIBL servers are delivered in the correct format and the returning responses can be correctly interpreted. Thus, no different then Declude looking at building in support to these various spam checksum services - send the query in the correct format, and properly interpret the returned response. Again, I disagree. That's like saying that coding a SpamAssassin client like SPAMC32 is no easier than Darrell's InvURIBL. 
Believe me, I'm proud of some of my bells and whistles, but I know enough to admit that performing URIBL checks efficiently *and* creatively is a much bigger development task. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: Re[6]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?
I thought this was due to a glitch in the transition from IMail to SmarterMail at Declude. Bill - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: David Barker declude.junkmail@declude.com Sent: Wednesday, July 19, 2006 1:49 PM Subject: Re[6]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ? If you have logs you can send me I will be glad to look at what happened for you. I will see if I have them around. Main question is, Why were posts getting silently dropped about a month or so ago? There's no question that they were getting dropped. Other people reported this as well. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude SPF Record
David, it looks like Declude needs to update its SPF record as posts from the list are failing both: SPF_HELO_SOFTFAIL SPF_SOFTFAIL DNSStuff is showing softfail for your mail delivery host IP address, as well: http://www.dnsstuff.com/tools/spf.ch?server=declude.comip=63.246.31.248 Bill --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: Re[6]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ?
Hopefully my original point is not getting lost in this rather irrelevant minutia. However, if I were leading a development team that was going to integrate these spam hashing services into existing code running in a Windows environment, I would not attempt to convert/port from any other existing language (unless I had experts in both languages), I would simply start with the existing specifications and develop original code (in my programming language of choice) to those specs. Anyway, this is my final 2 cents on this person's (mine) personal opinion... Bill - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Bill Landry declude.junkmail@declude.com Sent: Wednesday, July 19, 2006 3:13 PM Subject: Re[6]: [Declude.JunkMail] Declude 4.3 - Commtouch trial ? Razor has always been free, even during that very short timeframe of like 6 months where they were considering charging for usage if you were using Razor in a revenue based model. However, as you probably know, that was very short lived and quickly reverted back to just plain free. But even as a permanently free product, it's distributed as a bunch of Perl modules -- to C++ coder, there's a HUGE difference between that and Static link this lib and pass it a filename. I've been through the same choices myself, and, yes, I have chosen commercial modules over free ones written in/for other languages and for different audiences. A development effort is a development effort. If Declude can integrate CommTouch into JunkMail, or URIBL checks, then I am confident that could just as well integrate any or all of the spam hashing services as well. Just as well? Well, I don't think you've proven that. CommTouch is made to be integrated into commercial apps. I don't think it's an if-then situation at all. But maybe you know more about Declude's development staff and their capabilities than I do, so I'll admit that I could be wrong... 
I know what Declude's done in the past, plus the difficulty of converting between languages, dealing with dubious open-and-closed-source-in-the-same-product distribution scenarios... that they went with this very positioned product doesn't surprise me at all. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] ClamAV Sanesecurity phish files
Thanks Nick, I forgot to mention that on the list a few weeks ago when this change was made. Here is a simple download script I use on my Fedora servers that I run via an hourly cron job. It checks to see if there are any changes to the file and only downloads if there are changes:
==
cd /var/lib/clamav/
# keep a backup of the current signatures (-f stands in for the old --reply=yes option)
cp -f phish.ndb phish.ndb-bak
# -N: only download when the remote file is newer than the local copy
wget --tries=5 -N http://www.sanesecurity.com/clamav/phish.ndb.gz
# unpack to stdout and write the result over the live signature file
gunzip -dcf phish.ndb.gz > phish.ndb
chown clamav:clamav phish.*
/usr/local/sbin/clamd reload
==
Modify to fit your particular configuration and file locations (cp is the UNIX/Linux copy command syntax and chown changes the file and directory ownership - probably not necessary on Windows servers). Bill - Original Message - From: Nick Hayer [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, May 15, 2006 11:03 AM Subject: [Declude.JunkMail] ClamAV Sanesecurity phish files fyi - Sanesecurity phish downloads have changed as of 5/10. The download file is gzip'ed and called phish.ndb.gz -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
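A stricter take on the hourly update job in the post above, written in Python as an added example (not the poster's script): the archive is test-decompressed and shape-checked before it replaces the live file, so a truncated download or an error page served in place of the archive never reaches clamd. The function names, the return strings and the .ndb line pattern are assumptions of this example.

```python
import gzip
import os
import re
import shutil
import tempfile
import zlib

# One .ndb entry: Name:TargetType:Offset:HexSignature, optional extra fields.
# Assumption: this is a plausibility check on the file's shape, not a full
# ClamAV signature parser.
NDB_LINE = re.compile(
    r"^[^:\s]+:\d+:[^:\s]+:[0-9A-Fa-f?*(){}|!\[\]\-]+(?::\S*)?$"
)


def validate_ndb(text):
    """Return the number of signature lines in text, or raise ValueError."""
    count = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if not NDB_LINE.match(line):
            raise ValueError("line %d does not look like an .ndb entry" % lineno)
        count += 1
    if count == 0:
        raise ValueError("archive contains no signatures")
    return count


def install_signature_update(archive_path, dest_path):
    """Unpack archive_path over dest_path only if it is a sound update.

    Returns "installed", "unchanged" or "rejected". On "rejected" the live
    signature file is left exactly as it was.
    """
    try:
        with gzip.open(archive_path, "rb") as fh:
            data = fh.read()  # raises on truncated, corrupt or non-gzip input
        validate_ndb(data.decode("ascii"))
    except (OSError, EOFError, zlib.error, ValueError):
        return "rejected"

    if os.path.exists(dest_path):
        with open(dest_path, "rb") as fh:
            if fh.read() == data:
                return "unchanged"  # nothing new, so no clamd reload needed
        shutil.copy2(dest_path, dest_path + "-bak")

    # Stage the new file in the destination directory so that the final
    # os.replace() is an atomic rename: clamd never sees a half-written file.
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp = tempfile.mkstemp(prefix=".sigupdate.", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, dest_path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return "installed"


if __name__ == "__main__":
    import sys
    # Usage: script.py phish.ndb.gz /var/lib/clamav/phish.ndb
    print(install_signature_update(sys.argv[1], sys.argv[2]))
```

Only an "installed" result calls for the chown and clamd reload steps from the post; "rejected" is worth logging, since it means the download was not a usable signature file.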
Re: [Declude.JunkMail] image spam
You might also want to look at using the SARE rules at http://www.rulesemporium.com/rules.htm, particularly the SARE Stock rules (70_sare_stocks.cf). Also, a couple of Fred's rule sets at http://www.rulesemporium.com/other-rules.htm (88_FVGT_rawbody.cf 99_FVGT_meta.cf) can be quite helpful, as well. If you are running SA 3.1.1, you can also use the sa-update script to pull down the latest SA rules, which includes additional rules found in the 80_additional.cf rule set that are very good at tagging these kinds of image spams. And finally, Sniffer seems to successfully tag almost 100% of these image spams, and Razor tags a majority of them, as well. Bill - Original Message - From: Nick Hayer [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, May 04, 2006 7:39 AM Subject: [Declude.JunkMail] image spam fyi - I just found these 2 plugins for spamassassin http://wiki.apache.org/spamassassin/OcrPlugin http://antispam.imp.ch/patches/patch-ocrtext That will ocr the gifs, etc. These should help SA be even more effective within Declude.. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] image spam
RulesDeJour is a script for pulling down the non-official SARE rules sets. The sa-update script is used to pull down official SA rule updates (updating the default rule sets that come with SA). Bill - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, May 04, 2006 2:00 PM Subject: RE: [Declude.JunkMail] image spam For what it's worth, SARE has their own download script (I'm not familiar with the sa-update script Bill mentioned) called RulesDuJour which is a bash shell script: http://www.exit0.us/index.php?pagename=RulesDuJour And that page contains a howto link for us Windows users who are running CygWin: http://www.exit0.us/index.php?pagename=InstallRdjOnCygwin Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Thursday, May 04, 2006 1:50 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] image spam Thanks Bill. I have been using the SARE stock rules but the others I was unaware of - as well as the update script! -Nick Bill Landry wrote: You might also want to look at using the SARE rules at http://www.rulesemporium.com/rules.htm, particularly the SARE Stock rules (70_sare_stocks.cf). Also, a couple of Fred's rule sets at http://www.rulesemporium.com/other-rules.htm (88_FVGT_rawbody.cf 99_FVGT_meta.cf) can be quite helpful, as well. If you are running SA 3.1.1, you can also use the sa-update script to pull down the latest SA rules, which includes additional rules found in the 80_additional.cf rule set that are very good at tagging these kinds of image spams. And finally, Sniffer seems to successfully tag almost 100% of these image spams, and Razor tags a majority of them, as well. 
Bill - Original Message - From: Nick Hayer [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, May 04, 2006 7:39 AM Subject: [Declude.JunkMail] image spam fyi - I just found these 2 plugins for spamassassin http://wiki.apache.org/spamassassin/OcrPlugin http://antispam.imp.ch/patches/patch-ocrtext That will ocr the gifs, etc. These should help SA be even more effective within Declude.. -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Madlibs as Bayesian algorithm frustrators
We have been seeing these for several weeks now, and SA's bayes implementation handles it quite well. This from the Matt Kettler on the SA list: == How well bayes poison works depends a lot on your bayes implementation. Some bayes implementations are fairly susceptible to this. (I put bayes in quotes because not all bayes implementations are really Bayesian at all. Actually, most are not, including SA.) In particular, the choice of combining algorithm seems to matter a lot. The use of chi-squared combining, instead of true Bayesian combining, seems to make SA's bayes rather resistant to this. (note: the use of chi-squared is not exclusive to SA.. many bayes implementations do this, but not all.) Another area of influence is the choice of tokens. Words vs chars, hapaxes, etc all change how a bayes implementation reacts to poisoning attempts. So spammers keep using bayes poison because it works in some cases. It also doesn't really hurt them much, and sometimes even helps them, against more resistant implementations. == Bill - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, April 19, 2006 1:52 PM Subject: [Declude.JunkMail] Madlibs as Bayesian algorithm frustrators So... I had reason to dip into my spam folder today and found a message that is using some kind of tool to generate madlibs, presumably to pad the spam so that it seems like a normal message and perhaps to poison antispam systems that use Bayesian analysis. Assuming that your spam filter doesn't catch this message, check out this paragraph for its sheer wackiness: If the self-loathing rattlesnake has a change of heart about the slyly frightened fruit cake, then a buzzard returns home. When the umbrella is unstable, a briar patch of the canyon accurately sells a pickup truck for an inferiority complex to a diskette near a bowling ball. 
A particle accelerator about a mastadon earns frequent flier miles, and a fruit cake reaches an understanding with the carpet tack. Andrew 8) --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
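The point quoted above about the combining algorithm, worked through as an added example (not code from SpamAssassin or from anyone on the list): the same token probabilities are combined once with plain independent-evidence Bayes and once with Fisher-style chi-squared combining, while padding words are appended. The token probabilities are constructed, and the chi-squared form used here is an assumed model of "chi-squared combining"; a real filter also selects and weights tokens, which is not modelled.

```python
import math


def chi2q(x, dof):
    """P(chi-squared with an even number `dof` of degrees of freedom >= x)."""
    half = x / 2.0
    term = total = math.exp(-half)
    for i in range(1, dof // 2):
        term *= half / i
        total += term
    return min(total, 1.0)


def naive_bayes_combine(probs):
    """Independent-evidence Bayes: prod(p) / (prod(p) + prod(1 - p)).

    Computed as log-odds so long messages do not underflow.
    """
    log_odds = sum(math.log(p) - math.log(1.0 - p) for p in probs)
    return 1.0 / (1.0 + math.exp(-log_odds))


def chi_squared_combine(probs):
    """Fisher-style combining of per-token spam probabilities.

    Spam evidence and ham evidence are tested separately against the
    hypothesis "these probabilities are just noise", then compared:
    1.0 = spam, 0.0 = ham, about 0.5 = conflicting or no evidence.
    """
    n = len(probs)
    spam_stat = -2.0 * sum(math.log(1.0 - p) for p in probs)
    ham_stat = -2.0 * sum(math.log(p) for p in probs)
    spamminess = 1.0 - chi2q(spam_stat, 2 * n)
    hamminess = 1.0 - chi2q(ham_stat, 2 * n)
    return (spamminess - hamminess + 1.0) / 2.0


# Constructed per-token values of P(spam | token); not measured data.
SPAM_TOKENS = [0.99] * 5   # the words of the actual pitch
POISON_TOKEN = 0.40        # a padding word seen slightly more often in ham


def score_with_padding(n_poison):
    """Return (naive Bayes score, chi-squared score) with n_poison pad words."""
    probs = SPAM_TOKENS + [POISON_TOKEN] * n_poison
    return naive_bayes_combine(probs), chi_squared_combine(probs)


def sweep(counts=(0, 20, 40, 80)):
    """Scores for a growing amount of padding, as (count, naive, chi) rows."""
    return [(n,) + score_with_padding(n) for n in counts]


if __name__ == "__main__":
    for n, naive, chi in sweep():
        print("%3d padding words  naive=%.5f  chi-squared=%.3f" % (n, naive, chi))
```

With 80 padding words the naive product swings to a confident ham verdict, while the chi-squared score settles near the middle of the range, which a filter can treat as "unsure" and leave to its other tests.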
Re: [Declude.JunkMail] Damaged Image Files
Gary, you should upgrade to 3.0.6, which has been out for about a week now, as 3.0.5.26 had serious problems with handling certain kinds of mime encapsulate messages. We actually had to roll back to 3.0.5.23 after reporting the issues with 3.0.5.26 to Declude. Version 3.0.6 fixed this issue. Bill - Original Message - From: Gary Steiner [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, February 28, 2006 11:06 AM Subject: RE: [Declude.JunkMail] Damaged Image Files I received a couple with the broken gif as late as yesterday. The Declude headers end up at the bottom of the message, but they are there. I'm running Declude 3.0.5.26 and SmarterMail 2.6. Gary Original Message From: Erik [EMAIL PROTECTED] Sent: Tuesday, February 28, 2006 1:53 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Damaged Image Files Yes, they are passing SNIFFER and Darrell's INV-URIBL at this time. But what Evans wrote is true. Either this spammer has corrected his image.. the fact remains that in the past when it was a corrupted; Declude failed in our version. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, February 28, 2006 7:34 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Damaged Image Files Ditto. I've received and held 24 messages with the same title. Re-queuing 3 of these to myself, they had an image that was intact. They fail the usual RBL tests plus Message Sniffer. Andrew 8) _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Tuesday, February 28, 2006 10:10 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Damaged Image Files Judgement is quick to pass for some around here. 
These are getting caught by my system X-Note: Spam Tests Failed: SBL [28], SORBS-DUHL [4], HELOBOGUS [3], SNIFFER [13] Harry Vanderzand inTown Internet Computer Services 519-741-1222 _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Sent: Tuesday, February 28, 2006 12:49 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Damaged Image Files The problem that we've seen this spammer is that the image is corrupted as you mentioned... and Declude is exiting; thus why it's being allowed to be delivered. Smart coding on the spammer... Not so smart on Declude. -Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Tuesday, February 28, 2006 6:41 PM To: Declude.JunkMail@declude.com Cc: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Damaged Image Files We're getting the same. Also using Declude with smartermail. Because Declude doesn't appear to be scanning the headers there is no way for us to stop them. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evans Martin Sent: Tuesday, February 28, 2006 12:38 AM To: Declude.JunkMail@declude.com Cc: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Damaged Image Files I'm getting a lot of messages that have only a graphic in them. The graphic appears to have been damaged as only about ½ of it displays. Declude has not modified the headers at all so I'm not sure if these are being scanned or not. I don't know how it could be bypassing Declude. I have attached the .msg file. Anyone have any ideas what might be causing this? I'm running Declude 3.0.5.22 and SmarterMail 2.6. 
The header is as follows: Return-Path: [EMAIL PROTECTED] Tue Feb 28 00:24:32 2006 Received: from 225-65-10-72.planters.net [72.10.65.225] by matrix.martek.net with SMTP; Tue, 28 Feb 2006 00:24:32 -0600 Date: Tue, 28 Feb 2006 01:24:22 +0100 Return-path: [EMAIL PROTECTED] From: Abrahams[EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: C1alis 10 Pills 20 mg $89.95 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/related; type=multipart/alternative; boundary=ms020700070106060404020304 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Thanks, Evans Martin EVANS MARTIN [EMAIL PROTECTED] HOSTING: http://www.martek.net http://www.martek.net/ PROGRAMMING: http://www.martekware.com http://www.martekware.com/ iPlus Info Browser - IPB's IMail Migration Tool, password browser, reporting suite make IPlus Info Browser something no IMail administrator should be without. http://www.martek.net/Default.aspx?tabid=96 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
- Original Message - From: Scott Fisher [EMAIL PROTECTED] You do need the Pro version to run more than one scanner. It's the best thing about Virus Pro... Also nice if you get a set of bad definitions or a scanner stops working, the other scanners will cover. With PRESCAN ON, Mcafee Virusscan catches some phish. Clamav catches most phish. Actually, you would need to have PRESCAN OFF in order to catch most phish e-mails with Declude. Otherwise, Declude Virus PRESCANs all messages and finds that most phish messages contain nothing worth scanning and thus bypasses the virus scanners. Bill --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters
BTW, if you are running ClamAV, and want to take full advantage of its phish catching capabilities, you might want to take a look at adding the phish signature file that Steve Basford put together (see the attached e-mail for details). I have been running them for a few weeks, and they are quite awesome. Steve periodically updates the phish signatures, as well, so check regularly for an updated file. Bill - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, February 21, 2006 10:14 AM Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters Aaarrgg. Good catch Bill. - Original Message - From: Bill Landry [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, February 21, 2006 12:03 PM Subject: Re: [Declude.JunkMail] Banks (and Ebay) Phising Filters - Original Message - From: Scott Fisher [EMAIL PROTECTED] You do need the Pro version to run more than one scanner. It's the best thing about Virus Pro... Also nice if you get a set of bad definitions or a scanner stops working, the other scanners will cover. With PRESCAN ON, Mcafee Virusscan catches some phish. Clamav catches most phish. Actually, you would need to have PRESCAN OFF in order to catch most phish e-mails with Declude. Otherwise, Declude Virus PRESCANs all messages and finds that most phish messages contain nothing worth scanning and thus bypasses the virus scanners. Bill --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
---BeginMessage---
Can someone please tell me how ClamAV goes about phishing detection? I presume it has something to do with libcurl going out to a web site and some checks being performed on whatever is returned. Not normally... most phishing detection is done by matching text/html that is common, looks odd or bad spelling in the email. We have had several phishes get through -- most appear to be Google, About, or Ebay redirects, such as: href=http://www.google.com/url?sa=Uq=http://81.196.204.130:82/webscr/index.php; (A PayPal phish.) Well, the above is just using Google to re-direct to the phishing site. I think they count on the people hovering the mouse over the link, seeing Google and then trusting the site, which you normally wouldn't do. Sites were hot at the time the messages were received, so either my concept of how ClamAV blocks phishing is wrong or the detection method is not as generic as I would have thought. Generic phishing signature can be done... but... they are very difficult to get right, without any false positives. Also, I would add that I have submitted a few of these phishes to ClamAV's virus submission and they all seem to get discarded without comment. Basically, ClamAV is there to protect you from viruses, Trojans and then phishing attempts (roughly in that order). Signature makers are very busy doing virus signatures... after all, I'd much prefer to have a virus stopped than a phishing attempt. Having said that, I've come up with my own un-official signatures, designed to catch phishing attempts that ClamAV official signatures let through. Not everyone will want to use them... after all, do you trust me to do signatures? (Just in case this helps... I've been part of the Windows SpamPal Anti-Spam support team for the last two or three years, see: http://www.spampal.org/credits.html) Anyway, to grab the un-official signatures, go to the site here and download the phish.ndb file and place in the same directory as your daily.cvd file: http://www.sanesecurity.com/clamav/ There's also a pdf file there, showing how I put a signature together. For what it's worth, I would certainly still submit your phishing emails to the ClamAV team and I would also suggest submitting the emails to this phishing tracker site: http://www.dslreports.com/phishtrack Cheers, Steve ___ http://lurker.clamav.net/list/clamav-users.html
---End Message---
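The redirect trick described in the attached message (a trusted host in the visible link, the real destination carried in the query string) can be checked for in a message body. The following is an added example, not ClamAV's or Sanesecurity's detection logic; the function names and reason labels are assumptions, the first sample link is the one quoted in the message exactly as it appears on this page, and the other three are constructed. Cross-host redirects alone are common in legitimate mail, so only an IP-literal host or an unusual port is treated as suspicious.

```python
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# href values, quoted or bare (the sample on this page is unquoted).
HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# An absolute URL sitting inside another URL's query string.
EMBEDDED_URL = re.compile(r"https?://[^\s&\"'<>;]+", re.IGNORECASE)

STRONG_REASONS = {"ip-literal-host", "non-standard-port", "malformed-port"}


def embedded_targets(url):
    """Return absolute URLs carried inside the query string of url."""
    return EMBEDDED_URL.findall(unquote(urlsplit(url).query))


def classify_target(outer_host, target):
    """Return the list of reasons why target deserves a closer look."""
    reasons = []
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass
    try:
        port = parts.port
    except ValueError:
        port = None
        reasons.append("malformed-port")
    if port not in (None, 80, 443):
        reasons.append("non-standard-port")
    if host and host != outer_host:
        reasons.append("cross-host-redirect")
    return reasons


def scan_links(body):
    """Return one finding per embedded redirect target found in an HTML body."""
    findings = []
    for raw in HREF.findall(body):
        link = html.unescape(raw)
        outer_host = (urlsplit(link).hostname or "").lower()
        for target in embedded_targets(link):
            reasons = classify_target(outer_host, target)
            if reasons:
                findings.append({"outer_host": outer_host,
                                 "target": target,
                                 "reasons": reasons})
    return findings


def is_suspicious(finding):
    """True when the finding carries more than a plain cross-host redirect."""
    return bool(STRONG_REASONS.intersection(finding["reasons"]))


SAMPLE_BODY = (
    # 1. The link quoted in the message above, as it appears on this page.
    "<a href=http://www.google.com/url?sa=Uq=http://81.196.204.130:82/webscr/index.php;>x</a>\n"
    # 2-4. Constructed samples using documentation-only hosts and addresses.
    '<a href="http://redirect.example.com/url?sa=U&amp;q=http%3A%2F%2F192.0.2.10%3A8080%2Flogin">x</a>\n'
    '<a href="http://www.example.com/out?u=http://www.example.com/help">x</a>\n'
    "<a href='http://www.example.com/out?u=https://www.example.org/news'>x</a>\n"
)

if __name__ == "__main__":
    for finding in scan_links(SAMPLE_BODY):
        flag = "SUSPICIOUS" if is_suspicious(finding) else "info"
        print(flag, finding["outer_host"], "->", finding["target"], finding["reasons"])
```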
Re: [Declude.JunkMail] Changes @ Declude
Didn't get any notification here either. Bill - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, February 10, 2006 11:03 AM Subject: Re: [Declude.JunkMail] Changes @ Declude Barry, I didn't get the E-mail that you mentioned. I'm also wondering about what the terms are in 4.0 for new agreements. The terminology changes from Service Agreements to Subscription. Those things can have different meanings in this industry. A Subscription suggests expiration of the product, at least to me. If that is not the case, you might want to clarify that on your site. Thanks, Matt [EMAIL PROTECTED] wrote: In the last 10 days we have received a number of inquiries to the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions: * No existing customer is required to move to the new annual pricing. * Our current customers can continue to pay the annual Service Agreements. * No customer is required to move to 4.0 Over and above that we are continuing to enhance and support both 3.0 and 4.0 and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements. I have responded to each and every customer who has contacted me since the email was sent out and if any one has any further questions they can contact me either by email or telephone (978) 499-2933. Barry --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New 4.0 version of Declude?
I notice on the Declude web site that Declude 4.0.8 is available for download. I don't recall seeing any announcement of a new version, so what's new or changed in the 4.0 version? Bill --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Virus Scanning For Your Servers
I wouldn't recommend removing the /PACKED switch. Here are the switches I have been using on both of our IMail/Declude/F-Prot servers for the past couple of years without issue:

C:\Progra~1\FSI\F-Prot\fpcmd.exe -AI -ARCHIVE=5 -DUMB -NOBOOT -NOBREAK -NOMEM -PACKED -SAFEREMOVE -SERVER -SILENT -REPORT=report.txt

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Saturday, January 28, 2006 1:24 PM
Subject: RE: [Declude.JunkMail] OT: Virus Scanning For Your Servers

1. You should be using fpcmd.exe which is the 32bit scanner of F-Prot not the f-prot.exe which is the 16 bit version.
2. Remove the /NOFLOPPY and /PACKED options from the switches
3. Ensure that the Real Time protector of F-Prot is not installed.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evans Martin
Sent: Saturday, January 28, 2006 4:05 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Virus Scanning For Your Servers

If ClamWin doesn't do on access scanning and it is the only virus scanner running on my system, to what can I attribute the errors in this log segment?

01/22/2006 00:11:52.187 42470405 Vulnerability flags = 0
01/22/2006 00:11:52.234 42470405 Error 87 starting scanner [C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOFLOPPY /NOBOOT /DUMB /PACKED /REPORT=report.txt c:\SMARTE~1\Spool\proc\work\42470405.vir\]; NOT SCANNING ATTACHMENTS! Error String: [The parameter is incorrect.]
01/22/2006 00:11:52.234 42470405 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
01/22/2006 00:11:52.234 42470405 Scanned: Error starting scanner
01/22/2006 00:12:32.312 42470406 Vulnerability flags = 0
01/22/2006 00:12:32.343 42470406 Error 87 starting scanner [C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOFLOPPY /NOBOOT /DUMB /PACKED /REPORT=report.txt c:\SMARTE~1\Spool\proc\work\42470406.vir\]; NOT SCANNING ATTACHMENTS! Error String: [The parameter is incorrect.]
01/22/2006 00:12:32.343 42470406 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
01/22/2006 00:12:32.343 42470406 Scanned: Error starting scanner
01/22/2006 00:12:42.437 42470407 Vulnerability flags = 0
01/22/2006 00:12:42.453 42470407 Scanned: Virus Free [Prescan OK][MIME: 1 3031]
01/22/2006 00:12:47.593 42470408 Vulnerability flags = 0
01/22/2006 00:12:47.625 42470408 Error 87 starting scanner [C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOFLOPPY /NOBOOT /DUMB /PACKED /REPORT=report.txt c:\SMARTE~1\Spool\proc\work\42470408.vir\]; NOT SCANNING ATTACHMENTS! Error String: [The parameter is incorrect.]
01/22/2006 00:12:47.625 42470408 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
01/22/2006 00:12:47.625 42470408 Scanned: Error starting scanner
01/22/2006 00:13:27.718 42470409 Vulnerability flags = 0
01/22/2006 00:13:27.734 42470409 MIME file: [text/html][*DEFAULT*; Length=2063 Checksum=158746]
01/22/2006 00:13:27.734 42470409 Scanned: Virus Free [Prescan OK][MIME: 2 3360]
01/22/2006 00:13:47.890 42470410 Vulnerability flags = 0
01/22/2006 00:13:47.906 42470410 Error 87 starting scanner [C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOFLOPPY /NOBOOT /DUMB /PACKED /REPORT=report.txt c:\SMARTE~1\Spool\proc\work\42470410.vir\]; NOT SCANNING ATTACHMENTS! Error String: [The parameter is incorrect.]
01/22/2006 00:13:47.906 42470410 1 [1 of 2 not deleted] files were deleted. You should not use an on-access virus scanner that scans the \IMail directory or sub-directories.
01/22/2006 00:13:47.906 42470410 Scanned: Error starting scanner

Thanks,
Evans Martin

---
EVANS MARTIN [EMAIL PROTECTED]
HOSTING: http://www.martek.net
PROGRAMMING: http://www.martekware.com
iPlus Info Browser - IPB's IMail Migration Tool, password browser, reporting suite make IPlus Info Browser something no IMail administrator should be without. http://www.martek.net/Default.aspx?tabid=96

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of george
Sent: Saturday, January 28, 2006 12:47 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] OT: Virus Scanning For Your Servers

Evans,

I use F-Prot, ClamWin, AVG and NOD32, in that order. I don't use ClamWin to do scheduled scans and it doesn't do on-access scanning, so it doesn't interfere with F-Prot in any way.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Evans Martin
Sent: Friday, January 27, 2006 9:41 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] OT: Virus Scanning
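The log excerpt in the thread above shows messages being passed on with "NOT SCANNING ATTACHMENTS!" after the scanner failed to start. As an added example (not part of the original posts and not Declude's own tooling), this Python code audits log lines in that layout and reports which message IDs were delivered unscanned; the sample lines are copied from the excerpt, and the function and field names are assumptions made for the example.

```python
import ntpath
import re

# Lines copied from the log excerpt in the thread (four of the six messages).
SAMPLE_LOG = r"""
01/22/2006 00:11:52.187 42470405 Vulnerability flags = 0
01/22/2006 00:11:52.234 42470405 Error 87 starting scanner [C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOFLOPPY /NOBOOT /DUMB /PACKED /REPORT=report.txt c:\SMARTE~1\Spool\proc\work\42470405.vir\]; NOT SCANNING ATTACHMENTS! Error String: [The parameter is incorrect.]
01/22/2006 00:11:52.234 42470405 Scanned: Error starting scanner
01/22/2006 00:12:42.437 42470407 Vulnerability flags = 0
01/22/2006 00:12:42.453 42470407 Scanned: Virus Free [Prescan OK][MIME: 1 3031]
01/22/2006 00:13:27.718 42470409 Vulnerability flags = 0
01/22/2006 00:13:27.734 42470409 Scanned: Virus Free [Prescan OK][MIME: 2 3360]
01/22/2006 00:13:47.890 42470410 Vulnerability flags = 0
01/22/2006 00:13:47.906 42470410 Error 87 starting scanner [C:\Progra~1\FSI\F-Prot\F-Prot.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOFLOPPY /NOBOOT /DUMB /PACKED /REPORT=report.txt c:\SMARTE~1\Spool\proc\work\42470410.vir\]; NOT SCANNING ATTACHMENTS! Error String: [The parameter is incorrect.]
01/22/2006 00:13:47.906 42470410 Scanned: Error starting scanner
"""

# "<date> <time> <message id> <text>", as seen in the excerpt.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
# The scanner command line sits between "[" and "];" on the error line.
START_FAIL_RE = re.compile(
    r"Error (\d+) starting scanner \[(.+?)\]; NOT SCANNING ATTACHMENTS!"
)


def audit(log_text):
    """Return {message_id: record} in log order, one record per message."""
    messages = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        _, msg_id, text = m.groups()
        rec = messages.setdefault(
            msg_id,
            {"outcome": "unknown", "error": None, "scanner": None, "switches": []},
        )
        fail = START_FAIL_RE.search(text)
        if fail:
            tokens = fail.group(2).split()
            rec["outcome"] = "unscanned"
            rec["error"] = int(fail.group(1))
            # ntpath parses Windows paths regardless of the host OS.
            rec["scanner"] = ntpath.basename(tokens[0])
            rec["switches"] = [t for t in tokens[1:] if t[0] in "/-"]
        elif text.startswith("Scanned: Error starting scanner"):
            rec["outcome"] = "unscanned"
        elif text.startswith("Scanned: Virus Free") and rec["outcome"] == "unknown":
            rec["outcome"] = "clean"
    return messages


def unscanned_ids(messages):
    """Message IDs that went through without their attachments being scanned."""
    return [mid for mid, rec in messages.items() if rec["outcome"] == "unscanned"]


def fail_open_ratio(messages):
    """Share of logged messages that were not scanned (0.0 when the log is empty)."""
    return len(unscanned_ids(messages)) / len(messages) if messages else 0.0


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for mid in unscanned_ids(result):
        rec = result[mid]
        print(mid, "error", rec["error"], rec["scanner"], " ".join(rec["switches"]))
    print("fail-open ratio:", fail_open_ratio(result))
```

A non-zero ratio is worth alerting on, since every message counted there reached the mailbox without an attachment scan.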
Re: [Declude.JunkMail] MailPure?
Don't know if you would want to use them, even if they were available, as the writer was high on life and drunk with enthusiasm most of the time while concocting them... ;-)

Bill

----- Original Message -----
From: Evans Martin
To: Declude.JunkMail@declude.com
Sent: Friday, January 27, 2006 3:28 PM
Subject: [Declude.JunkMail] MailPure?

I went to MailPure.Com to see if they had any new filter files today and noticed that the link is broken and that their main page is just a logo page without any links now. Are they still providing filter files?

Evans Martin

EVANS MARTIN [EMAIL PROTECTED]
HOSTING: http://www.martek.net
PROGRAMMING: http://www.martekware.com
iPlus Info Browser – IPB’s IMail Migration Tool, password browser, reporting suite make IPlus Info Browser something no IMail administrator should be without. http://www.martek.net/Default.aspx?tabid=96
Re: [Declude.JunkMail] Earthlink/prodigy
I think you've got it backwards, SBC acquired ATT but is keeping the ATT name.

Bill

----- Original Message -----
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 24, 2006 4:23 PM
Subject: RE: [Declude.JunkMail] Earthlink/prodigy

And since ATT now owns SBC, aren't we getting back to Ma Bell?

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Tuesday, January 24, 2006 3:56 PM
To: JunkMail Declude
Subject: [Declude.JunkMail] Earthlink/prodigy

Is there a relationship here. I am getting legit email from this combo and would like to know. It looks to me like prodigy is now owned by SBC.

Kevin Bilbee

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: Re[2]: [Declude.JunkMail] Declude v3 CPU usage and processing speed
We are running Declude Version 3.0.5.23 with JunkMail and Virus Pro on two dual-proc servers and are not seeing this. I often see the CPU at zero when no mail is being processed.

Bill

----- Original Message -----
From: David Sullivan [EMAIL PROTECTED]
To: Matt Declude.JunkMail@declude.com
Sent: Friday, January 13, 2006 10:27 AM
Subject: Re[2]: [Declude.JunkMail] Declude v3 CPU usage and processing speed

Hello Matt,

Friday, January 13, 2006, 12:29:25 PM, you wrote:

M I would throw both logs into Debug and restart just to see if
M there are any clues in there.

Did this and couldn't come up with anything out of ordinary.

M One other longshot that would be interesting would be to change
M the default host in IMail to match the other box and use the keys on
M the properly functioning server just to see if there is any
M difference.

Good idea, we'll give this a shot. What about the 25% utilization under NO load. We see this on all boxes now with Declude 3.5.23. Are you seeing this behavior as well?

--
Best regards,
David mailto:[EMAIL PROTECTED]
Re: [Declude.JunkMail] Blacklisted by Comcast
You can. Simply add a line to your hosts file on your current mail server like:

ip.of.gate.way comcast.com

Then all mail destined for comcast.com will get sent directly to the gateway server and all other mail will still get delivered as usual.

Bill

----- Original Message -----
From: Dave Doherty [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, January 11, 2006 1:38 PM
Subject: Re: [Declude.JunkMail] Blacklisted by Comcast

It's a good idea. I had thought to change the IP of the server, but then I have to reconfigure the firewall and go through another episode with the CBL people. Using an outboard box would solve the problem until Comcast decides to block the new IP.

It would be nice if I could devise a way to send only mail for Comcast through the gateway.

(((sigh)))

-d

----- Original Message -----
From: Andy Schmidt [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, January 11, 2006 4:26 PM
Subject: RE: [Declude.JunkMail] Blacklisted by Comcast

Have you determined whether you can just use one of your other C-Class networks to set up a simple IIS SMTP server as a smart host and then relay your outbound mail through that IP address?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Wednesday, January 11, 2006 04:21 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Blacklisted by Comcast

Hi Matt-

Thanks. I had already found that form. No response from them so far, so I did it again.

Symantec apparently bought BrightMail and turned it into a box product. http://www.brightmail.com/ and http://www.symantec.com/Products/enterprise?c=prodinforefId=835

Symantec has managed to turn contacting BrightMail tech support into an even less joyful experience than dealing with Comcast. No, I don't have the product, so no, I can't contact them. Nice try, anyway...

Thanks.

-d

----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, January 11, 2006 3:45 PM
Subject: Re: [Declude.JunkMail] Blacklisted by Comcast

Maybe start here: http://www.comcast.net/help/contact/

I believe that Comcast uses BrightMail, so you might also want to try to contact them directly.

Matt

Dave Doherty wrote:

For whatever reason, one of my mail servers has been blacklisted by Comcast. It's on no other blacklists that I can find. I have spent much of the day in a frustrating search for contact info that actually gets you to a human. So I don't know why they blacklisted my server and I have customers screaming at me. Anybody have any ideas how to resolve this one?

-Dave Doherty
Skywaves, Inc.
Re: [Declude.JunkMail] Declude Hardware Issue
I doubt that the problems experienced by the Declude licensing server had anything to do with your DNS tests failing. I have been running version 3.0.5.22 since it was released and experienced no problems over the weekend, including DNS based tests.

Bill

----- Original Message -----
From: Goran Jovanovic
To: Declude.JunkMail@declude.com
Sent: Monday, December 26, 2005 2:09 PM
Subject: RE: [Declude.JunkMail] Declude Hardware Issue

While my Declude continued to work as a Pro version what I did find is that my DNS tests were failing during the hardware issue. During the problem period I saw:

12/26/2005 14:10:13.947 q3f72000100cac64e.smd Test 2-AHBL-RELAYS-ALL didn't get a response.
12/26/2005 14:10:13.947 q3f72000100cac64e.smd Test 22-AHBL-EXEMPT-DYNA didn't get a response.

Then after the hardware problem was resolved (and without me doing anything) I got

12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #2 [AHBL-RELAYS-ALL=127.0.0.2]. Answer=admins.sosdg.org.?
12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #4 [AHBL-PROXY-ALL=127.0.0.3]. Answer=admins.sosdg.org.?
12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #6 [AHBL-SOURCES-ALL=127.0.0.4]. Answer=admins.sosdg.org.?

It was not just one message that the DNS tests failed on but all of them that I monitored.

Now my over WEIGHT30 is back in the more appropriate range of

WEIGHT30117...74.05%

And not what it was for the most of the day

WEIGHT30...1,724...25.87% <=== Way too low.

I would like to know why the Declude hardware communications problem broke my DNS tests?

Not sure if this info helps or not but it is what happened with my installation (3.0.5.22 junkmail and virus)

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha
Sent: Monday, December 26, 2005 4:01 PM
To: Declude.JunkMail@declude.com
Cc: Declude.Virus@declude.com
Subject: [Declude.JunkMail] Declude Hardware Issue

Please note that the hardware issue preventing communication with Declude has been resolved. Key authentication has resumed as normal.

There appear to be some misconceptions on the lists regarding the key authentication system. In the event that your key cannot be authenticated (either due to communication failure or because the key was never issued):

A) Your software will continue to function
B) Your software is NEVER downgraded for any reason, either automatically or otherwise

We have had a few reports from customers who have licensed versions of Pro, saying that they are receiving messages in their log files that they do not have the Pro version. We will identify the source of that issue tomorrow when the office reopens and will resolve it. It does not have any relation to the key authentication mechanism with the server, since the actual authentication with IMail versions of Declude continues to be via the old codes entered into the configuration files.

David Franco-Rocha
Declude Technical / Engineering
Re: [Declude.JunkMail] Decludeproc terminating unexpectedly
What version of decludeproc are you running?

decludeproc -v

Sounds like an old issue that has been resolved in more recent releases.

Bill

----- Original Message -----
From: Harry Vanderzand [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 13, 2005 9:30 AM
Subject: [Declude.JunkMail] Decludeproc terminating unexpectedly

I have a situation where the decludeproc service terminates unexpectedly. It restarts, but I am concerned in that the system is not stable. Several messages are left in the review directory when this happens.

Shortly after one of the decludeproc restarts this morning the SMTP service stopped and did NOT restart. The event log had the following error:

The description for Event ID ( 0 ) in Source ( SMTPd32 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: SMTPd32 error: 231, ERR 004 - Failed to create server Pipe..

This has happened a few times since going to imail V8.22 from 8.05. Should I install imail 2006? I have it but am holding off as I fear more problems if I am an early adopter. Any ideas?

Imail V8.22, declude pro, sniffer, invuirbl
Dual xeon 3.4Ghz, 2GB ram

Thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222
Re: [Declude.JunkMail] declude.cfg threads procedure
It's not necessary to stop/start any IMail services, since IMail calls declude.exe (not decludeproc.exe), and all declude.exe does is move the queue files from the spool directory to the proc directory. Decludeproc checks the proc directory at whatever time interval you have set in your declude.cfg and processes whatever it finds there.

Bill

----- Original Message -----
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, November 30, 2005 2:09 PM
Subject: RE: [Declude.JunkMail] declude.cfg threads procedure

Changes to the Declude.cfg file require a restart of the Decludeproc.exe service. Of course, I highly recommend first stopping the Imail SMTP and Queue Manager services before restarting the Decludeproc service but some one has posted that is not needed.

John T
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Bill Green dfn Systems
Sent: Wednesday, November 30, 2005 1:40 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] declude.cfg threads procedure

Hi,

I recently upgraded to Declude 3.0.5.20. Everything is running well except for a backlog in the proc directory in the heavy part of the day. I began adjusting threads in declude.cfg. The original setting was 5. With my Dual 1.5 Ghz machine, I figured 75 was closer to the mark. Do I need to stop/start any services to make the change effective, or just change the number in declude.cfg?

Bill

---
[This E-mail scanned for viruses by Declude EVA]
Re: [Declude.JunkMail] Cryptic URL in source
Take a look at SpamAssassin or the SA plug-in for Declude.

Bill

----- Original Message -----
From: Dave Beckstrom [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, November 11, 2005 8:56 AM
Subject: RE: [Declude.JunkMail] Cryptic URL in source

David,

Could I suggest that you consider adding something along those lines or perhaps adding support for regular expressions? It would make the filters much more flexible and powerful. Sometimes spammers will vary only 1 or 2 characters in a URL and this would enable us to block their variations with one line in the filter.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of David Franco-Rocha [ Declude ]
Sent: Friday, November 11, 2005 10:46 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Cryptic URL in source

Dave,

There currently is no pattern matching in Declude filters.

David Franco-Rocha
Declude Technical / Engineering

----- Original Message -----
From: Dave Beckstrom [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Thursday, November 10, 2005 6:03 PM
Subject: RE: [Declude.JunkMail] Cryptic URL in source

Scott,

Doesn't Declude support a wild card character for single character matching in filters? EG, let's say an * is a wild card.

STOPATFIRSTHIT
BODY 0 contains .google.*/url?q
BODY 0 contains .google.**/url?q
BODY 0 contains .google.***/url?q

The above would then accomplish the same thing as the entire filter below.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, November 10, 2005 4:38 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Cryptic URL in source

I ran across this in one of my unused filters folders. Some great Declude user (not me) posted it in August. So the google redirect has been abused for months.

STOPATFIRSTHIT
BODY 0 contains .google.com/url?q
BODY 0 contains .google.as/url?q
BODY 0 contains .google.com.ar/url?q
BODY 0 contains .google.com.au/url?q
BODY 0 contains .google.at/url?q
BODY 0 contains .google.az/url?q
BODY 0 contains .google.by/url?q
BODY 0 contains .google.be/url?q
BODY 0 contains .google.com.br/url?q
BODY 0 contains .google.vg/url?q
BODY 0 contains .google.bi/url?q
BODY 0 contains .google.ca/url?q
BODY 0 contains .google.td/url?q
BODY 0 contains .google.cl/url?q
BODY 0 contains .google.com.co/url?q
BODY 0 contains .google.co.cr/url?q
BODY 0 contains .google.ci/url?q
BODY 0 contains .google.com.cu/url?q
BODY 0 contains .google.cd/url?q
BODY 0 contains .google.dk/url?q
BODY 0 contains .google.dj/url?q
BODY 0 contains .google.com.do/url?q
BODY 0 contains .google.com.ec/url?q
BODY 0 contains .google.com.sv/url?q
BODY 0 contains .google.ee/url?q
BODY 0 contains .google.com.fj/url?q
BODY 0 contains .google.fi/url?q
BODY 0 contains .google.fr/url?q
BODY 0 contains .google.gm/url?q
BODY 0 contains .google.ge/url?q
BODY 0 contains .google.de/url?q
BODY 0 contains .google.com.gi/url?q
BODY 0 contains .google.com.gr/url?q
BODY 0 contains .google.gl/url?q
BODY 0 contains .google.gg/url?q
BODY 0 contains .google.hn/url?q
BODY 0 contains .google.com.hk/url?q
BODY 0 contains .google.co.hu/url?q
BODY 0 contains .google.co.in/url?q
BODY 0 contains .google.ie/url?q
BODY 0 contains .google.co.il/url?q
BODY 0 contains .google.it/url?q
BODY 0 contains .google.co.jp/url?q
BODY 0 contains .google.je/url?q
BODY 0 contains .google.kz/url?q
BODY 0 contains .google.lv/url?q
BODY 0 contains .google.co.ls/url?q
BODY 0 contains .google.com.ly/url?q
BODY 0 contains .google.li/url?q
BODY 0 contains .google.lt/url?q
BODY 0 contains .google.lu/url?q
BODY 0 contains .google.mw/url?q
BODY 0 contains .google.com.my/url?q
BODY 0 contains .google.com.mt/url?q
BODY 0 contains .google.mu/url?q
BODY 0 contains .google.com.mx/url?q
BODY 0 contains .google.fm/url?q
BODY 0 contains .google.ms/url?q
BODY 0 contains .google.com.na/url?q
BODY 0 contains .google.com.np/url?q
BODY 0 contains .google.nl/url?q
BODY 0 contains .google.co.nz/url?q
BODY 0 contains .google.com.ni/url?q
BODY 0 contains .google.com.nf/url?q
BODY 0 contains .google.com.pk/url?q
BODY 0 contains .google.com.pa/url?q
BODY 0 contains .google.com.py/url?q
BODY 0 contains .google.com.pe/url?q
BODY 0 contains .google.com.ph/url?q
BODY 0 contains .google.pn/url?q
BODY 0 contains .google.pl/url?q
BODY 0 contains .google.pt/url?q
BODY 0 contains .google.com.pr/url?q
BODY 0 contains .google.cg/url?q
BODY 0 contains .google.ro/url?q
BODY 0 contains .google.ru/url?q
BODY 0 contains .google.rw/url?q
BODY 0 contains .google.sh/url?q
BODY 0 contains .google.com.vc/url?q
BODY 0 contains .google.sm/url?q
BODY 0 contains .google.co.yu/url?q
BODY 0 contains .google.com.sg/url?q
BODY 0 contains .google.sk/url?q
BODY 0 contains .google.co.kr/url?q
BODY 0 contains .google.es/url?q
BODY 0
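The thread above asks for pattern matching so that one rule can cover every `.google.<tld>/url?q` variant in the enumerated filter. As an added example (not part of the original posts, and not a Declude feature), this Python code expresses the whole list as one regular expression and also extracts the real destination from the `q=` parameter so it can be checked against URL reputation data; the function names and the sample body are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Every suffix in the posted filter is either "com" or a two-letter country
# code, optionally under "co." or "com." (e.g. "as", "co.cr", "com.ar").
TLD = r"(?:com|(?:com?\.)?[a-z]{2})"

# Same test as the "BODY 0 contains .google.<tld>/url?q" lines, in one rule.
FILTER_RE = re.compile(r"\.google\." + TLD + r"/url\?q", re.IGNORECASE)

# Host check used when a full URL can be parsed out of the body.
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+google\." + TLD + r"$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def matches_filter(body):
    """True if the body contains any of the redirect prefixes from the filter."""
    return FILTER_RE.search(body) is not None


def redirect_targets(body):
    """Return (google_host, destination) pairs for each redirect link found."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed URL, nothing to extract
        host = (parts.hostname or "").lower()
        if not HOST_RE.match(host) or parts.path != "/url":
            continue
        for target in parse_qs(parts.query).get("q", []):
            hits.append((host, target))
    return hits


# Constructed message body: one redirect link and one ordinary search link.
SAMPLE_BODY = (
    'Click <a href="http://www.google.co.cr/url?q=http://pills.example.invalid/x'
    '&sa=D">here</a> or see http://www.google.com/search?q=declude'
)

if __name__ == "__main__":
    print(matches_filter(SAMPLE_BODY))
    for host, target in redirect_targets(SAMPLE_BODY):
        print(host, "->", target)
```

Scoring the extracted destination rather than the Google hostname keeps the test useful when the redirect is only a wrapper around a listed spam domain.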
Re: [Declude.JunkMail] Declude 3.0.5.14 Posted
Mike, you cannot simply execute the Decludeproc30xxx.exe file to do the decludeproc upgrade, you need to stop the decludeproc service, delete the old decludeproc.exe file, then rename the Decludeproc30xxx.exe to decludeproc.exe and then restart the service.

Bill

----- Original Message -----
From: Mike Wiegers [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, November 06, 2005 11:59 AM
Subject: Re: [Declude.JunkMail] Declude 3.0.5.14 Posted

David,

I ran the decludeproc update and then ran the version command and it still showed the previous version. I then ran the declude_setup update, decludeproc update, ran the version command and it displayed the updated version. I will try it again on the next update (already did the .15 update running both updates).

Thanks,
Mike

From: David Barker [EMAIL PROTECTED]
Organization: Declude, Inc.
Reply-To: Declude.JunkMail@declude.com
Date: Sun, 6 Nov 2005 07:53:12 -0500
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

Mike,

I think you are confused or at least I am. Declude.exe should be 32k in size and you should be running decludeproc as a service. If this is true all you need to do is upgrade your Decludeproc30xxx.exe

If your declude.exe is not 32k in size and/or you do not have the decludeproc service then use Declude_setup.exe

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, November 06, 2005 5:17 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

David,

I'm running the service and version 3 and this looks like what you are saying.

etc, only thereafter can you upgrade just the decludeproc.

So to get to the latest declude.exe release I would just need to run the Decludeproc30xxx.exe from the Declude Upgrades link from my account.

Thanks for your help,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Saturday, November 05, 2005 12:52 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

Mike,

Best thing to do if you're not sure is run Declude_setup.exe

David Barker
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Saturday, November 05, 2005 5:38 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

David,

Question: The decludeproc upgrade will install the updated declude.exe file for me if I'm already running as a service?

Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, November 04, 2005 2:20 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

Mike,

If you are not already running the service you will need to run the Declude_setup.exe to get the service installed etc, only thereafter can you upgrade just the decludeproc.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Friday, November 04, 2005 2:55 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

David,

I only find a Declude_Setup file that's 6MB. I was looking to just replace the declude.exe file. I will go this route.

Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, November 04, 2005 10:14 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

Yes under the Declude Upgrade Section on the My Account Home Page

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Friday, November 04, 2005 10:54 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 3.0.5.14 Posted

Is there a link we can just get the declude exe file instead of the complete install each time?

Thanks,
Mike
Re: [Declude.JunkMail] V3.05.14 issue
I sent info to Declude support yesterday about this, but have not received a response yet. I also had to revert back to V3.0.5.12 yesterday because of this issue.

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, November 01, 2005 10:09 AM
Subject: RE: [Declude.JunkMail] V3.05.14 issue

The review directory has its purpose, if there is email that causes decludeproc to crash, messages that are currently being worked on go into the review directory, if the messages continue to cause the same problem, then the messages will again end up in the review. What I would suggest is sending a copy of the files that end up in the review directory so we can run them through our testing server to see if there is something about the message format that may be causing a problem.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, November 01, 2005 12:23 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] V3.05.14 issue

I was just checking my declude directories and found mail sitting in the review directory. 95 pieces with varying times since my update to 30514 yesterday.

When I put them back into the proc directory the system slowed down and they ended up back in the review directory eventually.

I then reverted to 30509, put the mail back into the proc directory and everything got processed fine.

I then reverted back to 30514 and watched the flow of mail and again mail started collecting in the review directory.

I have gone back to 30509 till there is a resolution for this

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222
Re: [Declude.JunkMail] V3.05.14 issue
David, I made the suggested change to my declude.cfg and within 3 minutes the orphaned .vir directories started showing up in the work sub-directory and messages were being moved into the review directory. I will send you and support the trace evidence off-line.

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, November 01, 2005 12:28 PM
Subject: RE: [Declude.JunkMail] V3.05.14 issue

Bill,

3.0.5.12 WINSOCKCLEANUP was always ON whereas in 3.0.5.14 it is set to OFF by default, try setting WINSOCKCLEANUPON for 3.0.5.14

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, November 01, 2005 1:18 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] V3.05.14 issue

I sent info to Declude support yesterday about this, but have not received a response yet. I also had to revert back to V3.0.5.12 yesterday because of this issue.

Bill

----- Original Message -----
From: David Barker [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, November 01, 2005 10:09 AM
Subject: RE: [Declude.JunkMail] V3.05.14 issue

The review directory has its purpose, if there is email that causes decludeproc to crash, messages that are currently being worked on go into the review directory, if the messages continue to cause the same problem, then the messages will again end up in the review. What I would suggest is sending a copy of the files that end up in the review directory so we can run them through our testing server to see if there is something about the message format that may be causing a problem.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Tuesday, November 01, 2005 12:23 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] V3.05.14 issue

I was just checking my declude directories and found mail sitting in the review directory. 95 pieces with varying times since my update to 30514 yesterday.

When I put them back into the proc directory the system slowed down and they ended up back in the review directory eventually.

I then reverted to 30509, put the mail back into the proc directory and everything got processed fine.

I then reverted back to 30514 and watched the flow of mail and again mail started collecting in the review directory.

I have gone back to 30509 till there is a resolution for this

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON,N2M 1L2
519-741-1222
Re: [Declude.JunkMail] V3.05.14 issue
Really, whoda thunk it... ;-) The file was actually updated while the service was stopped to change the decludeproc.exe file. It appears that the version 3.0.5.14 does not like something about winmail.dat attachments. Bill - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, November 01, 2005 1:16 PM Subject: RE: [Declude.JunkMail] V3.05.14 issue Remember, changes to the declude.cfg file call for a restart of the Decludeproc service. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Tuesday, November 01, 2005 12:53 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] V3.05.14 issue David, I made the suggested change to my declude.cfg and within 3 minutes the orphaned .vir directories started showing up in the work sub-directory and messages were being moved into the review directory. I will send you and support the trace evidence off-line. Bill - Original Message - From: David Barker [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, November 01, 2005 12:28 PM Subject: RE: [Declude.JunkMail] V3.05.14 issue Bill, 3.0.5.12 WINSOCKCLEANUP was always ON whereas in 3.0.5.14 it is set to OFF by default, try setting WINSOCKCLEANUPON for 3.0.5.14 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Tuesday, November 01, 2005 1:18 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] V3.05.14 issue I sent info to Declude support yesterday about this, but have not received a response yet. I also had to revert back to V3.0.5.12 yesterday because of this issue. 
Bill - Original Message - From: David Barker [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, November 01, 2005 10:09 AM Subject: RE: [Declude.JunkMail] V3.05.14 issue The review directory has its purpose, if there is email that causes decludeproc to crash, messages that are currently being worked on go into the review directory, if the messages continue to cause the same problem, then the messages will again end up in the review. What I would suggest is sending a copy of the files that end up in the review directory so we can run them through our testing server to see if there is something about the message format that may be causing a problem. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Tuesday, November 01, 2005 12:23 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] V3.05.14 issue I was just checking my declude directories and found mail sitting in the review directory. 95 pieces with varying times since my update to 30514 yesterday. When I put them back into the proc directory the system slowed down and they ended up back in the review directory eventually. I then reverted to 30509, put the mail back into the proc directory and everything got processed fine. I then reverted back to 30514 and watched the flow of mail and again mail started collecting in the review directory. I have gone back to 30509 till there is a resolution for this Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W., Kitchener, ON,N2M 1L2 519-741-1222
[Declude.JunkMail] Testing upgrade to V3.0.5.9
I've tested the upgrade to Declude 3.0.5.9 on a test server and noted a couple of minor issues. First, Decludeproc -v shows: Declude Version 3.0.5.9 However, decludeproc -diag shows: Invalid command line parameter: -install Install Declude -diagPrint diagnostics Shouldn't -diag print out the diagnostics? Also found on the Declude upgrade web page under Operating Theory section the following: = If there are any problems with processing emails Declude will move these emails to the \review directory under the \proc directory for the administrator to check, to reprocess these emails move them back to the \proc or \spool directory. If emails cannot be moved to the appropriate directory Declude will move these emails to the \error directory under the \proc directory for the administrator to check, to reprocess these emails move them back to the \proc or \spool directory. = Above it talks about a \review directory, however, under imail\spool\proc I only have two sub-directories: \error \work. Do I need to create this \review sub-directory, or is Declude now using the \work sub-directory instead? Bill
Re: [Declude.JunkMail] Wondering about Declude 3.x
Ditto, since we run dual-proc IMail servers, as well. What are the current declude.cfg entries and recommended settings? Are all of the documented issues now resolved? Bill - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, October 19, 2005 12:24 PM Subject: Re: [Declude.JunkMail] Wondering about Declude 3.x I appreciate the others sharing their experiences, but I was also hoping that someone from Declude could comment on the current state, any known issues, and what the plans are related to bugs and/or tweaks to the newly introduced code. Thanks, Matt Matt wrote: Since things have been quiet for some time, I just wanted to check up on what is happening with 3.x. The last that I heard, there were several people having issues with multi-processor systems. The thread settings also concern me in the way that they are being implemented. It appears from reports that these can greatly affect the performance of a system (and therefore its stability/ability), and knowing how variable E-mail can be, I'm not sure that this is something that I would want to have hard coded on my system. I would hope that there would be another way to go about this. Right now I'm on 2.0.6.16 and have been for some time, but as bugs arise, and bug fixes are released, I would like to have the peace of mind to upgrade to the latest code, but I'm not sure that I have that yet. I know that the folks at Declude have been working long and hard at this for some time now, and I don't want to disrespect that hard work, but I would appreciate an update on where things are, and where they are going as far as the service issues go. Thanks, Matt
Re: [Declude.JunkMail] Command line file editor
- Original Message - From: John T (Lists) [EMAIL PROTECTED] I am looking for a way to edit a text file through command line for use in batch files, generally doing search and replace. If any one has suggestions, please let me know. Sed works well for this type of function: sed "s/original text/new text/g" old-file.txt > new-file.txt Bill
Re: [Declude.JunkMail] Spam box
- Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Thursday, August 04, 2005 2:10 PM Subject: RE: [Declude.JunkMail] Spam box I have a question about these boxes that go in front of Declude, be they IMGATE or ORF or whatever. The way that I understand it from reading the threads here is that these front end boxes require the complete list of valid e-mail addresses for all domains that are being processed. Is that correct? If that is correct, then perhaps someone who is gatewaying mail to clients could answer this. How do you get all the e-mail addresses on the front end box and how do you keep it updated? I am doing gatewaying to various Exchange and other hosting providers and do not host any mail on my site. So am I correct in assuming that this solution will not work in my setup? If you use a newer version of Postfix, you can use recipient address verification. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient for details. However, the receiving mail server needs to respond properly. If Exchange is set to blindly accept all forwarded mail and then bounce mail sent to invalid accounts, then it will always respond positively to verification queries, thus defeating the purpose of recipient address verification. Bill
Re: [Declude.JunkMail] Spam box
- Original Message - From: Matt To: Declude.JunkMail@declude.com Sent: Thursday, August 04, 2005 3:18 PM Subject: Re: [Declude.JunkMail] Spam box One other note to add to this. ORF plugs-into MS SMTP. I have unfortunately found that MS SMTP doesn't appear to handle rejecting oversized attachments when sent with HELO (not EHLO). When messages don't get rejected properly, they are sent over and over again until they time out. I have a 20 MB limit currently, but I found yesterday that there were at least 4 messages being sent over and over and over again, all in excess of 20 MB. That's a lot of bandwidth, in fact these four or so messages chewed up about 4 times my normal bandwidth utilization. I also noted that this issue occurred with another server using the same version of MS SMTP, and others too of course. This issue with MS SMTP is quite serious as it requires manual intervention and lots of time to identify such messages, and therefore it is also one of the reasons why I am moving to Postfix. This would be true of any mail server. If the remote server does not announce the size of the message, which is only supported via ESMTP, then the receiving mail server must receive the message up to the set limit before it can reject the delivery. Bill
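The difference Bill describes between a sender that declares the message size (ESMTP, RFC 1870 SIZE) and one that does not can be simulated as follows. This is an added example, not code from the thread or from any mail server; the 64 KB read size, the addresses and the constructed message bodies are assumptions.

```python
import re
from dataclasses import dataclass

LIMIT = 20 * 1024 * 1024   # 20 MB limit, the figure used in the post
CHUNK = 64 * 1024          # assumed network read size for this simulation

SIZE_PARAM = re.compile(r"\bSIZE=(\d+)\b", re.IGNORECASE)
TOO_BIG = "552 5.3.4 Message size exceeds fixed maximum message size"


@dataclass
class Outcome:
    reply: str            # final SMTP reply sent to the client
    stage: str            # command at which the decision was made
    bytes_received: int   # message bytes accepted before that decision


def body_chunks(total, chunk=CHUNK):
    """Yield a constructed body of `total` bytes without holding it in memory."""
    block = b"x" * chunk
    sent = 0
    while sent < total:
        n = min(chunk, total - sent)
        yield block[:n]
        sent += n


def receive(greeting, mail_from, chunks, limit=LIMIT):
    """Decide where a receiving server can enforce its size limit.

    Only an EHLO session may carry SIZE= on MAIL FROM. With a declared size
    the server can refuse before any message data is transferred; otherwise
    it has to count bytes during DATA and can refuse only once the limit has
    been crossed. A declared size is a claim, so the DATA-phase count is
    enforced in every case.
    """
    esmtp = greeting.split(None, 1)[0].upper() == "EHLO"
    declared = None
    if esmtp:
        match = SIZE_PARAM.search(mail_from)
        if match:
            declared = int(match.group(1))

    if declared is not None and declared > limit:
        return Outcome(TOO_BIG, "MAIL", 0)

    received = 0
    for chunk in chunks:
        received += len(chunk)
        if received > limit:
            # Simplification: a real server still has to drain or drop the
            # connection here; the bytes counted so far are already spent.
            return Outcome(TOO_BIG, "DATA", received)
    return Outcome("250 2.0.0 Ok: queued", "DATA", received)


def wasted_bytes(outcome, attempts):
    """Inbound bandwidth consumed if a rejected message is retried `attempts` times."""
    return outcome.bytes_received * attempts if outcome.reply.startswith("5") else 0


if __name__ == "__main__":
    big = 25 * 1024 * 1024  # constructed 25 MB message
    cases = [
        ("EHLO client.example", f"MAIL FROM:<a@example.com> SIZE={big}"),
        ("HELO client.example", "MAIL FROM:<a@example.com>"),
        ("EHLO client.example", "MAIL FROM:<a@example.com> SIZE=1000"),  # understated size
    ]
    for greeting, mail_from in cases:
        result = receive(greeting, mail_from, body_chunks(big))
        print(greeting.split()[0], result.stage, result.bytes_received,
              wasted_bytes(result, 4))
```
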
Re: [Declude.JunkMail] Header Removal
- Original Message - From: Chuck Cahill [EMAIL PROTECTED] The destination client is a Financial Organization who handles our electronic billing. They are complaining that the X-Mailer: header is causing a routing issue with their automation software and want us to remove it. Chuck, for what it's worth, Postfix can strip these headers very easily, if you are willing to set up a Linux server with Postfix and relay all outbound mail through it. Bill
Re: [Declude.JunkMail] 127.0.0.1 email loop
- Original Message - From: Adam Hobach [EMAIL PROTECTED] Hello, Does anyone have a way to automatically delete emails that have MX/mail records that point to 127.0.0.1? The email is currently in a loop on our mail server then eventually fails. The link below is an example domain that is clogging our filtering server: http://www.dnsstuff.com/tools/lookup.ch?name=mail.juridica.comtype=A FYI - I am still using Junkmail 1.82. Can I simply add 127.0.0.1 to the IP blacklist? I just want to stop these emails from clogging up our server with the email loop. Thoughts? Blocking the localhost address could possibly cause you problems. Why not simply blacklist the sending server's real IP address (the one that it connects to you with) in IMail and be done with it? Bill
Re: [Declude.JunkMail] Header Filter
- Original Message - From: NIck Hayer [EMAIL PROTECTED] I do not think this will work. The imail headers are added after declude sees the email Actually, some IMail spam tests run before being passed to Declude and some after. The JunkMail archives will contain the gory details. Bill Spaminator wrote: Hi all, I have a need to use Declude to filter mail to a user's spambox based on X-IMAIL-SPAM in the headers (we're still using an imail filter that we don't want to give up). I created a custom filter file with the following: HEADERS 10 CONTAINS X-IMAIL-SPAM (separated by tabs) And created the corresponding rules in the declude config files: BANHEADER filter D:\IMail\Declude\CustomFilters\Headers.txt x 5 0 BANHEADER WARN The idea is that the imail rules run, add the X-IMAIL-SPAM header, then declude runs and matches this test against the imail-modified headers. I have the Weight10 test set to send to the user's spambox. The problem is, it doesn't seem to work. With declude logging set to debug, I see the test being called, but the test is always NOT triggered. Processing order problem? Any tips would be greatly appreciated (new Declude user).
Re: [Declude.JunkMail] Header Filter
- Original Message - From: NIck Hayer [EMAIL PROTECTED] Bill Landry wrote: Actually, some IMail spam tests run before being passed to Declude and some after. The JunkMail archives will contain the gory details. Bill correct William - but the headers are after. I already tried to do this awhile ago without success.. Key here is though - awhile ago - maybe the order has been reshuffled in these later revs. Then IPSwitch has made some pretty radical changes in the spam processing since IMail V8 was first released with spam filtering capabilities, and made those changes in the wrong direction, as well. I do not use IMail spam filtering any longer, but here's the way IMail spam processing happened when V8 was released: Of all of the spam tests that IMail V8.0 now supports, all but the statistical content filtering test (which is the one that places the X-Imail-Spam entry into the header) run before being passed to Declude JunkMail. Unfortunately, the IMail statistical test does not run until JunkMail passes the message back to IMail for delivery. (http://www.mail-archive.com/declude.junkmail@declude.com/msg08970.html). If it's no longer this way, and is in fact even worse than before, that's a shame - but I don't care to prove or disprove it either way, since I couldn't be bothered to use their spam tests any longer anyway. Bill
Re: [Declude.JunkMail] Header Filter
- Original Message - From: Spaminator [EMAIL PROTECTED] Bill, thanks-- this helps a lot. The imail statistics test was one I wanted to capture with declude, but mostly I'm looking for the phrase and URL tests (which we've spent years tweaking extensively). So, this is good news (although I still can't get it working-- maybe imail writes headers only at the end of all its processing?). Don't know, but if you hold any spam via Declude JunkMail, take a look at some of the messages in your hold directory to see what, if any, headers IMail has added (since these would have been added by IMail prior to delivering to Declude). Bill
Re: [Declude.JunkMail] IMail Server Vulnerabilities...
- Original Message - From: Michael L. Hardrick [EMAIL PROTECTED] Ipswitch IMail Server Multiple Unspecified Vulnerabilities http://www.securityfocus.com/bid/13727?ref=rss Though they don't report it, I'm assuming that 8.15 with HF2 is not vulnerable either, since the HF2 patches look to be the same for both 8.15 and 8.2, with the exception of the SMTPD32 related fix, which probably was not an issue with 8.15. Bill
Re: [Declude.JunkMail] Spool and Overflow Folders...
I see three instances of "Using [im.decludekey.us]" every time I run the "declude -diag" command on my two IMail/Declude servers. I use the following setting in my declude.cfg files: DNS xxx.xxx.xxx.xxx because I don't use the same DNS setting for Declude as I have configured in IMail. I have added: DNSOVERRIDE xxx.xxx.xxx.xxx as well, and now the response to "declude -diag" is much quicker, and only one instance of "Using [im.decludekey.us]" shows up. Bill - Original Message - From: Ralph Krausse To: Declude.JunkMail@declude.com Sent: Wednesday, May 18, 2005 1:42 PM Subject: [Declude.JunkMail] Spool and Overflow Folders... We have had reports from some customers that their spool and overflow folders have been slowly backing up using Declude 2.0.6 If you are experiencing this kind of problem, type Declude -diag at the command prompt.
SmarterMail
If you see 'Using [sm.decludekey.us]' more than once, follow steps 1-5
Imail
If you see 'Using [im.decludekey.us]' more than once, follow steps 1-5
1. Create a new txt file in your Declude folder and rename it to declude.cfg. If you already have a declude.cfg skip to step 2
2. Open the declude.cfg in notepad
3. Add DNSOVERRIDE xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is your DNS server IP address (use the IP defined in your Smartermail or IMail administrator DNS field)
4. Save the declude.cfg file
5. Return to the command prompt and type Declude -diag you should see the 'Using' text being displayed only once.
6. Monitor the spool and the overflow to see if the situation has improved.
Declude Engineering
Re: [Declude.JunkMail] German political spam
Here's another one: http://mailscanner.prolocation.net/german.cf Bill - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Sunday, May 15, 2005 9:07 AM Subject: RE: [Declude.JunkMail] German political spam The direct link for spamassassins filter file is http://www.filterregel.de.vu/rassistische_mails_2.cf Markus
Re: [Declude.JunkMail] Deleting emails based solely on Sniffer?
- Original Message - From: Joey Proulx [EMAIL PROTECTED] Can someone please explain to me why, if an email is flagged as spam by Sniffer, I shouldn't just delete it outright? Are there instances where Sniffer is wrong? Or is this the way you all use it already? Reason I ask is that I have Sniffer setup with a weight of 10...and I hold messages with a weight of 10-14. This morning I got a Nigerian-type scam that sniffer flagged, but it only scored a total weight of 5. I'll have to check through my global.cfg when I get back from my 9am meeting, but something added a weight of -5 somewhere, meaning the email got through. If I had deleted all Sniffer-found spam outright, this would not have happened. Thoughts? I wouldn't recommend doing that, since I typically submit a few false-positives each week to the Sniffer false@ address. The better thing to do, as you said, is determine what test(s) is/are reducing the weight and adjust it. Bill
Re: [Declude.JunkMail] LOGFILE Legal
- Original Message - From: Evans Martin [EMAIL PROTECTED] I wish to move my Declude log file out of the Imail\Spool directory and to a directory called \Program Files\SyslogD\Logs. However, when I set LOGFILE to c:\Program Files\SyslogD\Logs\dec.log, I get a log file in the root directory of my hard drive called program and no output in the target directory. What values are legal in the LOGFILE section? Do I need to format them as relative from the Imail directory like ..\..\ Program Files\SyslogD\Logs\dec.log? I simply use: LOGFILE L:\Spam\dec.log However, if you use a directory name with a space in it (like Program Files), you probably need to enclose the entire path in quotes: LOGFILE "c:\Program Files\SyslogD\Logs\dec.log" Bill
Re: [Declude.JunkMail] Imail 8.2 Beta
Yep, Declude really dropped the ball with their lack of URIBL support in their latest release. Bill - Original Message - From: Andy Schmidt [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, February 01, 2005 11:24 AM Subject: [Declude.JunkMail] Imail 8.2 Beta Don't know if everyone saw that. Looks as if for once, Imail may actually 'beat' Declude by supporting SURBL natively. I'm curious if they'll at least do SOME of those checks (such as SPF) during the SMTP session - instead of accepting mail first.
New Features In Version 8.2
o Secure Socket Layer for POP - The POP server will support SSL and TLS via the STLS extension and through a dedicated port.
o Secure Socket Layer for IMAP - The IMAP server will support SSL and TLS via the STARTTLS extension and through a dedicated port.
o Secure Socket Layer for SMTP - IMail Server will provide support for dedicated SSL and TLS negotiated sessions.
o SPF - IMail connection filtering will support the draft RFC for Sender Policy Framework to enable administrators more control in stopping incoming mail from forged addresses.
o Attachment Blocking - Attachment blocking will remove attachments based on attachment extension and MIME type
o Major SMTPd Enhancements - SMTPd is now multi threaded and has been re-designed for better performance and stability.
o Ability to block spam messages with bad/incorrect MIME headers and flag it as spam.
o Ability to detect hyperlinks in plain text emails and check them against the spam URL blacklist table.
Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ http://www.hm-software.com/
Re: [Declude.JunkMail] Imail 8.2 Beta
All this and more is available via SpamAssassin. You may want to look at Sandy's SA plug-in to Declude, or possibly look at setting up SA on a Linux/Postfix/Amavisd-New/Sniffer gateway. Bill - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, February 01, 2005 1:04 PM Subject: Re: [Declude.JunkMail] Imail 8.2 Beta Hi Darrell, I already have RegExp white and blacklists, just want the ability to handle pattern matching against just the from address. Darin. - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, February 01, 2005 3:59 PM Subject: Re: [Declude.JunkMail] Imail 8.2 Beta Certainly did...hopefully provide an impetus towards adding new features and tests to Junkmail like SURBL, and other requested features like better pattern matching for black/whitelist files. I know this is not what you want to hear at this exact moment, but I have an external application that I am working on and a few others are testing it right now that allows you to use regular expressions/advanced pattern matching against the body or header of messages. If anyone is interested in working with the app as well just let me know offlist. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, URI/SURBL and MRTG Integration, and Log Parsers.
Re: [Declude.JunkMail] Google and/or Earthlink failing subjectchars
- Original Message - From: [EMAIL PROTECTED] Is any one seeing Google and or Earthlink failing the subjectchars test on blank subject lines or even if there is a subject typed in ? Any one know of a reason for this. This was a known bug that I think has been fixed with the latest release. See: http://www.mail-archive.com/declude.junkmail@declude.com/msg21811.html and related thread for more info. Bill
Re: [Declude.JunkMail] Sniffer vs. SURBL
- Original Message - From: Jonathan [EMAIL PROTECTED] I was just playing with this today - I'm not sure I'd put much faith in surbl.org. The first two messages I saw it tag in my own inbox, were very legitimate. In fact, one of them was from Wells Fargo (*really* from Wells Fargo, sent from Wells Fargo's own mail servers). I find this ironic, since one of their new features, is whitelisting publicly traded companies. :) SURBL's do not look at anything other than the URIs found in the message. So if Wells Fargo included a link to a site that is listed in one of the URIBLs, then it would get tagged. If you feel that the particular link that was tagged is to a legit site and should not be included in one of the URIBLs supported by SURBL, then report it to them, and if confirmed, it will be whitelisted and/or removed (see the contacts link at www.surbl.org). Bill
Re: [Declude.JunkMail] Sniffer vs. SURBL
- Original Message - From: Matt [EMAIL PROTECTED] My fault for mixing up names in this case. I was thinking about the combined URIBL zone and not your version of the checker. The issue that I was really intending to speak to was the combined zone (multi.surbl.org) that some people are using over SURBL alone. Multi is a bit-masked URIBL. It will return a single response for a single test match or multiple test match. The only difference in using multi versus the individual tests is a single query versus multiple. If you don't want to use all of the tests available via multi, don't define them all. Bill
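How one bit-masked answer from the combined zone maps onto several locally defined tests, as an added example that is not part of the thread and is not Declude's or SURBL's own code. The list names, bit values, weights and DNS answers are constructed for illustration; take the real bit assignments from the SURBL documentation.

```python
import ipaddress

ZONE = "multi.surbl.org"   # combined zone named in the post
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed list names and bit values, for illustration only.
ALL_BITS = {"LIST_A": 2, "LIST_B": 4, "LIST_C": 8, "LIST_D": 16}

# Local configuration: LIST_D is deliberately left undefined, which is all it
# takes to ignore that list while still sending a single query.
CONFIGURED = {"LIST_A": 2, "LIST_B": 4, "LIST_C": 8}
WEIGHTS = {"LIST_A": 5, "LIST_B": 3, "LIST_C": 4}   # hypothetical weights

# Constructed DNS answers standing in for a resolver (absent key = NXDOMAIN).
SAMPLE_ANSWERS = {
    "spamvertised.example.multi.surbl.org": "127.0.0.6",   # bits 2 + 4
    "other.example.multi.surbl.org": "127.0.0.16",         # only the undefined bit
}


def query_name(domain, zone=ZONE):
    """Name to look up (A record) for a domain taken from a message URI."""
    return domain.strip(".").lower() + "." + zone


def decode(answer, tests=CONFIGURED):
    """Return the configured tests whose bit is set in the answer.

    `answer` is the A record as a string, or None when the name does not
    exist (not listed). An address outside 127.0.0.0/8 is not a list result,
    for example a resolver that rewrites NXDOMAIN, and is refused instead of
    being read as a bitmask.
    """
    if answer is None:
        return []
    addr = ipaddress.IPv4Address(answer)
    if addr not in LISTED_NET:
        raise ValueError(f"unexpected answer {answer}: not a list response")
    mask = int(addr) & 0xFF            # the last octet carries the bitmask
    return sorted(name for name, bit in tests.items() if mask & bit)


def weigh(domains, resolve, tests=CONFIGURED, weights=WEIGHTS):
    """One query per domain; add the weight of every configured test that matched."""
    total, hits = 0, {}
    for domain in domains:
        matched = decode(resolve(query_name(domain)), tests)
        if matched:
            hits[domain] = matched
            total += sum(weights[name] for name in matched)
    return total, hits


if __name__ == "__main__":
    uris = ["spamvertised.example", "other.example", "clean.example"]
    print(weigh(uris, SAMPLE_ANSWERS.get))
```
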
Re: [Declude.JunkMail] Filter for blank subject lines
My read is that he is only attempting to enforce the subject requirement on his own users within his own domain. So if he builds his rules appropriately, either as a specific domain rule or a combo filter, he should be able to apply the subject requirement to his own users/domain without affecting or bouncing messages to anyone outside his userbase/domain. Bill - Original Message - From: Matt [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, January 05, 2005 12:34 PM Subject: Re: [Declude.JunkMail] Filter for blank subject lines Since a sizeable amount of blank subjects are spam and come from forged addresses, please don't bounce such messages. It's called backscatter, and it is a very large problem, typically amounting to 1% to 2% of my total mail volume. This is also common enough that you would also upset many customers. If you tweak your setup properly, you can tag blank subjects with a little weight and still not have issues with blocking legitimate E-mail while improving spam detection. Matt [EMAIL PROTECTED] wrote: Any previous talk on filtering for blank subject lines is 2 years old, so I'd like to present the question again, and/or make a new feature request. Within our corp, we have several employees who enjoy sending their mails with no subject what-so-ever. Wrist slaps have done nothing to correct this problem. I'd like very much to bounce mails lacking subjects, informing the sender that to complete the delivery, they must resend with a completed subject line. I've tried using both SUBJECTCHARS and CONTSPACES, but they don't seem to work as I'd like. Is there a specific test or filter I can use to detect blank subject lines? TIA -- MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/
Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?
I agree with your comments, Matt. The other thing that has frustrated me is the fact that a bug will be fixed in an interim release and no mention of it will be made on the list until someone else complains about the problem on the list. Then there would come a response, oh, that was fixed two months ago in interim release x.xx.

When bugs are reported to Declude that affect how the product functions, Declude should make it a point to report those issues to its user base, or at least to the list. They should also announce immediately when a bug has been fixed so that we don't sit around twiddling our thumbs waiting for a fix that's been available for two weeks or two months, or struggling with a problem that's been fixed.

I held my tongue on this one, but was quite astounded that Declude did not send out a customer notification immediately after this bug was reported. Especially since this is a test that is enabled by default in the basic global.cfg. I would venture to guess that a lot of people have their tests pretty tightly configured, so that even a small weight addition could trigger hold, or worse, delete actions to be taken. Users need to be notified right away about bugs like this so that they can decide if they need to make changes or not. Heck, we even had people thinking that there were problems with JunkMail plug-ins like Sniffer. Would have saved everyone time and frustration had a notification message been sent out immediately to all customers.

The other thing that has bothered me about this particular situation is the rationalizing/excuses that have been posted as to why action was not taken sooner. I would feel much better if Declude would have just owned up to the fact that they dropped the ball on this one and promised to do better next time.

Oh well, just my unsolicited opinion (they're a dime a dozen, you know)...

Bill

- Original Message -
From: Matt [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, January 03, 2005 3:38 PM
Subject: Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?

R. Scott Perry wrote:

The main reason this wasn't done was because it wasn't clear that this was going to be as big an issue for our customers as it turned out to be. The thought was that since this is normally a relatively minor test, anyone that it does affect adversely would just comment out the test.

IMO, anything that has a measurable detrimental effect on all systems and all E-mail is very well within the bounds of what needs to be communicated from my perspective, even if it is only scored at one point in a default config. Not even a second thought. My issue was similar to Kami's where I was using the test in combinations to add extra weight, and the bug had the effect of making a false positive with a single test much worse. It would have taken me hours to clean everything up if I had not known about it until this morning.

Even regarding other far more minor bugs; I've spent many wasted hours trying to diagnose what was going on with bugs that were already known to Declude. If such information was available to me by list or by site of known issues, I would certainly save myself time and also prevent other issues from occurring that I wasn't aware of.

Take for example the Subject parsing bug that was discovered with the introduction of Yahoo's Domain Keys. I had two other people report to me issues with my GIBBERISHSUB filter because of this bug, and at first when presented with it, I didn't realize that this was the bug that was reported on this list until I looked at it for about 15 minutes and suddenly remembered. So something as minor as the bug that was primarily affecting only messages from Yahoo, and was mostly only causing issues with a somewhat common custom filter, in fact had some effect. I'm afraid that everyone running GIBBERISHSUB right now is scoring the majority of messages from Yahoo because of this, a fact probably completely overlooked at Declude when determining what to do with it.

I think what is best is to allow us to determine what information is useful and what isn't, but naturally within a reasonable limit. I consider having access to brief descriptions of all known bugs upon discovery to be highly valuable, and a time saver for myself as well as something that will help me improve my QOS. I would prefer this information to be 'pushed' to me in E-mail, but I would be happy with it any way that I could get it. If you do decide to push it, you might want to include the option to join a list for this purpose as part of a more generalized announcement or in the footer for the listserv. I'll bet that if made aware of the option, a large number if not most Declude admins would choose it.

Matt
Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?
- Original Message -
From: Dave Doherty [EMAIL PROTECTED]

I had a couple of false positives this morning caused in part by SPAMHEADERS apparently objecting to 2005 as an invalid year. When I checked my normal mail, everything I checked failed SPAMHEADERS. Using Declude 1.79i7. Were there any warnings on this? Is anybody else seeing it?

Yep, seeing it here too, with version 1.81. Declude so far is reporting two SpamHeader codes:

Code: 480e. The E-mail failed the SPAMHEADERS test. This E-mail has a bad year in the Date: header.

Code: 480f. The E-mail failed the SPAMHEADERS test. This E-mail has a bad year in the Date: header.

Time to disable the SpamHeaders test until this gets fixed.

Bill
Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?
- Original Message -
From: Dave Doherty [EMAIL PROTECTED]

I set it to zero weight temporarily. I also sent an email direct to Scott and Barry.

Why run the test at all if you're going to set the weight to zero anyway - just comment out the test until it's fixed. I can see this causing some major problems for users that are not subscribers of this list, or who do not actively monitor it. I'm wondering if the only fix for this is a new declude.exe file? If that's the case, CPHZ has got their early New Year's work cut out for them...

Bill
Re: [Declude.JunkMail] tools/weights
- Original Message -
From: Richard Lanard [EMAIL PROTECTED]

I've been thinking about the Sniffer, but I had a few questions: Do I have to have Pro to run it, i.e. external tests? And how effective is it against Phishing? Or would it be better to add McAfee and Clam for this problem? We currently are limited to phrase filtering in Imail for the Phishing part.

Sniffer does well at tagging phishing messages. However, adding ClamAV (clamd) is also a very good addition, both for detecting phish and virus laden messages. You can also use the MailPolice fraud list, which includes phish domains.

Bill
[Declude.JunkMail] Fw: Declude 2.0b Install
Nice to know that Declude is listening to our requests. Thanks Ralph!

Bill

- Original Message -
From: Ralph Krausse
To: [EMAIL PROTECTED]
Sent: Tuesday, December 21, 2004 10:57 AM
Subject: Declude 2.0b Install

Hello Bill,

I wanted to let you know that I was monitoring the email thread on the Declude forums. I will add an option to the install (and all future installs) to be able to do a 'manual install' where it will prompt you for a folder where the install will just copy the files into that folder and exit. Then you will be able to do the upgrades you are used to. We are trying to make installs and upgrades easier for users but I realize that some customers do like the hands-on approach. I will try to accommodate everyone.

Thank you,
Ralph Krausse
Re: [Declude.JunkMail] mailpolice
- Original Message -
From: Glen Harvy [EMAIL PROTECTED]

Hi, Is anyone using mailpolice and if so what details are required in the global.cfg file?

See http://rhs.mailpolice.com/usage.php. Here is an example of how to setup the MailPolice Block list as an RHSBL type test in the global.cfg.

MAILPOLICE-BLOCK rhsbl block.rhs.mailpolice.com 127.0.0.2 5 0

Block is a combination list, including the bulk and porn lists.

Bill
Re: [Declude.JunkMail] mailpolice
- Original Message -
From: Scott Fisher [EMAIL PROTECTED]

You can also use their rev dns list:

MAILPOLICE-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 50 0

Hmmm, do you actually catch anything with this test? And why would you go through the trouble of setting it this way? Since this is a classic RHS test, why wouldn't you just set it up like:

MAILPOLICE-DYNA rhsbl dynamic.rhs.mailpolice.com 127.0.0.2 5 0

They also have a fraud list that will help catch phish type e-mails:

MAILPOLICE-FRAUD rhsbl fraud.rhs.mailpolice.com 127.0.0.2 5 0

Bill
Re: [Declude.JunkMail] mailpolice
Yeah, after Scott's reply I setup a couple of tests using HELO REVDNS to see what the results would be like. I'll monitor for a few days to see how they look, but so far I am seeing pretty good results.

Bill

- Original Message -
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 17, 2004 3:08 PM
Subject: Re: [Declude.JunkMail] mailpolice

I test the MAILFROM, HELO and REVDNS on the primary list, and the increase in hit rates for using an RHSBL this way is about 1% to 2% on my system if I recall correctly.

I also use the dynamic zone, but I have only applied it to the HELO because I found false positives early on while using it with REVDNS where they were tagging legitimate mail servers, and the patterns should have been detected as unreliable by whoever entered them. This works with a wildcard at only one end of the entry and is capable of only a single pattern match, and therefore it is limited. I decided to supplement my own DUL hits with custom filters built to tag single as well as multiple patterns necessary for proper identification. The idea of using it as a HELO test is designed to catch zombies, and I weight it low due to the false positives with mail servers, but add extra points when it combos with a DUL hit.

Matt

Scott Fisher wrote:

dynamic.rhs.mailpolice.com - dynamic PPP/DSL/cable reverse DNS hostnames, useful for stopping spam from broadband proxies

Because it targets the RevDNS is why I use the dnsbl with the revdns. I also test the HELO

revdns 97.6% spam 3539/52891 emails
helo 99.7% spam 2612/52891 emails
combo of the above 98.2% spam 3556/52891 emails

When I rhsbl the dynamic I would get too many false positives. I never got a hit off the fraud list so I stopped using it.
Re: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
- Original Message -
From: William Stillwell [EMAIL PROTECTED]

Umm, Wouldn't the 0 9 setting put a Positive weight on a good clean email? shouldn't it be like

SNIFFER external nonzero c:\sniffer\win32\licenseid.exe authcode 7 -7

which would put a Positive 7 on a nonzero return, and a -7 on a Zero Return ?

Although Sniffer does exceptionally well at detecting spam, it is not perfect. I send missed spam to the Sniffer spam address daily, so applying a negative weight to non-Sniffer tagged e-mail will most likely result in reduced weight of some spam messages, as well. It's better to just leave the last field at zero.

Also, when posting your global.cfg file, I would recommend DELETING your LicenseID and Authentication Code for Sniffer.

Indeed! Katie, I accidentally did the same thing about a year ago. You will probably want to contact MicroNeil and ask them to issue you a new Sniffer LicenseID and AuthCode.

Bill
Re: [Declude.JunkMail] SURBL as RHSBL
Markus, if you want to test against all of the SURBLs, since it's only a single query to the multi zone, use:

SURBL_AB rhsbl multi.surbl.org 127.0.0.32 1 0
SURBL_JP rhsbl multi.surbl.org 127.0.0.64 1 0
SURBL_OB rhsbl multi.surbl.org 127.0.0.16 1 0
SURBL_PH rhsbl multi.surbl.org 127.0.0.8 1 0
SURBL_SC rhsbl multi.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl multi.surbl.org 127.0.0.4 1 0

AB = AbuseButler data
JP = Combination of Prolocation data and Joe Wein's SpamSpy data
OB = OutBlaze data
PH = Combination of MailPolice "Fraud" list data and MailSecurity "Phishing" list data
SC = SpamCop top 200 hits data
WS = William Stearns submitter data

I have been testing this for about an hour, and am getting a few hits. We'll see how it goes over the next 24 hours...

Bill

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 11:41 PM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

Is this the correct configuration line for doing this?

SURBLS-RHSBL rhsbl %MAILFROM%.sc.surbl.org 127.0.0.2 5 0

Markus
Re: [Declude.JunkMail] SURBL as RHSBL
Modification, since I was not thinking, but Declude JunkMail does not support bitmasked responses. So instead of using the multi zone, you will need to use:

SURBL_AB rhsbl ab.surbl.org 127.0.0.2 1 0
SURBL_JP rhsbl jp.surbl.org 127.0.0.2 1 0
SURBL_OB rhsbl ob.surbl.org 127.0.0.2 1 0
SURBL_PH rhsbl ph.surbl.org 127.0.0.2 1 0
SURBL_SC rhsbl sc.surbl.org 127.0.0.2 1 0
SURBL_WS rhsbl ws.surbl.org 127.0.0.2 1 0

Which will require six different queries if you want to use all SURBL lists.

Bill
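The bitmask point raised in this thread, as an added example (not code from the original posts or from Declude): the multi zone encodes list membership as bits in the last octet of its answer, so a domain on two lists returns a sum that a test comparing the whole answer against one value never matches. The bit values are the ones quoted in the thread; the function names and sample answers are constructed for illustration.

```python
"""Bitmask versus exact-match reading of multi.surbl.org answers.

Bit values are the ones quoted in this thread (2004). The sample
answers are constructed; no DNS lookups are performed.
"""
import ipaddress
from typing import Dict, List, Tuple

# List bits as given in the thread.
SURBL_BITS = {"SC": 2, "WS": 4, "PH": 8, "OB": 16, "AB": 32, "JP": 64}


def rhsbl_query_name(sender: str, zone: str = "multi.surbl.org") -> str:
    """Build the name an RHSBL-style lookup asks for: <domain>.<zone>.

    Accepts a bare domain or an address such as user@example.com.
    """
    domain = sender.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    if not domain or " " in domain:
        raise ValueError("not a usable sender domain: %r" % sender)
    return "%s.%s" % (domain, zone)


def decode_multi(answer: str) -> List[str]:
    """Return the lists whose bit is set in a 127.0.0.x answer."""
    octets = ipaddress.IPv4Address(answer).packed
    if octets[:3] != b"\x7f\x00\x00":
        # An answer outside 127.0.0.0/24 is not a list result (for
        # example a wildcarded zone); treat it as no hit.
        return []
    mask = octets[3]
    return sorted(name for name, bit in SURBL_BITS.items() if mask & bit)


def exact_match_hits(answer: str) -> List[str]:
    """What one whole-answer comparison per list value would report."""
    return sorted(
        name for name, bit in SURBL_BITS.items()
        if answer == "127.0.0.%d" % bit
    )


# Constructed sample answers (domain -> A record returned by the zone).
SAMPLE_ANSWERS = {
    "one-list.example": "127.0.0.4",     # WS only
    "two-lists.example": "127.0.0.36",   # WS + AB
    "four-lists.example": "127.0.0.86",  # SC + WS + OB + JP
    "odd-answer.example": "192.0.2.1",   # not a list result
}


def compare(answers: Dict[str, str]) -> List[Tuple[str, List[str], List[str]]]:
    """Pair each domain with its bitmask and exact-match readings."""
    return [
        (domain, decode_multi(answer), exact_match_hits(answer))
        for domain, answer in answers.items()
    ]


if __name__ == "__main__":
    for domain, by_mask, by_exact in compare(SAMPLE_ANSWERS):
        print(rhsbl_query_name(domain), by_mask, by_exact)
```

Only the single-list answer is seen by both readings; every combined answer is a miss for exact matching.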
Re: [Declude.JunkMail] SURBL as RHSBL
It's info gleaned from several different lists. I always try to report anything new to this list anyway...

Bill

- Original Message -
From: Darin Cox
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 6:02 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

Hi Bill,

You seem to always be one of the first to share new blacklists. Where do you find this info? Is there another list that would be worth joining?

Thanks, man.

Darin.
Re: [Declude.JunkMail] SURBL as RHSBL
- Original Message -
From: Scott Fisher

I don't believe the Jon Wein and the Phish are testable on their own. I haven't received any hits on jp.surbl.org.

Yep, that does appear to be the case for the JP list - it was the last list added to SURBL, and since it was added after the creation of the MULTI bitmasked setup, it was apparently never setup as a separate zone. The PH list has a very low hit rate anyway, since it only contains a few hundred domains.

Bill
Re: [Declude.JunkMail] SURBL as RHSBL
WS is the heaviest hitter. You could add all of these lists as a single test which will hit on any response from any of the lists:

SURBL rhsbl multi.surbl.org * 1 0

Bill

- Original Message -
From: Jason @ AreaTech
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 7:15 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL

I would rather not add six new tests to my config. Would you recommend a single SURBL test? Which one seems to work better?

Regards,
Jason
Re: [Declude.JunkMail] SURBL as RHSBL
Folks, apparently the PH and JP lists were never setup as separate SURBL zones, so I would recommend not querying those lists as you will never get a response from them until Declude JunkMail supports bitmasked responses.

Bill

- Original Message -
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 7:32 AM
Subject: RE: [Declude.JunkMail] SURBL as RHSBL

I would rather not add six new tests to my config. Would you recommend a single SURBL test? Which one seems to work better?

I'm running it now on my servers and can report the first results after 24 hours. I'll let you know how much and how accurate all 6 tests will perform.

Markus
Re: [Declude.JunkMail] SURBL as RHSBL
Hmmm, that could possibly render some decent results if spammers use the same domain in the MAIL FROM: address in the SMTP envelope as they use in the URI listed in the body of the message. How are the results stacking up against your other RHSBL tests?

Bill

- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 2:59 PM
Subject: [Declude.JunkMail] SURBL as RHSBL

I know it is not the intended use of the SURBL list, but is anyone else using the SURBL test as a RHSBL test? I just figured if the URL is used for spam, do I really want to be receiving e-mail from that domain? So far it has been 99.5% effective. I'm just curious to see if anyone else has tried it?
Re: [Declude.JunkMail] Is DNSStuff Down?
- Original Message -
From: Serge [EMAIL PROTECTED]

i set the following filter to collect spam messages that are not caught by sniffer
not working
does the testfailed work on weight test ?
If not, how to change the filter to do what I need ?

TESTFAILED END CONTAINS SNIFFER
TESTFAILED 0 CONTAINS WEIGHT20

Serge, are you trying to setup automatic forwarding to SortMonster of spam messages over a certain weight that were not flagged by Sniffer? If so, I can tell you how I do this. If not, what are you trying to accomplish?

Bill
Re: [Declude.JunkMail] Is DNSStuff Down?
- Original Message -
From: Serge [EMAIL PROTECTED]

what i am trying is to copy these messages to a mailbox for further review to help me understand and fine tune my weighing, with the message still going to the final recipient.

First, the TESTSFAILED location parameter is supported in filter files. I think your problem is that you are missing the second s in TESTS.

but i am also interested in automatically forwarding to sniffer, now that you mention it :)

The first thing you need to do before setting up auto-forwarding of messages to SortMonster is to ask them to setup a special spam-trap account for you that you can forward these messages to (they will assign you a specific e-mail address to use).

In your global.cfg, setup a specific weight test for special handling of messages over a certain weight:

WEIGHT-SPAMBOX weight x x 36 0

In your $declude$.junkmail file, create a new ROUTETO action for this weight test:

WEIGHT-SPAMBOX ROUTETO [EMAIL PROTECTED]

The configuration of the IMail spambox account is as follows:

1. Create the spambox e-mail account
2. Create two inbound filter rules for this account
   a. Click Add on the Inbound Rules tab
      i) Select Rule: If Header Text
      ii) Select Contains radial button
      iii) Search Text: SNIFFER
      iv) Check Match Case
      v) Click Ok
      vi) Select the Delete radial button
   b. Click Add again on the Inbound Rules tab
      i) Select Rule: If Header Text
      ii) Select Does not Contain radial button
      iii) Search Text: SNIFFER
      iv) Check Match Case
      v) Click Ok
      vi) Select the Forward radial button
      vii) Enter the special e-mail address SortMonster assigns to you in the Address field
   c. Click Apply

All messages forwarded to this spambox account by Declude JunkMail that contain the word SNIFFER in the headers will be deleted. All messages that do not contain the word SNIFFER in the headers will be forwarded to the special e-mail address assigned to you by SortMonster.

Bill
Re: [Declude.JunkMail] habeas
- Original Message -
From: Jeff Kratka [EMAIL PROTECTED]

> Has anyone had better luck with habeas lately? I turned things off since the spammers jumped on.

Don't use the Declude JunkMail habeas whitelist feature:

    WHITELIST HABEAS

nor

    HABEAS habeas x x -3 0

the watermark is used by way too many spammers now. Instead, use the habeas IP4R white/black lists:

    HABEAS-USER ip4r hul.habeas.com * -10 0
    HABEAS-VIOLATOR ip4r hil.habeas.com * 10 0

which are controlled by habeas and are much more reliable.

Bill
Re: [Declude.JunkMail] habeas
- Original Message -
From: Scott Fisher [EMAIL PROTECTED]

> Habeas by itself was useless. A trivial amount of spammers using it.
> I turned Habeas-HIL off... Too few responses to be useful. Twice in the last year they were false positiving on AOL, so when I was using it, their weight kept dropping.
> I won't use Habeas-HUL because I refuse to complete their online agreement to use the list that would benefit their customers.

Nothing to fill out, simply use their white/black lists:

    HABEAS-USER ip4r hul.habeas.com * -10 0
    HABEAS-VIOLATOR ip4r hil.habeas.com * 10 0

Bill
Re: [Declude.JunkMail] anyone know how to stop this? topic change
- Original Message -
From: Nick [EMAIL PROTECTED]

> A little SpamAssassin help please -
>
>> It does, but it can also be used with Declude as an RHSBL now:
>> MAILPOLICE-FRAUDfraud.rhs.mailpolice.com 127.0.0.230
>
> to see if I have this correct for SA 3x
>
> In my local.cf
>
> urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A # A record lookup
> header URIBL_MP eval:check_uridnsbl('URIBL_MP')
> describe URIBL_MP Contains a URL listed in the MP SURBL blocklist
> tflags URIBL_MP net
> score URIBL_MP 2.0 #value returned to SA
>
> I can use any RHSBL I like - correct?

Not quite. Here's a sample of how to set up URIRHSBL support in SA:

    urirhsbl URIBL_MP_RHSBL block.rhs.mailpolice.com. A
    body URIBL_MP_RHSBL eval:check_uridnsbl('URIBL_MP_RHSBL')
    describe URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL blocklist
    tflags URIBL_MP_RHSBL net
    score URIBL_MP_RHSBL 2.0

This is for the MailPolice block list, which also incorporates the fraud list. If you want to use fraud only, change the hostname above from block to fraud.

Bill
Re: [Declude.JunkMail] anyone know how to stop this? topic change
I should have clarified, the example I give below is for SA 3.0.1, since they changed the action from header to the more appropriate body setting between SA 3.0.0 and 3.0.1. So, you have it correct if you are using anything before 3.0.1.

Bill

- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 09, 2004 11:12 AM
Subject: Re: [Declude.JunkMail] anyone know how to stop this? topic change

- Original Message -
From: Nick [EMAIL PROTECTED]

> A little SpamAssassin help please -
>
>> It does, but it can also be used with Declude as an RHSBL now:
>> MAILPOLICE-FRAUDfraud.rhs.mailpolice.com 127.0.0.230
>
> to see if I have this correct for SA 3x
>
> In my local.cf
>
> urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A # A record lookup
> header URIBL_MP eval:check_uridnsbl('URIBL_MP')
> describe URIBL_MP Contains a URL listed in the MP SURBL blocklist
> tflags URIBL_MP net
> score URIBL_MP 2.0 #value returned to SA
>
> I can use any RHSBL I like - correct?

Not quite. Here's a sample of how to set up URIRHSBL support in SA:

    urirhsbl URIBL_MP_RHSBL block.rhs.mailpolice.com. A
    body URIBL_MP_RHSBL eval:check_uridnsbl('URIBL_MP_RHSBL')
    describe URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL blocklist
    tflags URIBL_MP_RHSBL net
    score URIBL_MP_RHSBL 2.0

This is for the MailPolice block list, which also incorporates the fraud list. If you want to use fraud only, change the hostname above from block to fraud.

Bill
Re: [Declude.JunkMail] SA help -
- Original Message -
From: Nick [EMAIL PROTECTED]

> How do you handle if a particular rhsbl returns multiple return codes like 127.0.0.2; 127.0.0.4, etc. and you want to pick which one to use - is it:
>
> urirhsbl URIBL_EX multiple.example.com. A 127.0.0.4
> or
> urirhssub URIBL_EX multiple.example.com. A 127.0.0.4
> or
> urirhssub URIBL_EX multiple.example.com. A 8
>
> I read the docs and am confused!

Nick, I cannot think of any RHSBLs that would be candidates for urirhssub, other than the SURBLs that currently use bitmasked responses. However, if there were an RHSBL that supported multi-quad responses (like DNSBLs do), I would try setting it up like:

=
urirhssub URIBL_EX1 multiple.example.com. A 127.0.0.1
body URIBL_EX1 eval:check_uridnsbl('URIBL_EX1')
describe URIBL_EX1 Contains a URL listed in the EX1 blocklist
tflags URIBL_EX1 net
score URIBL_EX1 1.0

urirhssub URIBL_EX2 multiple.example.com. A 127.0.0.2
body URIBL_EX2 eval:check_uridnsbl('URIBL_EX2')
describe URIBL_EX2 Contains a URL listed in the EX2 blocklist
tflags URIBL_EX2 net
score URIBL_EX2 1.0

urirhssub URIBL_EX3 multiple.example.com. A 127.0.0.3
body URIBL_EX3 eval:check_uridnsbl('URIBL_EX3')
describe URIBL_EX3 Contains a URL listed in the EX3 blocklist
tflags URIBL_EX3 net
score URIBL_EX3 1.0
=

This checks out fine with spamassassin --lint, so I would think that it should work fine.

Bill
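The difference between the three forms asked about above can be seen by modelling how a sub-test is compared with the A records a zone returns. This is an added example, not part of the original posts and not SpamAssassin's own code; it assumes the documented urirhssub behaviour (a dotted-quad sub-test is an exact match, a decimal sub-test is a bitmask), and the URIBL_BIT4, URIBL_BIT8 and URIBL_ANY rules are hypothetical.

```python
import ipaddress
from collections import namedtuple

# One parsed rule; subtest is None for plain urirhsbl (any answer is a hit).
Rule = namedtuple("Rule", "name zone rrtype subtest")

# Constructed config: the three exact-match rules from the post above plus
# hypothetical bitmask and catch-all rules for comparison.
CONF = """
urirhssub URIBL_EX1 multiple.example.com. A 127.0.0.1
body      URIBL_EX1 eval:check_uridnsbl('URIBL_EX1')
urirhssub URIBL_EX2 multiple.example.com. A 127.0.0.2
urirhssub URIBL_EX3 multiple.example.com. A 127.0.0.3
urirhssub URIBL_BIT4 multiple.example.com. A 4   # hypothetical bitmask rule
urirhssub URIBL_BIT8 multiple.example.com. A 8   # hypothetical bitmask rule
urirhsbl  URIBL_ANY  multiple.example.com. A     # hypothetical catch-all
"""


def parse_rules(conf):
    """Parse urirhsbl / urirhssub lines; every other directive is ignored."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 4 and parts[0] == "urirhsbl":
            rules.append(Rule(parts[1], parts[2].rstrip("."), parts[3], None))
        elif len(parts) == 5 and parts[0] == "urirhssub":
            rules.append(Rule(parts[1], parts[2].rstrip("."), parts[3], parts[4]))
    return rules


def subtest_matches(subtest, answer):
    """Compare one returned A record with one sub-test."""
    addr = ipaddress.IPv4Address(answer)
    if subtest is None:          # urirhsbl: being listed at all is a hit
        return True
    if "." in subtest:           # dotted quad: exact match on the whole address
        return addr == ipaddress.IPv4Address(subtest)
    return bool(int(addr) & int(subtest))  # decimal: bitmask over the address


def rules_hit(rules, zone, answers):
    """Names of the rules that fire for the A records returned by zone."""
    return [r.name for r in rules
            if r.zone == zone
            and any(subtest_matches(r.subtest, a) for a in answers)]


if __name__ == "__main__":
    rules = parse_rules(CONF)
    for answers in (["127.0.0.2"], ["127.0.0.12"], ["127.0.0.1", "127.0.0.3"], []):
        print(answers, "->", rules_hit(rules, "multiple.example.com", answers))
```

A list that encodes categories as sequential values (127.0.0.1, .2, .3) needs the exact-match form, because a bitmask of 2 would also fire on 127.0.0.3; a list that ORs flags together (127.0.0.12 for 4 and 8) needs the bitmask form.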
Re: [Declude.JunkMail] anyone know how to stop this?
It does, but it can also be used with Declude as an RHSBL now:

MAILPOLICE-FRAUDfraud.rhs.mailpolice.com 127.0.0.230

Bill

- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 08, 2004 12:54 PM
Subject: Re: [Declude.JunkMail] anyone know how to stop this?

I think fraud.rhs.mailpolice.com would also work with the SURBL.

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 08, 2004 2:42 PM
Subject: RE: [Declude.JunkMail] anyone know how to stop this?

And if you *really* have horsepower to spare (and some of your own time), implement Sandy's spamc to hook into a SpamAssassin daemon and run SURBL.

Me, I'm waiting for SURBL support in Declude, as the Outblaze and Phishing URI tests in the multi.surbl.org cover a lot of fresh phishing domains.

Andrew 8)

-Original Message-
From: Scott Fisher [mailto:[EMAIL PROTECTED]
Sent: Monday, November 08, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] anyone know how to stop this?

If you have the horsepower to spare... Use ClamAv and Turn PreScan off with Declude Virus Pro. 131 Phish detections this month through yesterday (33271 total e-mails). You are going to be scanning a lot lot more stuff. But not too many phish are going to get through. ClamAv seems to be going after the phish pretty well.

If you still want to burn even more horsepower up. I have an anti-phish filter that uses lots of body searches posted in the multiline filter part of my Declude website: http://it.farmprogress.com/declude/declude.htm

- Original Message -
From: System Administrator [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 08, 2004 1:46 PM
Subject: [Declude.JunkMail] anyone know how to stop this?

A single .gif with the standard phish.

Greg
Re: [Declude.JunkMail] LOG Levels
Andrew, thanks for sharing your scripts, however, I would bet that few list members will actually see them. Log entries:

==
11/07/2004 01:00:46 Qe43e56af00464c1b MIME file: Scripts.zip [base64; Length=5925 Checksum=655492]
11/07/2004 01:00:46 Qe43e56af00464c1b Banning .ZIP file with cmd extension.
11/07/2004 01:00:47 Qe43e56af00464c1b Scanned: Banned file extension. [MIME: 2 11189]
11/07/2004 01:00:47 Qe43e56af00464c1b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
11/07/2004 01:00:47 Qe43e56af00464c1b Subject: RE: [Declude.JunkMail] LOG Levels
==

I just happened to retrieve the QD files from my virus folder so I could view the message. For future reference, it's best to change the extension of .cmd files to .txt for delivery, with a note to recipients to change the extension back to .cmd once they have received the message.

Bill

- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 07, 2004 12:55 AM
Subject: RE: [Declude.JunkMail] LOG Levels

Hey, fun-seekers, I was feeling left out.

Necessity being the mother of invention, I cobbled a bunch of scripts together that I find useful. I just extended one a bit to do what Serge was looking for. I make good use of the GNU Utilities that Bill has advised us on. Thanks, Bill!

Often, I just care about the weight lines, or the from lines, or the subject lines, so I've got 3 scripts that pull just those lines out into weight.txt, from.txt and subject.txt, and just because, another one called build3.cmd that builds all three of those files. The count is output; the discrepancy between the line counts is based on the repetition of lines in the log when there are multiple recipients.

There's a 4th script that I don't use much, called Action, that does a count of the actions I care about.

I'm including a script that Bill put forward here, called MessagesPerHour that does what you'd expect. I use it for those "are we getting a lot of mail" questions.

I found that for Help Desk calls, it was usually a matter of finding:

    User X reports that they don't get email from [garbled name]

or

    Company X reports that some of their mail doesn't get to our users

So I took the next step and wrote: ShowFrom and ShowTo. They do what you'd expect; they filter the From: lines, but these scripts go the next step as well and show you the Last Action for each of those messages too, and put that action early in the columns so that they're easy to spot.

For Serge, I added: ShowAll, which will take some snippet of a Declude log, and based on the Q column, will find all other lines in a different file (presumably the full decMMDD.log). Saving the output of a ShowTo and using it as input to ShowAll would be quite useful.

Likewise, for work on new or old tests, I have ShowWeight. It outputs the Total Weight lines, where they include a certain test like SORBS. Because I take the command line as input for the gnutils, it's regexp friendly (YMMV ... I always use capitals). You can add an extra parameter to this one that specifies the action, which lets you, say, find all lines that matched SPAMCOP for which the action was IGNORE.

I also use 2 little batch files that call textpad (my preferred text editor) with a D*.SMD value, and copy the ?*.SMD files from the spam folder back to the queue. They work for me because I simply mouse the * part right off the screen of my command line session. I tell myself that I'll get around to parsing the input, and taking the right action if a whole Qx is passed instead of the part... they're called T and Q.

Lastly, I should mention that I find it too slow to work on the files at the server, and too slow to work on them over a file share, so I pull them over to a temp folder on my desktop with RoboCopy from the Microsoft Windows Server Resource Kit. So I've got two scripts that parse the date and pull down the correct decMMDD.log (or sysMMDD.txt) for today, and another for yesterday. They're called Today and Yesterday :)

Enjoy!

Andrew 8)

-Original Message-
From: Bill Landry [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 06, 2004 3:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] LOG Levels

- Original Message -
From: Serge [EMAIL PROTECTED]

> Sorry, I may not have expressed myself.
> I need to grep %variable% ...
> Where the variable takes all the values generated by the first grep:
>
> grep "MAIL FROM:[EMAIL PROTECTED]" D:\log1104.txt | gawk "{print $5}" | uniq
>
> Should I use some kind of FOR instruction in a Windows batch file? Or is there a way to achieve that in unix util?
>
> Suppose the first grep gives
> (71c80106004a8af1) (7202010b004a8b02) (7206010d004a8b05) (72b70136004a8b35) (72f300fb004c8b48) (732f015e067a8b5a) (736c00f5002a8b6e) (74d201f4069c8bbc) (7587038a063c8beb) (758b0181067a8bed)
>
> How do I automate grepping all
Re: [Declude.JunkMail] LOG Levels
- Original Message -
From: Serge [EMAIL PROTECTED]

> Here is a line that will give me all sessions from a user:
>
> grep "MAIL FROM:[EMAIL PROTECTED]" D:\log1104.txt | gawk "{print $5}" | uniq > test.txt
>
> Now how do I use a pipe or a batch file to get all the lines for all these sessions in a single file?
> (this is Imail syslog logs)

Use a double pipe and each additional line will be appended to the end of the file:

    grep "MAIL FROM:[EMAIL PROTECTED]" D:\log1104.txt | gawk "{print $5}" | uniq >> test.txt

Bill
Re: [Declude.JunkMail] LOG Levels
- Original Message -
From: Serge [EMAIL PROTECTED]

> Sorry, I may not have expressed myself.
> I need to grep %variable% ...
> Where the variable takes all the values generated by the first grep:
>
> grep "MAIL FROM:[EMAIL PROTECTED]" D:\log1104.txt | gawk "{print $5}" | uniq
>
> Should I use some kind of FOR instruction in a Windows batch file? Or is there a way to achieve that in unix util?
>
> Suppose the first grep gives
> (71c80106004a8af1) (7202010b004a8b02) (7206010d004a8b05) (72b70136004a8b35) (72f300fb004c8b48) (732f015e067a8b5a) (736c00f5002a8b6e) (74d201f4069c8bbc) (7587038a063c8beb) (758b0181067a8bed)
>
> How do I automate grepping all the lines for the above sessions from the log files? (without manually running a grep for each one)

You will need a two line batch file to do this. Try:

    grep "MAIL FROM:[EMAIL PROTECTED]" D:\log1104.txt | gawk "{print $5}" | cut -b 6- | uniq > temp.txt
    grep -f temp.txt f:\imail\spool\spam\log\dec1105.log > results.txt

Bill
Re: [Declude.JunkMail] LOG Levels
- Original Message -
From: Serge [EMAIL PROTECTED]

> Sorry, I may not have expressed myself.
> I need to grep %variable% ...
> Where the variable takes all the values generated by the first grep:
>
> grep "MAIL FROM:[EMAIL PROTECTED]" D:\log1104.txt | gawk "{print $5}" | uniq
>
> Should I use some kind of FOR instruction in a Windows batch file? Or is there a way to achieve that in unix util?
>
> Suppose the first grep gives
> (71c80106004a8af1) (7202010b004a8b02) (7206010d004a8b05) (72b70136004a8b35) (72f300fb004c8b48) (732f015e067a8b5a) (736c00f5002a8b6e) (74d201f4069c8bbc) (7587038a063c8beb) (758b0181067a8bed)
>
> How do I automate grepping all the lines for the above sessions from the log files? (without manually running a grep for each one)

Oops, disregard my last post, accidentally included some of my own path info in the post. Instead:

    grep "MAIL FROM:[EMAIL PROTECTED]" D:\log1104.txt | gawk "{print $5}" | cut -b 6- | uniq > temp.txt
    grep -f temp.txt D:\log1104.txt > results.txt

Bill
Re: [Declude.JunkMail] LOG Levels
- Original Message -
From: DLAnalyzer Support [EMAIL PROTECTED]

> Those are both great tools. My only complaint with BareTail is I get a lot of flicker under TS. However, their older wintail has no flicker...

Try the grep and tail tools included with the GNU Win32 UNIX utilities (http://unxutils.sourceforge.net/). I use them via RCMD all of the time without issue.

Bill
Re: [Declude.JunkMail] OT: expanding beyond one mailhost
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]

> On various domains I administer, a single point of failure mailhost has been good enough, but I'm shortly going to add a second host on a second network for redundancy.
>
> Now, I understand *how* to do that, but what I would like to hear from those who've been there before me is *what* you preferred to implement, whether you choose to talk about bandwidth, administrivia, or spam control.
>
> For example I could keep my single MX record and have round robin on the A records. Or I could make a separate MX record and A record for each mailhost, or do a classic MX = 10 and MX = 20 with a separate A record for each.

I would go with two MX hosts of equal preference:

    example.com      MX  10  gw1.example.com
    example.com      MX  10  gw2.example.com
    gw1.example.com  A   xxx.xxx.xxx.xxx
    gw2.example.com  A   yyy.yyy.yyy.yyy

Then you can easily change the preferences if you need to, or add gateways at the same preference. This is a nice way to balance the load across all of your mail exchangers, and if one drops out of service for some reason, no sweat, since sending mail servers will simply try the next one. This is exactly how we have our gateways set up, and it allows us to drop them in and out of service for maintenance whenever necessary without disrupting anything.

My two cents...

Bill
Re: [Declude.JunkMail] LOG Levels
- Original Message -
From: Scott Fisher [EMAIL PROTECTED]

> I constantly use this batch file to find in the Declude logs. I change the V_logday to the day of the log to search and the V_find to the term to find. (It's usually a specific mail id (Q7172144401ba4a6b or such) and I'll get all log pieces for that mail item.)
>
> set v_path=c:\declude\logs
> set v_logpath=c:\declude\logs
> rem -
> rem - set v_logday to 05* to search all May logs
> Rem - set V_logday to * to search all logs
> Rem - set v_logday to 0511 to search May 11 log
> set V_logday=1029
> Rem - set v_find to what to search for. Use a period as a wildcard in place of a space (Triggered.IS.Filter)
> set v_find=MAILFROM-REVDNS-MATCH
> cd /d %v_path%
> if exist findlog.txt del findlog.txt
> grep -i -U %v_find% %v_logpath%\dec%v_logday%.log > FindinDecludeLog.txt

Wow, if you are looking for a specific Q-ID, why go to so much trouble? Why not just search for the Q-ID (minus the Q and extension in the Q-ID), for example:

    grep e508201c008e3423 m:\imail\spool\spam\log\dec1104.log

That will give you every line for the Q-ID searched on, in the order they were written to the log.

If you also want all of the virus log entries for that same Q-ID:

    grep e508201c008e3423 m:\imail\spool\virus\log\vir1104.log

And if you want to find all of the IMail log entries for that Q-ID, as well:

    grep e508201c008e3423 m:\imail\spool\sys1104.txt

Bill
Re: [Declude.JunkMail] Invalid WHITELIST type: AUTH
- Original Message -
From: Michael Graveen [EMAIL PROTECTED]

> Scott, What does the line Invalid WHITELIST type: AUTH? I thought WHITELIST AUTH allowed me to white list my users that authenticate.

You're correct, that's what it does. But like Scott said, you have to be running something newer than version 1.75 in order to use that feature.

Bill
Re: [Declude.JunkMail] Specific filter for one domain
- Original Message -
From: Mark E. Smith [EMAIL PROTECTED]

> Is there a way to have a filter run for only one domain you're hosting? I'm running Junkmail Pro

Sure, create a subdirectory under the Declude directory with the domain name (e.g., example.com) and place a $default$.junkmail file in this subdirectory with specific actions that will only be applied to this particular domain.

Bill
Re: [Declude.JunkMail] SURBL Lists.
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]

>> SURBL has a list of TLD's that they use in creating their list. IMO, this should be quite easy to provide, and if you don't intend to just say the word and someone here will I'm sure gladly offer up their own.
>
> I'm just going by what I heard from the person who was looking into this -- I'll pass on the information that Bill posted to the appropriate person.

Scott, you might also have that person take a look at http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html. SpamCop has added some nice additional functionality to their URIDNSBL plug-in that would also be nice to include in Declude JunkMail.

Bill
Re: [Declude.JunkMail] Stopping Emails with Nul sendor
Yes, but why would you want to? Most postmaster messages and bounce notifications come from null. But if you must, and you are running the Pro version of JM, in a filter file use:

    MAILFROM 50 IS

However, it's not recommended...

Bill

- Original Message -
From: Cody Wilson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 1:07 PM
Subject: [Declude.JunkMail] Stopping Emails with Nul sendor

Is there a test I can setup with Declude to catch all emails from Null senders From: I looked in the archives with no success. I know I can setup a rule in Imail to do it, but that's per domain. I want this to be global for the server.

Thanks,
Cody Wilson
469.828.4700 PH
469-828-4702 FX
intercityweb.com

--- [Scanned by Intercity Antivirus - www.intercityweb.com]
Re: [Declude.JunkMail] SURBL Lists.
- Original Message -
From: Mark E. Smith [EMAIL PROTECTED]

> I recently added Roger Eriksson's SURBL filter and was wondering if anyone was using this to also pull the other SURBL lists at http://www.surbl.org/
>
> Currently Roger's script only uses the sc.surbl.org.rbldnsd list.
> http://www.botany.gu.se/download/decludescript/SURBL_filter.zip

I wouldn't even consider it, unless you want to bring your server to its knees trying to process all of those thousands of body searches.

Frankly, I am quite surprised that Declude has not implemented support for URIBL queries yet, since I notified Scott in early April of the availability of the URI blacklists, and because they are such a great spam fighting tool. SpamAssassin has been supporting URIBLs for over six months, and many other spam tools are supporting them now, as well. It has greatly increased my SpamAssassin spam detection rates.

Scott, is support for URIBLs even on the JunkMail development schedule?

Bill
Re: [Declude.JunkMail] SURBL Lists.
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]

>> Scott, is support for URIBLs even on the JunkMail development schedule?
>
> It's something that we looked into. But there was some sort of major issue supporting it, which I believe had to do with third-level domains (such as example.co.uk).

Those are addressed in the SURBL whitelist. See item 2 at http://www.surbl.org/implementation.html, which states in part:

=
Extract base (registrar) domains from those URIs. This includes removing any and all leading host names, subdomains, www., randomized subdomains, etc. In order to determine the base domain it may be necessary to use a table of country code TLDs (ccTLDs) such as this partially-incomplete one SURBL uses. For example, any domain found in the two level ccTLD list should have a three-level domain name extracted (like foo.co.uk) for matching against a SURBL. Domains not in the ccTLD list should have two levels checked (such as foo.com).
=

There is a link there to the current list of two-level TLDs that are whitelisted, and more are added as they are found.

Bill
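The extraction step quoted above from the SURBL implementation guidelines can be sketched as follows. This is an added example, not part of the original posts and not Declude's or SURBL's code; the five-entry ccTLD table and the sample message body are constructed, and multi.surbl.org is used as the zone only because it is the list named elsewhere in this thread.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the two-level ccTLD table SURBL links to; the real
# table is far longer and is what a production filter should load.
TWO_LEVEL_CCTLDS = frozenset({"co.uk", "org.uk", "com.au", "co.jp", "com.br"})

URI_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample message body.
SAMPLE_BODY = (
    "Verify at http://www.x9f3k.foo.co.uk/login today.\n"
    "Mirror: HTTP://user@WWW.Foo.COM:8080/a?b=1 and http://cdn.img.foo.com/p.gif\n"
    "Also http://192.0.2.10/pay and http://co.uk/\n"
)


def base_domain(host, two_level=TWO_LEVEL_CCTLDS):
    """Reduce a host name to the base (registrar) domain, or None.

    Hosts ending in a listed two-level ccTLD keep three labels (foo.co.uk);
    everything else keeps two (foo.com).
    """
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return None              # numeric hosts are outside the quoted rule
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        return None
    keep = 3 if ".".join(labels[-2:]) in two_level else 2
    if len(labels) < keep:
        return None              # the URI names the bare suffix, e.g. co.uk
    return ".".join(labels[-keep:])


def surbl_query_names(body, zone="multi.surbl.org", two_level=TWO_LEVEL_CCTLDS):
    """Return the de-duplicated DNS names to look up for the URIs in body."""
    names = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname   # drops userinfo and port, lowercases
        except ValueError:
            continue                        # malformed authority, skip it
        base = base_domain(host, two_level) if host else None
        if base and f"{base}.{zone}" not in names:
            names.append(f"{base}.{zone}")
    return names


if __name__ == "__main__":
    for name in surbl_query_names(SAMPLE_BODY):
        print(name)
    # Without the table, the "third-level domain" problem appears: every
    # .co.uk host collapses to the shared suffix.
    print(base_domain("www.x9f3k.foo.co.uk", two_level=frozenset()))
```

Randomized subdomains and repeated links collapse to one query per base domain, which is what keeps the lookup count low compared with body-search filters.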
Re: [Declude.JunkMail] SURBL Lists.
Please excuse the wrong terminology usage, I meant the TLDs are extracted not whitelisted.

Bill

- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 29, 2004 3:20 PM
Subject: Re: [Declude.JunkMail] SURBL Lists.

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]

>> Scott, is support for URIBLs even on the JunkMail development schedule?
>
> It's something that we looked into. But there was some sort of major issue supporting it, which I believe had to do with third-level domains (such as example.co.uk).

Those are addressed in the SURBL whitelist. See item 2 at http://www.surbl.org/implementation.html, which states in part:

=
Extract base (registrar) domains from those URIs. This includes removing any and all leading host names, subdomains, www., randomized subdomains, etc. In order to determine the base domain it may be necessary to use a table of country code TLDs (ccTLDs) such as this partially-incomplete one SURBL uses. For example, any domain found in the two level ccTLD list should have a three-level domain name extracted (like foo.co.uk) for matching against a SURBL. Domains not in the ccTLD list should have two levels checked (such as foo.com).
=

There is a link there to the current list of two-level TLDs that are whitelisted, and more are added as they are found.

Bill
Re: [Declude.JunkMail] Best Practices for handing legit email flagged as spam?
- Original Message -
From: Mark E. Smith [EMAIL PROTECTED]

> Rick, I was looking at your filter -- great idea. One question (which falls under the processing order)
>
> If you have:
>
> BODY STOPALLTESTS CONTAINS Content-Type: application/x-zip-compressed
>
> I think Declude Virus will still grab this correct?

By default, virus scanning happens before spam filtering, unless you use AVAFTERJM in either of your Virus or JunkMail config files.

Bill
Re: [Declude.JunkMail] What is L# Message OK???
- Original Message -
From: David Bryden [EMAIL PROTECTED]

I see these (see below) statements for every message and can't figure out what they are for. At first I thought they were how deep the IP tests were digging into the header, but then I looked at this message header and found that there was only 1 server in the header before the message was delivered to us. Does anybody know what these mean?

10/23/2004 21:56:09 Q35d900de00f80871 L1 Message OK
10/23/2004 21:56:09 Q35d900de00f80871 L2 Message OK
10/23/2004 21:56:09 Q35d900de00f80871 L3 Message OK

That simply defines the number of local recipients the message was addressed to.

L1 = one local recipient
L2 = two local recipients
L3 = three local recipients
etc...

Bill
Re: [Declude.JunkMail] regEx question
- Original Message -
From: Matt [EMAIL PROTECTED]

Ok, I'm a bit of a newbie with regEx and I could really use some help with this one. I know how to detect all of the HTML in a file by using [^]*, but I'm not sure how to detect everything but the HTML. Could someone please help me with this? If it matters, I am using VBScript to pull this off.

Matt, you might try using the invert-match flag: -v

-v, --invert-match
    Invert the sense of matching, to select non-matching lines.

Also, see VBScript sample at: http://www.planet-source-code.com/vb/scripts/ShowCode.asp?lngWId=4txtCodeId=6269

Bill
Re: [Declude.JunkMail] Somewhat OT question...
- Original Message -
From: Mark E. Smith [EMAIL PROTECTED]

Does anyone know if there's a plug-in for Outlook that lets you easily see the SMTP header? We're doing massive re-tuning to our Declude Gateway system which sits in front of a 15,000 user Exchange system which moves about 420,000 messages through our 4 Declude inbound MX gateways a day. For now we've added a COPYTO rule for all of the SUBJECT actions and are moving them to a special mailbox. The problem with COPYTO is that the only way to see what test might need to be adjusted is to look at the SMTP header. So, when I'm blowing through 13,000 messages just in one afternoon, you can imagine how old Right click, Options gets. :)

Take a look at Pocketknife Peek at http://www.xintercept.com/pkpeek.htm

Bill
Re: [Declude.JunkMail] regEx question
- Original Message -
From: Matt [EMAIL PROTECTED]

Unfortunately that isn't an option in VBScript. What I was really trying to do is return a string with just the HTML and not what is before, after or in between it. When you execute a regEx expression in VBScript, it returns the matches in an object similar to an array, and by adding a loop to take each value and add that to a string does work, but there's probably a better way. Doing the inverse as was shown in that script that you linked to is easy due to the replace method, but it seems strange that there isn't a more simple way to return just the matches. I'm still weak on the syntax and having issues with doing and/or/not stuff, but I'm sure that I'll pick it up in time, and maybe some help.

Hmmm, does VBScript support sed type command syntax? Is this the kind of output you're looking for?:

alt= td td tr tr 7 alt= td tr tr 33 alt= td tr tr 7 alt= td tr tr 33 alt= td tr table footer -- td tr table body -- td tr table td tr table body html

Which is partial output from an html e-mail that I got from the following script:

sed s/\/\\n\/g html-mail.txt | egrep [^]*

You would need to add a few clean-up commands, but that's roughly it.

Bill