[Declude.JunkMail] OT: IMail vs. Merak

2005-12-28 Thread Dan Geiser

Hello, All,
We are re-architecting our e-mail hosting and are going to be upgrading from 
IMail 6.06 to a new e-mail platform.  We are familiar with what IMail can do so 
we are currently evaluating Merak e-mail server to see what else is out 
there.  Has anyone on this list done a similar evaluation between IMail and 
Merak?  If so, did you find any clear benefits that IMail had over Merak or 
vice versa?


We already know that Merak is going to be a more expensive upgrade than 
IMail.  And obviously the current version of Declude doesn't support Merak. 
Anything else that made the decision to stay with IMail easier for you?


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 


---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Declude and IMail 2006

2005-12-13 Thread Dan Geiser
I never said that anyone said that it is not compatible.  I just wanted to 
know if it was compatible and, if so, what should be the minimum version 
number of Declude that we should be running.


- Original Message - 
From: "John T (Lists)" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, December 13, 2005 12:05 PM
Subject: RE: [Declude.JunkMail] Declude and IMail 2006



Who ever said it is not compatible?

John T
eServices For You


-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, December 13, 2005 8:14 AM
To: DECLUDE.JUNKMAIL@DECLUDE.COM
Subject: [Declude.JunkMail] Declude and IMail 2006

Hello, All,
Does CHZ have intentions of making a version of Declude which is compatible
with IMail 2006?  We are currently running Declude 2.06 JM Pro and Virus
Standard.  Is there a particular version of Declude we should upgrade to to
take advantage of IMail 2006 integration?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] Declude and IMail 2006

2005-12-13 Thread Dan Geiser

Hello, All,
Does CHZ have intentions of making a version of Declude which is compatible 
with IMail 2006?  We are currently running Declude 2.06 JM Pro and Virus 
Standard.  Is there a particular version of Declude we should upgrade to to 
take advantage of IMail 2006 integration?


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] OT: Mail Building up in IMail Spool Directory

2005-12-06 Thread Dan Geiser

Hello, All,
Starting at about 7:51am this morning there's been an inordinate amount of 
e-mail building up in my imail/spool directory.  I've checked the logs and 
it appears that we are accepting all e-mail in to the server but not all of 
it is being sent out.  I haven't been able to 100% confirm it but it appears 
that all of the e-mail which is being held so far is incoming e-mail for our 
Store and Forward spam filtering customers.  The weird thing about it is I'm 
finding lots of e-mail in the spool directory that are clearly spam and will 
probably be identified as spam if it ever reached Declude.  It's almost as 
if the SMTP server hasn't even attempted delivering any of this e-mail even 
once.


Does anyone know what could possibly be going on here?  I'm aware of the 
IMail forum but I thought I'd try here first.


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 




[Declude.JunkMail] Inserting "Filtered" Text in Headers

2005-11-29 Thread Dan Geiser

Hello, All,
If I have a message which triggers a subject filter, e.g...

SUBJECT  275 CONTAINS rolex

...is there any way I can have the "triggered text" placed in the headers of 
the message in a similar manner to the X-Spam-Tests-Failed header?

Has anyone figured out a way to do this?

It would be great if I could even place the filter snippet right next to the 
test name, e.g...


X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, WEIGHT-HOLD, KROPKA-IP, 
PSBL, UCEPROTECTL1, FILTER-SUBJECT ('olex') [148]


...or something similar to that.

It would help troubleshooting greatly if I didn't have to comb through the 
250 MB log files to figure out when a small piece of text inadvertently 
pushes legit e-mail over my HOLD threshold.


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 
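
One way to get the information asked for above without combing the logs, as an added example (not Declude code and not part of the original post): replay a subject against filter lines of the `SUBJECT <weight> CONTAINS <text>` shape quoted in the message and render every line that fires in the annotation style the post proposes. Only that one line shape is parsed; the function names, the sample subjects, the filter lines other than the `rolex` one, the case-insensitive match and the summing of weights are assumptions.

```python
import re

# Only the line shape shown in the post is understood:
#   SUBJECT  <weight>  CONTAINS  <text>
RULE = re.compile(r"^\s*SUBJECT\s+(-?\d+)\s+CONTAINS\s+(.+?)\s*$", re.IGNORECASE)

# Constructed filter file; the first line is the one quoted in the post.
SAMPLE_FILTER = """\
SUBJECT  275 CONTAINS rolex
SUBJECT  148 CONTAINS olex
SUBJECT  50 CONTAINS replica
"""


def parse_rules(filter_text):
    """Return [(line_number, weight, needle)] for every line of the known shape."""
    rules = []
    for line_number, line in enumerate(filter_text.splitlines(), start=1):
        match = RULE.match(line)
        if match:
            rules.append((line_number, int(match.group(1)), match.group(2)))
    return rules


def trace(subject, rules):
    """List every rule that fires, with the whole word that contained the hit."""
    lowered = subject.lower()
    hits = []
    for line_number, weight, needle in rules:
        at = lowered.find(needle.lower())  # case-insensitive match is an assumption
        if at == -1:
            continue
        # Widen the hit to the surrounding word so a partial match is obvious.
        start = lowered.rfind(" ", 0, at) + 1
        end = lowered.find(" ", at + len(needle))
        word = subject[start:] if end == -1 else subject[start:end]
        hits.append({"line": line_number, "weight": weight,
                     "needle": needle, "word": word})
    return hits


def header_fragment(hits, test_name="FILTER-SUBJECT"):
    """Render hits in the style proposed in the post: NAME ('text', ...) [weight]."""
    if not hits:
        return ""
    snippets = ", ".join("'%s'" % hit["needle"] for hit in hits)
    total = sum(hit["weight"] for hit in hits)  # summing is an assumption
    return "%s (%s) [%d]" % (test_name, snippets, total)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_FILTER)
    # Constructed subjects: one legitimate, one spam-like.
    for subject in ("Re: Solex carburettor rebuild kit",
                    "Cheap ROLEX replica watches"):
        hits = trace(subject, rules)
        print(subject, "->", header_fragment(hits))
        for hit in hits:
            print("   line %(line)d: %(needle)r matched inside %(word)r (+%(weight)d)" % hit)
```

The first constructed subject shows the failure mode described in the post: a short fragment matching inside an unrelated word and adding weight to legitimate mail.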




[Declude.JunkMail] OT: Store and Forward Spam Filtering to Multiple IPs

2005-09-28 Thread Dan Geiser

Hello, All,
I realize that this might be better asked in the IMail Forum but this group 
has a little better signal-to-noise ratio so I thought I'd try here first.


We are doing Store and Forward mail filtering for a customer.  We use the 
"hosts" file to define what IP to Forward mail to after we process it for 
spam and viruses.  In the last week or so this customer has added a 2nd ISP 
to the mix so they can now receive e-mail on 2 different public IP addresses 
associated with 2 different ISPs.


If one ISP goes down we would like to be able to forward to the other IP.  If 
I put 2 entries in the "hosts" file, e.g.


66.148.217.251  domain.com
70.60.133.251  domain.com

will this mechanism rotate through both IPs or will it also just use 
whichever it hits first when reading from the top of the list down?  Or is 
it just a bad idea in general to do this and we will just have to change the 
IP manually if one ISP goes down?


Thanks, Much!
Dan 





[Declude.JunkMail] Latest ALL_LIST.DAT

2005-09-19 Thread Dan Geiser

Hello, All,
I think it's possible that my ALL_LIST.DAT needs to be updated because I'm 
starting to receive legit e-mails from Yahoo IPs that come up as ARIN
Unlisted.  My current ALL_LIST.DAT is dated 4/08/2005.  Is there a newer 
copy that we can download somewhere?


Thanks, Much!
Dan Geiser
[EMAIL PROTECTED] 





Re: [Declude.JunkMail] Decreasing CPU Usage with Declude 2.0.6

2005-09-12 Thread Dan Geiser
Thanks, Richard.  That sort of makes sense assuming that AVAFTERJM means the 
e-mail is going to be scanned for viruses after it is scanned for spam.  It 
means that many fewer messages will be scanned for viruses.  And if AV is 
hogging the CPU that could make a big difference.


Do you know whereabouts I implement this directive?

Thanks In Advance,
Dan

- Original Message - 
From: "Richard Farris" <[EMAIL PROTECTED]>

To: 
Sent: Monday, September 12, 2005 1:10 PM
Subject: Re: [Declude.JunkMail] Decreasing CPU Usage with Declude 2.0.6


The same thing was happening to me and I was told to try the AVAFTERJM 
command and it made a world of difference...the only drawback I have seen 
is more spam in spamreview...


Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>

To: 
Sent: Monday, September 12, 2005 9:30 AM
Subject: [Declude.JunkMail] Decreasing CPU Usage with Declude 2.0.6



Hello, All,
We are using Declude 2.0.6 with JunkMail Pro and Virus Standard.

We are getting killed on the CPU usage front.  I'm pretty sure that it's 
not a bug in Declude but rather has to do with the sheer amount of e-mail 
that the spammers are now sending into the machine we are running IMail 
and Declude on.


I'm using a pretty straightforward Declude config which can be viewed 
here...


http://declude.ntg-hosting.com/

I've got a bunch of "ip4r" tests, some "rhsbl" tests, most of the custom 
Declude tests and a number of "filters" that I've created. Since I know 
that filtering on BODY and HEADERS can be very CPU intensive I've 
intentionally avoided as much of that as possible.


I'm wondering if there is any way that I can decrease the CPU Usage 
without actually decreasing the functionality of Declude?


For example, 250 is my DELETE weight and 100 is my HOLD weight.  If I 
were to turn off the DELETE and just view what was being held I would see 
some messages being flagged with weights in the 1200 point range.  It 
seems a little silly that I'm spending all of those CPU cycles 
calculating 1200 points for a message that would've been deleted past 250 
points.


Is there any way I can issue a directive to Declude to stop calculating 
additional points past a certain threshold, e.g. 500 points?


If there's a known issue with CPU Usage and Declude 2.0.6 I'd definitely 
be interested in knowing about it otherwise I'm just looking for ways to 
decrease the CPU Usage.


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]



[Declude.JunkMail] Decreasing CPU Usage with Declude 2.0.6

2005-09-12 Thread Dan Geiser

Hello, All,
We are using Declude 2.0.6 with JunkMail Pro and Virus Standard.

We are getting killed on the CPU usage front.  I'm pretty sure that it's not 
a bug in Declude but rather has to do with the sheer amount of e-mail that 
the spammers are now sending into the machine we are running IMail and 
Declude on.


I'm using a pretty straightforward Declude config which can be viewed 
here...


http://declude.ntg-hosting.com/

I've got a bunch of "ip4r" tests, some "rhsbl" tests, most of the custom 
Declude tests and a number of "filters" that I've created. Since I know that 
filtering on BODY and HEADERS can be very CPU intensive I've intentionally 
avoided as much of that as possible.


I'm wondering if there is any way that I can decrease the CPU Usage without 
actually decreasing the functionality of Declude?


For example, 250 is my DELETE weight and 100 is my HOLD weight.  If I were 
to turn off the DELETE and just view what was being held I would see some 
messages being flagged with weights in the 1200 point range.  It seems a 
little silly that I'm spending all of those CPU cycles calculating 1200 
points for a message that would've been deleted past 250 points.


Is there any way I can issue a directive to Declude to stop calculating 
additional points past a certain threshold, e.g. 500 points?


If there's a known issue with CPU Usage and Declude 2.0.6 I'd definitely be 
interested in knowing about it otherwise I'm just looking for ways to 
decrease the CPU Usage.


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 





[Declude.JunkMail] Un-"Obfuscating" Subjects

2005-07-08 Thread Dan Geiser

Hello, All,
When reviewing caught spam I usually have a handful of messages with 
subjects that are "obfuscated".  I know they aren't really "obfuscated" but 
instead are using a different encoding.


Does anyone have a web site or tool where I could go and drop in the text, 
e.g...


=?iso-8859-1?B?SG9ybnkgcGlsbHMgLSA3NSUgT0ZG?=

so I can see exactly what the user would be seeing if the e-mail actually 
made it all the way to the e-mail client?


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 
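
What the subject quoted above looks like to the recipient, as an added example (not part of the original post): the `=?charset?B?...?=` form is an RFC 2047 encoded-word, and the decoder below handles both its Base64 (`B`) and quoted-printable-style (`Q`) variants, adjacent encoded-words, and malformed input. The function names and every sample subject other than the one from the post are constructed.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
# Whitespace that only separates two encoded-words is not displayed.
BETWEEN_WORDS = re.compile(r"(\?=)\s+(=\?)")


def _decode_q(text):
    """Q encoding: '_' is a space, '=XX' is a hex-escaped byte."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "_":
            out.append(0x20)
        elif ch == "=" and re.fullmatch(r"[0-9A-Fa-f]{2}", text[i + 1:i + 3]):
            out.append(int(text[i + 1:i + 3], 16))
            i += 2
        else:
            out.extend(ch.encode("ascii", errors="replace"))
        i += 1
    return bytes(out)


def _decode_word(match):
    charset, encoding, payload = match.group(1), match.group(2).upper(), match.group(3)
    charset = charset.split("*", 1)[0]  # drop an optional language suffix
    try:
        if encoding == "B":
            padded = payload + "=" * (-len(payload) % 4)
            raw = base64.b64decode(padded, validate=True)
        else:
            raw = _decode_q(payload)
        return raw.decode(charset, errors="replace")
    except (binascii.Error, LookupError):
        # Broken Base64 or unknown charset: leave the word exactly as received.
        return match.group(0)


def decode_subject(raw_subject):
    """Return the subject text a mail client would display."""
    joined = BETWEEN_WORDS.sub(r"\1\2", raw_subject)
    return ENCODED_WORD.sub(_decode_word, joined)


def keywords_only_visible_decoded(raw_subject, keywords):
    """Keywords present in the displayed subject but absent from the raw header."""
    raw = raw_subject.lower()
    shown = decode_subject(raw_subject).lower()
    return [k for k in keywords if k.lower() in shown and k.lower() not in raw]


if __name__ == "__main__":
    samples = [
        "=?iso-8859-1?B?SG9ybnkgcGlsbHMgLSA3NSUgT0ZG?=",   # from the post
        "=?iso-8859-1?Q?Caf=E9_menu?=",                     # constructed, Q form
        "=?utf-8?B?SGVsbG8s?= =?utf-8?B?IHdvcmxk?=",        # constructed, two words
        "=?iso-8859-1?B?@@@?=",                             # constructed, malformed
    ]
    for raw in samples:
        print("%-50s -> %s" % (raw, decode_subject(raw)))
```

A substring filter sees nothing suspicious in the raw header, which is why `keywords_only_visible_decoded` is useful when reviewing why an encoded subject was or was not caught.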





Re: [Declude.JunkMail] WAY OT: Anti- Identity theft advice

2005-07-07 Thread Dan Geiser
And here's the obligatory page from Snopes, 
http://www.snopes.com/inboxer/scams/credit.htm.


- Original Message - 
From: "Marc Catuogno" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, July 07, 2005 10:25 AM
Subject: [Declude.JunkMail] WAY OT: Anti- Identity theft advice


I have a great deal of respect for the people on this list and I hope you
don't feel this is a waste of time. I got this e-mail from one of my agents
and I am going to share it with the entire company - I thought maybe some of
you would care to do the same. I searched Hoaxbusters.org first and called
the numbers and they are legit.


ATTORNEY'S ADVICE -- NO CHARGE Read this and make a copy for your files in
case you need to refer to it someday. Maybe we should all take some of his
advice!

A corporate attorney sent the following out to the employees in his company

1. The next time you order checks have only your initials (instead of first
name) and last name put on them. If someone takes your checkbook, they will
not know if you sign your checks with just your initials or your first name,
but your bank will know how you sign your checks.

2. Do not sign the back of your credit cards. Instead, put "PHOTO ID
REQUIRED."

3. When you are writing checks to pay on your credit card accounts, DO NOT
put the complete account number on the "For" line. Instead, just put the last
four numbers. The credit card company knows the rest of the number, and
anyone who might be handling your check as it passes through all the check
processing channels won't have access to it.

4. Put your work phone # on your checks instead of your home phone. If you
have a PO Box use that instead of your home address. If you do not have a PO
Box, use your work address. Never have your SS# printed on your checks.
(DUH!) You can add it if it is necessary. But if you have it printed, anyone
can get it.

5. Place the contents of your wallet on a photocopy machine. Do both sides
of each license, credit card, etc. You will know what you had in your wallet
and all of the account numbers and phone numbers to call and cancel. Keep
the photocopy in a safe place. I also carry a photocopy of my passport when
I travel either here or abroad. We've all heard horror stories about fraud
that's committed on us in stealing a name, address, Social Security number,
credit cards.

Unfortunately, I, an attorney, have firsthand knowledge because my wallet
was stolen last month. Within a week, the thieve(s) ordered an expensive
monthly cell phone package, applied for a VISA credit card, had a credit
line approved to buy a Gateway computer, received a PIN number from DMV to
change my driving record information online, and more. But here's some
critical information to limit the damage in case this happens to you or
someone you know:

1. We have been told we should cancel our credit cards immediately. But the
key is having the toll free numbers and your card numbers handy so you know
whom to call. Keep those where you can find them.

2. File a police report immediately in the jurisdiction where your credit
cards, etc., were stolen. This proves to credit providers you were diligent,
and this is a first step toward an investigation
(if there ever is one.)

But here's what is perhaps most important of all : (I never even thought to
do this.)

3. Call the 3 national credit reporting organizations immediately to place a
fraud alert on your name and Social Security number. I had never heard of
doing that until advised by a bank that called to tell me an application for
credit was made over the Internet in my name. The alert means any company
that checks your credit knows your information was stolen, and they have to
contact you by phone to authorize new credit.

By the time I was advised to do this, almost two weeks after the theft, all
the damage had been done. There are records of all the credit checks
initiated by the thieves' purchases, none of which I knew about before
placing the alert. Since then, no additional damage has been done, and the
thieves threw my wallet away this weekend (someone turned it in). It seems
to have stopped them dead in their tracks.

Now, here are the numbers you always need to contact about your wallet, etc,
has been stolen:
1.) Equifax: 1-800-525-6285
2.) Experian (formerly TRW): 1-888-397-3742
3.) Trans Union: 1-800-680-7289
4.) Social Security Administration (fraud line): 1-800-269-0271

We pass along jokes on the Internet; we pass along just about everything.
But if you are willing to pass this information along, it could really help
someone that you care about.



Re: [Declude.JunkMail] Ignoring "Boundary Space Gap" Vulnerability

2005-06-28 Thread Dan Geiser

Sorry, everyone.  I sent this question to the wrong list.

- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, June 28, 2005 3:41 PM
Subject: [Declude.JunkMail] Ignoring "Boundary Space Gap" Vulnerability



Hello, All,
We are running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

We have a customer who has an important e-mail which is being blocked by 
our virus protection with the "Outlook 'Boundary Space Gap' 
Vulnerability".


Is there any way that I can turn off checking for the "Outlook 'Boundary 
Space Gap' Vulnerability" on either a specific incoming e-mail address or 
a specific incoming e-mail domain?


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]



[Declude.JunkMail] Ignoring "Boundary Space Gap" Vulnerability

2005-06-28 Thread Dan Geiser

Hello, All,
We are running...

Declude 1.82
Declude JunkMail Status: PRO version registered.
Declude Virus Status:Standard Version Registered.

We have a customer who has an important e-mail which is being blocked by our 
virus protection with the "Outlook 'Boundary Space Gap' Vulnerability".


Is there any way that I can turn off checking for the "Outlook 'Boundary 
Space Gap' Vulnerability" on either a specific incoming e-mail address or a 
specific incoming e-mail domain?


Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED] 





Re: [Declude.JunkMail] German political spam

2005-05-17 Thread Dan Geiser
Has anyone but me noticed that the "german spam" subjects appear to be 
changing?

We just blocked one that has the subject "Armenian Genocide Plagues Ankara 90 
Years On" but that's not on any of the lists that I have seen.

Thanks,
Dan
- Original Message - 
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: 
Sent: Monday, May 16, 2005 5:49 PM
Subject: RE: [Declude.JunkMail] German political spam


If someone is interested, I've updated my sober-q filter files.
I've split the patterns in two files: SUBJECT and BODY lines. They will not
catch more but:

1.) The SUBJECT filterfile will be processed only if CMDSPACE has failed
before. This will save resources and as some subject lines can be used also
in legit German messages it will prevent FP's.

2.) The BODY-file is primarily there to filter out bounces so it cannot be
combined with CMDSPACE but at least it can be skipped if the SUBJECT-based
filterfile has already failed.

In addition both filterfiles will now STOPATFIRSTHIT.

Here are the config lines for both filterfiles:

SOBERQ filter C:\[filter_path]\filter_soberq.txt x 0 0
SOBERQBODY filter C:\[filter_path]\filter_soberq-body.txt x 0 0

Markus



[Declude.JunkMail] Layman's Explanation of E-Mail Spoofing

2005-05-17 Thread Dan Geiser
Hello, All,
I'm having a hard time explaining to some of our customers why there is 
nothing that we can do to stop some unscrupulous spammer or anti-virus 
author from using their e-mail address and spoofing messages to look like 
they are sent "from" them.

It seems that no matter how many times I explain it they just don't get it.
Does anyone know of a good reputable source on the Internet which explains 
how e-mail addresses are spoofed which I can point them to?  If it was in 
layman's terms all the better but I think just showing them an outside 
resource might be good enough as they seem to think we should be able to 
control it and are shirking our duties.

Thanks,
Dan Geiser
[EMAIL PROTECTED] 



[Declude.JunkMail] Punish E-Mail Based on Number of Recipients

2005-05-17 Thread Dan Geiser
Hello, All,
I've noticed that some of the "german spam" have tons of recipients showing 
up in the headers.  Here is an example of what I'm seeing in the headers 
with the domains replaced...

X-Note: Recipient(s):  [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

I am currently running Declude 1.82.  Does the version I am running have the 
ability to count the number of recipients in an e-mail and "punish" the 
e-mail based on a "number of recipients" threshold?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.JunkMail] Whitelisting our Domain

2005-04-05 Thread Dan Geiser
I think it uses STP...The Racer's Edge.

- Original Message - 
From: "Imail Admin" <[EMAIL PROTECTED]>
To: 
Sent: Monday, April 04, 2005 6:18 PM
Subject: Re: [Declude.JunkMail] Whitelisting our Domain


> Just curious: does SmarterMail use SMTP or something similar?
>
> Ben
>
> - Original Message - 
> From: "Darin Cox" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, April 04, 2005 7:39 AM
> Subject: Re: [Declude.JunkMail] Whitelisting our Domain
>
>
> > Yes.
> >
> > If all users send through your server, then use SMTP AUTH on all clients
> > and configure Junkmail to whitelist AUTHing users.  If not, but all mail
> > comes in from static IPs, you could use an IP whitelist to bypass for
> > those IPs.
> >
> > Darin.
> >
> >
> > - Original Message - 
> > From: "Kevin Stanford" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Monday, April 04, 2005 10:25 AM
> > Subject: [Declude.JunkMail] Whitelisting our Domain
> >
> >
> > If we whitelist our domain will Spam that spoofs our email addresses and
> > domain also be whitelisted? If so, how can I circumvent it?
> >
> > Thanks,
> >
> > Kevin
>
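
The point of Darin's answer in the quoted thread, as an added example (not part of the original messages and not Declude or IMail code): a whitelist keyed on the From domain trusts a value the sender writes, while one keyed on SMTP AUTH or a static source IP trusts something the receiving server observed itself. The domain, the addresses (documentation ranges), the session fields and the function names are all constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                 # constructed
STATIC_SENDERS = [ipaddress.ip_network("192.0.2.16/28")]   # constructed

# Constructed sessions: peer_ip and authenticated are what the receiving
# server observed; "raw" is the header text the sending side supplied.
SESSIONS = [
    {"name": "staff member using SMTP AUTH", "peer_ip": "198.51.100.7",
     "authenticated": True,
     "raw": "From: Kevin <kevin@example.com>\nSubject: Q2 numbers\n\nhi\n"},
    {"name": "branch office on a static IP", "peer_ip": "192.0.2.20",
     "authenticated": False,
     "raw": "From: Branch <branch@example.com>\nSubject: Report\n\nhi\n"},
    {"name": "spam spoofing our domain", "peer_ip": "203.0.113.99",
     "authenticated": False,
     "raw": "From: Kevin <kevin@example.com>\nSubject: Invoice\n\nhi\n"},
    {"name": "ordinary outside sender", "peer_ip": "203.0.113.5",
     "authenticated": False,
     "raw": "From: Pat <pat@example.net>\nSubject: Hello\n\nhi\n"},
]


def from_domain(raw_message):
    """Domain of the From header, exactly as the sender wrote it."""
    address = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    return address.rpartition("@")[2].lower()


def whitelisted_by_from_domain(session):
    """Policy asked about in the thread: trust anything claiming our domain."""
    return from_domain(session["raw"]) == OUR_DOMAIN


def whitelisted_by_observed_facts(session):
    """Policy from the answer: trust AUTHed sessions or listed static IPs."""
    if session["authenticated"]:
        return True
    peer = ipaddress.ip_address(session["peer_ip"])
    return any(peer in network for network in STATIC_SENDERS)


def compare(sessions):
    """Map session name -> (From-domain verdict, observed-facts verdict)."""
    return {s["name"]: (whitelisted_by_from_domain(s),
                        whitelisted_by_observed_facts(s)) for s in sessions}


def wrongly_trusted(sessions):
    """Sessions that only the From-domain whitelist lets through."""
    return [name for name, (by_from, by_facts) in compare(sessions).items()
            if by_from and not by_facts]


if __name__ == "__main__":
    for name, (by_from, by_facts) in compare(SESSIONS).items():
        print("%-32s from-domain=%-5s auth/ip=%s" % (name, by_from, by_facts))
    print("Whitelisted only because of the From header:", wrongly_trusted(SESSIONS))
```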




Re: [Declude.JunkMail] Latest ALL_LIST.DAT

2005-03-28 Thread Dan Geiser
Hello, CPHZ?
Is there any word on this?

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, March 23, 2005 10:01 AM
Subject: [Declude.JunkMail] Latest ALL_LIST.DAT


> Hello, All,
> I think it's possible that my ALL_LIST.DAT needs to be updated because I'm
> starting to receive legit e-mails from Yahoo IPs that come up as ARIN
> Unlisted.  My current ALL_LIST.DAT is dated 10/01/2004.  Is there a newer
> copy that we can download somewhere?
>
> Thanks, Much!
> Dan Geiser
> [EMAIL PROTECTED]


Re: [Declude.JunkMail] bounce unwanted email - should be interesting....

2005-03-23 Thread Dan Geiser
I personally think it's b*llsh*t.

First of all to send a spam message back to the "spammer's computer" you need
to properly identify all spam messages.  No one has come up with a good way
of always identifying only spam as spam and only legit e-mail as legit
e-mail.

Also, what constitutes the "spammer's computer"?

Is that the IP address of the computer that sent the e-mail?  Well, since
there are millions of zombied computers out there and if you were actually
able to correlate that IP address with an e-mail address to send the message
"back to them" you'd basically be sending it back to some poor schmuck who
doesn't even know enough to apply Windows updates.

In the case that it's being sent from an IP address of an actual spammer's
server (and not a zombied computer) I can picture them coming up with a way
of correlating those ROKSO IP addresses with possibly legit e-mail address
but what's to stop the spammer from just changing the e-mail address.  Or
maybe they aren't sending to the e-mail address but just hammering the IP
address of the ROKSO spammer.  Well, that's network abuse, too, just as much
as spam is.

The 3rd case of the "spammer's computer" could be the computer on which the
web site mentioned in the spam message is housed.  What about messages that
have the URL in an image?  How do you figure out that computer?  Well, those
URLs won't get discovered.  Even if it's a plain text spam message with a
working SPAM URL and you are able to correlate an e-mail address with that
IP then you might end up bombarding the unknowing ISP of that spammer and
not the spammer themself.

I don't know everything there is to know about e-mail and the TCP/IP
protocol but I do know a lot and unless IBM has invented some "really big
deal" that's going to revolutionize the technology in fighting this problem,
I see it as just another press release tainted by their marketing people.

- Original Message - 
From: "Don Schreiner" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, March 23, 2005 8:28 AM
Subject: RE: [Declude.JunkMail] bounce unwanted email - should be
interesting


> Last year there was a thread about a similar technology, but was shot down
> by many on this list as contributing to the Spam problem and questionable
> legalities. If memory serves me, you installed an app from one of the large
> ISPs and your PC was part of a network sending e-mails to spam servers. A
> concern was innocent forged servers getting attacked.
>
> IBM's approach seems different sending back what was sent to you. I am not
> absolutely sure because they reference use of a database? I wonder if IBM
> has already been using this technology in-house? The article references a
> reduction via a February report. Do others here think their approach has
> merit?
>
> -Don
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
> Sent: Tuesday, March 22, 2005 8:53 AM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] bounce unwanted email - should be
> interesting
>
> Spamming spammers?
> Report: IBM to offer service to bounce unwanted e-mail back to the computers
> that sent them.
> March 22, 2005: 7:00 AM EST
>
> NEW YORK (CNN/Money) - IBM is set to unveil a service Tuesday that will send
> unwanted e-mail back to the spammers who send them, according to a published
> report Tuesday.
>
>
>
> http://money.cnn.com/2005/03/22/technology/ibm_spam/index.htm?cnn=yes


[Declude.JunkMail] Latest ALL_LIST.DAT

2005-03-23 Thread Dan Geiser
Hello, All,
I think it's possible that my ALL_LIST.DAT needs to be updated because I'm
starting to receive legit e-mails from Yahoo IPs that come up as ARIN
Unlisted.  My current ALL_LIST.DAT is dated 10/01/2004.  Is there a newer
copy that we can download somewhere?

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.JunkMail] Off Topic.

2005-03-18 Thread Dan Geiser
Fred,
Are you looking for a Control Panel which allows customers to manage both
web sites and e-mail sites?

Dan

- Original Message - 
From: "Frederick Samarelli" <[EMAIL PROTECTED]>
To: 
Sent: Friday, March 18, 2005 11:24 AM
Subject: [Declude.JunkMail] Off Topic.


> I am looking for recommendations of software that allows users to manage
> their own web domain. We host websites for many people and we are looking to
> give them more control. Some sort of Portal/Control Panel. We are a Windows
> shop.
>
> Thanks.
>
> Fred Samarelli


Re: [Declude.JunkMail] Beginner configuration?

2005-03-04 Thread Dan Geiser
Joey,
If you go here http://declude.mydomain.com/ (where mydomain.com is the
domain I use in my from address) you can see the part of our Declude
JunkMail Config which we make public.

Thanks,
Dan

- Original Message - 
From: "Joey Proulx" <[EMAIL PROTECTED]>
To: 
Sent: Friday, March 04, 2005 8:13 AM
Subject: [Declude.JunkMail] Beginner configuration?


> Hello,
>
> Just downloaded the demo version of Junkmail Pro, and I was curious about
> the basic setup.  For the last two days I've monitored and tweaked and held
> and redirected and spent hours upon hours looking over the junkmail setup
> and rules and whatnot.  I'm wondering if I'm reinventing the wheel.  I work
> for a school district with a big spam problem, but as any of you in gov't
> know, if I tell them we should buy something I need to make sure it
> works.  I was just wondering if there are any tried and true setups that
> any of you are using to cut down on the spam.  I'm seeing that this system
> works, but I'm also still running the built-in Imail filter, and I've seen
> quite a few messages that get caught by Imail, but have a Declude score of
> 0, that should NOT have made it through.  Do you all still run the builtin
> Imail spam as well?  Any filters I should definitely setup?
>
> I'm seeing a lot of CMDSPACE and SPAMHEADERS (missing MessageID header)
> from some local clients (I don't control all my clients, so I don't think I
> can make them authenticate).  Should I do away with these tests, or can I
> fix these two issues on the server side?
>
> Thanks for all your help.
>
> _
> Joey Proulx
> SAU #21 Technology Support Staff
> 2 Alumni Drive
> Hampton, NH 03842
> (603) 926-8992, ext 115
> [EMAIL PROTECTED]


Re: [Declude.JunkMail] Is declude.com down?

2005-03-03 Thread Dan Geiser
I can't reach their web site from here.  It's 11:39am EST right now.

- Original Message - 
From: "Che Vilnonis" <[EMAIL PROTECTED]>
To: "Declude Email List" 
Sent: Thursday, March 03, 2005 11:24 AM
Subject: [Declude.JunkMail] Is declude.com down?


> anyone?
>
> Che Vilnonis
> Application Developer
> Advertising Systems Incorporated
> 8470C Remington Avenue
> Pennsauken, NJ 08110
> p: 856.488.2211
> f: 856.488.1990
> www.asitv.com


[Declude.JunkMail] Diagnosing "from Reverse DNS [[No Reverse DNS]]"

2005-03-03 Thread Dan Geiser
Hello, All,
If a spam message has a header entry like...

X-Note: Sent with HELO [worldvillage.com] from Reverse DNS [[No Reverse
DNS]]

Does that mean that the message truly had no reverse dns ptr?  Or was the
Reverse DNS ptr of the message "[No Reverse DNS]"?

If it matters, the custom line in GLOBAL.CFG that adds this header is...

XINHEADER X-Note: Sent with HELO [%HELO%] from Reverse DNS [%REVDNS%]

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] OT: Lengthening Time for Store and Forward Retry

2005-02-28 Thread Dan Geiser
Hello, All,
I had a question about IMail.

We do store and forward spam filtering for a lot of customers.  If a
customer's incoming SMTP server is down, e.g. because of a power outage,
IMail will only try 20 times before returning the messages to the sender.
This equates to about 10 hours.  Is there any way to lengthen the amount of
time or number of retries that IMail will attempt to resend Store and
Forwarded e-mail?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] Massive DJM Logs and DLAnalyzer

2005-02-16 Thread Dan Geiser
Hello, All,
I've noticed that my DJM logs have been growing progressively bigger until
yesterday I had one top out at over 380+ MB.  I think these might be
affecting the performance of Declude but I don't have any proof.  As these
logs grow bigger is there any correlation between log size and performance?

I'm currently running with LOG LEVEL set to HIGH so I can get the most out
of Invariant Systems DLAnalyzer.  So this 2nd question might be better
directed towards them.  Really the only report I generate every month is a
Test Summary Report so I can see the effectiveness of tests and a Domain
Summary Report so I can tell spam filtering customers how much spam we
are blocking for them.

Do I need to have the LOG LEVEL set to HIGH to get accurate reports for
those?

Thanks,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] Multiple Duplicate Recipients

2005-02-11 Thread Dan Geiser
Hello, All,
A type of "obvious" spam that we receive has the same recipient listed
multiple times in the X-Note: Recipient(s): field, e.g.

X-Note: Recipient(s):  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]

When I see this in the headers I know immediately that is spam.  It would
be great if Declude could have a test built into it in which you could
punish e-mail if it had x number of multiple duplicate recipients.  If this
functionality does not exist I would like to put in a development request
for it.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.JunkMail] OT-Microsoft Exchange Tools

2005-02-10 Thread Dan Geiser
Echo!!!

- Original Message - 
From: "Mark E. Smith" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, February 09, 2005 6:41 AM
Subject: RE: [Declude.JunkMail] OT-Microsoft Exchange Tools


> Before we moved to HP Openview (very pricy) we used a combination of Big
> Brother and IpSwitch What's Up Gold with the Exchange add-in.
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tim Buenz
> > Sent: Monday, February 07, 2005 4:57 PM
> > To: Declude.JunkMail@declude.com
> > Subject: [Declude.JunkMail] OT-Microsoft Exchange Tools
> >
> > Good afternoon-
> >
> > I was curious for those people using Microsoft Exchange if
> > they had any neat tools for monitoring and management of your
> > Exchange server. Looking for anything, hopefully to tell me
> > about my resource utilization, top users, top hosts, normal
> > things that are useful in using. Would appreciate any
> > information if you are using something and it is working well
> > for you. Haven't begun looking, so I thought I would ask
> > before I re-invent the search for a good tool.
> >
> > Thanks for any information.
> >
> > --
> > Tim Buenz
> > Director of Technology
> > Jefferson-Scranton Comm. Schools
> > 204 W. Madison Street
> > Jefferson, IA 50129
> > (515)386-9256
> > Fax (515)386-3591
> > http://www.jefferson-scranton.k12.ia.us
> > "...if we teach today's students as we taught yesterday's, we
> > rob them of tomorrow." John Dewey


Re: [Declude.JunkMail] Spam tests by months

2005-02-07 Thread Dan Geiser
No, I mean what does Ham mean?  Does Ham mean legit e-mail?  Or is that like
mail from BulkSenders which some people might consider Spam and some might
consider legit?

- Original Message - 
From: "Scott Fisher" <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 07, 2005 5:32 PM
Subject: Re: [Declude.JunkMail] Spam tests by months


> My weighting system is this:
> <100 No action (27.7% of all mail in Jan 2005)
> 100 Subject tag  (.5% of all mail) (1/3 of this weight range tend to be
> spam)
> 200 Hold  (.5% of all mail)  (I average 1 a month of Ham in hold)
> 300 Delete  (71.3% of all mail)
>
> As I have to draw a line somewhere, I drew the line at 200. Everything held
> or deleted is considered spam.
> Everything under 200 is considered ham, I think this is fairly conservative.
>
>
> - Original Message - 
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, February 07, 2005 4:06 PM
> Subject: Re: [Declude.JunkMail] Spam tests by months
>
>
> > Scott,
> > How do you define Ham?
> >
> > Thanks,
> > Dan
> >
> > - Original Message - 
> > From: "Scott Fisher" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Monday, February 07, 2005 4:14 PM
> > Subject: [Declude.JunkMail] Spam tests by months
> >
> >
> > I've compiled my spam test results over the last year to look at test
> > effectiveness trends.
> >
> > If anyone is interested I've posted them on my website. I've never really
> > seen test effectiveness trended over a year period anywhere else.
> >
> > All tests spam vs. ham based on all emails.
> > http://it.farmprogress.com/declude/Testsbymonth.html
> > Spam tests based on all spam emails.
> > http://it.farmprogress.com/declude/spamtestbymonth.html
> > Ham tests based on all ham emails.
> > http://it.farmprogress.com/declude/hamtestsbymonth.html
> >
> > Warning these are large HTML files.
> >
> > Some examples:
> > Spamcop triggered on 83% of my Feb 2004 spam emails and has downward trended
> > to 57% of my January 2005 spam emails.
> > Message Sniffer has stayed at 95-96% detection of all spam emails from June
> > 2004 to Jan 2005.
> >
> >


Re: [Declude.JunkMail] Spam tests by months

2005-02-07 Thread Dan Geiser
Scott,
How do you define Ham?

Thanks,
Dan

- Original Message - 
From: "Scott Fisher" <[EMAIL PROTECTED]>
To: 
Sent: Monday, February 07, 2005 4:14 PM
Subject: [Declude.JunkMail] Spam tests by months


I've compiled my spam test results over the last year to look at test
effectiveness trends.

If anyone is interested I've posted them on my website. I've never really
seen test effectiveness trended over a year period anywhere else.

All tests spam vs. ham based on all emails.
http://it.farmprogress.com/declude/Testsbymonth.html
Spam tests based on all spam emails.
http://it.farmprogress.com/declude/spamtestbymonth.html
Ham tests based on all ham emails.
http://it.farmprogress.com/declude/hamtestsbymonth.html

Warning these are large HTML files.

Some examples:
Spamcop triggered on 83% of my Feb 2004 spam emails and has downward trended
to 57% of my January 2005 spam emails.
Message Sniffer has stayed at 95-96% detection of all spam emails from June
2004 to Jan 2005.




[Declude.JunkMail] Legit message failing COMMENTS test.

2005-02-07 Thread Dan Geiser
Hello, All,
I have an issue where a legit e-mail is failing the COMMENTS test.
According to the comments test description...

"The COMMENTS test will catch spam that uses HTML comments to bypass
filters. It is a very effective test, since it will not catch standard
comments that occasionally appear in legitimate bulk mail; it only catches
comments that are designed to bypass filters."

so I don't understand why, if that description is accurate, that it is
failing because there's no way in heck this customer would be trying to
bypass any filters.  In fact this isn't even a bulk mail message.  It's
handwritten.

How can I tell what part of the message is failing the COMMENTS test?

Thanks, In Advance,
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.JunkMail] Add Points if Domain Name IS Hello

2005-01-31 Thread Dan Geiser
Andy,
That is not typically what I see on most legit incoming e-mails.

For example here is a legit customer e-mail I picked at random (with a few
things obfuscated)...

X-Declude-Sender: [EMAIL PROTECTED] [152.63.54.131]
X-Note: This E-mail was scanned & filtered by Declude [1.82] for SPAM &
viruses.
X-Country-Chain: UNITED STATES->destination
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Note: Sent with HELO [mail13.somedepartment.state.oh.us] from Reverse DNS
[mail13.somedepartment.state.oh.us]
X-Spam-Tests-Failed: NOABUSE [-76]

In this example the HELO contains "somedepartment.state.oh.us".  That is
true, but what I am seeing is where the HELO IS "somedepartment.state.oh.us"
which in this case is NOT true.  The HELO is "mail13.somedepartment.oh.us".
And in fact 99% of legit e-mails that I see the whole string used in the
HELO is NOT identical to the string after the '@' symbol.  Especially when
you are talking about the big free web mail providers.  The only 2 that I
know of that use a simple HELO, e.g. domain.com, are HOTMAIL.COM and
EXCITE.COM.  Everybody else uses a long host name, e.g. subnet.domain.com,
and I can easily put exceptions in for HOTMAIL.COM and EXCITE.COM.

What I've been seeing, using the same headers as above, is...

X-Declude-Sender: [EMAIL PROTECTED] [152.63.54.131]
X-Note: This E-mail was scanned & filtered by Declude [1.82] for SPAM &
viruses.
X-Country-Chain: UNITED STATES->destination
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Note: Sent with HELO [somedepartment.state.oh.us] from Reverse DNS
[mail13.somedepartment.state.oh.us]
X-Spam-Tests-Failed: NOABUSE [-76]

If the text after the @ symbol was broken out into its own variable, e.g.
FROMHOST = "somedepartment.state.oh.us", and the helo was broken out into
its own variable, e.g. HELO = "somedepartment.oh.us", then if I could do
the following...

FROMHOST 50 IS %HELO%

then I could add to the weight of a bunch of e-mails that are currently
making it through.

Regardless I wasn't looking for feedback on the likelihood of this idea
working well.  All I wanted to know was if it was technically feasible.  In a
weight based system even if I can add a few points, if only enough to raise
the weight a little yet not enough to push legit e-mail over my HOLD weight,
then that's what I'm looking to do.

Thanks,
Dan

- Original Message - 
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To: 
Sent: Monday, January 31, 2005 10:29 AM
Subject: RE: [Declude.JunkMail] Add Points if Domain Name IS Hello


Dan,

Maybe I misunderstand - but is this exactly what you SHOULD see, e.g.,
unless it's a virtual hosting environment or shared SMTP server you SHOULD
see that the sender domain and HELO domain is identical?

This would be equivalent to testing if headers are RFC compliant - and if
so, to throw out most of the good mail with the bad because it too happens
to comply with RFCs?

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Monday, January 31, 2005 10:13 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Add Points if Domain Name IS Hello


Hello, All,
I've been getting tons of spam where the domain name used in the sender,
e.g. [EMAIL PROTECTED], exactly matches the helo, e.g. justasailor.com.

Is there any way to set up a test to add points if these 2 are identical?  I
was thinking there might be a way to do it using the variables that Declude
creates but I don't know exactly what the syntax would be and I don't know
if Declude parses out the domain name into its own variable.  But if there
were such a variable I'm thinking something along the lines of...

FROMDOMAIN  50  IS  %HELO%

Thanks In Advance,
Dan Geiser





[Declude.JunkMail] Add Points if Domain Name IS Hello

2005-01-31 Thread Dan Geiser
Hello, All,
I've been getting tons of spam where the domain name used in the sender,
e.g. [EMAIL PROTECTED], exactly matches the helo, e.g. justasailor.com.

Is there any way to set up a test to add points if these 2 are identical?  I
was thinking there might be a way to do it using the variables that Declude
creates but I don't know exactly what the syntax would be and I don't know
if Declude parses out the domain name into its own variable.  But if there
were such a variable I'm thinking something along the lines of...

FROMDOMAIN  50  IS  %HELO%

Thanks In Advance,
Dan Geiser
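
As an added illustration (not part of the original posts, and not Declude configuration syntax), this Python sketch applies outside Declude the two header checks asked for in this thread: extra weight when the HELO string is identical to the sender's domain, and when one recipient is repeated in the X-Note: Recipient(s) header. The test names, the duplicate threshold and its weight, and the sample messages are assumptions constructed for the example; the 50-point weight and the hotmail.com/excite.com exceptions come from the posts.

```python
import re
from collections import Counter
from email import message_from_string

# Weight taken from the rule sketched in the thread (FROMDOMAIN 50 IS %HELO%).
HELO_IS_DOMAIN_WEIGHT = 50
# Assumptions, not from the thread: threshold and weight for repeated recipients.
DUP_RCPT_THRESHOLD = 3
DUP_RCPT_WEIGHT = 50
# The thread names these two providers as legitimately using a bare-domain HELO.
HELO_EXEMPT = {"hotmail.com", "excite.com"}

SENDER_RE = re.compile(r"^\S+@(\S+)\s+\[[0-9A-Fa-f.:]+\]$")
HELO_RE = re.compile(r"^Sent with HELO \[([^\]]*)\] from Reverse DNS \[(.*)\]$")
RCPT_PREFIX = "Recipient(s):"

# Constructed sample messages (not real mail). The X-Note lines are folded
# the way they appear in the headers quoted on the list.
SPAM_SAMPLE = """\
X-Declude-Sender: offers@example.com [192.0.2.10]
X-Note: Recipient(s):  bob@example.net, bob@example.net, bob@example.net,
 bob@example.net
X-Note: Sent with HELO [example.com] from Reverse DNS
 [[No Reverse DNS]]

body
"""
LEGIT_SAMPLE = """\
X-Declude-Sender: clerk@dept.example.org [192.0.2.20]
X-Note: Recipient(s):  alice@example.net
X-Note: Sent with HELO [mail13.dept.example.org] from Reverse DNS
 [mail13.dept.example.org]

body
"""
WEBMAIL_SAMPLE = """\
X-Declude-Sender: someone@hotmail.com [192.0.2.30]
X-Note: Recipient(s):  alice@example.net
X-Note: Sent with HELO [hotmail.com] from Reverse DNS [relay.example.org]

body
"""


def unfold(value):
    """Join a folded header value (line break plus whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_declude_headers(raw):
    """Extract sender domain, HELO, reverse DNS text and recipient list."""
    msg = message_from_string(raw)
    info = {"sender_domain": None, "helo": None, "revdns": None, "recipients": []}
    m = SENDER_RE.match(unfold(msg.get("X-Declude-Sender", "")))
    if m:
        info["sender_domain"] = m.group(1).lower().rstrip(".")
    for note in msg.get_all("X-Note", []):
        note = unfold(note)
        m = HELO_RE.match(note)
        if m:
            info["helo"] = m.group(1).lower().rstrip(".")
            # Text substituted for %REVDNS%; the outer brackets in the header
            # come from the XINHEADER template, so they are stripped here.
            info["revdns"] = m.group(2)
        elif note.startswith(RCPT_PREFIX):
            rest = note[len(RCPT_PREFIX):]
            info["recipients"] = [r.strip().lower() for r in rest.split(",") if r.strip()]
    return info


def helo_is_sender_domain(info):
    """True when the HELO string is exactly the sender's domain (not a host under it)."""
    helo, domain = info["helo"], info["sender_domain"]
    if not helo or not domain:
        return False
    return helo == domain and domain not in HELO_EXEMPT


def max_recipient_repeats(info):
    """Highest number of times any single recipient address is listed."""
    return max(Counter(info["recipients"]).values(), default=0)


def score(raw):
    """Return (added weight, names of the hypothetical tests that fired)."""
    info = parse_declude_headers(raw)
    weight, failed = 0, []
    if helo_is_sender_domain(info):
        weight += HELO_IS_DOMAIN_WEIGHT
        failed.append("HELOISDOMAIN")
    if max_recipient_repeats(info) >= DUP_RCPT_THRESHOLD:
        weight += DUP_RCPT_WEIGHT
        failed.append("DUPRCPT")
    return weight, failed


if __name__ == "__main__":
    for name, raw in [("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE), ("webmail", WEBMAIL_SAMPLE)]:
        print(name, score(raw))
```
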






Re: [Declude.JunkMail] MyWay.com and ExciteNetwork.com Ownership

2005-01-26 Thread Dan Geiser
Yeah, I saw that in WHOIS.  But I received some legit e-mail from a
MYWAY.COM user which was routed through an EXCITENETWORK.COM server and if
you look up the A record for each the IPs are right next to each other...

http://www.dnsstuff.com/tools/lookup.ch?name=myway.com&type=A ->
208.45.133.133
http://www.dnsstuff.com/tools/lookup.ch?name=excitenetwork.com&type=A ->
208.45.133.134

I just now did a WHOIS on the MYWAY.COM IP,
http://www.dnsstuff.com/tools/whois.ch?ip=208.45.133.133, and it's an Excite
IP.

It looks like Excite, MyWay.com, iWon, Ask Jeeves are all somehow
intermingled.

Thanks,
Dan

- Original Message - 
From: "Dave Doherty" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, January 26, 2005 1:41 PM
Subject: Re: [Declude.JunkMail] MyWay.com and ExciteNetwork.com Ownership


> Hi Dan-
>
> They do not appear to be registered to the same organizations. See below:
>
> -d
>
> ---
>
> MYWAY.COM
>
> Ask Jeeves, Inc. (56N74PTT1)
> 555 12th Street Suite 500
> Oakland,, CA 94607
> United States
> Phone:  Inc." Fax: 510-985-7400
> E-Mail: [EMAIL PROTECTED]
> Updated: 1/21/2005 3:37:00 AM
> Created: 12/8/2004 6:10:00 AM
>
> 
>
> EXCITENETWORK.COM
>
> The Excite Network, Inc
>1 Bridge St - Suite 42
>Irvington, NY 10533
>US
>
>Domain Name: EXCITENETWORK.COM
>
>Administrative Contact:
> Domain Admins [EMAIL PROTECTED]
> The Excite Network, Inc.
> 1 Bridge Street - Suite 42
> Irvington, NY 10533
> US
> Phone: 914-591-2000
> Fax:
>Technical Contact:
> Domain Admins [EMAIL PROTECTED]
> The Excite Network, Inc.
> 1 Bridge Street - Suite 42
> Irvington, NY 10533
> US
> Phone: 914-591-2000
> Fax:
>Billing Contact:
> Domain Admins [EMAIL PROTECTED]
> The Excite Network, Inc.
> 1 Bridge Street - Suite 42
> Irvington, NY 10533
> US
> Phone: 914-591-2000
> Fax:
>
>Record updated on 2003-02-12 13:36:59
>Record created on 2001-08-26
>Record expires on 2005-08-26
>Database last updated on 2005-01-26 13:37:43 EST
>
>Domain servers in listed order:
>
>DNS4.IMGFARM.COM  208.45.133.230
>DNS5.IMGFARM.COM  208.45.133.231
>
>
>
> - Original Message - 
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, January 26, 2005 1:21 PM
> Subject: [Declude.JunkMail] MyWay.com and ExciteNetwork.com Ownership
>
>
> > Hello, All,
> > Does anyone know if MyWay.com and ExciteNetwork.com are owned by the same
> > entity?
> >
> > Thanks,
> > Dan Geiser
> > [EMAIL PROTECTED]
> >
> >


[Declude.JunkMail] MyWay.com and ExciteNetwork.com Ownership

2005-01-26 Thread Dan Geiser
Hello, All,
Does anyone know if MyWay.com and ExciteNetwork.com are owned by the same
entity?

Thanks,
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.JunkMail] Difference Between MAILFROM and FROMFILE

2005-01-25 Thread Dan Geiser
Scott,
I'm sorry.  I didn't mean the MAILFROM test.  I mean the MAILFROM entry that
you put in the filter file, e.g.  MAILFROM  50  CONTAINS  suspect.

All I need to know is if the MAILFROM I describe above looks at the whole
address in X-Declude-Sender, e.g. [EMAIL PROTECTED], or if it just
looks at the stuff before the @ character or just looks after the @
character.

Also with the FROMFILE test if I put in an entry...

hotmail.com

would the FROMFILE test add points if the X-Declude Sender was
[EMAIL PROTECTED]  Does FROMFILE look at the whole
address or just stuff after but inclusive of the @ character?

Sorry about that.

Thanks,
Dan

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 25, 2005 9:41 AM
Subject: Re: [Declude.JunkMail] Difference Between MAILFROM and FROMFILE


>
> >I apologize for asking such a silly question but I'm suffering from a mental
> >roadblock.  What is the difference between the MAILFROM and FROMFILE tests?
> >I understand the difference from a Declude configuration syntactical
> >standpoint but I don't understand the intended benefit of having two tests
> >which seem to do essentially the same thing, other than the fact that all
> >entries in a FROMFILE would have the same number of points added whereas
> >MAILFROM you can specify individual number of points.
>
> The MAILFROM test simply checks to see if the return address is on a valid
> domain.  So if I sent an E-mail from "[EMAIL PROTECTED]", it would
> fail the MAILFROM test.  You do not give the MAILFROM test any data (you
> don't give it an address, domain, list of addresses, etc.).  It will work
> the same for everyone who uses the test.
>
> The "fromfile" test type is called a Sender Blacklist.  It lets you enter a
> list of E-mail addresses that will cause the E-mail to fail that test.  It
> will work differently depending on what E-mail addresses you list.
>
> So if you have "@made_up_domain.com" or "[EMAIL PROTECTED]" in your
> blacklist, an E-mail from [EMAIL PROTECTED] would fail both the
> MAILFROM and sender blacklist tests.  But if you did not happen to list
> that user/domain, the E-mail would only fail the MAILFROM test.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>


[Declude.JunkMail] Difference Between MAILFROM and FROMFILE

2005-01-25 Thread Dan Geiser
Hello, All,
I apologize for asking such a silly question but I'm suffering from a mental
roadblock.  What is the difference between the MAILFROM and FROMFILE tests?
I understand the difference from a Declude configuration syntactical
standpoint but I don't understand the intended benefit of having two tests
which seem to do essentially the same thing, other than the fact that all
entries in a FROMFILE would have the same number of points added whereas
MAILFROM you can specify individual number of points.

Do search strings used with MAILFROM and FROMFILE both search the entire
X-Declude-Sender address?  Or does one search the whole address and the
other only look at stuff after the @ character?

BTW, I have searched the archives and I'm still seeking clarification.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] Way OT: Threaded Client Support

2005-01-14 Thread Dan Geiser
Hello, All,
I know this is way off-topic for the usual fare on this list but I know the
readers of this list have a lot of experience with e-mail so I thought maybe
this issue had crossed the mind of more than a few people before.

First let me explain how our incoming and outgoing e-mail flows...

Our MX record points to the IP address of our IMail server.  We are running
IMail 6.06.  From there it is scanned for viruses and filtered for spam by
Declude 1.82.  After Declude it is forwarded to the static IP address of our T1
on which is listening our Microsoft Exchange 2000 server.  From here it
drops into our Exchange inboxes and subsequently our e-mail clients, Outlook
and Outlook Express, mostly.

When we reply to an e-mail it goes back to Exchange which relays it back to
our IMail server and IMail takes care of delivering the mail to the
appropriate recipient mail host on the Internet.

That being said...

We would like to set up a threaded support structure on our Exchange server,
possibly via NNTP, where each customer would have their own NNTP newsgroup
(by domain name(s)?) and copies of all incoming and outgoing e-mails would
be routed into the appropriate newsgroup and would be threaded into
conversations based on the subject of these e-mails.  We would still
communicate back and forth with our customers via e-mail but this NNTP
structure would allow everyone in the company to view the ongoing and
archived conversations, both what was sent and what was received.

Do you think using the CATCHALLMAILS feature of Declude would be a perfect
fit for this?  If so, I can see how CATCHALLMAILS would work with incoming
e-mail but I don't see it for outgoing.  Besides using Declude's
CATCHALLMAILS can you think of any other features of IMail or Exchange which
would enable this?

Does this idea even have any merit to it?

Thanks for your feedback!
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Dan Geiser
Yes, but Dennis Fisher is a senior editor at eWeek.  Don't they have someone
give these articles the once over before printing them?

- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 4:09 PM
Subject: Re: [Declude.JunkMail] Interesting tactic..


> This sounds like an urban legend to me.  Keep in mind that there was
> some news release a few weeks ago that indicated AOL was seeing
> dramatically less spam traffic.  I think it is likely that AOL has
> succeeded in blocking more spam, and the article was rehashed by someone
> that didn't understand the topic and assumed that this meant a drop in
> spam.  This used to happen all the time, even in industry mags, back
> when the Internet was becoming a big deal.  Same thing with spam now.
> I'm sure that they mess up articles about medicine, astronomy, etc., and
> we just don't know enough to see through the mistakes.
>
> Matt
>
>
>
> Dan Geiser wrote:
>
> >I don't get this article at all.  How is this any different than sending
> >e-mails with using domains that you have no intention of ever using?  Why
> >would you want to register the domain name and then associate yourself with
> >a domain used in a spam mailing?  And from a technical standpoint why would
> >a distributed DNS system be overloaded by trying to lookup bogus domain
> >names?
> >
> >- Original Message - 
> >From: "Kami Razvan" <[EMAIL PROTECTED]>
> >To: 
> >Sent: Tuesday, January 11, 2005 2:50 PM
> >Subject: [Declude.JunkMail] Interesting tactic..
> >
> >
> >>http://www.eweek.com/article2/0,1759,1749328,00.asp
> >>
> >>"One troublesome technique finding favor with spammers involves sending mass
> >>mailings in the middle of the night from a domain that has not yet been
> >>registered. After the mailings go out, the spammer registers the domain
> >>early the next morning."
> >>
> >>H
> >>
> >>Kami
> >>
>
> -- 
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
>
>




Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Dan Geiser
I don't get this article at all.  How is this any different than sending
e-mails with using domains that you have no intention of ever using?  Why
would you want to register the domain name and then associate yourself with
a domain used in a spam mailing?  And from a technical standpoint why would
a distributed DNS system be overloaded by trying to lookup bogus domain
names?

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 2:50 PM
Subject: [Declude.JunkMail] Interesting tactic..


>
> http://www.eweek.com/article2/0,1759,1749328,00.asp
>
> "One troublesome technique finding favor with spammers involves sending mass
> mailings in the middle of the night from a domain that has not yet been
> registered. After the mailings go out, the spammer registers the domain
> early the next morning."
>
> H
>
> Kami
>




Re: [Declude.JunkMail] 2005 SpamHeaders - Fix

2005-01-04 Thread Dan Geiser
Scott,
I was running 1.81.

Thanks,
Dan

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 04, 2005 10:25 AM
Subject: Re: [Declude.JunkMail] 2005 SpamHeaders - Fix


>
> >I have upgraded to the new Declude.exe v1.82.  Within a matter of minutes of
> >doing this upgrade I've noticed that my mail server has started to bog down.
>
> Were you running v1.81 before, or a different version?
>
> -Scott


Re: [Declude.JunkMail] 2005 SpamHeaders - Fix

2005-01-04 Thread Dan Geiser
Hi, Scott, et al.,
I have upgraded to the new Declude.exe v1.82.  Within a matter of minutes of
doing this upgrade I've noticed that my mail server has started to bog down.
I don't know if I'm getting hit with a new wave of spam and the server's
straining to keep up or if there might be something in the new Declude code
which would cause the .EXE to not run as quickly or as efficiently as
before.

I'm not pointing fingers.  I just wanted to know if there's been any
possible performance changes because of the bug fix.  If not I'll look
somewhere else.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] Current Default GLOBAL.CFG

2004-12-30 Thread Dan Geiser
Hello, All,
I would like to take a look at the current default GLOBAL.CFG.  It used to
be linked to from the manual but that link is gone.  Can someone tell me
where I would go to find that now?

Thanks,
Dan Geiser
[EMAIL PROTECTED]





Re: [Declude.JunkMail] Question on SortMonster/MessageSniffer

2004-12-13 Thread Dan Geiser
I've never heard of it.

- Original Message - 
From: "Chris Ulrich" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 13, 2004 12:45 PM
Subject: [Declude.JunkMail] Question on SortMonster/MessageSniffer


> Is anyone using this product as part of their filtering?
>
> http://www.sortmonster.com/MessageSniffer
>
> Any feedback?
>
> Does it download "definition updates" or something similar, or is it purely
> rules based and the only update would be to the program itself?
>
> How would you integrate this in to the config files?
>
> Also, I'm putting together a list of common words/phrases found in SPAM
> that gets through the current filters.  Up to about 200, yes, there are
> plenty more.  At what point do you take a "serious" performance hit doing this?
>
> I'd post the list of words, but I'd probably score about a 400 on
> everyone's filters and you'd never see it anyway!
>
> Thanks
>
> Chris
> Cydian Technologies
>


Re: [Declude.JunkMail] OT: Declude Config Files...anyone in the holiday giving mood?

2004-12-08 Thread Dan Geiser
No, that is not the domain name that I am referring to.  If you look at my
From Address you will see it as N T G - H O S T I N G. C O M.

- Original Message - 
From: "Che Vilnonis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 08, 2004 3:34 PM
Subject: RE: [Declude.JunkMail] OT: Declude Config Files...anyone in the
holiday giving mood?


> Dan, I know I am not THAT obtuse. Isn't your domain...
> n  e  x  u  s  t  e  c  h  g  r  o  u  p  --  d  o  t  --  c  o  m  ???
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dan Geiser
> Sent: Wednesday, December 08, 2004 3:23 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] OT: Declude Config Files...anyone in the
> holiday giving mood?
>
>
> Che,
> NOT the address that I typed in my e-mail.  Look at my From Address in my
> original post.
>
> Thanks,
> Dan
>
> - Original Message -
> From: "Che Vilnonis" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 08, 2004 3:19 PM
> Subject: RE: [Declude.JunkMail] OT: Declude Config Files...anyone in the
> holiday giving mood?
>
>
> > Dan...I am not having any luck. Am I doing something wrong?
> > I replace the last five chars of your domain.
> > http://declude.nexustech?.com/
> >
> > Regards, Che
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Dan Geiser
> > Sent: Wednesday, December 08, 2004 3:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.JunkMail] OT: Declude Config Files...anyone in the
> > holiday giving mood?
> >
> >
> > Che,
> > You can see everything that I am currently doing here...
> >
> > http://declude./
> >
> > Replace  with the domain that I use to post to the list.
> >
> > Please let me know if you have any questions.
> >
> > Thanks,
> > Dan Geiser
> > [EMAIL PROTECTED]
> >
> > - Original Message -
> > From: "Che Vilnonis" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 08, 2004 12:32 PM
> > Subject: [Declude.JunkMail] OT: Declude Config Files...anyone in the
> holiday
> > giving mood?
> >
> >
> > > I hope I am posting this in the right place...
> > >
> > > Hello all. I've asked this before and had no takers.
> > > I'd like to see some real working examples of how Declude
> > > users have set up their respective config files with weights,
> > > rules, etc.
> > >
> > > I'd like to tighten up my Declude settings, but unfortunately
> > > I am not an experienced declude user/network admin like many
> > > of you are. Can anyone help? Is this wrong of me to even ask for?
> > >
> > > Thanks in advance!
> > > ~Che

Re: [Declude.JunkMail] OT: Declude Config Files...anyone in the holiday giving mood?

2004-12-08 Thread Dan Geiser
Che,
NOT the address that I typed in my e-mail.  Look at my From Address in my
original post.

Thanks,
Dan

- Original Message - 
From: "Che Vilnonis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 08, 2004 3:19 PM
Subject: RE: [Declude.JunkMail] OT: Declude Config Files...anyone in the
holiday giving mood?


> Dan...I am not having any luck. Am I doing something wrong?
> I replace the last five chars of your domain.
> http://declude.nexustech?.com/
>
> Regards, Che
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dan Geiser
> Sent: Wednesday, December 08, 2004 3:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] OT: Declude Config Files...anyone in the
> holiday giving mood?
>
>
> Che,
> You can see everything that I am currently doing here...
>
> http://declude./
>
> Replace  with the domain that I use to post to the list.
>
> Please let me know if you have any questions.
>
> Thanks,
> Dan Geiser
> [EMAIL PROTECTED]
>
> - Original Message -
> From: "Che Vilnonis" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 08, 2004 12:32 PM
> Subject: [Declude.JunkMail] OT: Declude Config Files...anyone in the
holiday
> giving mood?
>
>
> > I hope I am posting this in the right place...
> >
> > Hello all. I've asked this before and had no takers.
> > I'd like to see some real working examples of how Declude
> > users have set up their respective config files with weights,
> > rules, etc.
> >
> > I'd like to tighten up my Declude settings, but unfortunately
> > I am not an experienced declude user/network admin like many
> > of you are. Can anyone help? Is this wrong of me to even ask for?
> >
> > Thanks in advance!
> > ~Che


Re: [Declude.JunkMail] OT: Declude Config Files...anyone in the holiday giving mood?

2004-12-08 Thread Dan Geiser
Che,
You can see everything that I am currently doing here...

http://declude./

Replace  with the domain that I use to post to the list.

Please let me know if you have any questions.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "Che Vilnonis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 08, 2004 12:32 PM
Subject: [Declude.JunkMail] OT: Declude Config Files...anyone in the holiday
giving mood?


> I hope I am posting this in the right place...
>
> Hello all. I've asked this before and had no takers.
> I'd like to see some real working examples of how Declude
> users have set up their respective config files with weights,
> rules, etc.
>
> I'd like to tighten up my Declude settings, but unfortunately
> I am not an experienced declude user/network admin like many
> of you are. Can anyone help? Is this wrong of me to even ask for?
>
> Thanks in advance!
> ~Che


[Declude.JunkMail] SPAMDOMAINS and "No Reverse DNS"

2004-12-03 Thread Dan Geiser



Scott,
When using the SPAMDOMAINS test we have the option to put a string in the
second column which will also pass the test, e.g...

.hotmail.com   .msn.com

like ".msn.com" is in the above example.

I have a couple of SPAMDOMAINS where I would like to have "No Reverse DNS"
be a viable alternative to the domain but still block on everything else.
Can I just put that string "No Reverse DNS" in second column to pass through
domains which only match "domain.com" and "No Reverse DNS"?

I hope that makes sense.

 
Thanks,
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.JunkMail] Interesting Spamming Technique

2004-11-19 Thread Dan Geiser
Hey, Goran,
That is what we ended up doing for this customer.  They can't receive any 
port 25 traffic from any IP addresses except ours now.  I just had never 
seen evidence of spammers caching IP addresses before.

I was thinking though that scanning ranges of IP addresses for responses on 
port 25 and then sending e-mail either from or to @domain.tld, where 
domain.tld is the second-level domain found when you do a lookup on the 
Reverse DNS for any IP addresses found to be responding on port 25, might be 
a good way for spammers to get their messages through.

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]
- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 18, 2004 1:49 PM
Subject: RE: [Declude.JunkMail] Interesting Spamming Technique

Hi Dan,
What we do for our store and forward customers is to lock down their
firewall to only accept port 25 traffic from our IPs. Instant end to the
end-around problem.
I moved a MX record about a week ago for a domain and I am still seeing
about 1000 messages per day still hitting the old IP address and 98% of
them are WEIGHT10 +

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Thursday, November 18, 2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interesting Spamming Technique
Hello, All,
In addition to doing spam filtering for some of our IMail hosting customers
we also do Store and Forward filtering for a few domains.  In the past day
or so I've had complaints from Store and Forward customers about an increase
in spam.  When I check the headers of the e-mail they are sending to me I
don't see any indication that the e-mail was routed through us and NOT
picked up as spam.  Instead it looks like the mail was delivered directly to
their e-mail servers and did the end around our Store and Forward.  The
thing is I have no idea how the spammer even knew the direct IP addresses of
our customers because those don't show up anywhere in their DNS records.
Although I guess they could just be running port scans and checking for
responses on port 25 and attempting delivery of spam that way without using
DNS lookups.  But part of the IMail Store and Forward documentation involves
locking down the SMTP server to only accept e-mail of the relaying IP
address.  I'm 99% sure that we had the customers lock down their incoming
e-mail to only accept connections from us but I need to confirm that.  In
the meantime has anyone noticed an increase in this direct delivery method
which basically ignores the current DNS system?
Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]



[Declude.JunkMail] Interesting Spamming Technique

2004-11-18 Thread Dan Geiser
Hello, All,
In addition to doing spam filtering for some of our IMail hosting customers
we also do Store and Forward filtering for a few domains.  In the past day
or so I've had complaints from Store and Forward customers about an increase
in spam.  When I check the headers of the e-mail they are sending to me I
don't see any indication that the e-mail was routed through us and NOT
picked up as spam.  Instead it looks like the mail was delivered directly to
their e-mail servers and did the end around our Store and Forward.  The
thing is I have no idea how the spammer even knew the direct IP addresses of
our customers because those don't show up anywhere in their DNS records.
Although I guess they could just be running port scans and checking for
responses on port 25 and attempting delivery of spam that way without using
DNS lookups.  But part of the IMail Store and Forward documentation involves
locking down the SMTP server to only accept e-mail of the relaying IP
address.  I'm 99% sure that we had the customers lock down their incoming
e-mail to only accept connections from us but I need to confirm that.  In
the meantime has anyone noticed an increase in this direct delivery method
which basically ignores the current DNS system?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]
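
The header check described in this post, deciding whether a complaint sample was relayed through the Store and Forward filter or delivered straight to the customer's server, can be scripted. The following is an added example, not part of the original post or of IMail/Declude: host names, addresses and sample headers are constructed, and the `from host [ip] by host` layout is assumed from the IMail-style Received lines quoted elsewhere in this archive.

```python
import email
import ipaddress
import re

# Constructed values for illustration (documentation address ranges).
OWN_HOSTS = {"mail.customer.example"}                    # customer's own server
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.10/32")]   # the filtering relay

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\sby\s+([^\s;]+)")


def stamped_by(received_value):
    """Host that wrote this Received header (the name after 'by')."""
    m = BY_HOST.search(received_value)
    return m.group(1).lower() if m else None


def connecting_ip(received_value):
    """Peer address recorded in the 'from' clause, or None if absent/invalid."""
    from_clause = BY_HOST.split(received_value, maxsplit=1)[0]
    m = IP_IN_BRACKETS.search(from_clause)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def classify_delivery(raw_message, own_hosts=OWN_HOSTS, gateway_nets=GATEWAY_NETS):
    """Return 'via-gateway', 'direct' or 'unknown' for one raw message.

    Headers are walked top-down. Only the hops our own server prepended are
    trusted; anything below them was supplied by the sending side, so a
    gateway address appearing lower down proves nothing.
    """
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received") or []:
        if stamped_by(hop) not in own_hosts:
            break                       # sender-controlled from here down
        peer = connecting_ip(hop)
        if peer is None:
            continue                    # internal hop with no peer address
        if any(peer in net for net in gateway_nets):
            return "via-gateway"
        return "direct"
    return "unknown"


def sample(*received):
    """Build a constructed message from a list of Received header values."""
    lines = ["Received: " + r for r in received]
    lines += ["From: sender@example.org", "Subject: constructed sample", "", "body"]
    return "\n".join(lines)


# Constructed sample: relayed through the filter as intended.
VIA_GATEWAY = sample(
    "from filter.example.net [192.0.2.10] by mail.customer.example with ESMTP\n"
    "  (SMTPD32-6.06) id A1; Thu, 18 Nov 2004 10:00:05 -0500",
    "from sender.example.org [198.51.100.5] by filter.example.net with ESMTP\n"
    "  (SMTPD32-6.06) id B2; Thu, 18 Nov 2004 10:00:01 -0500",
)

# Constructed sample: delivered directly, with a forged gateway hop underneath.
DIRECT_WITH_FORGED_HOP = sample(
    "from dsl-host.example.com [203.0.113.77] by mail.customer.example with ESMTP\n"
    "  (SMTPD32-6.06) id C3; Thu, 18 Nov 2004 10:05:00 -0500",
    "from filter.example.net [192.0.2.10] by mail.customer.example with ESMTP\n"
    "  (SMTPD32-6.06) id D4; Thu, 18 Nov 2004 10:04:00 -0500",
)

# Constructed sample: an internal forwarding hop without an address on top.
INTERNAL_HOP_FIRST = sample(
    "from SMTP32-FWD by mail.customer.example\n"
    "  (SMTP32) id E5; Thu, 18 Nov 2004 10:10:04 -0500",
    "from filter.example.net [192.0.2.10] by mail.customer.example with ESMTP\n"
    "  (SMTPD32-6.06) id F6; Thu, 18 Nov 2004 10:10:01 -0500",
)

# Constructed sample: no hop written by the customer's server at all.
FOREIGN_ONLY = sample(
    "from a.example.org [198.51.100.9] by b.example.org with ESMTP; "
    "Thu, 18 Nov 2004 10:00:00 -0500",
)

if __name__ == "__main__":
    for name in ("VIA_GATEWAY", "DIRECT_WITH_FORGED_HOP",
                 "INTERNAL_HOP_FIRST", "FOREIGN_ONLY"):
        print(name, "->", classify_delivery(globals()[name]))
```

A `direct` verdict on a complaint sample means the message never passed the filter, which points at the receiving server's SMTP access restriction rather than at the filter rules.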




[Declude.JunkMail] Is DNSStuff Down?

2004-11-11 Thread Dan Geiser
Scott,
I can't seem to reach www.dnsstuff.com or backup.dnsstuff.com.  Are you
currently having issues?

Thanks,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] OT: Using Real E-Mail Address on Web Site

2004-11-10 Thread Dan Geiser
Hello, All,
We have a new web site and we would like to put links on the contact page
which allow people to click on the links and send us an e-mail but we don't
want those addresses to be scanned and added to the latest spammer's mailing
list.  Are there any common practices for obfuscating the links so they are
recognizable as valid html "mailto" links by an e-mail client but they would
be less than likely to be picked up by the spammers of the world?

Right now our webmaster replaced the e-mail addresses with images of the
e-mail addresses and the images look horrible.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




[Declude.JunkMail] Upgrading from 1.79 to 1.81

2004-11-04 Thread Dan Geiser
Hello, All,
I am currently running Declude 1.79.  On the virus mailing list, because of
a bug with regular zips being blocked as encrypted zips, Scott recommended
that I upgrade to 1.81.  I have yet to upgrade Declude using the new upgrade
methodology.  When I go to our account page it is offering me the Automatic
Install and Manual Install.  Up until now I've always considered upgrading
the Declude.exe executable to be a manual sort of process.  Does the Manual
Install listed on the Account page give us the same sort of upgrade path
that we old-timers are used to?  Or is it safe now to use the Automatic
Install?  I know that there were kinks to be worked out when the Automatic
Install method was first released and I just wanted to know if they had been
resolved.  In addition to a new Declude.exe executable what new files will
be installed when I upgrade to 1.81?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.JunkMail] OT: NO@no.com

2004-11-03 Thread Dan Geiser
Or Snapple addresses...

  - Original Message - 
  From: Kevin Bilbee 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, November 03, 2004 4:13 PM
  Subject: RE: [Declude.JunkMail] OT: [EMAIL PROTECTED]
  
  Thanks for the information. I can now block smaphole address from 
  downloading the software???
   
  Kevin Bilbee
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Colbeck, Andrew
Sent: Wednesday, November 03, 2004 1:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] OT: [EMAIL PROTECTED]

tip: if you don't trust a requestor but need to supply a valid 
address and would prefer to simply filter the mail, rather than clutter the 
requestor's database, you can use SpamHole instead.  SpamHole will give 
you a time-limited valid address on their domain, so that you can get, say, 
a validation key through email, but after the period you specify, that 
temporary address will evaporate, thus denying the requestor the ability to 
pester you in the future.
 
http://www.spamhole.com/
 
Andrew 8)

  -Original Message-
  From: Chase Seibert [mailto:[EMAIL PROTECTED] 
  Sent: Wednesday, November 03, 2004 12:54 PM
  To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] OT: [EMAIL PROTECTED]
  
  I did not file this request, but I do post similar forms to other sites on 
  occasion.  Generally, my reasoning is: I don't 
  know you, and I don't trust you not to spam me. It's none of your 
  business. It's pretentious to assume that you can require me to give you 
  my email address. Besides, I like pissing you off by cluttering your 
  database with bad data.  Just my two cents.
  
  -Chase
  Chase Seibert  |  Network and Systems Engineer  |  Bullhorn Inc  |  617.464.2440 x119  |  www.bullhorn.com
   
  -Original Message-
  From: Kevin Bilbee [EMAIL PROTECTED] 
  To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>;
  Sent: Nov 3, 2004 03:22:15 PM
  Subject: [Declude.JunkMail] OT: [EMAIL PROTECTED]

  To whoever tried to download my hold analyzer with the following information 

  DLA Downloaded by
  Name: Why Do You
  Title: Request 
  Company Name: This Information
  Number of domains on IMail: 1 
  Address: 123 No
  City: No
  State: NO
  Zip: NO
  Phone Number: NO
  Phone Extension: NO
  Email Address: [EMAIL PROTECTED] 

  Because it amuses me to see these types of requests. And it is 
  free software so why do you care. We are not marketing the software or 
  using the email addresses to spam. If I wanted to do that I can just 
  harvest address from the declude list.

  It is free and a condition of the download.

  Kevin Bilbee

  > -Original Message-
  > From: [EMAIL PROTECTED]
  > [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee
  > Sent: Wednesday, November 03, 2004 12:03 PM
  > To: [EMAIL PROTECTED]
  > Subject: RE: [Declude.JunkMail] Vulnerability hold conflicting with filter
  >
  > look at a program that I wrote. We have been using it very successfully for
  > about a year now
  >
  > http://www.ssc-isp.net/holdanalyzer/
  >
  > Kevin Bilbee
  >
  > > -Original Message-
  > > From: [EMAIL PROTECTED]
  > > [mailto:[EMAIL PROTECTED] Behalf Of John Carter
  > > Sent: Wednesday, November 03, 2004 11:51 AM
  > > To: [EMAIL PROTECTED]
  > > Subject: Re: [Declude.JunkMail] Vulnerability hold conflicting with filter
  > >
  > > Looks like either way I have to go through 100's of held messages daily to
  > > find that 99.9% are spam and then manually delete them. I guess I'll pull
  > > the ol' Visual Basic out and work up a solution.
  > >
  > > Thanks,
  > > John
  > >
  > > (Scott wrote)
  > > Your option here would be to add a line "AVAFTERJM ON" to the
  > > \IMail\Declude\virus.cfg file. This will force Declude JunkMail to run
  > > first, allowing it to delete the E-mail. However, this runs the risk of
  > > E-mail being held by Declude JunkMail -- in which case it would not be
  > > scanned by Declude Virus
  > >
  > > -Scott

[Declude.JunkMail] OT: Anti-Virus Feeds for Web Site

2004-10-28 Thread Dan Geiser
Hello, All,
We are in the process of re-doing our web site and I am looking for a good,
current, reliable Anti-Virus breaking news feed that we can put on our web
site.  We are currently a registered Symantec Partner and we also use McAfee
so I'm looking into registering as a partner with them.  I know that part of
our partnership will probably give us access to feeds through them, although
I've been a little unimpressed by their AV feeds.  I'm curious to know if
there are any other good ones out there.

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]




Re: Re[2]: [Declude.JunkMail] Determining a BCC Recipient

2004-10-27 Thread Dan Geiser
OK, fine then.  Don't do it every month.  Pick the archival frequency of
your choosing.  And can't you use Declude to insert the routing information
into the headers?  And can't you download the e-mail from the inbox into the
mail client of your choosing and archive it that way?  Anyway, as usual
someone's off on an unintended tangent here.  All I'm saying is that if I
worked for a company I would come up with a more elegant solution to mail
archiving than being dependent on SQL Server or any other proprietary
format.  Plain old text files are just fine by me.

- Original Message - 
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "Dan Geiser" <[EMAIL PROTECTED]>
Sent: Wednesday, October 27, 2004 5:33 PM
Subject: Re[2]: [Declude.JunkMail] Determining a BCC Recipient


> > If  it were me I would just use the CATCHALLMAILS feature of Declude
> > and  COPY  them to an archival e-mail address and then just burn the
> > inbox  of  that address to disk once a month.
>
> For  low-volume and unregulated businesses, perhaps, but this will not
> accomplish compliance, since:
>
> - it does not preserve envelope routing information
>
> -  at  1.5  GB  per  day, you could not actually read the monthly MBXs
> using  a standard client, even if IMail and the filesystem allowed you
> to create them
>
> -  it  does not allow for keyword search and export over the volume of
> data in question
>
> - the monthly backup is too infrequent
>
> Remember, this is a question of regulations, not internal policies.
>
> --Sandy
>
>
> 
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]
>
> SpamAssassin plugs into Declude!
> http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/
>
> Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
> http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/
> http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/
>




Re: [Declude.JunkMail] Determining a BCC Recipient

2004-10-27 Thread Dan Geiser
If it were me I would just use the CATCHALLMAILS feature of Declude and COPY
them to an archival e-mail address and then just burn the inbox of that
address to disk once a month.

- Original Message - 
From: "Rick Davidson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 27, 2004 4:29 PM
Subject: Re: [Declude.JunkMail] Determining a BCC Recipient


> Essentially the good folks at Enron and WorldComm brought us the
> Sarbanes-Oxley Act or SOX for short. Public companies have to keep a record
> of all communications, the details of this are vague but mostly apply to the
> money people and decision makers. Since we can't selectively catch that
> specific traffic we have to grab it all.
>
> Basically all mail must be archived including the attachments and all mail
> must be retrievable in a reasonable amount of time, that's about it.
>
> We were considering stripping the attachments and storing them in a
> directory structure and storing the email text data in the sql database.
> Separate fields for the date, to, from, subject, the entire D file and the
> attachment names and their location.
>
> We figure we can get decent compression and searchability with the text info
> but the biggest hurdle is the attachments and being a Title company we have
> a lot of large attachments to deal with.
>
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> -
> - Original Message - 
> From: "Matt" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 27, 2004 3:53 PM
> Subject: Re: [Declude.JunkMail] Determining a BCC Recipient
>
>
> > That's funny that you should ask.  I just coded that one up in VBScript
> > this last weekend.  I even managed to decode base64 text attachments,
> > remove quoted-printable encoding, and strip out all of the HTML code.  If
> > this is for archiving according to legal requirement, the attachments
> > would probably be necessary however.
> >
> > Sandy had some good recommendations on how to archive.  Maybe if you
> > shared your requirements with the list, someone would have some
> > recommendations as to how to approach this a better way.
> >
> > Matt
> >
> >
> >
> > Rick Davidson wrote:
> >
> >> ok thanks Matt, we do have some programmers on staff here but I will sure
> >> conscript your help if we brick wall. Regardless of where it is stored
> >> it's going to be a massive amount of data, my initial samplings show 1.5
> >> to 2GB per day. Yikes!
> >>
> >> You wouldn't happen to know how to parse mime types and remove attachments
> >> would you? :-)
> >>
> >> Rick Davidson
> >> National Systems Manager
> >> North American Title Group
> >> -
> >> - Original Message - From: "Matt" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Sent: Wednesday, October 27, 2004 2:58 PM
> >> Subject: Re: [Declude.JunkMail] Determining a BCC Recipient
> >>
> >>
> >>> That's going to be one massive database :)  I've become quite the
> >>> VBScripter as of late (if that's something to brag about), so let me
> >>> know if you need any help.
> >>>
> >>> Matt
> >>>
> >>> Rick Davidson wrote:
> >>>
> >>>> Thanks Matt,
> >>>> COPYFILE is working perfectly, now it's just a matter of writing the
> >>>> program to parse and insert it into the SQL database.
> >>>>
> >>>> Rick Davidson
> >>>> National Systems Manager
> >>>> North American Title Group
> >>>> -
> >>>> - Original Message - From: "Matt" <[EMAIL PROTECTED]>
> >>>> To: <[EMAIL PROTECTED]>
> >>>> Sent: Tuesday, October 26, 2004 5:15 PM
> >>>> Subject: Re: [Declude.JunkMail] Determining a BCC Recipient
> >>>>
> >>>>
> >>>>> Rick,
> >>>>>
> >>>>> This information is in the Q* file.  If you use the COPYFILE action,
> >>>>> it will keep both the D* and the Q* file.  The only issue is that the
> >>>>> Declude headers are lost and each message is kept separately and not
> >>>>> viewable without a special application like spamreview.  IMO, this is
> >>>>> appropriate for archiving due to legal requirement, but not for doing
> >>>>> review.
> >>>>>
> >>>>> If you want to handle this in a different way by just sending to a
> >>>>> mailbox, you can use a WARN action with the %ALLRECIPS% variable which
> >>>>> will contain the BCC addresses as well.  For instance, you could do
> >>>>> the following:
> >>>>>
> >>>>> TESTNAME WARN X-RECIPIENTS: <%ALLRECIPS%>
> >>>>>
> >>>>> This of course exposes the BCC info to all that might view the
> >>>>> headers.
> >>>>>
> >>>>> Matt
> >>>>>
> >>>>>
> >>>>> Rick Davidson wrote:
> >>>>>
> >>>>>> I am looking at creating our own email archiving solution using sql,
> >>>>>> the main hurdle is how to handle an email sent to a user using BCC.
> >>>>>> Is there a way to use Declude to include that info in a recipient
> >>>>>> x-header?
> >>>>>>
> >>>>>> If I send myself using only the BCC field the header contains only
> >>>>>> this
> >>>>>>
> >>>>>> From: "Rick Davidson" <[EMAIL PROTECTED]>
> >>>>>> To: 
> >>>>>> Subject: test
> >>>>>>
> >>>>>>
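
The archive layout discussed in this thread (header fields and text in SQL, attachments stripped out to a directory, BCC recipients taken from the envelope rather than the headers) can be sketched as follows. This is an added example, not code from any poster or from Declude: the schema, function names and sample message are constructed, and the envelope recipients are passed in as a list because the Q* file format is not shown on this page.

```python
import email
import hashlib
import json
import os
import sqlite3
import tempfile
from email import policy
from email.message import EmailMessage

SCHEMA = """
CREATE TABLE IF NOT EXISTS message (
    id INTEGER PRIMARY KEY, msg_date TEXT, hdr_from TEXT, hdr_to TEXT,
    subject TEXT, body_text TEXT, attachments TEXT, raw_sha256 TEXT);
CREATE TABLE IF NOT EXISTS envelope_rcpt (
    message_id INTEGER REFERENCES message(id), address TEXT);
"""


def store_attachment(part, attach_dir):
    """Write one decoded attachment to a content-addressed path."""
    data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
    digest = hashlib.sha256(data).hexdigest()
    subdir = os.path.join(attach_dir, digest[:2])
    os.makedirs(subdir, exist_ok=True)
    path = os.path.join(subdir, digest)
    if not os.path.exists(path):                 # identical files are stored once
        with open(path, "wb") as fh:
            fh.write(data)
    # The sender-supplied filename is kept as metadata only, never used as a path.
    return {"name": part.get_filename() or "", "sha256": digest,
            "size": len(data), "path": path}


def archive_message(raw_bytes, envelope_rcpts, db, attach_dir):
    """Archive one message; returns the new row id."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    texts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            attachments.append(store_attachment(part, attach_dir))
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content())

    def hdr(name):
        return str(msg[name] or "")

    cur = db.execute(
        "INSERT INTO message (msg_date, hdr_from, hdr_to, subject, body_text,"
        " attachments, raw_sha256) VALUES (?, ?, ?, ?, ?, ?, ?)",
        (hdr("Date"), hdr("From"), hdr("To"), hdr("Subject"), "\n".join(texts),
         json.dumps(attachments), hashlib.sha256(raw_bytes).hexdigest()))
    # Envelope recipients include BCC addresses that never appear in headers.
    db.executemany("INSERT INTO envelope_rcpt VALUES (?, ?)",
                   [(cur.lastrowid, a.lower()) for a in envelope_rcpts])
    db.commit()
    return cur.lastrowid


def find_by_recipient(db, address):
    """Ids of all archived messages delivered to this envelope recipient."""
    rows = db.execute("SELECT message_id FROM envelope_rcpt WHERE address = ?"
                      " ORDER BY message_id", (address.lower(),))
    return [r[0] for r in rows]


def build_sample():
    """Constructed sample: text body plus an attachment with a hostile name."""
    m = EmailMessage()
    m["From"] = "rick@example.com"
    m["To"] = "closing@example.com"
    m["Subject"] = "test"
    m["Date"] = "Wed, 27 Oct 2004 16:29:00 -0400"
    m.set_content("Title commitment attached.\n")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="../../deed.pdf")
    return m.as_bytes()


def demo():
    attach_dir = tempfile.mkdtemp(prefix="mailarchive-")
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rcpts = ["closing@example.com", "auditor@example.com"]  # second one was BCC
    first = archive_message(build_sample(), rcpts, db, attach_dir)
    archive_message(build_sample(), rcpts, db, attach_dir)   # same attachment again
    hdr_to, atts = db.execute("SELECT hdr_to, attachments FROM message"
                              " WHERE id = ?", (first,)).fetchone()
    files = [os.path.join(d, f) for d, _, fs in os.walk(attach_dir) for f in fs]
    return {"hdr_to": hdr_to, "attachment": json.loads(atts)[0], "files": files,
            "bcc_hits": find_by_recipient(db, "auditor@example.com"),
            "attach_dir": attach_dir}


if __name__ == "__main__":
    print(demo())
```

Content-addressed storage means a large attachment sent to many people is written once, and the recipient table answers "who actually received this" even when the To: header is empty.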

Re: [Declude.JunkMail] How to tell which version I have

2004-10-22 Thread Dan Geiser



Mark,
I wasn't talking about "declude -ver" vs. "declude.exe -ver".  I was saying
to Darin that "-ver" appears to work as well as "-diag".
 
Dan Geiser
[EMAIL PROTECTED]

  - Original Message - 
  From: Mark E. Smith 
  To: [EMAIL PROTECTED] 
  Sent: Friday, October 22, 2004 3:24 PM
  Subject: RE: [Declude.JunkMail] How to tell which version I have
  
  Doesn't matter if you add the extension or not.
  The command interpreter will process it properly. 
  However, I make it a habit of adding the extension in scripting in case
  there's a .bat or .cmd file with the same name.
   
  For example, you might want to run declude.exe but there 
  might be a file you've added called declude.bat in the same folder.
  Depending on the sort order of the command interpreter 
  declude.bat might execute.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, October 22, 2004 2:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] How to tell which version I have

"Declude.exe -ver" appears to work as well.

  - Original Message - 
  From: Darin Cox 
  To: [EMAIL PROTECTED] 
  Sent: Friday, October 22, 2004 2:28 PM
  Subject: Re: [Declude.JunkMail] How to tell which version I have
  
  Uh...shouldn't that be "declude -diag"?
  Darin.
   
  - Original Message - 
  From: Mark E. Smith 
  To: [EMAIL PROTECTED] 
  Sent: Friday, October 22, 2004 2:04 PM
  Subject: RE: [Declude.JunkMail] How to tell which version I have
  
  declude.exe -ver

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Pereira
Sent: Thursday, October 21, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How to tell which version I have

How can I tell which version of Declude Junkmail I am using ??

Re: [Declude.JunkMail] How to tell which version I have

2004-10-22 Thread Dan Geiser



"Declude.exe -ver" appears to work as well.

  - Original Message - 
  From: Darin Cox 
  To: [EMAIL PROTECTED] 
  Sent: Friday, October 22, 2004 2:28 PM
  Subject: Re: [Declude.JunkMail] How to tell which version I have
  
  Uh...shouldn't that be "declude -diag"?
  Darin.
   
  - Original Message - 
  From: Mark E. Smith 
  To: [EMAIL PROTECTED] 
  Sent: Friday, October 22, 2004 2:04 PM
  Subject: RE: [Declude.JunkMail] How to tell which version I have
  
  declude.exe -ver

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Pereira
Sent: Thursday, October 21, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How to tell which version I have

How can I tell which version of Declude Junkmail I am using ??


[Declude.JunkMail] Weird Issue with SMTP32-FWD

2004-10-14 Thread Dan Geiser
Hello, All,
First let me apologize for posting this General IMail issue to the Declude
JunkMail list.  I normally wouldn't do this but I'm sort of at my wits end.
If you are going to flame me for doing that just please press delete and
move along.  That being said...

I am having a very weird issue with one of my e-mail hosting customers and I
was hoping that someone could provide some guidance.

We have a customer, [EMAIL PROTECTED]  Whenever Gretchen sends an e-mail to
anybody, whether it is an Internet recipient or someone on our IMail server,
the same e-mail address, [EMAIL PROTECTED], always gets a copy of the
message.

Yesterday I had her send a test to my e-mail address,
[EMAIL PROTECTED], and I watched the IMail inbox, main.mbx, for
[EMAIL PROTECTED] very closely and sure enough at the same instant I receive
Gretchen's test message one showed up in the [EMAIL PROTECTED] inbox.  I
looked over everything in IMail and on their Outlook clients and couldn't
find any settings which would be causing this to happen.  To eliminate IMail
as a source of the problem I decided to delete their whole IMail host and
recreate the users from scratch.  I did that and we tested again and again
[EMAIL PROTECTED] received a copy of the message.

 Here are the headers from the made after we deleted and re-added everything
back...

Test Message Sent to Me:
==
Received: from omg3 [245.106.230.134] by xyz.com with ESMTP
  (SMTPD32-6.06) id A8D7FA5100DC; Tue, 12 Oct 2004 17:12:55 -0400
From: "Gretchen" [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: test 6
Date: Tue, 12 Oct 2004 17:12:55 -0400
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_00B7_01C4B07E.B7A8FE10"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Declude-Sender: [EMAIL PROTECTED] [245.106.230.134]
X-Note: This E-mail was scanned & filtered by Declude [1.79] for SPAM &
viruses.
X-Country-Chain: UNITED STATES->destination
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Note: Sent with HELO [omg3] from Reverse DNS [[No Reverse DNS]]
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, REVDNS [25]
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 60777
Status: U

This is a multi-part message in MIME format.

--=_NextPart_000_00B7_01C4B07E.B7A8FE10
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit

Test6

Gretchen
==

Test Also Received by [EMAIL PROTECTED]:
 ==
 From [EMAIL PROTECTED] Tue Oct 12 17:13:05 2004
 Received: from SMTP32-FWD by pagerover.com
   (SMTP32) id A1154; Tue, 12 Oct 2004 17:13:04 -0400
 Received: from omg3 [245.106.230.134] by xyz.com with ESMTP
   (SMTPD32-6.06) id A8D7FA5100DC; Tue, 12 Oct 2004 17:12:55 -0400
 From: "Gretchen" [EMAIL PROTECTED]
 To: <[EMAIL PROTECTED]>
 Subject: test 6
 Date: Tue, 12 Oct 2004 17:12:55 -0400
 Message-ID: <[EMAIL PROTECTED]>
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary="=_NextPart_000_00B7_01C4B07E.B7A8FE10"
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook, Build 10.0.2627
 Importance: Normal
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
 X-Declude-Sender: [EMAIL PROTECTED] [245.106.230.134]
 X-Note: This E-mail was scanned & filtered by Declude [1.79] for SPAM &
 viruses.
 X-Country-Chain: UNITED STATES->destination
 X-Note: Recipient(s):  [EMAIL PROTECTED]
 X-Note: Sent with HELO [omg3] from Reverse DNS [[No Reverse DNS]]
 X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, REVDNS [25]
 X-UIDL: 397615190
 Status: U

 This is a multi-part message in MIME format.

 --=_NextPart_000_00B7_01C4B07E.B7A8FE10
 Content-Type: text/plain;
  charset="us-ascii"
 Content-Transfer-Encoding: 7bit

 Test6

 Gretchen
 ==

 The first thing I noticed when comparing these two headers was the
 additional line in the one which ended up in [EMAIL PROTECTED]'s in-box...
 ==
 Received: from SMTP32-FWD by pagerover.com
   (SMTP32) id A1154; Tue, 12 Oct 2004 17:13:04 -0400
 ==

 Pagerover.com is another domain name on our IMail server but I can't figure
 out why SMTP32-FWD is kicking in.  Is there some place in the file system or
 registry where I can go to see why SMTP32-FWD is forwarding this message?

 Thanks So Much!
 Dan Geiser
 [EMAIL PROTECTED]





[Declude.JunkMail] Message Which Didn't Fail MAILFROM Test

2004-10-14 Thread Dan Geiser
Scott,
I'm a little surprised that this message didn't fail the MAILFROM test...

===
Received: from wrkst-120-188.trafficopen.com [69.42.120.188] by
mail.maildesk.net
  (SMTPD32-6.06) id A197D95000B8; Wed, 13 Oct 2004 20:00:23 -0400
From: "Market Research" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Free to new members- Flat Screen TV
Date: Wed, 13 Oct 2004 17:03:41 -0800
MIME-Version: 1.0
Content-type: text/html; charset="ISO-8859-1"
Content-transfer-encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
X-Declude-Sender: [EMAIL PROTECTED] [69.42.120.188]
X-Note: This E-mail was scanned & filtered by Declude [1.79] for SPAM &
viruses.
X-Country-Chain: [Unknown]->destination
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Note: Sent with HELO [wrkst-120-188.trafficopen.com] from Reverse DNS
[(timeout)]
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, WEIGHT-HOLD, FILTER-COUNTRY,
FILTER-HELO, IPFILE-BAD-16 [259]
===

Should it have failed?

Thanks,
Dan




Re: [Declude.JunkMail] Citibank - phishing- still live

2004-10-05 Thread Dan Geiser
Hi, Chuck,
I don't consider the non-existence of a common "SpamDomains" text file to be
a problem.  As I said in my response to Markus no one "SpamDomains" file is
correct.  So if no one "SpamDomains" file can be seen as correct then you
can't have one common "SpamDomains" text file.

With multiple "SpamDomains" source files you could choose to weight some
"SpamDomains" such as those legitimate businesses which use outsourced 3rd
party mailers but that still shouldn't affect all "SpamDomains" across the
board.

My top priority is to deliver all legitimate e-mail as well.  Right now our
DJM installation is looking at about 400,000 messages a month 3/4's of which
are spam.  That's only for 19 domains.  If other customers start using our
spam filtering that number will go up so I am trying to keep the resource
intensive tests to a minimum so I don't have to worry too much about it
scaling up down the road.

But I go back to my original post.  The Declude JunkMail discussion list is
a pretty busy list as it is.  I see all sorts of news articles and phishing
URLs posted to this list which are mostly meaningless to me.  Yes, most of
the news articles are related to spam filtering in general, and in the case
of the phishing URLs some DJM users are choosing to block those URLs with
body filters individually, but I still don't see why the whole group has to
be included on those phishing announcements.  I think the "general spam news
articles" would be more appropriate for a list which discusses the problem
of "spam in general".  And I think the "phishing URLs" would be more
appropriate for a list which discussed "currently active phishing URLs".

Less noise and more signal on this list means less meaningless (to me)
messages that I have to wade through to get to the real meat of the new
enhancements in Declude JunkMail.  As it is I can't keep up with everything
which is discussed on here and I don't think there's anything "wrong" with
inquiring about the purpose of certain postings.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 3:51 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live


Dan:

I certainly know how to run the spamdomains test but I would like to point
out some of the basic problems with the spam domains test.  As I said there
is no central list for the spam domains - you posted yours and Marcus posted
his and they were different.  Here are a few other problems with spamdomains
- many legitimate businesses (American Express, Dell) outsource mailings to
third party  mailers - this can trigger  false positives.  People using
their personal email address as a reply to address and send it from a
different server (from work) - more false positives.  People forwarding mail
to an account on our server from another mail server - these will trip more
false positives.

Every situation is different, everyone's objectives are a little different.
I could never get away with blocking mail without a reverse dns entry like
aol does.  Our top priority is to deliver the mail, our second priority is
block unwanted email, our third priority is to minimize time spent
maintaining the mail system.  I find that body filters are very good at
meeting our objectives and actually save us time.  We use spam domain tests
but find they are more prone to false positives for the reasons mentioned
above and therefore we have to weigh it lower than some other tests.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live


Chuck,
If you are getting lots of false positives with SpamDomains then I don't
think you are using it right.  My hold weight is 100.  My delete weight is
200.  I have multiple SpamDomains tests with some weighing 100 points and
some weighing 125 points.  So almost any failure of SpamDomains is held in
my setup.  Obviously I wouldn't be holding on SpamDomains if it generated
lots of false positives.

BTW, I don't do any filtering on the body of messages, only headers.  Body
filtering is a big waste of time in my opinion.

Dan

- Original Message - 
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 12:07 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live




Unfortunately spamdomains is a test that has a lot of false positives and
there is not real solid list of spamdomains.  Because of that we have to
weight spamdomains low, so I could never say th

Re: [Declude.JunkMail] Citibank - phishing- still live

2004-10-05 Thread Dan Geiser
Markus,
For the record I have about 5 different spam domains tests.

Dan

- Original Message - 
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 12:41 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live


> Chuck, and others,
>
> Maybe you should consider splitting your spamdomain file to multiple files
> with different weights
>
> While messages from yahoo, msn and Co. could have many FP's as users are
> connecting from everywhere you shouldn't see any message from other typical
> spamdomains (like citibank) not matching the spamdomain-rule.
>
> Someone (Scott Fisher?) has a great list of spamdomains categorized in
> SD-STRONG
> SD-LOW
> SD-PISH
> ...
>
> SD-PISH on my server has a spam-accuracy of 100% (no false positives) in
> over 360.000 processed messages.
> Here's the list of domains for SD-PISH:
>
> 
> @paypal.com .paypal.
> @ebay.com .ebay.
> .ebay.com  .emailebay.com
> citibank.com .ssmb.com
> commercebank.com .psmtp.com
> fleet.com .bkb.com
> @usbank.com .usbank.com
> wellsfargo.com .norwest.com
> 
>
> Markus
>
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
> > Sent: Tuesday, October 05, 2004 6:07 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Declude.JunkMail] Citibank - phishing- still live
> >
> >
> >
> > Unfortunately spamdomains is a test that has a lot of false
> > positives and there is not real solid list of spamdomains.
> > Because of that we have to weight spamdomains low, so I could
> > never say that users would not see such an email because of
> > spam domains alone.  On the other hand I can give a very high
> > weight to urls contained in the body of an email and will
> > have almost no false positives.  Just my thoughts on the matter.
> >
> > Chuck Schick
> > Warp 8, Inc.
> > (303)-421-5140
> > www.warp8.com
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> > Sent: Tuesday, October 05, 2004 9:14 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
> >
> >
> > Whether I classify them as spam or not, I don't post every
> > spam that I receive to this list.
> >
> > My point is that if you are blocking phish based on
> > individual URLs I think you are not doing it in the most
> > efficient way.  Simply adding...
> >
> > @ameritrade.com  .ameritrade.com
> > @citi.com  .citibank.com
> > @citibank.com  .citibank.com
> > @ebay.com  .ebay.com
> > @fleet.com  .fleet.com
> > .gs.com
> > @paypal.com  .paypal.com
> > @suntrust.com  .suntrust.com
> > @visa.com  .visa.com
> > @wellsfargo.com  .wellsfargo.com
> >
> > to the text file which maps to my Spamdomains test keeps all
> > of the phish away from my users since none of these messages
> > ever originate from the proper domains.
> >
> > Dan
> >
> > - Original Message -
> > From: "Bill Landry" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, October 05, 2004 10:58 AM
> > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
> >
> >
> > > Where else would you suggest they be posted, after all, phishing
> > > e-mail
> > are
> > > spam in my book.  However, with that said, more and more
> > virus vendors
> > > are starting to add phishing e-mail recognition to their virus
> > > definitions. Both uvscan (NAI/McAfee) and the latest release
> > > candidates for ClamAV support phishing e-mail detection.
> > >
> > > Bill
> > > - Original Message -
> > > From: "Dan Geiser" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, October 05, 2004 4:22 AM
> > > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
> > >
> > >
> > > Can I ask why you guys post these to the Declude JunkMail
> > discussion
> > > list?  It doesn't seem to have anything to do with the
> > subject matter
> > > of this list.
> > >
> > > - Original Message -
> > > From: Kami Razvan <mailto:[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > <mailto:[EM

Re: [Declude.JunkMail] Citibank - phishing- still live

2004-10-05 Thread Dan Geiser
Markus,
I would say that your list is much more complete than mine.  Mine is correct
just not as complete.  Mine is based on the messages that I have received
and if I haven't received phishes for some specific domains then they
wouldn't have ended up on my list.

Dan

- Original Message - 
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 12:59 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live


>
> Hmm as I can see there are a lot of differences between the phishing list
> posted by Dan...
>
> > @ameritrade.com  .ameritrade.com
> > @citi.com  .citibank.com
> > @citibank.com  .citibank.com
> > @ebay.com  .ebay.com
> > @fleet.com  .fleet.com
> > .gs.com
> > @paypal.com  .paypal.com
> > @suntrust.com  .suntrust.com
> > @visa.com  .visa.com
> > @wellsfargo.com  .wellsfargo.com
>
>
> and the list I'm using at the moment.
>
> > 
> > @paypal.com .paypal.
> > @ebay.com .ebay.
> > .ebay.com  .emailebay.com
> > citibank.com .ssmb.com
> > commercebank.com .psmtp.com
> > fleet.com .bkb.com
> > @usbank.com .usbank.com
> > wellsfargo.com .norwest.com
> > 
>
>
> Is there someone who can confirm for a certain domain what's the right SD
> alias?
>
> Markus
>
>
>
>


Re: [Declude.JunkMail] Citibank - phishing- still live

2004-10-05 Thread Dan Geiser
Chuck,
If you are getting lots of false positives with SpamDomains then I don't
think you are using it right.  My hold weight is 100.  My delete weight is
200.  I have multiple SpamDomains tests with some weighing 100 points and
some weighing 125 points.  So almost any failure of SpamDomains is held in
my setup.  Obviously I wouldn't be holding on SpamDomains if it generated
lots of false positives.

BTW, I don't do any filtering on the body of messages, only headers.  Body
filtering is a big waste of time in my opinion.

Dan

- Original Message - 
From: "Chuck Schick" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 12:07 PM
Subject: RE: [Declude.JunkMail] Citibank - phishing- still live




Unfortunately spamdomains is a test that has a lot of false positives and
there is not real solid list of spamdomains.  Because of that we have to
weight spamdomains low, so I could never say that users would not see such
an email because of spam domains alone.  On the other hand I can give a very
high weight to urls contained in the body of an email and will have almost
no false positives.  Just my thoughts on the matter.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, October 05, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live


Whether I classify them as spam or not, I don't post every spam that I
receive to this list.

My point is that if you are blocking phish based on individual URLs I think
you are not doing it in the most efficient way.  Simply adding...

@ameritrade.com  .ameritrade.com
@citi.com  .citibank.com
@citibank.com  .citibank.com
@ebay.com  .ebay.com
@fleet.com  .fleet.com
.gs.com
@paypal.com  .paypal.com
@suntrust.com  .suntrust.com
@visa.com  .visa.com
@wellsfargo.com  .wellsfargo.com

to the text file which maps to my Spamdomains test keeps all of the phish
away from my users since none of these messages ever originate from the
proper domains.

Dan

- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 10:58 AM
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live


> Where else would you suggest they be posted, after all, phishing
> e-mail
are
> spam in my book.  However, with that said, more and more virus vendors
> are starting to add phishing e-mail recognition to their virus
> definitions. Both uvscan (NAI/McAfee) and the latest release
> candidates for ClamAV support phishing e-mail detection.
>
> Bill
> - Original Message -
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 05, 2004 4:22 AM
> Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
>
>
> Can I ask why you guys post these to the Declude JunkMail discussion
> list?  It doesn't seem to have anything to do with the subject matter
> of this list.
>
> - Original Message -
> From: Kami Razvan <mailto:[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Sent: Tuesday, October 05, 2004 6:56 AM
> Subject: [Declude.JunkMail] Citibank - phishing- still live
>
> Hi;
> the following is another phishing attempt- the site still live.
>
> http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/>
>
> Regards,
> Kami
>
>
>  Email
>
> Subject: [37~]Dear customer your details have been compromised
> MIME-Version: 1.0 (produced by annunciatemarginalia 8.2)
> Content-Type: multipart/alternative;  boundary="--938071008627732911"
> X-RBL-Warning: IPNOTINMX:
> X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
> detected.
> X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
> X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL
> dynablock - http://njabl.org/dynablock.html
> <http://njabl.org/dynablock.html> "
> X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a
> potential spam source listed in NJABL-DUL.
> X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> "
> X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See:
> http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11
> <http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11> "
> X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight
> 13)
> X-Declude-Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> [12.107.246.11]
> X-Declude-Spoolname: D26691b0502409fba.SMD
> X-Note:
> ==
>
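
Added example (not part of the original thread, and not Declude's code): a small Python model of the SpamDomains idea discussed above, where a sender-address suffix is paired with a string that the connecting host's reverse DNS must match, scored against the hold/delete weights Dan describes. The rule-file syntax, the matching semantics, the test names, the SD-LOW entry and weight, and the sample sender addresses are assumptions of this example.

```python
from dataclasses import dataclass

HOLD_WEIGHT = 100     # hold/delete weights quoted in the thread
DELETE_WEIGHT = 200

# Constructed rule files. The SD-PHISH pairs are taken from the lists quoted in
# the thread; the SD-LOW entry and both test weights are this example's choice.
SD_PHISH = """\
# sender suffix    reverse DNS must match
@citibank.com      .citibank.com
@paypal.com        .paypal.
@ebay.com          .ebay.com
"""
SD_LOW = """\
@yahoo.com         .yahoo.com
"""
TESTS = [("SD-PHISH", 125, SD_PHISH), ("SD-LOW", 30, SD_LOW)]


@dataclass(frozen=True)
class Rule:
    sender_suffix: str   # matched against the end of the envelope sender
    rdns_pattern: str    # what the connecting host's reverse DNS must match


def parse_rules(text):
    """Parse 'suffix [pattern]' lines; a lone suffix is reused as the pattern."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) > 2:
            raise ValueError(f"too many columns: {raw!r}")
        suffix = fields[0].lower()
        pattern = fields[-1].lower()
        # Anchor the pattern on a label boundary so "paypal.com" cannot be
        # satisfied by "notpaypal.com".
        rules.append(Rule(suffix, "." + pattern.lstrip("@.")))
    return rules


def rdns_matches(pattern, rdns):
    """True if the reverse DNS name satisfies the rule's pattern."""
    if not rdns:
        return False                      # no PTR record: nothing vouches for the sender
    host = "." + rdns.strip().lower().rstrip(".")
    if pattern.endswith("."):
        # ".paypal." covers .paypal.com and .paypal.co.uk, but is looser than a
        # suffix: any host name containing a "paypal" label passes.
        return pattern in host + "."
    # Suffix match, not substring: "mail.citibank.com.example.net" must not pass.
    return host.endswith(pattern)


def score(mail_from, rdns, tests=TESTS):
    """Return (total weight, action, failed test names) for one message."""
    sender = mail_from.strip().lower()
    failed = []
    for name, weight, rule_text in tests:
        for rule in parse_rules(rule_text):
            if sender.endswith(rule.sender_suffix) and not rdns_matches(rule.rdns_pattern, rdns):
                failed.append((name, weight))
                break                     # a test contributes its weight once
    total = sum(weight for _, weight in failed)
    if total >= DELETE_WEIGHT:
        action = "DELETE"
    elif total >= HOLD_WEIGHT:
        action = "HOLD"
    else:
        action = "DELIVER"
    return total, action, [name for name, _ in failed]


if __name__ == "__main__":
    # Constructed samples; the dial-up host name is the one in the quoted headers.
    samples = [
        ("service@citibank.com", "dialup-12-107-246-11.dtccom.net"),
        ("alerts@citibank.com", "mail.citibank.com"),
        ("alerts@citibank.com", "mail.citibank.com.example.net"),
        ("joe@yahoo.com", "adsl-1.example.net"),
        ("billing@paypal.com", None),
    ]
    for mail_from, rdns in samples:
        print(mail_from, rdns, score(mail_from, rdns))
```

Splitting the rules into a high-weight phishing file and a low-weight file for free-mail domains is what lets the first test hold on its own while the second only nudges the total.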

[Declude.JunkMail] Anyone Want to See My Declude Configuration Files?

2004-10-05 Thread Dan Geiser



Hello, All,
I have made most of my Declude Configuration 
Files accessible via a public HTTP URL.  Eventually I'll post the link to 
the list at large but at first I'm just looking for a few interested and 
educated Declude users who might be interested in seeing them and commenting on 
whether I'm making too much of my Declude config known to the 
public.
 
Any takers?  If so, just e-mail me directly 
and I'll send you the link.
 
Thanks,
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.JunkMail] Citibank - phishing- still live

2004-10-05 Thread Dan Geiser
Whether I classify them as spam or not, I don't post every spam that I
receive to this list.

My point is that if you are blocking phish based on individual URLs I think
you are not doing it in the most efficient way.  Simply adding...

@ameritrade.com  .ameritrade.com
@citi.com  .citibank.com
@citibank.com  .citibank.com
@ebay.com  .ebay.com
@fleet.com  .fleet.com
.gs.com
@paypal.com  .paypal.com
@suntrust.com  .suntrust.com
@visa.com  .visa.com
@wellsfargo.com  .wellsfargo.com

to the text file which maps to my Spamdomains test keeps all of the phish
away from my users since none of these messages ever originate from the
proper domains.

Dan

- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 10:58 AM
Subject: Re: [Declude.JunkMail] Citibank - phishing- still live


> Where else would you suggest they be posted, after all, phishing e-mail
are
> spam in my book.  However, with that said, more and more virus vendors are
> starting to add phishing e-mail recognition to their virus definitions.
> Both uvscan (NAI/McAfee) and the latest release candidates for ClamAV
> support phishing e-mail detection.
>
> Bill
> - Original Message - 
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, October 05, 2004 4:22 AM
> Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
>
>
> Can I ask why you guys post these to the Declude JunkMail discussion
> list?  It doesn't seem to have anything to do with the subject matter of
> this list.
>
> - Original Message - 
> From: Kami Razvan <mailto:[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> Sent: Tuesday, October 05, 2004 6:56 AM
> Subject: [Declude.JunkMail] Citibank - phishing- still live
>
> Hi;
> the following is another phishing attempt- the site still live.
>
> http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/>
>
> Regards,
> Kami
>
>
>  Email
>
> Subject: [37~]Dear customer your details have been compromised
> MIME-Version: 1.0 (produced by annunciatemarginalia 8.2)
> Content-Type: multipart/alternative;
>  boundary="--938071008627732911"
> X-RBL-Warning: IPNOTINMX:
> X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
> detected.
> X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
> X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL
> dynablock - http://njabl.org/dynablock.html
> <http://njabl.org/dynablock.html> "
> X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a
> potential spam source listed in NJABL-DUL.
> X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]> "
> X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See:
> http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11
> <http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11> "
> X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight
> 13)
> X-Declude-Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> [12.107.246.11]
> X-Declude-Spoolname: D26691b0502409fba.SMD
> X-Note:
> ==
> X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+]
> X-Note: Scan Time: 00:43:47 on 05 Oct 2004
> X-Note: Spool File: D26691b0502409fba.SMD
> X-Note: Server Name: dialup-12-107-246-11.dtccom.net
> X-Note: SMTP Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net
> [12.107.246.11]
> X-Note: Country Chain: UNITED STATES->destination
>
>
> 938071008627732911
> Content-Type: text/plain;
>  charset="iso-2059-6"
> Content-Transfer-Encoding: quoted-printable
> Content-Description: nicholson salmonberry biblical
>
> Dear Customer:
>
> Recently there have been a large number of cyber attacks pointing our
> data=
> base servers. In order to safeguard your account, we require you to sign
> o=
> n immediately.
>
> This personal check is requested of you as a precautionary measure and
> to =
> ensure yourselves that everything is normal with your balance and
> personal=
>  information.
>
> This process is mandatory, and if you did not sign on within the nearest
> t=
> ime your account may be subject to temporary suspension.
>
> Please make sure you have your Citibank(R) debit card number and your
> User=
>  ID and Password at hand.
>
> Please use our secure counter server to indicate that you have signed
> on, =
> please click the link bellow:
>
>

Re: [Declude.JunkMail] Citibank - phishing- still live

2004-10-05 Thread Dan Geiser



Hi, Kami,
Well, my users never see them because I have 
"citibank.com" on my "spam domains" list.  I agree that it might be 
important to disseminate currently active phishing URLs but I just don't know 
that the DJM mailing list is the place.
 
Just An Idea,
 
Thanks!
Dan

  - Original Message - 
  From: 
  Kami Razvan 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, October 05, 2004 7:47 
  AM
  Subject: RE: [Declude.JunkMail] Citibank 
  - phishing- still live
  
  Hi Dan:
   
  I post it just in case you want to filter a phishing 
  attempt.
   
  Historically people have posted this to stop the attempts - this way 
  your users will not receive this.
   
  Don't you think it applies?
   
  Kami
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
  Sent: Tuesday, October 05, 2004 7:23 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] Citibank - phishing- still live
  
  Can I ask why you guys post these to the Declude 
  JunkMail discussion list?  It doesn't seem to have anything to do with 
  the subject matter of this list.
  
- Original Message - 
From: 
Kami Razvan 
To: [EMAIL PROTECTED] 

Sent: Tuesday, October 05, 2004 6:56 
AM
Subject: [Declude.JunkMail] Citibank - 
phishing- still live

Hi;
the following 
is another phishing attempt- the site still live.
 
http://211.158.34.250/citifi/
 
Regards,
Kami
 
 
 
Email
Subject: [37~]Dear customer your details have been compromised
MIME-Version: 1.0 (produced by annunciatemarginalia 8.2)
Content-Type: multipart/alternative; boundary="--938071008627732911"
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"
X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a potential spam source listed in NJABL-DUL.
X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11"
X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight 13)
X-Declude-Sender: [EMAIL PROTECTED] [12.107.246.11]
X-Declude-Spoolname: D26691b0502409fba.SMD
X-Note: ==
X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+]
X-Note: Scan Time: 00:43:47 on 05 Oct 2004
X-Note: Spool File: D26691b0502409fba.SMD
X-Note: Server Name: dialup-12-107-246-11.dtccom.net
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net [12.107.246.11]
X-Note: Country Chain: UNITED STATES->destination

938071008627732911
Content-Type: text/plain; charset="iso-2059-6"
Content-Transfer-Encoding: quoted-printable
Content-Description: nicholson salmonberry biblical
 
Dear Customer:
 
Recently there have been a large number of cyber attacks pointing our 
data=base servers. In order to safeguard your account, we require you to 
sign o=n immediately. 
 
This personal check is requested of you as a precautionary measure and 
to =ensure yourselves that everything is normal with your balance and 
personal= information.
 
This process is mandatory, and if you did not sign on within the 
nearest t=ime your account may be subject to temporary suspension.
 
Please make sure you have your Citibank(R) debit card number and your 
User= ID and Password at hand.
 
Please use our secure counter server to indicate that you have signed 
on, =please click the link bellow:
 
http://211.158.34.250/citifi/
 
!! Note that we have no particular indications that your details have 
been= compromised in any way.
 
Thank you for your prompt attention to this matter and thank you for 
using= Citibank(R)
 
Regards,
 
Citibank(R) Card Department
 
(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank 
(West), FSB. Member FDIC.Citibank and Arc Design is a registered service 
mark of Citicorp.
 
938071008627732911--


Re: [Declude.JunkMail] Citibank - phishing- still live

2004-10-05 Thread Dan Geiser



Can I ask why you guys post these to the Declude 
JunkMail discussion list?  It doesn't seem to have anything to do with the 
subject matter of this list.

  - Original Message - 
  From: 
  Kami Razvan 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, October 05, 2004 6:56 
  AM
  Subject: [Declude.JunkMail] Citibank - 
  phishing- still live
  
  Hi;
  the following is 
  another phishing attempt- the site still live.
   
  http://211.158.34.250/citifi/
   
  Regards,
  Kami
   
   
   
  Email
  Subject: [37~]Dear customer your details have been compromised
  MIME-Version: 1.0 (produced by annunciatemarginalia 8.2)
  Content-Type: multipart/alternative; boundary="--938071008627732911"
  X-RBL-Warning: IPNOTINMX:
  X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
  X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
  X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"
  X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a potential spam source listed in NJABL-DUL.
  X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
  X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11"
  X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 198, weight 13)
  X-Declude-Sender: [EMAIL PROTECTED] [12.107.246.11]
  X-Declude-Spoolname: D26691b0502409fba.SMD
  X-Note: ==
  X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+]
  X-Note: Scan Time: 00:43:47 on 05 Oct 2004
  X-Note: Spool File: D26691b0502409fba.SMD
  X-Note: Server Name: dialup-12-107-246-11.dtccom.net
  X-Note: SMTP Sender: [EMAIL PROTECTED]
  X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net [12.107.246.11]
  X-Note: Country Chain: UNITED STATES->destination

  938071008627732911
  Content-Type: text/plain; charset="iso-2059-6"
  Content-Transfer-Encoding: quoted-printable
  Content-Description: nicholson salmonberry biblical
   
  Dear Customer:
   
  Recently there have been a large number of cyber attacks pointing our 
  data=base servers. In order to safeguard your account, we require you to 
  sign o=n immediately. 
   
  This personal check is requested of you as a precautionary measure and to 
  =ensure yourselves that everything is normal with your balance and 
  personal= information.
   
  This process is mandatory, and if you did not sign on within the nearest 
  t=ime your account may be subject to temporary suspension.
   
  Please make sure you have your Citibank(R) debit card number and your 
  User= ID and Password at hand.
   
  Please use our secure counter server to indicate that you have signed on, 
  =please click the link bellow:
   
  http://211.158.34.250/citifi/
   
  !! Note that we have no particular indications that your details have 
  been= compromised in any way.
   
  Thank you for your prompt attention to this matter and thank you for 
  using= Citibank(R)
   
  Regards,
   
  Citibank(R) Card Department
   
  (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., Citibank (West), 
  FSB. Member FDIC.Citibank and Arc Design is a registered service mark of 
  Citicorp.
   
  938071008627732911--


Re: [Declude.JunkMail] OT: IP block tool

2004-09-30 Thread Dan Geiser
John,
What is the IP range?

Dan

- Original Message - 
From: "John Shacklett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 30, 2004 3:35 PM
Subject: [Declude.JunkMail] OT: IP block tool


> I use SamSpade for Windows as my Swiss Army Knife while I'm working, and
99
> times out of 100 it proves its worth. Fantastic tool.
>
> That 1 time when I'm not pleased, I'm trying to research who owns a given
IP
> Range. The results that SamSpade returns just don't have the granularity I
> want. Can anyone recommend a tool to quickly look up IP Range assignments
> that works more strongly than SamSpade?
>
> --
>
> John Shacklett
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> www.continentaloffice.com
>


[Declude.JunkMail] Typos on Declude Web Site and/or Manual

2004-09-30 Thread Dan Geiser



Does anyone know the best method for submitting 
reports regarding the Declude Web Site and/or JunkMail Manual?  

 
BTW, it's cool to finally put a face to our 
esteemed junkmail saviour, Scott Perry, http://www.declude.com/aboutus.asp.
 
Thanks,
Dan Geiser
[EMAIL PROTECTED]
 


Re: [Declude.JunkMail] 100 Point scale / DNS

2004-09-28 Thread Dan Geiser



David,
I migrated our Declude JunkMail setup to a 100 
point system awhile back.  With our current setup as it is today we HOLD on 
100 and DELETE on 300.  When I first migrated over the way that I did it 
was I set my HOLD weight to 100 and had no DELETE weight and then I assigned 
arbitrary (with reason) to different tests.  Since I didn't have a DELETE 
weight at all at first I didn't worry about any messages being deleted and 
since I was closely monitoring things during this transition anything that was 
accidentally held I would just release.  Before releasing I would adjust my 
original arbitrary scoring down to make sure that the next time that message, 
given the tests that it had failed, that it wouldn't be caught 
again.
 
Most tests I just started out at 100 points each 
and very quickly in a few days adjusted them down to something more reasonable, 
usually in the 25 point range.  I came up with what I think is a good 
combination of getting messages to squeak in under the 100 HOLD 
weight (few false positives) and yet leaving the scores high enough to 
catch a lot of spam.  Whenever I add a new test now I add it as a 100 point 
test and then I adjust my DELETE weight up 100 points so that way I am assured 
that the addition of the new test will not put anything over the delete 
level.  And then I watch for false positives and adjust the new test down 
accordingly to again get those messages to squeak in under the HOLD 
weight.
 
I am investigating making my DJM settings 
publicly available via FTP as Kami does. If you are interested I'll let you 
see how I am doing it when that's up.
 
Dan
 
- Original Message - 

  From: 
  Kornitz, David 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, September 28, 2004 8:36 
  AM
  Subject: [Declude.JunkMail] 100 Point 
  scale / DNS
  
  
  First 
  Question:
   
  I know this issue has been 
  discussed in the past, but I would like to make sure I understand the 
  discussions:
   
  1.   
  We are contemplating revising the 
  scoring to a 100 point scale
  2.   
  I assume that when the conversion 
  is made that initially you select the value for 100 point and then 
  proportionally adjust the scores up.
   
  Questions:  What weight did 
  you use for the 100 points? Was it the delete weight? Or the hold weight? 
   or something in between the values?
   
   
   
  Second 
  Question:
   
      
  I am receiving a lot of DNS timeout values, yet when I go to run the IP 
  address through NSLookup, it returns the address immediately.  The 
  primary address on the server is a Windows 2003 DNS server, secondary 
  addresses are linux DNS servers.   What DNS servers is Declude using 
  when doing a DNS lookup?  As I recall, there was a way to specify these 
  values in the global.cfg but I was not able to locate any information on this. 
    Anyone have any recommendations or insight into the problem? 
  
   
  Thanks for your help in 
  advance,
   
  David


Re: [Declude.JunkMail] Online FTP site with Declude Files...

2004-09-20 Thread Dan Geiser
ftp.xyz.com/imail where xyz.com is Kami's domain

- Original Message - 
From: "Mark Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 20, 2004 3:19 PM
Subject: [Declude.JunkMail] Online FTP site with Declude Files...


> I believe that it was Kami who had his \declude folder exposed via FTP so
> you could pull his tests.
>
> Anyone remember the URL and is this still online?
>
> Thanks!
>
> Mark
>
>
>


[Declude.JunkMail] Troubleshooting "FROMFILE" Configuration Issue

2004-09-20 Thread Dan Geiser



Hello, All,
I'm having an issue with Declude ignoring a test 
and I can't seem to figure out where my configuration problem lies so I thought 
I'd send it to the list for some additional troubleshooting.
 
Our mail system received the following message 
Friday Night...
 

Received: from tempus.getresponse.com [207.8.198.43] by american-ape.com  (SMTPD32-6.06) id A6B2180027A; Fri, 17 Sep 2004 22:00:18 -0400
Received: (qmail 81325 invoked by uid 1003); 18 Sep 2004 01:58:34 -
Date: 18 Sep 2004 01:58:34 -
Message-ID: <[EMAIL PROTECTED]>
From: "BestYellow.com" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "Submitter" <[EMAIL PROTECTED]>
X-Mailer: GetResponse
X-Complaints-To: [EMAIL PROTECTED]
Response-id: r-bestyellow-rid-336878-bid-100291
X-Remove-Address: [EMAIL PROTECTED]
X-Responder-ID: 336878
Subject: =?utf-8?b?SGVscCAtIEh1cnJpY2FuZSBSZWxpZWYgUGFja2FnZQ==?=
Content-Type: text/html; charset="UTF-8"
X-Declude-Sender: [EMAIL PROTECTED] [207.8.198.43]
X-Note: This E-mail was scanned & filtered by Declude [1.79] for SPAM & viruses.
X-Country-Chain: UNITED STATES->destination
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Note: Sent with HELO [tempus.getresponse.com] from Reverse DNS [tempus.getresponse.com]
X-Spam-Tests-Failed: NOABUSE, IPNOTINMX, NOLEGITCONTENT, WEIGHT-HOLD, AHBL-RHSBL-RELAY, IPFILE-BAD-24 [199]

 
One of these tests that I have configured did not 
get noted in the X-Spam-Tests-Failed line.
 
I have the following entry in 
GLOBAL.CFG...
 

FROMFILE-OTHER  fromfile D:\iMail\declude\JunkMail.08.FromFile.Other.txt  x 50 0

 
and the following entry in 
"JunkMail.08.FromFile.Other.txt"...
 

# // JunkMail.08.FromFile.Other.txt //
 
# # == Add 
Points To Total Weight ==# 
 
# -- Strings In User Names
 
-COM@-return@.com@.com-.com..com?

 
This message should have had an additional 50 
points added to it because it has the string ".com@" in the "Sender" field but 
it didn't.
 
I isolated the entries for this message in the 
Declude JunkMail Log...
 

09/17/2004 22:00:37 Q96b227a NOABUSE:24 AHBL-RHSBL-RELAY:25 IPFILE-BAD-24:150 .  Total weight = 199.
09/17/2004 22:00:37 Q96b227a Msg failed NOABUSE ("Not supporting [EMAIL PROTECTED]"). Action="">
09/17/2004 22:00:37 Q96b227a Msg failed WEIGHT-HOLD (Total weight between 100 and 299.). Action="">
09/17/2004 22:00:37 Q96b227a Msg failed AHBL-RHSBL-RELAY ("Domain used in spam.  Access is not allowed."). Action="">
09/17/2004 22:00:37 Q96b227a Msg failed IPFILE-BAD-24 (# [US]). Action="">
09/17/2004 22:00:37 Q96b227a R1 Message OK
09/17/2004 22:00:37 Q96b227a Subject: =?utf-8?b?SGVscCAtIEh1cnJpY2FuZSBSZWxpZWYgUGFja2FnZQ==?=
09/17/2004 22:00:37 Q96b227a From: [EMAIL PROTECTED] To:  IP: 207.8.198.43 ID: 
09/17/2004 22:00:37 Q96b227a Tests failed [weight=199]: NOABUSE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE CATCHALLMAILS=IGNORE WEIGHT-HOLD=IGNORE AHBL-RHSBL-RELAY=IGNORE IPFILE-BAD-24=IGNORE 
09/17/2004 22:00:37 Q96b227a Using [incoming] CFG file d:\iMail\Declude\american-ape.com\$default$.junkmail.
09/17/2004 22:00:37 Q96b227a Msg failed NOABUSE ("Not supporting [EMAIL PROTECTED]"). Action="">
09/17/2004 22:00:37 Q96b227a Msg failed WEIGHT-HOLD (Total weight between 100 and 299.). Action="">
09/17/2004 22:00:37 Q96b227a Msg failed AHBL-RHSBL-RELAY ("Domain used in spam.  Access is not allowed."). Action="">
09/17/2004 22:00:37 Q96b227a Msg failed IPFILE-BAD-24 (# [US]). Action="">
09/17/2004 22:00:37 Q96b227a Subject: =?utf-8?b?SGVscCAtIEh1cnJpY2FuZSBSZWxpZWYgUGFja2FnZQ==?=
09/17/2004 22:00:37 Q96b227a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 207.8.198.43 ID: 
09/17/2004 22:00:37 Q96b227a Tests failed [weight=199]: NOABUSE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE CATCHALLMAILS=IGNORE WEIGHT-HOLD=HOLD AHBL-RHSBL-RELAY=IGNORE IPFILE-BAD-24=IGNORE 
09/17/2004 22:00:37 Q96b227a Last action = "">
 
but still no mention of the FROMFILE-OTHER 
test.
 
Does anyone have an idea what might be going on 
here?
 
Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]
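
Added example (not part of the original post, and not Declude's own tooling): a Python script that reads log lines in the layout quoted above and checks, per queue ID, whether the listed per-test weights add up to the reported total and which expected tests never appear. The function and variable names are hypothetical, and the line layout (timestamp, "Q" plus hex queue ID, weight summary, "Tests failed" list) is assumed from the excerpt in this post.

```python
import re
from collections import defaultdict

# Constructed sample: lines adapted from the log excerpt quoted in the post
# above; [EMAIL PROTECTED] is the archive's redaction placeholder.
SAMPLE_LOG = '''\
09/17/2004 22:00:37 Q96b227a NOABUSE:24 AHBL-RHSBL-RELAY:25 IPFILE-BAD-24:150 .  Total weight = 199.
09/17/2004 22:00:37 Q96b227a Msg failed NOABUSE ("Not supporting [EMAIL PROTECTED]"). Action="">
09/17/2004 22:00:37 Q96b227a Msg failed WEIGHT-HOLD (Total weight between 100 and 299.). Action="">
09/17/2004 22:00:37 Q96b227a Tests failed [weight=199]: NOABUSE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE CATCHALLMAILS=IGNORE WEIGHT-HOLD=IGNORE AHBL-RHSBL-RELAY=IGNORE IPFILE-BAD-24=IGNORE
09/17/2004 22:00:37 Q96b227a Tests failed [weight=199]: NOABUSE=IGNORE IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE CATCHALLMAILS=IGNORE WEIGHT-HOLD=HOLD AHBL-RHSBL-RELAY=IGNORE IPFILE-BAD-24=IGNORE
'''

# Assumed layout: "MM/DD/YYYY HH:MM:SS Q<hex> <rest of entry>".
LINE_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (Q[0-9A-Fa-f]+) (.*)$")
# The weight summary is anchored at both ends so that sender-controlled text
# (for example a Subject line containing "Total weight = 0.") cannot be
# mistaken for it.
SUMMARY_RE = re.compile(
    r"^((?:[A-Za-z][\w-]*:-?\d+\s+)+)\.\s+Total weight = (-?\d+)\.\s*$")
PAIR_RE = re.compile(r"([A-Za-z][\w-]*):(-?\d+)")
FAILED_RE = re.compile(r"^Tests failed \[weight=(-?\d+)\]:\s*(.*)$")


def analyze(log_text, expected_tests=()):
    """Return a per-queue-ID report built from the weight and failure lines."""
    msgs = defaultdict(lambda: {"weights": {}, "total": None, "failed": {}})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        qid, rest = m.groups()
        rec = msgs[qid]
        summary = SUMMARY_RE.match(rest)
        if summary:
            rec["total"] = int(summary.group(2))
            for name, weight in PAIR_RE.findall(summary.group(1)):
                rec["weights"][name] = int(weight)
            continue
        failed = FAILED_RE.match(rest)
        if failed:
            # A message can have several "Tests failed" lines (one per CFG
            # file applied); the last action seen for a test wins.
            for pair in failed.group(2).split():
                name, _, action = pair.partition("=")
                rec["failed"][name] = action

    report = {}
    for qid, rec in msgs.items():
        seen = set(rec["weights"]) | set(rec["failed"])
        report[qid] = {
            "total": rec["total"],
            "weights": rec["weights"],
            "failed": rec["failed"],
            # True means the listed weights explain the whole total, so no
            # unlisted test can have added points to this message.
            "weights_account_for_total": (
                rec["total"] is not None
                and sum(rec["weights"].values()) == rec["total"]),
            # Tests reported as failed with no entry on the weight line.
            "no_weight_entry": sorted(set(rec["failed"]) - set(rec["weights"])),
            # Tests the administrator expected that appear nowhere.
            "missing": [t for t in expected_tests if t not in seen],
        }
    return report


if __name__ == "__main__":
    for qid, info in analyze(SAMPLE_LOG, ["FROMFILE-OTHER"]).items():
        print(qid, "total:", info["total"],
              "explained by listed weights:", info["weights_account_for_total"])
        print("  failed without a weight entry:", info["no_weight_entry"])
        print("  expected but absent:", info["missing"])
```

For the message in this post the listed weights (24 + 25 + 150) already equal the total of 199, so the 50 points configured for FROMFILE-OTHER were never applied; the test did not fire, rather than firing without being reported.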


[Declude.JunkMail] Missing IP4R Entry

2004-09-15 Thread Dan Geiser



Scott,
There appears to be a discrepancy between a couple 
of the resources you provide.
 
On the DNSStuff Spam Database Lookup you have an 
entry called PDL2 which points to www.blackholes.us.  There is no 
reference to PDL2 on the List of All Known Spam Databases.
 
Please let me know if that is intentional as I 
would like to use that for lookups if possible.
 
Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.JunkMail] Fw: Help, I have been blacklisted

2004-09-13 Thread Dan Geiser
Have you even read their sites?

- Original Message - 
From: "Richard Farris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 13, 2004 11:51 AM
Subject: Re: [Declude.JunkMail] Fw: Help, I have been blacklisted


> I have been delisted from SPAMCOP...whew...but I still am in the red with
> these guys:
>
> PSBL
> JAMMDNSBL
> BLARSBL
>
> Do you know how to get delisted with these guys...
>
> Richard Farris
> Ethixs Online
> 1.270.247. Office
> 1.800.548.3877 Tech Support
> "Crossroads to a Cleaner Internet"
>
> - Original Message - 
> From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, September 11, 2004 12:11 PM
> Subject: RE: [Declude.JunkMail] Fw: Help, I have been blacklisted
>
>
> Quickly contact Declude for a trial of Declude Hijack, which is a Declude
> product that just happens to be designed to stop this.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > [EMAIL PROTECTED] On Behalf Of Richard Farris
> > Sent: Saturday, September 11, 2004 9:06 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.JunkMail] Fw: Help, I have been blacklisted
> >
> > My log files have tripled in size the last 3 days. I have taken out several
> > IPs to send for that were questionable and still I think I am hijacked but I
> > cannot figure out where it is coming from...I have no viruses (except in the
> > virus folder) so I must be hijacked..
> >
> > Is there a way I can tell where the emails are coming from..I guess I can
> > keep taking out IPs until it stops?
> >
> > Richard Farris
> > Ethixs Online
> > 1.270.247. Office
> > 1.800.548.3877 Tech Support
> > "Crossroads to a Cleaner Internet"
> >
> > - Original Message -
> > From: "Richard Farris" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, September 10, 2004 2:18 PM
> > Subject: [Declude.JunkMail] Fw: Help, I have been blacklisted
> >
> >
> > > This is just from SpamCop...I am not open relay but have several IPs to
> > > relay for and am taking most of them out and making customers
> > > authenticate..
> > >
> > > Richard Farris
> > > Ethixs Online
> > > 1.270.247. Office
> > > 1.800.548.3877 Tech Support
> > > "Crossroads to a Cleaner Internet"
> > >
> > > - Original Message -
> > > From: "SpamCop/Ellen" <[EMAIL PROTECTED]>
> > > To: "Richard Farris" <[EMAIL PROTECTED]>
> > > Sent: Friday, September 10, 2004 1:35 PM
> > > Subject: Re: Help, I have been blacklisted
> > >
> > >
> > > > Hi -- I do not see spam right now and your IP is scheduled for delisting
> > > > within the next 2 hours. The headers below are indicative of all the headers
> > > > in the database. If you have fixed the problem then we should not see any
> > > > further spam and everything will be fine. If you have not fixed the problem
> > > > and the spammer abusing your server is just laying low waiting for the
> > > > delist then I would expect that we will be seeing more spam in the next 2 or
> > > > 3 days which will cause the IP to relist.
> > > >
> > > > Ellen
> > > >
> > > > Please include all previous correspondence with replies
> > > >
> > > >
> > > >
> > > > - Original Message -
> > > > From: "Richard Farris" <[EMAIL PROTECTED]>
> > > > To: "SpamCop/Ellen" <[EMAIL PROTECTED]>
> > > > Sent: Friday, September 10, 2004 1:08 PM
> > > > Subject: Re: Help, I have been blacklisted
> > > >
> > > >
> > > > > Even now you see spam coming out to you?
> > > > > Is there an exact IP I can trace or is it just the IP of my server
> > > > > 65.240.164.10
> > > > >
> > > > > Richard Farris
> > > > > Ethixs Online
> > > > > 1.270.247. Office
> > > > > 1.800.548.3877 Tech Support
> > > > > "Crossroads to a Cleaner Internet"
> > > > >
> > > > > - Original Message -
> > > > > From: "SpamCop/Ellen" <[EMAIL PROTECTED]>
> > > > > To: "Richard Farris" <[EMAIL PROTECTED]>
> > > > > Sent: Friday, September 10, 2004 11:47 AM
> > > > > Subject: Re: Help, I have been blacklisted
> > > > >
> > > > >
> > > > > > Hi Richard -- we are seeing spam being sent thru that IP:
> > > > > >
> > > > > > > Received: from host-10.ethixs.com (HELO ethixs.com) (65.240.164.10)
> > > > > > >  by 
> > > > > > > Received: from scene [201.128.42.9] by ethixs.com with ESMTP
> > > > > > >  (SMTPD32-7.11) id ; Wed, 08 Sep 2004 14:xx:XX -0400
> > > > > > > Subject: ONlY THE BEST F0R URS...
> > > > > > >
> > > > > > > The cause can be one of several things -- a worm/virus infection on the
> > > > > > > server or a machine nat'd behind the server or it could be an SMTP/AUTH
> > > > > > > exploit where the spammer has authenticated to your server and is
> > > > > > > sending/relaying spam thru it. Other possibilities include an insecure cache
> > > > > > > or proxy on the server or php or cgi script. The headers do not clearly
> > > > > > > indicate

Re: [Declude.JunkMail] I HAVE BLACKLISTED ON SPAMCOP

2004-09-10 Thread Dan Geiser
Richard,
If you query PSBL you can see some of the spam being sent from your IP,
http://psbl.surriel.com/evidence?ip=65.240.164.10&action=Check+evidence.  My
guess is an Open Relay.

Dan

- Original Message - 
From: "Richard Farris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 10, 2004 12:21 PM
Subject: Re: [Declude.JunkMail] I HAVE BLACKLISTED ON SPAMCOP


> They don't have a problem sending to me...but I have had a significant
> increase in folks telling me they are getting undeliverable mails back from
> those they regularly send mail to..
>
> Richard Farris
> Ethixs Online
> 1.270.247. Office
> 1.800.548.3877 Tech Support
> "Crossroads to a Cleaner Internet"
>
> - Original Message - 
> From: "Dan Geiser" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 10, 2004 11:12 AM
> Subject: Re: [Declude.JunkMail] I HAVE BLACKLISTED ON SPAMCOP
>
>
> > If you were on a blacklist people would not have problems sending to you.
> >
> > - Original Message - 
> > From: "Richard Farris" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, September 10, 2004 12:07 PM
> > Subject: [Declude.JunkMail] I HAVE BLACKLISTED ON SPAMCOP
> >
> >
> > > 65.240.164.10 has been blacklisted...what do I do to get it off..this must
> > > be the reason I have had customers email me that they are getting returned
> > > mail...I couldn't figure it out...I have been trying to for 3 days now..
> > >
> > > Richard Farris
> > > Ethixs Online
> > > 1.270.247. Office
> > > 1.800.548.3877 Tech Support
> > > "Crossroads to a Cleaner Internet"
> > >
> > > - Original Message - 
> > > From: "Richard Farris" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, September 10, 2004 10:54 AM
> > > Subject: Re: [Declude.JunkMail] 100% CPU
> > >
> > >
> > > > I see I have been blacklisted in spamcop.net...What do I do...Nothing could
> > > > be further from the truth of us sending spam..
> > > >
> > > > >
> > > > > In an effort to reduce the amount of SPAM that enters this site.
> > > > >
> > > > > Your E-mail to :"Richard Farris" <[EMAIL PROTECTED]> with the subject of
> > > > > :SPAMWARNING spam
> > > > > Was marked as SPAM and was not delvered.
> > > > >
> > > > >
> > > > > The reason for your E-mail to be mark was :
> > > > >
> > > > > smtp server is listed at bl.spamcop.net
> > > > >
> > > > >
> > > > > Please see the above souces to have your E-mail server removed from their
> > > > > black list.
> > > > >
> > > > >
> > > > >
> > > > > Scanning software was supplied free from...
> > > > > Martijn Jongen
> > > > > www.martinjongen.com/orfilter
> > > > >
> > > > > Thank you  !!
> > > > >
> > > > >
> > > > >
> > > > > Patrick C. Schafer
> > > > > Aerolite Extrusion Co
> > > >
> > > > Richard Farris
> > > > Ethixs Online
> > > > 1.270.247. Office
> > > > 1.800.548.3877 Tech Support
> > > > "Crossroads to a Cleaner Internet"
> > > >
> > > > - Original Message - 
> > > > From: "Richard Farris" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, September 08, 2004 8:22 PM
> > > > Subject: Re: [Declude.JunkMail] 100% CPU
> > > >
> > > >
> > > > > I see from previous messages it is a good idea to use SKIPIFWEIGHT
> > > > > Where do I put this and what is a good number to put in there..
> > > > > I hold at 9 and delete at 18...
> > > > >
> > > > > How can you tell if you are under a dictionary attack...thru the routers?
> > > > >
> > > > > Richard Farris
> > > > > Ethixs Online
> > > > > 1.270.247. Office
> > > > > 1.800.548.3877 Tech Support
> > > > > "Crossroads to a Cleaner Internet"
> > > > >

Re: [Declude.JunkMail] I HAVE BLACKLISTED ON SPAMCOP

2004-09-10 Thread Dan Geiser
If you were on a blacklist people would not have problems sending to you.

- Original Message - 
From: "Richard Farris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 10, 2004 12:07 PM
Subject: [Declude.JunkMail] I HAVE BLACKLISTED ON SPAMCOP


> 65.240.164.10 has been blacklisted...what do I do to get it off..this must
> be the reason I have had customers email me that they are getting returned
> mail...I couldn't figure it out...I have been trying to for 3 days now..
>
> Richard Farris
> Ethixs Online
> 1.270.247. Office
> 1.800.548.3877 Tech Support
> "Crossroads to a Cleaner Internet"
>
> - Original Message - 
> From: "Richard Farris" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 10, 2004 10:54 AM
> Subject: Re: [Declude.JunkMail] 100% CPU
>
>
> > I see I have been blacklisted in spamcop.net...What do I do...Nothing could
> > be further from the truth of us sending spam..
> >
> > >
> > > In an effort to reduce the amount of SPAM that enters this site.
> > >
> > > Your E-mail to :"Richard Farris" <[EMAIL PROTECTED]> with the subject of
> > > :SPAMWARNING spam
> > > Was marked as SPAM and was not delvered.
> > >
> > >
> > > The reason for your E-mail to be mark was :
> > >
> > > smtp server is listed at bl.spamcop.net
> > >
> > >
> > > Please see the above souces to have your E-mail server removed from their
> > > black list.
> > >
> > >
> > >
> > > Scanning software was supplied free from...
> > > Martijn Jongen
> > > www.martinjongen.com/orfilter
> > >
> > > Thank you  !!
> > >
> > >
> > >
> > > Patrick C. Schafer
> > > Aerolite Extrusion Co
> >
> > Richard Farris
> > Ethixs Online
> > 1.270.247. Office
> > 1.800.548.3877 Tech Support
> > "Crossroads to a Cleaner Internet"
> >
> > - Original Message - 
> > From: "Richard Farris" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 08, 2004 8:22 PM
> > Subject: Re: [Declude.JunkMail] 100% CPU
> >
> >
> > > I see from previous messages it is a good idea to use SKIPIFWEIGHT
> > > Where do I put this and what is a good number to put in there..
> > > I hold at 9 and delete at 18...
> > >
> > > How can you tell if you are under a dictionary attack...thru the routers?
> > >
> > > Richard Farris
> > > Ethixs Online
> > > 1.270.247. Office
> > > 1.800.548.3877 Tech Support
> > > "Crossroads to a Cleaner Internet"
> > >
> > > - Original Message - 
> > > From: "Darin Cox" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 08, 2004 8:03 PM
> > > Subject: Re: [Declude.JunkMail] 100% CPU
> > >
> > >
> > > > What processes are using the most CPU?
> > > > What are the message counts in your IMail spool?
> > > > Are you perhaps experiencing dictionary attacks?
> > > >
> > > > Darin.
> > > >
> > > >
> > > > - Original Message - 
> > > > From: "Richard Farris" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, September 08, 2004 8:44 PM
> > > > Subject: [Declude.JunkMail] 100% CPU
> > > >
> > > >
> > > > Over the last 24 hrs it seems my server has been working overtime processing
> > > > messages...I was at constant 100%...I tried downloading the latest interim
> > > > 1.79i16 and that didn't help...I turned off and reloaded Sortomonster files
> > > > and that didn't help...I took out all my IMAIL rules (rules.ima) which had a
> > > > lot of Body rules (about 40)  and that helped tremendously...so I guess I
> > > > will leave them out..however it does seem to still be pegging 100% quite a
> > > > bit..
> > > >
> > > > I guess my question is why all of a sudden without changing anything did my
> > > > NT server peg out...I had not updated my rules.ima in a while...and how can
> > > > I see what is taking so much resources...The task manager moves so fast I
> > > > can't see what is what...I do see a lot of Declude running but I think that
> > > > is normal?
> > > >
> > > > Any hints to where I could look to get back more resources would be
> > > > appreciated..
> > > >
> > > > Richard Farris
> > > > Ethixs Online
> > > > 1.270.247. Office
> > > > 1.800.548.3877 Tech Support
> > > > "Crossroads to a Cleaner Internet"
> > > >

Re: [Declude.JunkMail] 100% CPU

2004-09-10 Thread Dan Geiser
Not just Spamcop, http://www.dnsstuff.com/tools/ip4r.ch?ip=65.240.164.10.

- Original Message - 
From: "Richard Farris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 10, 2004 11:54 AM
Subject: Re: [Declude.JunkMail] 100% CPU


> I see I have been blacklisted in spamcop.net...What do I do...Nothing could
> be further from the truth of us sending spam..
>
> >
> > In an effort to reduce the amount of SPAM that enters this site.
> >
> > Your E-mail to :"Richard Farris" <[EMAIL PROTECTED]> with the subject of
> > :SPAMWARNING spam
> > Was marked as SPAM and was not delvered.
> >
> >
> > The reason for your E-mail to be mark was :
> >
> > smtp server is listed at bl.spamcop.net
> >
> >
> > Please see the above souces to have your E-mail server removed from their
> > black list.
> >
> >
> >
> > Scanning software was supplied free from...
> > Martijn Jongen
> > www.martinjongen.com/orfilter
> >
> > Thank you  !!
> >
> >
> >
> > Patrick C. Schafer
> > Aerolite Extrusion Co
>
> Richard Farris
> Ethixs Online
> 1.270.247. Office
> 1.800.548.3877 Tech Support
> "Crossroads to a Cleaner Internet"
>
> - Original Message - 
> From: "Richard Farris" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 08, 2004 8:22 PM
> Subject: Re: [Declude.JunkMail] 100% CPU
>
>
> > I see from previous messages it is a good idea to use SKIPIFWEIGHT
> > Where do I put this and what is a good number to put in there..
> > I hold at 9 and delete at 18...
> >
> > How can you tell if you are under a dictionary attack...thru the routers?
> >
> > Richard Farris
> > Ethixs Online
> > 1.270.247. Office
> > 1.800.548.3877 Tech Support
> > "Crossroads to a Cleaner Internet"
> >
> > - Original Message - 
> > From: "Darin Cox" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 08, 2004 8:03 PM
> > Subject: Re: [Declude.JunkMail] 100% CPU
> >
> >
> > > What processes are using the most CPU?
> > > What are the message counts in your IMail spool?
> > > Are you perhaps experiencing dictionary attacks?
> > >
> > > Darin.
> > >
> > >
> > > - Original Message - 
> > > From: "Richard Farris" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 08, 2004 8:44 PM
> > > Subject: [Declude.JunkMail] 100% CPU
> > >
> > >
> > > Over the last 24 hrs it seems my server has been working overtime processing
> > > messages...I was at constant 100%...I tried downloading the latest interim
> > > 1.79i16 and that didn't help...I turned off and reloaded Sortomonster files
> > > and that didn't help...I took out all my IMAIL rules (rules.ima) which had a
> > > lot of Body rules (about 40)  and that helped tremendously...so I guess I
> > > will leave them out..however it does seem to still be pegging 100% quite a
> > > bit..
> > >
> > > I guess my question is why all of a sudden without changing anything did my
> > > NT server peg out...I had not updated my rules.ima in a while...and how can
> > > I see what is taking so much resources...The task manager moves so fast I
> > > can't see what is what...I do see a lot of Declude running but I think that
> > > is normal?
> > >
> > > Any hints to where I could look to get back more resources would be
> > > appreciated..
> > >
> > > Richard Farris
> > > Ethixs Online
> > > 1.270.247. Office
> > > 1.800.548.3877 Tech Support
> > > "Crossroads to a Cleaner Internet"
> > >

[Declude.JunkMail] Web Site?

2004-09-10 Thread Dan Geiser



What's up with the Declude.com web site?  When I go to
http://www.declude.com/ I get...

"Microsoft OLE DB Provider for SQL Server error '80040e37'
Invalid object name 'ConfigSetup'.
/incfiles/configsetup.asp, line 600"

Thanks,
Dan


Fw: [Declude.JunkMail] New ALL_LIST.DAT File?

2004-07-30 Thread Dan Geiser
Hello, All,
So far I've had about seven people e-mail directly to get the instructions
for setting this up.  If you are interested let me know at
[EMAIL PROTECTED]  Also, if you are one of the people whom I provided
instructions to I'd be interested in knowing how you fare with them.  I
think they're pretty concise but I'm always looking for constructive
criticism.

Thanks,
Dan
[EMAIL PROTECTED]

- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 30, 2004 12:40 PM
Subject: Re: [Declude.JunkMail] New ALL_LIST.DAT File?


> Joe,
> I can send you the instructions on how to set it up if you like.
>
> Thanks,
> Dan Geiser
> [EMAIL PROTECTED]
>
> - Original Message - 
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 30, 2004 12:24 PM
> Subject: Re: [Declude.JunkMail] New ALL_LIST.DAT File?
>
>
> >
> > >Maybe I'm way behind here, but what is the all_list.dat file?
> >
> > It is used by the experimental geolocation system in Declude JunkMail Pro
> > (which identifies the country(ies) the E-mail passed through based on the
> > IP(s)).  This then lets you have a header showing the list of countries,
> > and filter based on them.
> >
> > For further details, you can search the archives for "all_list" or
> > "all_list.dat".
> >
> > -Scott
>
>


[Declude.JunkMail] WARNING: Unknown filter type #

2004-07-30 Thread Dan Geiser




Hello, All,
We are using Declude JunkMail Pro v. 1.79 Beta.  (No Interim Release).  I am
getting the following line in my DJM Logs...

07/30/2004 15:30:57 Qa1ea0c4 WARNING: Unknown filter type #.

I've been all over the GLOBAL.CFG file and I can't figure out what syntax
error I have that is causing this to occur.

Any ideas?

Thanks,
Dan Geiser
[EMAIL PROTECTED]


Re: [Declude.JunkMail] New ALL_LIST.DAT File?

2004-07-30 Thread Dan Geiser
Joe,
I can send you the instructions on how to set it up if you like.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 30, 2004 12:24 PM
Subject: Re: [Declude.JunkMail] New ALL_LIST.DAT File?


>
> >Maybe I'm way behind here, but what is the all_list.dat file?
>
> It is used by the experimental geolocation system in Declude JunkMail Pro
> (which identifies the country(ies) the E-mail passed through based on the
> IP(s)).  This then lets you have a header showing the list of countries,
> and filter based on them.
>
> For further details, you can search the archives for "all_list" or
> "all_list.dat".
>
> -Scott




Re: [Declude.JunkMail] New ALL_LIST.DAT File?

2004-07-30 Thread Dan Geiser
Cool!  Thanks!

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 30, 2004 9:36 AM
Subject: Re: [Declude.JunkMail] New ALL_LIST.DAT File?


>
> >Has the file been updated?
>
> It has just been updated, and is
> at  http://www.declude.com/version/release/all_list.dat .
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>


Re: [Declude.JunkMail] New ALL_LIST.DAT File?

2004-07-30 Thread Dan Geiser
Hi, Scott,
Has the file been updated?

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 29, 2004 1:58 PM
Subject: Re: [Declude.JunkMail] New ALL_LIST.DAT File?


>
> >Has the ALL_LIST.DAT been updated recently?
> >
>
> ><http://www.declude.com/release/179/all_list.dat>www.declude.com/release/179/all_list.dat
>
> There is a new one, but it isn't on the website yet.  I'll make sure that
> it gets updated.
>
> -Scott


[Declude.JunkMail] New ALL_LIST.DAT File?

2004-07-29 Thread Dan Geiser



Scott,
Has the ALL_LIST.DAT been updated 
recently?
 
www.declude.com/release/179/all_list.dat
 
The reason I ask is that an obvious spam IP address, 66.248.151.127, is
showing up in the Declude headers as "[ARIN Unlisted]" yet when I look that
IP up on DNSStuff it says country United States,
http://www.dnsstuff.com/tools/cidr.ch?ip=66.248.151.107.  Also ARIN WHOIS
appears to have it allocated to an ISP in Las Vegas.

Could some of your tools have one setup of IP allocation tables different
from ALL_LIST.DAT?
 
Thanks,
Dan Geiser
[EMAIL PROTECTED]


[Declude.JunkMail] OT: Reverse DNS Timeouts Over Weekend

2004-07-26 Thread Dan Geiser



Hello, All,
I'm checking SpamReview this morning for false 
positives.  Usually after the weekend I might have about 400 messages to 
review.  This morning I have close to 1400.  There seems to be an 
inordinate number of Reverse DNS lookup timeouts over the weekend which caused 
e-mails which normally would've failed "Spam Domains" (and get pushed above my 
delete threshold) to get lower scores and hence end up in the review 
directory.
 
Did anyone besides myself experience a larger 
number of Reverse DNS lookup timeouts over the weekend?  If so, any idea 
what might be causing it?  The only thing I've really done recently is 
upgraded to Beta 1.79 (no interim).  Could that have something to do with 
it?
 
Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


[Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for Declude JunkMail

2004-07-09 Thread Dan Geiser



Is this guy serious when he says "The test is available for download".  What
do we have to download?  What version number includes this test?  What is
the format of the test?  Is it just an IP4R test?  What host name do we use?

  - Original Message -
  From: Barry @ CPHZ
  To: [EMAIL PROTECTED]
  Sent: Friday, July 09, 2004 10:35 AM
  Subject: New Multiple Threat Lookup Database test for Declude JunkMail

  We are pleased to let you know that today we have released a new test for
  all Declude JunkMail customers who are covered by a currently valid Support
  Agreement.

  The MTLDB test will test each E-mail against our database of IP addresses
  that have sent viruses.  If the IP address is listed, the E-mail will fail
  the test.  Otherwise, the E-mail will pass the test.  The MTLDB test is used
  in the same way as other Declude JunkMail tests.  For most customers, it
  would be used towards the weighting system, so that it is more likely that
  spam will get caught.  However, like other tests in Declude JunkMail, it is
  possible to take a separate action for E-mails failing the MTLDB test (such
  as quarantining them with the HOLD action).

  The test is available for download www.declude.com

  Thanks for your support.

  Barry
  Barry Simpson
  President & CEO
  Computerized Horizons, LLC
  65 Parker Street
  Unit 5
  Newburyport, MA 01950


Re: [Declude.JunkMail] Country Configuration?

2004-07-09 Thread Dan Geiser



Hello, Doug,
I would recommend using the COUNTRY/COUNTRIES functionality in a filter.
Here is how I do it...

1.  Download the file, http://www.declude.com/release/179/all_list.dat, and
place it in the directory that your GLOBAL.CFG file is in.

2.  Add the following...

GLOBAL.CFG
--
XINHEADER   X-Country-Chain: %COUNTRYCHAIN%
--

This will add a header in each e-mail which shows you the countries that own
each IP that a message passes through.

3.  Add the following...

GLOBAL.CFG

FILTER-COUNTRY  filter  D:\IMail\declude\JunkMail.01.Filter.Country.txt  x 0 0

This will tell the GLOBAL.CFG file to use the filter file referenced above.

4.  Create a file called JunkMail.01.Filter.Country.txt and place it in the
same directory as GLOBAL.CFG.

I have attached my JunkMail.01.Filter.Country.txt file.  Keep in mind I HOLD
on 100 and DELETE on 300 and that my countries are heavily scaled towards the
countries that our customers receive e-mail from.

COUNTRY adds points for the last country in the chain.  COUNTRIES adds
points for a country anywhere in the chain.

Let me know if it makes sense or not.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

  - Original Message - 
  From: Doug Anderson 
  To: [EMAIL PROTECTED] 
  Sent: Friday, July 09, 2004 10:52 AM
  Subject: [Declude.JunkMail] Country Configuration?

  After looking at the manual/archives and getting a 
  little more confused I've decided to consult the masses.
  What would be the easiest way of adding a few points for 
  emails NOT originating from Canada, US, and Mexico?
  We have users in all three areas so I'm guessing the 
  nonenglish won't work because we have english, spanish, and french emails 
  traveling through.
  I just want to add 2 or 3 points for Non Canada/US/Mexico 
  emails because what I'm doing now (endswith .ac, endwith ad...) needs to be 
  enhanced somehow.
   
  I'm running 1.75
   
# // JunkMail.01.Filter.Country.txt //

# *1 Multi-Regional
# *2 Europe
# *3 North America
# *4 Central/South America
# *5 Pacific Rim
# *A ARIN Unlisted
# *B Public Data Network
# *E RIPE Unlisted
# *I Private IP
# *L Loopback
# *M Multicast
# *P APNIC Unlisted
# *R IANA Reserved
# *U Unknown

# -- Non-Countries That Send Us Legit E-Mail --

COUNTRIES   25  CONTAINS  *1
COUNTRY     33  CONTAINS  *1
COUNTRIES   51  CONTAINS  *A
COUNTRY     23  CONTAINS  *A
COUNTRIES   67  CONTAINS  *U
COUNTRY     33  CONTAINS  *U

# -- Non-Countries That Don't Send Us Legit E-Mail --

COUNTRIES   67  CONTAINS  *3
COUNTRY     33  CONTAINS  *3
COUNTRIES   67  CONTAINS  *4
COUNTRY     33  CONTAINS  *4
COUNTRIES   67  CONTAINS  *B
COUNTRY     33  CONTAINS  *B
COUNTRIES   50  CONTAINS  *E
COUNTRY     24  CONTAINS  *E
COUNTRIES   67  CONTAINS  *M
COUNTRY     33  CONTAINS  *M
COUNTRIES   67  CONTAINS  *P
COUNTRY     33  CONTAINS  *P
COUNTRIES   67  CONTAINS  *R
COUNTRY     33  CONTAINS  *R

# -- Countries That Send Us Legit E-mail -- 

COUNTRIES   59  CONTAINS  au
COUNTRY     33  CONTAINS  au
COUNTRIES   67  CONTAINS  br
COUNTRY     33  CONTAINS  br
COUNTRIES   16  CONTAINS  ca
COUNTRY     8   CONTAINS  ca
COUNTRIES   56  CONTAINS  ch
COUNTRY     26  CONTAINS  ch
COUNTRIES   33  CONTAINS  cl
COUNTRY     16  CONTAINS  cl
COUNTRIES   16  CONTAINS  de
COUNTRY     8   CONTAINS  de
COUNTRIES   35  CONTAINS  dk
COUNTRY     16  CONTAINS  dk
COUNTRIES   67  CONTAINS  eg
COUNTRY     33  CONTAINS  eg
COUNTRIES   67  CONTAINS  eu
COUNTRY     33  CONTAINS  eu
COUNTRIES   34  CONTAINS  fi
COUNTRY     17  CONTAINS  fi
COUNTRIES   30  CONTAINS  fr
COUNTRY     16  CONTAINS  fr
COUNTRIES   0   CONTAINS  jo
COUNTRY     33  CONTAINS  jo
COUNTRIES   24  CONTAINS  kw
COUNTRY     12  CONTAINS  kw
COUNTRIES   28  CONTAINS  my
COUNTRY     14  CONTAINS  my
COUNTRIES   67  CONTAINS  pe
COUNTRY     33  CONTAINS  pe
COUNTRIES   67  CONTAINS  sg
COUNTRY     33  CONTAINS  sg
COUNTRIES   67  CONTAINS  tr
COUNTRY     33  CONTAINS  tr
COUNTRIES   59  CONTAINS  tw
COUNTRY     33  CONTAINS  tw
COUNTRIES   50  CONTAINS  uk
COUNTRY     24  CONTAINS  uk

# -- Countries That Don't Send Us Legit E-Mail --

COUNTRI

Re: [Declude.JunkMail] DOW test

2004-05-25 Thread Dan Geiser
Can someone tell me what DOW is?

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "John Olden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 25, 2004 9:09 AM
Subject: [Declude.JunkMail] DOW test


> Maybe someone can answer this for me. Looking at my daily WamLog stats I
> see that my DOW test is averaging about 90-95% on message failure.
>
> DOW2366   912443   86
>
> Message Count25902836
>
> Shouldn't this be 100%? I have the following definition?
>
> DOWdow15-1010
>
> Or is this percentage a little lower because of local (outgoing) IPs
> being whitelisted?
> Just checking.
>
> John Olden - Systems Administrator
> Champaign Park District
>

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] News: Reformed spammer says he may relapse

2004-05-24 Thread Dan Geiser



http://money.cnn.com/2004/05/20/technology/spam.reut/?cnn=yes
 
"Ron Scelson told the Senate Commerce Committee that the 30 million messages
he sends out each day from an underground nuclear-fallout shelter contain his
mailing address and a method for recipients to opt out of future mailings, as
required by a national law that took effect Jan. 1.

But the man known as the "Cajun spammer" said he stood ready to deploy a
range of deceptive tactics if large Internet providers like America Online and
Microsoft Corp.'s Hotmail continued to block his messages."

So, is that some sort of threat, Ron?  What Ron and his ilk don't understand
is that we have the right to filter any traffic coming into our networks if
our customers grant us that right.  Filtering spam with software is no
different than filtering TCP/IP and ICMP traffic with a firewall.  The
filtering just occurs at a different layer in the OSI Network Model.



Re: [Declude.JunkMail] FTC to crack down on porn spam

2004-05-20 Thread Dan Geiser
I always thought it would be much easier to track down spammers if the ISPs
would stop terminating the service of the known spammers that they have on
their networks and instead allow them to continue to keep the same IP
addresses.  That way the list of IP addresses of known spammers would not be
ever changing.  So the ISPs would continue to take money from them for
Internet service, draining their pocketbooks on one end, and we would block
the IPs of the spammers, blocking their source of income, and in turn their
pocket books, on the other end.

- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 20, 2004 1:30 PM
Subject: RE: [Declude.JunkMail] FTC to crack down on porn spam


I have a better idea. Make the spammers put the word SPAM at the
beginning of the subject line (regardless of content) then it would make
it really easy for filters..

All I have to say is this is going to be very usefulNOT



 Goran Jovanovic
 The LAN Shoppe



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matt
> Sent: Thursday, May 20, 2004 9:53 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] FTC to crack down on porn spam
>
> What a bunch of idgets
>
> http://money.cnn.com/2004/05/19/technology/ftc_spam/index.htm
>
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =
>
>


[Declude.JunkMail] Filtering for HELOs that are IP Addresses

2004-05-19 Thread Dan Geiser



Hello, All,
I am considering creating a filter file that looks 
for HELO strings that are IP addresses.  I was going to do something along 
the lines of the following...
 

# // JunkMail.05.Filter.Helo.IP.txt //

#
# == Add Points To Total Weight ==
#

# -- Untrusted HELOs

#  HELOs That Are IP Addresses

HELO    100    CONTAINS    0.1
HELO    100    CONTAINS    0.2
HELO    100    CONTAINS    0.3
HELO    100    CONTAINS    0.4
HELO    100    CONTAINS    0.5
HELO    100    CONTAINS    0.6
HELO    100    CONTAINS    0.7
HELO    100    CONTAINS    0.8
HELO    100    CONTAINS    0.9

HELO    100    CONTAINS    9.1
HELO    100    CONTAINS    9.2
HELO    100    CONTAINS    9.3
HELO    100    CONTAINS    9.4
HELO    100    CONTAINS    9.5
HELO    100    CONTAINS    9.6
HELO    100    CONTAINS    9.7
HELO    100    CONTAINS    9.8
HELO    100    CONTAINS    9.9

 
Am I correct in my thinking that with this filter 
that an IP address in the HELO string would NOT add just 100 points to the 
weight of an e-mail but instead could end up adding up to 300 points because 
each line would be compared to the HELO string and if that string was 
210.10.23.75, for example, it would add 100 points for "0.1" and "0.2" and 
"3.7"?
 
Thanks In Advance,
Dan Geiser
 


Re: [Declude.JunkMail] f-prot

2004-05-18 Thread Dan Geiser
John,
Just use Froogle, http://froogle.google.com/.  There are plenty of stores
listed on there which have the product in that price range.

Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "John Carter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 18, 2004 3:56 PM
Subject: RE: [Declude.JunkMail] f-prot


> Do you have a CDW product number on this?  Called and they took forever
> to come back with $20+
>
> Thanks,
> John
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
> Sent: Tuesday, May 18, 2004 9:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] f-prot
>
> On 17 May 2004 at 20:56, Aaron J. Caviglia wrote:
>
> > Where can we purchase the command line scanner?
> Aaron -
>
> If you are referring to the Mcafee one for $11 - Scott mentioned
> "My 1 year McAfee VirusScan Command Line license was $11 through
> CDW."
>
> We paid the same thing off of State contract from Insight.
>
> -Nick Hayer
> >
> > Thanks,
> >
> > Aaron Caviglia
> >
> > On May 17, 2004, at 8:23 PM, Goran Jovanovic wrote:
> >
> > >> For the latter there is an outstanding request to Scott to
> > >> kill additional scanning once a scanner detects a virus..
> > >
> > > So right now if you use multiple scanners when you scan with
> > > ScannerA and it finds a virus Declude will still call ScannerB and
> > > have it scan as well?
> > >
> > > Scott pointed out that his McAfee was only $11.00 for the year so
> > > the price barrier is "non-existent" and I see from your and Scott's
> > > responses that there are indeed reasons to have more than one
> > > scanner.
> > >
> > > Thank you all
> > >
> > >  Goran Jovanovic
> > >  The LAN Shoppe
> > >
> > >
> > >> -Original Message-
> > >> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> > >> [EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Monday, May 17,
> > >> 2004 10:03 AM To: [EMAIL PROTECTED] Subject: RE:
> > >> [Declude.JunkMail] f-prot
> > >>
> > >> On 17 May 2004 at 9:13, Goran Jovanovic wrote:
> > >>
> > >>> For the folks using multiple scanners, do you have any stats on
> > >>> how often the secondary scanner found a virus that the first one
> > >>> missed?
> > >> Hi Goran,
> > >>
> > >> Here are my latest stats:
> > >> Virus Totals:
> > >> 441 F-Prot
> > >> 412 AVG
> > >> 446 McAfee
> > >> -
> > >> Vunerabilities:
> > >> 349
> > >> -
> > >>
> > >> I update the defs for all every 4 hrs on a staggered schedule.
> > >> Because of possible false positives I have found it hard to rank
> > >> one particular scanner over another. For me the advantage to have
> > >> more than one is one [varies] company will always come out with
> > >> protection for a new outbreak before another. The downside is cost
> > >> and cpu overhead. For the latter there is an outstanding request to
> > >> Scott to kill additional scanning once a scanner detects a virus..
> > >>
> > >> -Nick Hayer
> > >>
> > >>
> > >>
> > >>
> > >>>
> > >>> I realize that the cost of F-Prot (which I am using) is quite low
> > > and
> > >>> others might be as well, so it is not a cost issue but rather a
> > >>> "Do
> > > I
> > >>> really need it?".
> > >>>
> > >>> Thanx
> > >>>
> > >>>
> > >>>  Goran Jovanovic
> > >>>  The LAN Shoppe
> > >>>
> > >>>
> > >>>
> > >>>> -Original Message-
> > >>>> From: [EMAIL PROTECTED]
> > >>>> [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott
> > >>>> Fisher Sent: Monday, May 17, 2004 12:49 AM To:
> > >>>> [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail]
> > >>>> f-prot
> > >>>>
> > >>>> I find the Mcafee is the best at detecting viruses within
> > >>>> encrypted zips.
> > >>>> Otherwise they are pretty even.
&

Re: [Declude.JunkMail] "SPAMHEADERS"?

2004-05-17 Thread Dan Geiser
http://www.declude.com/tools/header.php?code=420e

- Original Message - 
From: "Dave Doherty" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 17, 2004 2:26 PM
Subject: [Declude.JunkMail] "SPAMHEADERS"?


> Hi,
>
> Can anyone tell me why this one failed the SPAMHEADERS test?
>
> -Dave Doherty
>  Skywaves, Inc.
>
>
>
> Received: from IlanXP [68.236.177.124] by inettec.com with ESMTP
>   (SMTPD32-8.05) id A69B29201E4; Mon, 17 May 2004 13:30:03 -0400
> From: "Ilan Cyzner" <[EMAIL PROTECTED]>
> To: "'Dave Doherty'" <[EMAIL PROTECTED]>
> Subject: [11]   whitelist
> Date: Mon, 17 May 2004 13:32:41 -0400
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="=_NextPart_000_0066_01C43C13.6E051AD0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> Thread-Index: AcQ8NPSd4vuOexbQSj+TGJ7Rqs6ypw==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Message-Id: <[EMAIL PROTECTED]>
> X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
> [420e].
> X-RBL-Warning: MAILPOLICE-DYNA-REVDNS: This E-mail came from a potential
> spam source listed in MAILPOLICE-DYNA-REVDNS.
> X-Spam-Tests-Failed: SPAMHEADERS [3], MAILPOLICE-DYNA-REVDNS [8]
> X-Spam-Total-Weight: [11]
> X-Declude-Sender: [EMAIL PROTECTED] [68.236.177.124]
> X-Declude-Spoolname: Df69b029201e40c72.SMD
> X-Note: This E-mail was sent from
dpvc-68-236-177-124.ny325.east.verizon.net
> ([68.236.177.124]).
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 343954817
>
>


Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-17 Thread Dan Geiser
Thank you so much, Kami!  I can definitely understand your concise
explanation and it sounds like a great way to handle what I am trying to do
or at least add another trick in the bag.  I'll have to see how I can
incorporate this into my current setup.

Thanks, Again!
Dan

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 14, 2004 4:32 PM
Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?


> "I don't even know how to mentally parse the below code that you've
listed."
>
> REVDNS END ENDSWITH .hotmail.com
> MAILFROM 3 ENDSWITH @hotmail.com
> HELO 5 ENDSWITH .hotmail.com
>
> Hi Dan:
>
> This is what the above means.
>
> REVDNS END ENDSWITH .hotmail.com
>
> -- if reverse dns ends with Hotmail.com end the filter and do not process
> the rest of the filter.  This way it won't even trigger the test as being
> run.  What that means is the reverse DNS is hotmail.com
>
> MAILFROM 3 ENDSWITH @hotmail.com
>
> -- naturally if line 2 is executed it means that reverse DNS is NOT
> hotmail.com and if the mailfrom endswith hotmail.com then add 3 to the
> weight.  As stated this is one of the many filters we have on Good ISP
> filters.  This filter penalizes an email if the sender's email is hotmail
> but the reverse dns and helo are not.
>
> Similarly on line 3-
>
> HELO 5 ENDSWITH .hotmail.com
>
> Add 5 points if HELO ends with hotmail.com
>
> So if someone's email is [EMAIL PROTECTED] and the reverse dns is not
> hotmail.com the email gets 3 and if HELO is hotmail.com then it gets 8
> points.
>
> Hope that explains it..
>
> Kami
>
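
Added example (not part of the original posts, and not Declude code): a toy Python evaluator for the filter-file lines discussed in this thread. It assumes lines are read top to bottom, every matching line adds its weight, and END stops processing, as Kami describes above; it then replays the HELO substring rules from the 2004-05-19 post (assuming one rule per digit-dot-digit pair) beside a whole-string IP-literal check. All sample hosts and addresses are constructed.

```python
import ipaddress

# Kami's three lines, as quoted in the thread.
KAMI_FILTER = """
REVDNS   END  ENDSWITH  .hotmail.com
MAILFROM 3    ENDSWITH  @hotmail.com
HELO     5    ENDSWITH  .hotmail.com
"""

# Assumption: the HELO filter holds one CONTAINS rule per "d.d" pair, in the
# pattern the post lists (0.1 ... 0.9 through 9.1 ... 9.9).
HELO_FILTER = "\n".join(
    f"HELO 100 CONTAINS {a}.{b}" for a in range(10) for b in range(1, 10)
)


def parse_filter(text):
    """Parse 'TEST WEIGHT OPERATOR VALUE' lines, skipping blanks and # comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        test, weight, op, value = line.split(None, 3)
        rules.append((test.upper(), weight.upper(), op.upper(), value.lower()))
    return rules


def evaluate(rules, msg):
    """Return (total_weight, hits) for msg, a dict such as {"HELO": "..."}."""
    total, hits = 0, []
    for test, weight, op, value in rules:
        field = msg.get(test, "").lower()
        if op == "CONTAINS":
            matched = value in field
        elif op == "ENDSWITH":
            matched = field.endswith(value)
        else:
            raise ValueError("unsupported operator: " + op)
        if not matched:
            continue
        if weight == "END":          # stop here, later lines never run
            break
        total += int(weight)         # every matching line adds its weight
        hits.append((test, value))
    return total, hits


def helo_is_ip_literal(helo):
    """True only when the whole HELO is an IP address, bare or as an
    RFC 5321 address literal such as [192.0.2.10] or [IPv6:2001:db8::1]."""
    candidate = helo.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
        if candidate.lower().startswith("ipv6:"):
            candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return True


def demo():
    """Replay both filters on constructed messages and return the results."""
    helo_rules = parse_filter(HELO_FILTER)
    kami_rules = parse_filter(KAMI_FILTER)
    genuine = {"REVDNS": "mail1.hotmail.com", "MAILFROM": "user@hotmail.com",
               "HELO": "mail1.hotmail.com"}
    forged = {"REVDNS": "host.example.net", "MAILFROM": "user@hotmail.com",
              "HELO": "host.example.net"}
    forged_helo = dict(forged, HELO="mx.hotmail.com")
    return {
        # The IP from the post: "0.1", "0.2" and "3.7" each add 100.
        "helo_ip": evaluate(helo_rules, {"HELO": "210.10.23.75"}),
        # An ordinary host name that happens to contain "2.3" is also hit.
        "helo_hostname": evaluate(helo_rules, {"HELO": "mail2.3rdparty.example"}),
        "genuine": evaluate(kami_rules, genuine)[0],
        "forged_sender": evaluate(kami_rules, forged)[0],
        "forged_sender_and_helo": evaluate(kami_rules, forged_helo)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Under these assumptions the substring rules both stack on a real IP and fire on host names, while the whole-string check gives one yes/no answer per HELO.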


[Declude.JunkMail] Comments in "SPAMDOMAINS" text file

2004-05-17 Thread Dan Geiser



Hello, All,
Is "spamdomains" one of the tests that permits 
comments on the same line as its entries or not?
 
For example, if I have a "spamdomains" file that 
looks like...
 
@adelphia.net  .adelphia.net        # Added: 05/17/2004
@att.net    # Added: 05/17/2004
@attbi.com
@bellsouth.net
@eudoramail.com
@juno.com  .untd.com
@lycos.com
@mindspring.com  blount.mail.mindspring.net
@msn.com  .hotmail.com
@netzero.net  .untd.com
 
will those "# Added: 05/17/2004" comments mess up 
the functioning of the file?
 
Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]
 
 


Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Dan Geiser
Hi, Kami,
I don't even know how to mentally parse the below code that you've listed.
Would this go inside a filter file?  What does each line signify?

For example, REVDNS END ENDSWITH .hotmail.com.  I've not seen that syntax
before.  Is END a valid value in that column?  What does it do?  When was
the END value introduced?  I am currently running v1.75 and I know there's
been a lot of stuff introduced since our Service Agreement expired.

Thanks for your feedback.

Dan

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 14, 2004 9:40 AM
Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?


> Dan..
> Maybe I am not understanding the question.  But I basically have a couple
> of combination tests that are like the following:
>
> REVDNS END ENDSWITH .hotmail.com
> MAILFROM 3 ENDSWITH @hotmail.com
> HELO 5 ENDSWITH .hotmail.com
>
> So with this logic you can add weight if someone is using Hotmail as
> return address but is not using hotmail to send mail.
>
> We have this for a lot of ISP's.
>
> Is this what you are trying to do?
>
> Regards,
> -Kami
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Friday, May 14, 2004 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
>
> Kami,
> How do you see me using a filter file "to add a small amount of points for
> the end of every SENDER that doesn't match the end of every REVDNS in the
> "edu" TLD."?
>
> I don't know how to use a filter file to compare a string in one field to
a
> string in another.
>
> If it can be done that would be great.
>
> Thanks,
> Dan Geiser
> [EMAIL PROTECTED]
>


Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Dan Geiser
Kami,
How do you see me using a filter file "to add a small amount of points for
the end of every SENDER that doesn't match the end of every REVDNS in the
"edu" TLD."?

I don't know how to use a filter file to compare a string in one field to a
string in another.

If it can be done that would be great.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 14, 2004 9:22 AM
Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?


> Dan..
>
> Can you not use a filter file for this?
>
> Kami
>
> -Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Friday, May 14, 2004 9:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
>
> Scott,
> I know it's been awhile since you posted the answer to my original
> question but I would _love_ to have a test which functions exactly the
> same as "spamdomains" but instead of searching the reverse DNS in a
> CONTAINS type manner it searched it in an ENDSWITH type manner.
>
> That would allow me to create a file like the below (that would be used
> with the ENDSWITH-type "spamdomains" test)...
>
> -
> a.edu
> b.edu
> c.edu
> d.edu
> .
> .
> .
> w.edu
> x.edu
> y.edu
> z.edu
> -
>
> which I would use to add a small amount of points for the end of every
> SENDER that doesn't match the end of every REVDNS in the "edu" TLD.  With
> "edu" especially a large majority of the time it does match so points for
> not matching would be great.
>
> And that's just one example of how that would be very useful to me.
> .Just another request to give consideration for the future.
>
> Thanks,
> Dan Geiser
> [EMAIL PROTECTED]
>
> - Original Message -
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 02, 2004 7:11 PM
> Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
>
>
> >
> > >If I have a SPAMDOMAINS type test in my GLOBAL.CFG...
> > >
> > >SD-TLD   spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt  x 5
0
> > >
> > >...and I have some entries in the corresponding flat text file like
> below...
> > >
> > >.mil
> > >
> > >will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner
> or
> > >an ENDSWITH type manner?
> >
> > It will work like CONTAINS, so:
> >
> > >For example would the host name ".milton-bradley.com" in the below...
> > >
> > >-
> > >X-Note: Sent with HELO [mail] from Reverse DNS
[mail.milton-bradley.com]
> > >-
> > >
> > >get flagged as passing or failing the SPAMDOMAINS test?
> >
> > That one would get caught, if the reverse DNS entry did not contain
".mil"
> > in it.  So if the E-mail was from [EMAIL PROTECTED], and the
> > reverse DNS entry was "mail.milton-bradley.com", the E-mail would not
fail
> > the test (but if the reverse DNS was "mail.someone_else.com", it would
> fail
> > the test).
> >
> > -Scott
> > ---
> > Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> > since 2000.
> > Declude Virus: Catches known viruses and is the leader in mailserver
> > vulnerability detection.
> > Find out what you've been missing: Ask for a free 30-day evaluation.
> >

Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?

2004-05-14 Thread Dan Geiser
Scott,
I know it's been awhile since you posted the answer to my original question
but I would _love_ to have a test which functions exactly the same as
"spamdomains" but instead of searching the reverse DNS in a CONTAINS type
manner it searched it in an ENDSWITH type manner.

That would allow me to create a file like the below (that would be used with
the ENDSWITH-type "spamdomains" test)...

-
a.edu
b.edu
c.edu
d.edu
.
.
.
w.edu
x.edu
y.edu
z.edu
-

which I would use to add a small amount of points for the end of every
SENDER that doesn't match the end of every REVDNS in the "edu" TLD.  With
"edu" especially a large majority of the time it does match so points for
not matching would be great.

And that's just one example of how that would be very useful to me.
.Just another request to give consideration for the future.

Thanks,
Dan Geiser
[EMAIL PROTECTED]

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 02, 2004 7:11 PM
Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?


>
> >If I have a SPAMDOMAINS type test in my GLOBAL.CFG...
> >
> >SD-TLD   spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt  x 5 0
> >
> >...and I have some entries in the corresponding flat text file like
below...
> >
> >.mil
> >
> >will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner
or
> >an ENDSWITH type manner?
>
> It will work like CONTAINS, so:
>
> >For example would the host name ".milton-bradley.com" in the below...
> >
> >-
> >X-Note: Sent with HELO [mail] from Reverse DNS [mail.milton-bradley.com]
> >-
> >
> >get flagged as passing or failing the SPAMDOMAINS test?
>
> That one would get caught, if the reverse DNS entry did not contain ".mil"
> in it.  So if the E-mail was from [EMAIL PROTECTED], and the
> reverse DNS entry was "mail.milton-bradley.com", the E-mail would not fail
> the test (but if the reverse DNS was "mail.someone_else.com", it would
fail
> the test).
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
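
Added example (not from the original thread, and not Declude's implementation): a Python sketch of the spamdomains comparison as Scott describes it, next to the ENDSWITH variant Dan asks for. How the sender is matched against an entry, the function names, and every address and host name other than the two reverse DNS names quoted above are assumptions made for illustration.

```python
def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def suffix_match(host, entry):
    """Label-aware ENDSWITH: 'x.mil' and 'a.x.mil' match '.mil', 'xmil' does not."""
    bare = entry.lower().lstrip(".")
    host = host.lower().rstrip(".")
    return host == bare or host.endswith("." + bare)


def check(sender, revdns, entries, mode):
    """Return 'fail', 'pass' or 'n/a' for one message.

    An entry applies when the sender's domain falls under it (assumption).
    mode='contains' accepts the reverse DNS if the entry appears anywhere in
    it, which is the behaviour described in the reply above.
    mode='endswith' accepts it only if the reverse DNS ends with the entry on
    a label boundary, which is the variant requested in this message.
    """
    domain = domain_of(sender)
    for entry in entries:
        if not suffix_match(domain, entry):
            continue
        if mode == "contains":
            backed = entry.lower() in revdns.lower()
        elif mode == "endswith":
            backed = suffix_match(revdns, entry)
        else:
            raise ValueError("unknown mode: " + mode)
        return "pass" if backed else "fail"
    return "n/a"  # sender is not in any listed domain


# Entries: '.mil' from the thread, 'b.edu' from the wished-for .edu list.
ENTRIES = [".mil", "b.edu"]

# Constructed messages: (sender, reverse DNS of the connecting host).
CASES = [
    ("someone@example.mil", "smtp.example.mil"),          # legitimate
    ("someone@example.mil", "mail.milton-bradley.com"),   # '.mil' inside 'mail.milton'
    ("someone@example.mil", "mail.someone_else.com"),     # no '.mil' at all
    ("dean@b.edu", "pool-7.b.edu.example.net"),           # 'b.edu' as leading labels
    ("user@example.com", "mail.example.com"),             # domain not listed
]


def compare(entries=ENTRIES, cases=CASES):
    """Return (sender, revdns, contains_result, endswith_result) per case."""
    return [
        (s, r, check(s, r, entries, "contains"), check(s, r, entries, "endswith"))
        for s, r in cases
    ]


if __name__ == "__main__":
    for row in compare():
        print("%-22s %-28s contains=%-5s endswith=%s" % row)
```

The second and fourth cases are the ones where the two modes disagree: a substring match lets an unrelated host vouch for the listed domain, and a label-boundary suffix match does not.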

