Re: [Declude.JunkMail] Declude not taking action

[Eje Gustafsson]

Not related to your problem but do yourself a favor block @mcsi.net
only thing I ever seen from there is spam.

Best regards,
 Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
 MikroTik, Star-OS, PACWireless, EnGenius, RF Industries
-- 

KR I figure that each individual E-mail on my system has about a 0.6%
KR chance of being stolen and delivered by the queue.

KR Matt:

KR I have spent a lot of my years in the field of mathematics.  A study done a
KR while back and it is related to data-mining stated.. men buy baby diapers
KR and orange juice on Tuesdays more than any other day of the week.

KR While it sounds interesting it is real hard to make any use of it. :)  -- I
KR am either very lucky or the 0.6% is only concentrating itself to my
KR mailbox.

KR On our very small volume server I got 2 last night and that is only me  -
KR others are probably getting it and not letting us know.

KR Attached is an email that IMail added its headers but Declude never saw.

KR I get about 2-3 daily.

KR Regards,
KR Kami

-- 
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] failed to fail test ?

[Eje Gustafsson]

Thanks Scott for clearing things up for me.. Since all my dailup and
highspeed customers have correct revdns and everyone outside our
network have to use smtp auth (running WHITELIST AUTH) then there
should be no implications to do a spamdomain with fament.com.
If this is the case then time to add all my own domains in there and
cut of another potential spamhole...

Best regards,
 Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
 MikroTik, Star-OS, PACWireless, EnGenius, RF Industries
-- 


Yet this piece of mail did come though with a very low rate and didn't
fail the HOLOBOGUS ?

Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP
   (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600

RSP That's because the HELO is fament.com, and fament.com has an MX
RSP record.  Therefore, it is a valid HELO.

RSP However, 63.165.214.42 is not in the MX record of fament.com, so:

X-Tests-Failed: IPNOTINMX, REVDNS.

RSP it failed the IPNOTINMX test.

Wouldn't helobogus add it's weight to it ? Or have I miss understood
the helobogus test ? How can I punish servers that try claim be from
my domain like the above ?

RSP HELOBOGUS just looks for bogus HELO entries (such as random characters, IPs
RSP masquerading as hostnames, and made-up domains).

RSP IPNOTINMX checks for IPs that aren't listed in the sender domain's MX
RSP records (note that it is not unusual for legitimate mail to be sent this way).

RSP In this case, SPAMDOMAINS may be the best answer, as it will require the
RSP reverse DNS entry of the sending computer to include the domain name in the
RSP return address -- but only for domains that you specify.  So if you list
RSP fament.com, this mail would have been caught.  But if you do list your
RSP domain, you need to be sure that people sending mail through your server
RSP come from IPs with your domain in the reverse DNS entry.

And how could the score end up at -2 ? What is the math behind it.

RSP Declude JunkMail adds all the weights for the E-mail, which came out to -2
RSP here.

RSP The confusing parts are things like negative weights (either kind -- a test
RSP that has a weight of -2, or a test that has a weight that is added for
RSP E-mail that does NOT fail the test, like the IPNOTINMX and NOLEGITCONTENT
RSP tests), and filters where multiple lines can match.

RSP -Scott
RSP ---
RSP Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
RSP Declude Virus: Catches known viruses and is the leader in mailserver
RSP vulnerability detection.
RSP Find out what you've been missing: Ask about our free 30-day evaluation.

RSP ---
RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RSP ---
RSP This E-mail came from the Declude.JunkMail mailing list.  To
RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RSP type unsubscribe Declude.JunkMail.  The archives can be found
RSP at http://www.mail-archive.com.

-- 
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] failed to fail test ?

[Eje Gustafsson]

I have the following two tests in my global.cfg (along with others)

HELOBOGUS   helovalid   x   x   6   0
IPNOTINMX   ipnotinmx   x   x   0   -3
REVDNS  revdnsexistsx   x   7   0
NOLEGITCONTENT  nolegitcontent  x   x   0   -8

Yet this piece of mail did come though with a very low rate and didn't
fail the HOLOBOGUS ?

Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP
  (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600
Received: from DJQ92P11 [192.168.123.124] by fament.com with eSMTP; 
Sat, 22 Nov 2003 19:27:21 -0600
Message-ID: [EMAIL PROTECTED]
From: ryan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]  
X-Tests-Failed: IPNOTINMX, REVDNS.
X-Note: Total spam weight of this E-mail is -2.

By default everything supposed to be -11 on a good e-mail.

63.165.214.42 is NOT a valid MX record for fament.com

Wouldn't helobogus add it's weight to it ? Or have I miss understood
the helobogus test ? How can I punish servers that try claim be from
my domain like the above ?

And how could the score end up at -2 ? What is the math behind it.
The -3 and -8 in the 6th column are the only - I have in that column
anywhere. So if it's -8 + 7 then shouldn't the weight be -1 and not -2
? But most important how can I punish servers that claim to be
fament.com if they are not ?

Best regards,
 Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
 MikroTik, Star-OS, PACWireless, EnGenius, RF Industries
-- 

-- 
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] blocking spam faked as coming from local address

[Eje Gustafsson]

Talking about SPAMDOMAINS anyone have a list they would like to share
with me (on or offlist).
I just setup this test and put in the ones I could THINK of of top of
my head (yahoo, msn, hotmail and a couple of others) but my list was
no more then about 10-12 before I ran out of domains I could think of
that I know was commonly used..

Best regards,
 Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
 MikroTik, Star-OS, PACWireless, EnGenius, RF Industries
-- 

MB Let's keep in mind that the discussion has changed from the original 
MB topic of MAILFROM Forged to VERP + Forged.

MB For the last day I've been filtering using the SPAMDOMAINS method which 
MB captures examples of both topics in this thread, however it didn't 
MB capture E-mail that fakes a local domain when it is sent from my 
MB Microsoft SMTP server because I have that IPBYPASSed (there would 
MB otherwise be a lot of this).


MB MAILFROM Forged
MB ---
MB As far as the MAILFROM test goes for finding faked local addresses, here 
MB are my results but bear in mind that this excludes intra-server faked 
MB domains from Web sites:

MB 3 - Spam w/Forged address (2 passed filters with 80% of fail weight, 
MB 1 failed).
MB 9 - Legit w/Forged address (E-mails sent from one local user to 
MB another local user but didn't use my server for sending.)
MB =
MB   12 - E-mails caught with whitelisting local Web server.

MB For me the FP rate of a MAILFROM ENDSWITH local domain test was 75% with 
MB whitelisting (as it is currently set) or about 89% without whitelisting 
MB because of mail sent from local Web sites.  The FP rate would definitely 
MB higher on weekdays because legit volume is higher and several customers 
MB have business communications sent forged.  This test tagged a total of 3 
MB pieces of spam out of a total of 1,968 unique messages received (0.15% 
MB of unique messages).

MB I am going to look at an entire week's traffic with the MAILFROM test as 
MB Andrew suggested in order to spot the possibility of adding a point or 
MB two if there is leeway in the current scoring.  For such a small number 
MB of forged addresses though, I don't want to risk the possibility of 
MB FPing on anything.  I do have problems with legit E-mail doing this that 
MB fails multiple tests that I don't want to turn down to allow this, and I 
MB don't like to whitelist if at all possible.


MB SPAMDOMAINS-based VERP + Forged
MB 
MB Now as far as the SPAMDOMAINS-based test results go, here's what I found:

MB 120 - Spam messages caught (71%)
MB   117 - Spam w/VERP
MB   3 - Spam w/Forged addresses
MB   50 - Legit messages caught (29%)
MB   41 - Legit w/VERP
MB 9 - Legit w/Forged addresses
MB 
MB 170 - Total Messages Caught

MB The only spams that got through were the two mentioned above that 
MB actually forged the local sender.  I also had one false positive in this 
MB group which was sent from Yahoo Groups and FP'd because for some reason, 
MB this message failed EASYNET-PROXIES.  I assume that this was a problem 
MB in the lookup returned by Easynet because that IP is not currently in 
MB their database, and that same server successfully sent about 40 other 
MB messages without being caught.  This message was also sent to a dead 
MB address that I am scoring as a 'spamtrap' but it is forwarded to another 
MB account so I'm not killing the message automatically.

MB  From looking at the spam using VERP, almost all of it came from a small 
MB handful of companies who have been tagged by FIVETEN-SPAMSUPPORT, 
MB MAILPOLICE-BULK, SPAMCOP, EASYNET-DNSBL and SBL.  All but about 5 of 
MB these were tagged by at least two of those mentioned which is enough to 
MB fail any message with no other points necessary.  None of the spam VERP 
MB messages passed my filters.

MB It appears that all of this VERP stuff comes from gray-spam (for lack of 
MB a better word).  These are addresses harvested primarily from contest 
MB and free membership sites with participants knowingly giving their 
MB addresses away for such things (not all of it uses VERP of course).  The 
MB ones using VERP likely have somewhat static addresses and therefore 
MB these mailers are easily tagged by the leading blocklists.  I don't 
MB believe I have any problems with VERP spammers, though this will take 
MB more monitoring to make a solid conclusion.

MB I do have problems already with FP's on legit opt-in advertising, some 
MB of which use VERP.  Too often such places find their way onto MailPolice 
MB or SpamCop only to be removed shortly thereafter, a problem 

Re: [Declude.JunkMail] Whitelisting

[Eje Gustafsson]

Say I want to do this for [EMAIL PROTECTED] as I understand I have
to create a fament.com directory would it be enough to drop in a
postmaster.Junkmail in that directory and have the rest of the default
settings be picked up from the main default
\imail\declude\$default$.junkmail file ?
I want to avoid having to many $default$.junkmail files because that
means when new features are added and lists dies etc I have to
manually edit multiple files. The less files to edit the better IMO.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
   - Your Full Time Professionals -
Mikrotik OEM dealer - Online Store http://www.fament.net/
-- 

  It was also mentioned to a blank user file with the per user config 
 which would allow all tests to pass. Would this work also?

  I just wanted more options. The negative weight works.

RSP The blank per-user file would work, just differently.

RSP Using a whitelist will ensure that the E-mail is delivered.  The blank 
RSP per-user file would work almost the same as whitelisting E-mail that was 
RSP sent *just* to that one user, but if it was sent to other users as well, it 
RSP could get blocked.

RSP -Scott
RSP ---
RSP Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
RSP Declude Virus: Catches known viruses and is the leader in mailserver 
RSP vulnerability detection.
RSP Find out what you've been missing: Ask about our free 30-day evaluation.

RSP ---
RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RSP ---
RSP This E-mail came from the Declude.JunkMail mailing list.  To
RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RSP type unsubscribe Declude.JunkMail.  The archives can be found
RSP at http://www.mail-archive.com.

-- 
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SORBS-SPAM

[Eje Gustafsson]

If someone demands they not get listed then they deserve to get
blacklisted because OBVIOUSLY they have something to hide.

.6 is List of hosts that have been noted as sending
  spam/UCE/UBE to the admins of SORBS.  This
  zone also contains netblocks of spam supporting
  service providers, this could be for providing
  websites, DNS or drop boxes for a spammer.  Spam
  supporters are added on a 'third strike and you are
  out' basis, where the third spam will cause the
  supporter to be blocked.

.8   List of hosts demanding they are never tested by
 SORBS.

So of course someone that host spammers will demand they never be
tested. Almost should be a case for immediate blocking IMO.

Either way with declude there is not reason to directly block anything
just use a weighted system where each test add to the total weight.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
   - Your Full Time Professionals -
Mikrotik OEM dealer - Online Store http://www.fament.net/
-- 
PBH Yes..do not block on 127.0.0.6 and .8

PBH pbh



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Smart Business Lists
 Sent: Monday, September 01, 2003 4:57 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] SORBS-SPAM
 
 
 Careful on SORBS-SPAM - blocking some large providers - Cox for one.
 
 
 Terry Fritts
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the 
 Declude.JunkMail mailing list.  To unsubscribe, just send an 
 E-mail to [EMAIL PROTECTED], and type unsubscribe 
 Declude.JunkMail.  The archives can be found at 
 http://www.mail-archive.com.
 ---
 [This E-mail scanned for 
 viruses by Declude Virus]
 
 
 


PBH ---
PBH [This E-mail scanned for viruses by Declude Virus]

PBH ---
PBH [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

PBH ---
PBH This E-mail came from the Declude.JunkMail mailing list.  To
PBH unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
PBH type unsubscribe Declude.JunkMail.  The archives can be found
PBH at http://www.mail-archive.com.

-- 
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] OSRELAY etc

[Eje Gustafsson]

Seems like it according to the news and information that been
released. Another rbl list that been killed by nasty DoS attacks more
then likely caused by spammers.
sorbs.net seems to be a decent replacement.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
   - Your Full Time Professionals -
Mikrotik OEM dealer - Online Store http://www.fament.net/
-- 
GH Hi,

GH Is relays.osirusoft.com permanently offline?

GH _
GH Glen Harvy 
GH Aquarius Communications
GH for all your Internet Needs.
GH Phone 9977 3788 Fax 9977 3844

-- 
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Another new test

[Eje Gustafsson]

ipswitch been meaning to add a tag in their queue file (the qx
file) where it would show if the message was a local originated,
remote originated or a remote smtp-auth originated. This way Scott
could create a test that could add a weight to any remote originated
e-mail that are NOT smtp-authenticated (local I understand should
include all the ips and ip blocks you allow to relay through the
server).

But until that happens there is no way for Scott to securely determine
if it was a local or remote originated e-mail short of digging through
the log files to see if it's a smtp-authed e-mail and check the relay
list and determine if the remote address is allowed to relay.

/ Eje

Sunday, June 22, 2003, 4:33:59 PM, you wrote:

DM This morning I received three spam from my own email address.
DM How about a way to tag a local user but remote origin?
DM Doug



DM ---
DM [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

DM ---
DM This E-mail came from the Declude.JunkMail mailing list.  To
DM unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DM type unsubscribe Declude.JunkMail.  The archives can be found
DM at http://www.mail-archive.com.
DM ---
DM [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] OT: Fraud Alert

[Eje Gustafsson]

Hey that one looks familiar.. I got 4 copies of that one today on
different e-mail accounts that I NEVER used (however posted on
webpages). Funny thing is that each and everyone of these are the same
purchased item with same address..

I called BestBuy about it earlier today tried to get them to post a
dang warning on their website about this fraud. Only way to fight
misinformation such as this one is with information.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
   - Your Full Time Professionals -
Mikrotik OEM dealer - Online Store http://www.fament.com/catalog/
-- 
DP Watch out for this one, the underlying code looks like:

DP href=http://www.your-instant-credit-reporter.org/fraud.html;FONT face=Arial 
size=2BestBuy.com/fraud_department.html/FONT/A/DIV/BODY/HTML



DP The subject reads:
DP BestBuy Order #1095619. Fraud Alert.



DP The message reads:
DP Dear customer, 
DP  
DP Recently we have received an order made by using your personal credit card 
information. 
DP This order was made online at our official BestBuy website on 06/19/2003. 
DP Our Fraud Department has some suspicions regarding this order and we need you to 
visit a special Fraud Department page at our web store where you can confirm or 
decline this transaction by
DP providing us with the correct information. 
DP This e-mail address has been taken from National Credit Bureau. 
DP  
DP Click the link below to visit a special Fraud Department page to resolve the cause 
of the problem.  
DP BestBuy.com/fraud_department.html

DP 
-- 
DP ORDER# 1095619 - STATUS: SUSPENDED  
DP ITEMS PURCHASED  
DP 
-- 
DP Item No: 73890 
DP CDA-9815 In-Dash CD Player/Ai-Changer Controller 
DP Price: $387.65   Qty: 2   Total: $775.3 
DP 
 
DP The order listed above has not yet been processed. 
DP The reason for the delay in processing your order is: 
DP  
DP - UNVERIFIED SHIPPING ADDRESS 
DP  
DP - Information provided: 
DP   Shipping 
DP   41 WINHAM ST 
DP   Staten Island, NY  10306 
DP   United States 
DP   phone# 206-337-9843 
DP  
DP In our effort to deter fraudulent transactions, we need your help in providing us 
with the correct information. Your prompt response is needed to avoid any unauthorized 
charges to your credit
DP card.
DP  
DP 
-- 
DP Click the link below to visit a special Fraud Department page to resolve the cause 
of the problem.  
DP BestBuy.com/fraud_department.html

DP ---
DP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

DP ---
DP This E-mail came from the Declude.JunkMail mailing list.  To
DP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DP type unsubscribe Declude.JunkMail.  The archives can be found
DP at http://www.mail-archive.com.
DP ---
DP [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] My domain failing HELOBOGUS

[Eje Gustafsson]

You need to have a MX record for hasna.jeeran.com which you don't
have.


Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
   - Your Full Time Professionals -
Mikrotik OEM dealer - Online Store http://www.fament.com/catalog/
-- 
OK Why would my IMGATE machine fail the HELOBOGUS test when  HELO/EHLO data
OK header  returns:

OK 220 hasna.jeeran.com - ESMTP - Postfix - Ahlan Wa Sahlan

OK Which seems complaint to me. Here is the error in the log file:

OK Msg failed MX; testing A (HELOBOGUS ) [0 1 0 ]

OK ---
OK [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

OK ---
OK This E-mail came from the Declude.JunkMail mailing list.  To
OK unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
OK type unsubscribe Declude.JunkMail.  The archives can be found
OK at http://www.mail-archive.com.
OK ---
OK [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Request for new/enhanced feature

[Eje Gustafsson]

I keep getting mail that slipps through that IMO shouldn't be that
hard to catch really... They use a variant of the html comments but
the way they do it it don't get detected as a mail with to many html
comments.

Below is a snippet of example text inside the html formated e-mail :

Pk73ch7b1tddyenkqjezab3w79ejis 
Enkpv36t91gfs2largktwn2sd3kn7tqemek63uv4i3njxxcnt Pikxl9qjl2r3ervkll On The 
Mak9jgo17u5v244rkekth2amv3m1st!/font/font/font/bfont 
face=Arial,Helvetica/font
pfont face=Arial,Helvetica* Gksfvuh135aju042aikndkb4w1ppwy192n 
3kbq72kb2dv2xsd2+ Full Inkn46ft9yw8pchkwhb2wy27wls3es In 
Lengka4vte11x26Lengka4vte11x26wth/font
brfont face=Arial,Helvetica* Exkcay5sz12le0pand Your Pekt70s753udaio49nis Up 
To 20kh3tfh82ejp1%   

Basically remove the x junk and you get the text. Since these
are invalid html comments most e-mail clients just simply ignore the
comment text all together since it has the  around the text.

This messages X-Tests-Failed: IPNOTINMX, SUBJECTSPACES, LONGSUBJECT.

IMO this should also have failed HTMLCOMMENTS  which it did not.
So my question.. Would it be possible to add the above junk as
detected html comment ?

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
-- 
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
   - Your Full Time Professionals -
Mikrotik OEM dealer - Online Store http://www.fament.com

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: SPAMCOP:Re: [Declude.JunkMail] HiJack Not Working ?

[Eje Gustafsson]

Not besides that your listed yourself in spamcop and that you need to
take a look at the logs to see what's in them and/or show them to us
so we can see what is failing.

I see a couple of things right of.
1) no reverse DNS for 208.253.112.168 which is your sending ip for you
mailserver.
2) your subnet is listed with numerous spam lists.
DELINK, SPAMCOP, XBL, HEUR1, REVDNS, SPAMCHK, IPNOTINMX, Reverse-IP

- Eje

Wednesday, March 26, 2003, 9:15:11 PM, you wrote:

BC Scott,

BC I made these changes and restarted services.

BC But then I stopped receiving emails.

BC When I reverted back, I'm now receiving emails again.

BC Any thoughts?

BC Thanks.

BC b

BC -- Original Message --
BC From: R. Scott Perry [EMAIL PROTECTED]
BC Reply-To: [EMAIL PROTECTED]
BC Date:  Wed, 26 Mar 2003 19:19:28 -0500


I checked the W log files and it looks like they are coming in through web 
messaging (god knows how they are sending that much email through web 
messaging) under several IP's ranging from Nigeria to Israel.  I blocked 
those IP's within Imail Control Access.

Ah, that explains what is going on.  That's the first time I've seen 
serious spammers try to send E-mail through web messaging.

How can I make Hijack work with webmessaging?

It is possible to do this, by having the declude.exe file act as the 
smtp32.exe file, so that Declude can intercept the web messaging E-mail.

This is done by renaming the smtp32.exe file to ipsmtp.exe, renaming the 
declude.exe file to smtp32.exe, using a DAISYCHAIN ipsmtp.exe line in the 
hijack.cfg file.

Then, you need to use regedit to change the 
HKEY_LOCAL_MACHINE\Software\Ipswitch\IMail\Global\SendName value to point 
to smtp32.exe instead of declude.com, and finally stop/restart the IMail 
SMTP service so that IMail will recognize the change
 -Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for Viruses and Spam by Richmond.com]


BC ---
BC [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

BC ---
BC This E-mail came from the Declude.JunkMail mailing list.  To
BC unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
BC type unsubscribe Declude.JunkMail.  The archives can be found
BC at http://www.mail-archive.com.
BC ---
BC [This E-mail scanned for viruses by Declude Virus]



Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.JunkMail] Q: help with fixing client-side?

[Eje Gustafsson]

Not sure where your getting 1903 etc from but that is besides the
point.

The main problem in this mess is among other things this line

Date: 20 Mar 03 18:30:01 -0800

A correct date according to the RFC should read
Date: 20 Mar 2003 18:30:01 -0800

The mac I seen resets back to 1980 when the batteries dies in them and
I think they use regular unix EPOC just like allot of other systems out
there when your dealing with system time (seconds since 1970 Jan 1
00:00:00).

- Eje

Friday, March 21, 2003, 7:30:30 PM, you wrote:

DP I have some insight on the date issue.  

DP Macs tell time by counting the amount of time since a date in 1903 (something to 
do with the Wright Brothers), used as time zero.  It makes them automatically y2k 
savvy, but it also means that
DP when a particular machine's been around long enough for the clock battery to die, 
they reset to time zero (1903).

DP Dan



DP On Friday, March 21, 2003 10:24, Joseph Acac [EMAIL PROTECTED] wrote:
What follows is the header from an email sent from a valid account to 
another valid account, here at UCD.  The recipient was concerned that this 
message would be tagged as 'consistent with spam' and/or 'bad headers'.  My 
thoughts were that perhaps its because the user is on an older Macintosh, 
running an old version of Quick Mail, which perhaps doesn't follow standard 
email protocol/form?  Any ideas?

Thanks,

joe

X-POP3-Rcpt: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from salzburg.ucdavis.edu (salzburg.ucdavis.edu [169.237.104.162])
 by orvieto.ucdavis.edu (8.11.6/8.11.0/IT4.6.2) with ESMTP id 
 h2L2M1p20970
 for [EMAIL PROTECTED]; Thu, 20 Mar 2003 18:22:01 
 -0800 (PST)
Received: from primate.ucdavis.edu (blackhole.primate.ucdavis.edu 
[169.237.80.10])
 by salzburg.ucdavis.edu (8.11.6/8.11.0/virus-scan-4.0.1) with 
 ESMTP id h2L2Lwd08932
 for [EMAIL PROTECTED]; Thu, 20 Mar 2003 18:21:59 -0800 (PST)
Received: from 169.237.80.51 [169.237.80.51] by primate.ucdavis.edu
   (SMTPD32-7.13) id A7451A730278; Thu, 20 Mar 2003 18:21:57 -0800
Date: 20 Mar 03 18:30:01 -0800
From: Alice Tarantal [EMAIL PROTECTED]
Subject: RE: Pilot call
To: John Capitanio [EMAIL PROTECTED]
X-Mailer: QuickMail Pro 1.5.4 (Mac)
X-Priority: 3
MIME-Version: 1.0
Reply-To: Alice Tarantal [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client 
[c014020e].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam 
[c014020e].
X-RBL-Warning: WEIGHT10: Weight of 11 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [169.237.80.51]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for 
spam.
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by orvieto.ucdavis.edu 
id h2L2M1p20970


Joseph C. Acac
CNPRC
University of California at Davis
[EMAIL PROTECTED] 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


DP ---
DP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

DP ---
DP This E-mail came from the Declude.JunkMail mailing list.  To
DP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DP type unsubscribe Declude.JunkMail.  The archives can be found
DP at http://www.mail-archive.com.
DP ---
DP [This E-mail scanned for viruses by Declude Virus]



Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] HELO contains

[Eje Gustafsson]

Question..

I see more and more spams that is coming where the senders MTA is
claiming to be the localhost
As for example one of my servers is called imail.fament.com
Latest spam that slipped through had following header

Received: from imail.fament.com [66.81.201.98] by imail.fament.com
  (SMTPD32-7.13) id A7F38560150; Wed, 12 Mar 2003 16:42:59 -0600

Note that 66.81.201.98 is the spammers ip and do NOT belong to me.

SOO..  My question is this.. Could I create a wordfilter rule that
goes like
HELO 10 CONTAINS imail.fament.com
or will that shoot myself in the foot for some reason ?
If it really is the HELO string then I don't see this as a problem
since my understanding is that my mail server do NOT connect to itself
and should then never send the helo imail.fament.com to itself ?!

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.JunkMail] HELO contains

[Eje Gustafsson]

Alright. Great. No the other mailserver identifies itself as
backup.fament.com which I don't have declude on.
On the other hand there. My backup mx server only forward mail. Do I
have to get the Pro version of Declude or would Standard be enough ?

I did throw out Webshield because it records the headers so badly that
so much junkmail came in that direction.

/ Eje

Wednesday, March 12, 2003, 5:17:33 PM, you wrote:


SOO..  My question is this.. Could I create a wordfilter rule that
goes like
HELO 10 CONTAINS imail.fament.com
or will that shoot myself in the foot for some reason ?

RSP That will work fine, just so long as you don't have any other mailservers 
RSP that identify themselves as imail.fament.com.  If your IMail server is 
RSP the only one that does, the filter will work fine.

If it really is the HELO string then I don't see this as a problem
since my understanding is that my mail server do NOT connect to itself
and should then never send the helo imail.fament.com to itself ?!

RSP Correct.  There might be odd cases where the IMail server would connect to 
RSP itself, but if that happens, you've got another problem on your hands (as 
RSP it would cause a mail loop).
RSP  -Scott

RSP ---
RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RSP ---
RSP This E-mail came from the Declude.JunkMail mailing list.  To
RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RSP type unsubscribe Declude.JunkMail.  The archives can be found
RSP at http://www.mail-archive.com.
RSP ---
RSP [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Store and Forward w/JunkMail Question

[Eje Gustafsson]

spamreview rocks. Only wish it could do filters with wildcards. Hate
the darn spammers that uses mail123.domain.tld  mail124.domain.tld and
so on do *.domain.tld and take care of them for good.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
 - Your Full Time Professionals -
eBay UserID : macahan
--
JT Instead of ROUTETO, you could use HOLD. Then, the files will be in 
Imail\spool\spam\hold folder. You can either open them with notepad or use SpamReveiw.

JT John Tolmachoff MCSE, CSSA
JT IT Manager, Network Engineer
JT RelianceSoft, Inc.
JT Fullerton, CA  92835
JT www.reliancesoft.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED]] On Behalf Of Keith Johnson
 Sent: Tuesday, February 11, 2003 7:10 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Store and Forward w/JunkMail Question
 
 Since late last year we have had our entire setup with virtual hosted domains with
 No Mail Relay.   We are going to change our relay mode to 'relay for addresses' to
 filter email for about 10 or more Exchange Servers (thus, store and forward).
 However, we are going to still require all our other domains to SMTP Auth to us.
 My question is, with JunkMail, does all the filters and commands work just like they
 do under domains hosted on the IMail server itself.  Previously, we always used the
 RouteTo a mailbox (same domain) for a 'little' admin to look at the spam email and
 thus forward it on to the necessary person, however, we won't be able to do that
 anymore with these domains since the domain isn't on the box.  We were thinking
 of creating a bogus.com domain and RouteTo there.  Thanks for allowing me to
 ramble here, just trying to see if I missed anything.  I believe the Declude Virus
 should be fine with this as well.  Thank you for the info.
 
 Keith
 Nf???yu
 
 u ?dj)jgnr[x??f)+Nrz;?ukj)r[y jw???m r[x?8jqy ??  f+rmw? Vry

JT ---
JT [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

JT ---
JT This E-mail came from the Declude.JunkMail mailing list.  To
JT unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
JT type unsubscribe Declude.JunkMail.  The archives can be found
JT at http://www.mail-archive.com.
JT ---
JT [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Base64 encoded

[Eje Gustafsson]

I know in the past it was discussion about legit base64 usage in mail.

I found what seems to be a legit e-mail where the mail client is
base64 encoding the message.

Received: from mail.XX.com [12.28.XX.XXX] by imail.fament.com with ESMTP
  (SMTPD32-7.13) id A4EE26B0366; Wed, 15 Jan 2003 09:57:34 -0600
Received: from [10.1.102.202] by mail.XX.XXX
 with SMTP (QuickMail Pro Server for Mac 3.0.1); 15-Jan-2003 09:57:19 -0600
Date: 15 Jan 2003 09:45:15 -0600
Message-ID: [EMAIL PROTECTED]
From: X X [EMAIL PROTECTED]
Subject: Fwd: 
To: X XX [EMAIL PROTECTED]
X-Mailer: QuickMail Pro 3.0 (Mac)
X-Priority: 3
MIME-Version: 1.0
Reply-To: X X [EMAIL PROTECTED]
Content-Type: multipart/mixed; boundary=50524848535754575554===1
X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in this E-mail.
X-RBL-Warning: WEIGHT10: Weight of 20 reaches or exceeds the limit of 10.
X-Tests-Failed: REVDNS, BASE64, WEIGHT10, WEIGHT20.
X-Note: Total spam weight of this E-mail is 20.
--50524848535754575554===1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=US-Ascii

regular text message (seems to be a chainmail)

MSN 8: advanced junk mail protection and 2 months FREE* http://g.msn.com/=
8HMNEN/2017
--50524848535754575554===1
Content-Transfer-Encoding: base64
Content-Type: text/html; name=Text00.htm;
x-mac-creator=556DC536;
x-mac-type=54455854

PGh0bWw+PGRpdiBzdHlsZT0nYmFja2dyb3VuZC1jb2xvcjonPjxESVY+DQo8UD48QlI+PFVuZGlz
Y2xvc2VkLVJlY2lwaWVudD

rest of the base64 is cut off.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.JunkMail] Base64 encoded

[Eje Gustafsson]

Well. When I say legit I reference in that it is not a spam mail but a
regular mail communication to a user that been sent with a regular
mail program.

Like you using Eudora Version 5.1 to send a e-mail message directly to
me. This person was using QuickMail Pro 3 (mac) to send a e-mail to a
client on our service.
Reason for doing base64 ? None except poor software engineering and
client more then likely using default settings because they don't know
better.

There is no reason really for the base64 just that it does it anyways
in poor practice. I personally put in a word filter rule that now
gives this X-mailer a somewhat negative weight to compensate for it's
poor e-mail sending behavior.

Wasn't sure if anyone ever found a e-mail client that did post
standard message in base64 besides what we frequently see from
spammers with advertisment junk in it.

/ Eje

Tuesday, January 21, 2003, 2:42:41 PM, you wrote:


I know in the past it was discussion about legit base64 usage in mail.

I found what seems to be a legit e-mail where the mail client is
base64 encoding the message.

RSP The question here is what legitimate means.

RSP Does it mean that it is a legitimate E-mail, which uses base64 encoding for 
RSP no apparent reason (which we are not too concerned about, as most people 
RSP only use the BASE64 test towards the weighting system), or is it a 
RSP legitimate mail that has a legitimate reason for using base64 encoding 
RSP (which we would care about, as it could indicate that there are false 
RSP positives that can't be prevented)?
RSP  -Scott

RSP ---
RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RSP ---
RSP This E-mail came from the Declude.JunkMail mailing list.  To
RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RSP type unsubscribe Declude.JunkMail.  The archives can be found
RSP at http://www.mail-archive.com.
RSP ---
RSP [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[4]: [Declude.JunkMail] Base64 encoded

[Eje Gustafsson]

Thank you I had missed the OWA I added that one myself. Thanks.

Tuesday, January 21, 2003, 3:33:06 PM, you wrote:

CA As per John's earlier research on OWA as a client, and Eje's report I now
CA use this in one of my filter text files:

CA #Nov-29-2002 AC Cancel the BASE64 weight when the client was
CA #   OWA for Exchange 2000 and Enterprise
CA HEADERS -4 CONTAINS V6.0.5762.3
CA HEADERS -4 CONTAINS V6.0.6249.0

CA #Jan-21-2003 AC Cancel the BASE64 weight another product that
CA #   happens to encode body test as BASE64
CA HEADERS -4 CONTAINS QuickMail Pro Server for Mac

CA Andrew 8)

EG Wasn't sure if anyone ever found a e-mail client that did post
EG standard message in base64 besides what we frequently see from
EG spammers with advertisement junk in it.

JT Outlook Web Access on Exchange 2000.

CA ---
CA [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

CA ---
CA This E-mail came from the Declude.JunkMail mailing list.  To
CA unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
CA type unsubscribe Declude.JunkMail.  The archives can be found
CA at http://www.mail-archive.com.
CA ---
CA [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Base64 encoded

[Eje Gustafsson]

Hello Dan,

I see. Thanks for the clearification. This particular message was a html
encoded message where the html part got encoded.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
 - Your Full Time Professionals -
eBay UserID : macahan
--
DP Eje,

DP I use QuickMail on a Mac and Base64 is used as the encoding type by two of their 
standard configs, but only for attachments.  Base64 encoding for the message body 
requires a manual change.  What
DP most likely happened is that the sender in question was swapping around encoding 
types trying to get an attachment to go through and got sloppy.

DP Dan

 

DP On Tuesday, January 21, 2003 13:14, Eje Gustafsson [EMAIL PROTECTED] wrote:
Well. When I say legit I reference in that it is not a spam mail but a
regular mail communication to a user that been sent with a regular
mail program.

Like you using Eudora Version 5.1 to send a e-mail message directly to
me. This person was using QuickMail Pro 3 (mac) to send a e-mail to a
client on our service.
Reason for doing base64 ? None except poor software engineering and
client more then likely using default settings because they don't know
better.

There is no reason really for the base64 just that it does it anyways
in poor practice. I personally put in a word filter rule that now
gives this X-mailer a somewhat negative weight to compensate for it's
poor e-mail sending behavior.

Wasn't sure if anyone ever found a e-mail client that did post
standard message in base64 besides what we frequently see from
spammers with advertisment junk in it.

/ Eje

Tuesday, January 21, 2003, 2:42:41 PM, you wrote:


I know in the past it was discussion about legit base64 usage in mail.

I found what seems to be a legit e-mail where the mail client is
base64 encoding the message.

RSP The question here is what legitimate means.

RSP Does it mean that it is a legitimate E-mail, which uses base64 encoding for 
RSP no apparent reason (which we are not too concerned about, as most people 
RSP only use the BASE64 test towards the weighting system), or is it a 
RSP legitimate mail that has a legitimate reason for using base64 encoding 
RSP (which we would care about, as it could indicate that there are false 
RSP positives that can't be prevented)?
RSP  -Scott

RSP ---
RSP [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

RSP ---
RSP This E-mail came from the Declude.JunkMail mailing list.  To
RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RSP type unsubscribe Declude.JunkMail.  The archives can be found
RSP at http://www.mail-archive.com.
RSP ---
RSP [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


DP ---
DP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

DP ---
DP This E-mail came from the Declude.JunkMail mailing list.  To
DP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DP type unsubscribe Declude.JunkMail.  The archives can be found
DP at http://www.mail-archive.com.
DP ---
DP [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Ipswitch Newsletter

[Eje Gustafsson]

Hello Michael,

Looks like your giving mail that fail the spamheaders test a negative
1 in weight. Funny that ipswitch's newsletter fails this test..
At least it's not a message or newsletter from Scott now that would be
really REALLY amusing consider the guys skills and knowledge ;)

-Eje

ML Either I am doing something wrong or this is worth a chuckle.

ML Received: from newman.ipswitch.com [156.21.1.4] by ucopiannetworks.com with
ML ESMTP
ML   (SMTPD32-6.05) id ACC42F4B00CA; Wed, 08 Jan 2003 21:21:56 -0500
ML Received: from CAMPAIGN [156.21.1.4] by newman.ipswitch.com
ML   (SMTPD32-7.12) id A2E2AE027A; Wed, 08 Jan 2003 13:50:10 -0500
ML From: Tamara Hart, Ipswitch [EMAIL PROTECTED]
ML To: [EMAIL PROTECTED]
ML Subject: Your Ipswitch Newsletter - January Edition
ML Date: WED, 08 JAN 2003 13:50:10 -0400
ML MIME-Version: 1.0
ML Reply-To: [EMAIL PROTECTED]
ML Content-Type: multipart/alternative; boundary=Boundary..
ML Message-Id: 200301081350968.SM00206@CAMPAIGN
ML X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.4]
ML X-Note: This E-mail was scanned by Ucopian JunkMail
ML (www.ucopiannetworks.com) for spam.
ML X-Spam-Tests-Failed: SPAMHEADERS [-1]
ML X-RCPT-TO: [EMAIL PROTECTED]
ML X-UIDL: 342055870
ML Status: U

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] I can't believe this would even work.

[Eje Gustafsson]

This people been discussed about on the isp-ceo list provided by
isp-planet.com.
I gotten that one as well. One guy at the isp-ceo list sent the guy a
quote for about $1mill per month up front payment ;P

/ Eje

Thursday, January 2, 2003, 10:01:28 AM, you wrote:

CF Some spammer is soliciting for dedicated hosting of spam servers.
CF The received header -

CF Received: from onemails2608.com [66.118.148.209] by argolink.net
CF (SMTPD32-6.06) id A638128C0132; Mon, 30 Dec 2002 08:20:40 -0600

CF It was only caught by spamheaders.  It just goes to show, someone
CF somewhere is willing to support spammers if money can be made.

CF Thanks,
CF Chuck Frolick
CF ArgoNet, Inc.

CF -Original Message-
CF From: W2K Servers Needed [mailto:[EMAIL PROTECTED]] 
CF Sent: Monday, December 30, 2002 8:24 AM
CF To: [EMAIL PROTECTED]
CF Subject: I need 2 win2k dedicated servers
CF Importance: High


CF If you've already received this email, please disregard it.

CF I need 2 dedicated servers running Windows 2000, with FTP and Terminal
CF Services access.  I will be increasing servers if your service meets our
CF demands. You will get occasional spam complaints (at most 5 per month).
CF I won't be spamming or port scanning directly from the servers.  I will
CF be mailing through proxies, so you will get very few complaints, if any
CF at all.  If you can provide this service, please reply back and let me
CF know.


CF The headers - 

CF Received: from host01.corp.argolink.net [209.144.1.13] by argolink.net
CF with ESMTP
CF   (SMTPD32-6.06) id AF4C3D490142; Thu, 02 Jan 2003 09:48:28 -0600
CF Return-Path: [EMAIL PROTECTED]
CF Delivered-To: [EMAIL PROTECTED]
CF Received: from onemails2608.com [66.118.148.209] by argolink.net
CF (SMTPD32-6.06) id A638128C0132; Mon, 30 Dec 2002 08:20:40 -0600
CF Reply-To: [EMAIL PROTECTED]
CF Date: Mon, 30 Dec 2002 09:24:01 -0500
CF X-Priority: 1
CF MIME-Version: 1.0
CF X-Mailer: Microsoft Outlook Express 6.00.2600.
CF X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
CF Content-Type: text/plain; charset=us-ascii
CF Content-Transfer-Encoding: 7bit
CF Message-Id: [EMAIL PROTECTED]
CF X-Declude-Warning: [SPAMHEADERS]
CF http://www.declude.com/tools/header.php?code=420e ::W5
CF X-SPAM-Level: SPAM-VLOW
CF X-Declude-Warning: [SPAMHEADERS] This message may be SPAM. This E-mail
CF has headers consistent with spam [420e].
CF X-Declude-Sender: [EMAIL PROTECTED] [66.118.148.209]
CF X-Declude-Spoolname: D5638132.SMD
CF X-Note: This E-mail was scanned for SPAM by ArgoLink.net with Declude
CF JunkMail. More info at http://help.argolink.net/spam.asp
CF X-Declude-Failed: SPAMHEADERS, SPAM-VLOW
CF X-Declude-Total-Weight: 5
CF X-RCPT-TO: [EMAIL PROTECTED]
CF Status: U
CF X-SpamReview-Deliver: Mesage redelivered by SpamReview. New headers
CF below.
CF X-SpamReview-Note: Original CC List:[EMAIL PROTECTED]
CF To: [EMAIL PROTECTED]
CF From: W2K Servers Needed [EMAIL PROTECTED]
CF Subject: I need 2 win2k dedicated servers
CF X-SPAM-Level: SPAM-NONE
CF X-Declude-Sender: [EMAIL PROTECTED] [209.144.1.13]
CF X-Declude-Spoolname: D5f4c142.SMD
CF X-Note: This E-mail was scanned for SPAM by ArgoLink.net with Declude
CF JunkMail. More info at http://help.argolink.net/spam.asp
CF X-Declude-Failed: SPAM-NONE
CF X-Declude-Total-Weight: 0
CF X-UIDL: 340151554



CF ---
CF [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

CF ---
CF This E-mail came from the Declude.JunkMail mailing list.  To
CF unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
CF type unsubscribe Declude.JunkMail.  The archives can be found
CF at http://www.mail-archive.com.
CF ---
CF [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] With new release this git through

[Eje Gustafsson]

Hello Joe,

My understanding is that Outlook Express can't filter based on
headers Correct me if I'm wrong because if I am them I can pass
along the info to my customers using OE so they can filter the few
messages that might slip through and still get them incase they are
really messages they want.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
 - Your Full Time Professionals -
eBay UserID : macahan
--
JH Hi Scott,
JH   Happy Holidays

JH   I am running with the new version downloaded yesterday.  Thanks... That did the 
trick...

JH A weird problem.   I put a new weight10a test with an action of WEIGHT10a HEADER 
WEIGHT10a.  Notice that it did indeed add the text WEIGHT10a to the body of the 
message.  However, I have a rule
JH in Outlook to move any mail with weight10a in the body to another folder, but 
outlook can't see it.  It works fine for messages that come in as plain text.  Is this 
a bug in outlook or is Declude
JH putting the message in the wrong place.  
JH I think it's an Outlook express problem.
JH I changed my action to SUBJECT and that fixed the problem, but I was just curious 
if you know why outlook can't see the text in this email.  Thanks


JH Received: from mmhw [64.233.124.49] by reliant.igdc.com
JH   (SMTPD32-7.13) id A4C6E3EE021C; Wed, 25 Dec 2002 08:38:14 -0500
JH From: Joy Verardi [EMAIL PROTECTED]
JH To: [EMAIL PROTECTED]
JH Subject: Information webmaster
JH Date: Wed, 25 Dec 2002 10:56:13 -0500
JH Mime-Version: 1.0
JH Content-Type: text/html
JH Content-Transfer-Encoding: base64
JH Message-Id: [EMAIL PROTECTED]
JH X-RBL-Warning: DSBL: http://dsbl.org/listing.php?64.233.124.49
JH X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?64.233.124.49
JH X-RBL-Warning: DSN: Not supporting null originator (DSN)
JH X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in this 
E-mail.
JH X-RBL-Warning: HELOBOGUS: Domain mmhw has no MX or A records.
JH X-Declude-Sender: [EMAIL PROTECTED] [64.233.124.49]
JH X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
JH X-Spam-Tests-Failed: DSBL, SPAMCOP, DSN, BASE64, HELOBOGUS, WEIGHT10a, WEIGHT10 
[27]
JH X-RCPT-TO: [EMAIL PROTECTED]
JH Status: U
JH X-UIDL: 340370359

JH WEIGHT10a
JH PEhUTUw+PFAgQUxJR049Q0VOVEVSPjxGT05UICBTSVpFPTYgUFRTSVpFPTI0PjxCPndlYm1h
JH c3Rlciw8QlI+DQo8L0ZPTlQ+PEZPTlQgIENPTE9SPSIjZmYwMDAwIiBCQUNLPSIjZmZmZmZm
JH IiBzdHlsZT0iQkFDS0dST1VORC1DT0xPUjogI2ZmZmZmZiIgU0laRT02IFBUU0laRT0yNCBG
JH QU1JTFk9IlNBTlNTRVJJRiIgRkFDRT0iQXJpYWwiIExBTkc9IjAiPjxVPllvdSBoYXZlIGJl
JH ZW4gYXBwcm92ZWQuPEJSPg0KPC9GT05UPjxGT05UICBDT0xPUj0iI2ZmMDAwMCIgQkFDSz0i
JH I2ZmZmZmZiIgc3R5bGU9IkJBQ0tHUk9VTkQtQ09MT1I6ICNmZmZmZmYiIFNJWkU9NSBQVFNJ
JH WkU9MTggRkFNSUxZPSJTQU5TU0VSSUYiIEZBQ0U9IkFyaWFsIiBMQU5HPSIwIj48L1U+Q2Fz
JH aCBHcmFudCBBbW91bnQ6PEJSPg0KPC9GT05UPjxGT05UICBDT0xPUj0iIzAwMDBmZiIgQkFD
JH Sz0iI2ZmZmZmZiIgc3R5bGU9IkJBQ0tHUk9VTkQtQ09MT1I6ICNmZmZmZmYiIFNJWkU9NyBQ
JH VFNJWkU9MzYgRkFNSUxZPSJTQU5TU0VSSUYiIEZBQ0U9IkFyaWFsIiBMQU5HPSIwIj4kMTAs
JH MDAwLSQ1LDAwMCwwMDA8QlI+DQo8L0ZPTlQ+PEZPTlQgIENPTE9SPSIjMDAwMDAwIiBCQUNL
JH PSIjZmZmZmZmIiBzdHlsZT0iQkFDS0dST1VORC1DT0xPUjogI2ZmZmZmZiIgU0laRT02IFBU
JH U0laRT0yNCBGQU1JTFk9IlNBTlNTRVJJRiIgRkFDRT0iQXJpYWwiIExBTkc9IjAiPjxJPjxV
JH PkRpZCBZb3UgS25vdz88QlI+DQo8L0ZPTlQ+PEZPTlQgIENPTE9SPSIjMDAwMDAwIiBCQUNL
JH PSIjZmZmZmZmIiBzdHlsZT0iQkFDS0dST1VORC1DT0xPUjogI2ZmZmZmZiIgU0laRT01IFBU
JH U0laRT0xOCBGQU1JTFk9IlNBTlNTRVJJRiIgRkFDRT0iQXJpYWwiIExBTkc9IjAiPjwvQj48
JH L0k+PC9VPi1FYWNoIFllYXIgdGhlIFUuUy4gR292ZXJtZW50IEdpdmVzIGF3YXkgQklMTElP
JH TlMgaW4gY2FzaCBncmFudHM/PEJSPg0KLVRoZXJlJm5ic3A7IGFyZSBObyBzcGVjaWFsIHJl
JH cXVpcmVtZW50cyB0byBvYnRhaW4gdGhlc2UgZ3JhbnRzLjxCUj4NCi1UaGVzZSBhcmUgRnJl
JH ZSBDYXNoIEdyYW50cyBUaGF0IHlvdSBORVZFUiBoYXZlIHRvIHJlcGF5ITxCUj4NCjxCUj4N
JH CjwvRk9OVD48Rk9OVCAgQ09MT1I9IiMwMDAwMDAiIEJBQ0s9IiNmZmZmZmYiIHN0eWxlPSJC
JH QUNLR1JPVU5ELUNPTE9SOiAjZmZmZmZmIiBTSVpFPTYgUFRTSVpFPTI0IEZBTUlMWT0iU0FO
JH U1NFUklGIiBGQUNFPSJBcmlhbCIgTEFORz0iMCI+d2VibWFzdGVyLFlvdSBRdWFsaWZ5ITxC
JH Uj4NCjwvRk9OVD48Rk9OVCAgQ09MT1I9IiMwMDAwZmYiIEJBQ0s9IiNmZmZmZmYiIHN0eWxl
JH PSJCQUNLR1JPVU5ELUNPTE9SOiAjZmZmZmZmIiBTSVpFPTcgUFRTSVpFPTM2IEZBTUlMWT0i
JH U0FOU1NFUklGIiBGQUNFPSJBcmlhbCIgTEFORz0iMCI+PEEgSFJFRj0iaHR0cDovL3JkLnlh
JH aG9vLmNvbS82NDUxMTEvKmh0dHA6Ly93d3cuZnJlZWhvc3RuZXR3b3JrLmNvbS9ncmFudDJr
JH L2luZGV4LmFzcD9kdm49MDEoTDg5MzEyeDg5RTNMOGF3SjZMIj5DbGljayBIZXJlPC9BPjwv
JH Rk9OVD48Rk9OVCAgQ09MT1I9IiMwMDAwMDAiIEJBQ0s9IiNmZmZmZmYiIHN0eWxlPSJCQUNL
JH R1JPVU5ELUNPTE9SOiAjZmZmZmZmIiBTSVpFPTUgUFRTSVpFPTE4IEZBTUlMWT0iU0FOU1NF
JH UklGIiBGQUNFPSJBcmlhbCIgTEFORz0iMCI+PEJSPg0KPC9GT05UPjxGT05UICBDT0xPUj0i
JH I2ZmMDAwMCIgQkFDSz0iI2ZmZmZmZiIgc3R5bGU9IkJBQ0tHUk9VTkQtQ09MT1I6ICNmZmZm
JH ZmYiIFNJWkU9NyBQVFNJWkU9MzYgRkFNSUxZPSJTQU5TU0VSSUYiIEZBQ0U9IkFyaWFsIiBM
JH QU5HPSIwIj48Qj5MaW1pdGVkIFRpbWUgT2ZmZXI8L0ZPTlQ+PEZPTlQgIENPTE9SPSIjMDAw
JH

Re: [Declude.JunkMail] With new release this git through

[Eje Gustafsson]

Thanks. I guess that is what you get for not following a threat to
closely. =)

Back to my Christmas drinks =)

Cheers and Merry Christmas.

- Eje

 My understanding is that Outlook Express can't filter based on
 headers...

SW Joe's talking about the HEADER action, which isn't inserting an RFC822
SW header,  but  a  header  before  the  original  body  (closer  to word
SW processing terminology).

SW John's  answer  is spot-on: if the body is Base64, then ALL of it must
SW be decoded by the client, even if some of it is plain-text to a human.

SW -Sandy

SW ---
SW [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

SW ---
SW This E-mail came from the Declude.JunkMail mailing list.  To
SW unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
SW type unsubscribe Declude.JunkMail.  The archives can be found
SW at http://www.mail-archive.com.
SW ---
SW [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] With new release this git through

[Eje Gustafsson]

blah and I can't type right either. THREAD not threaT doh..

EG Thanks. I guess that is what you get for not following a threat to
EG closely. =)

EG Back to my Christmas drinks =)

EG Cheers and Merry Christmas.

EG - Eje

 My understanding is that Outlook Express can't filter based on
 headers...

SW Joe's talking about the HEADER action, which isn't inserting an RFC822
SW header,  but  a  header  before  the  original  body  (closer  to word
SW processing terminology).

SW John's  answer  is spot-on: if the body is Base64, then ALL of it must
SW be decoded by the client, even if some of it is plain-text to a human.

SW -Sandy

SW ---
SW [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

SW ---
SW This E-mail came from the Declude.JunkMail mailing list.  To
SW unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
SW type unsubscribe Declude.JunkMail.  The archives can be found
SW at http://www.mail-archive.com.
SW ---
SW [This E-mail scanned for viruses by Declude Virus]

EG ---
EG [This E-mail scanned for viruses by Declude Virus]

EG ---
EG [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

EG ---
EG This E-mail came from the Declude.JunkMail mailing list.  To
EG unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
EG type unsubscribe Declude.JunkMail.  The archives can be found
EG at http://www.mail-archive.com.
EG ---
EG [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Chinanet

[Eje Gustafsson]

Anyone knows of any spam list that got chinanet.cn.net ips blocked ?

Like for example the different blackholes.us lists that block china,
Argentina etc

Their damn spam keep coming through and I keep block it but they
always surface from different IP.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
--
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
 - Your Full Time Professionals -
eBay UserID : macahan

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] FrontPage form to email SPAMHEADERS

[Eje Gustafsson]

Hello William,

Imail automatically inserts missing Message-ID: headers.
Since Declude scans the e-mail before Imail put in that header you
will then get that positive but when you look at it Imail have fixed
it. Unfortunately your only way to truely fix this is to edit all
webforms to inject the Message-ID: in the headers or I guess you could
whitelist the local machine that way it will not give this warning and
if it sends to outside e-mail address then Imail will have fixed the
header for you.

If you fix it then when you fixed the Message-ID: you will have then
you will more then likely have to fix missing Date: header (which
Imail also fixes if it's missing but Declude will complain since it's
happens before Imail fixes it)

Best regards,
 Eje Gustafsson   mailto:MacAhan;fament.com
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
 - Your Full Time Professionals -
eBay UserID : macahan
--

WBc How do you get FrontPage form to email to add the Message-ID: header.

WBc I have Windows 2000 SP3 IIS server. When a user fills out a guest book
WBc the FrontPage form emails the results through Imail. All software is on
WBc the same server. Declude fails the message on SPAMHEADERS.

WBc The failed test indicates the Message-ID: is missing from the header.
WBc When it arrives the email does have the Message-ID: but Declude says
WBc Imail added it.

WBc I hope it does not involve editing ever web page on my site that uses
WBc form to email, because that a lot of them.




WBc Sincerely,
WBc  
WBc William J. Baumbach II  [EMAIL PROTECTED]
WBc 9975 Pennsylvania Ave. Manassas, Va. 20110-2028
WBc Ph: 703-273-4400 ext:1708 Fax: 703-691-0946
WBc -




WBc ---
WBc [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

WBc ---
WBc This E-mail came from the Declude.JunkMail mailing list.  To
WBc unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
WBc type unsubscribe Declude.JunkMail.  The archives can be found
WBc at http://www.mail-archive.com.
WBc ---
WBc [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.JunkMail] BASE64 problem!?

[Eje Gustafsson]

Actually you can see even more then that..

File-Details  (or right click on the message in the inbox)
Click on the details tab and hit the message source button. Now you
have the entire e-mail source to read (or copy and paste to submit to
spamcop ;P )

/ Eje

Friday, September 27, 2002, 5:33:41 PM, you wrote:

ST You can actually view the header in Outlook.  You just right click the
ST message in your inbox and then select options.  At the bottom of the options
ST window is all the header information.  (At least most of it)

ST Shane Thoney

ST -Original Message-
ST From: Joshua Levitsky [mailto:[EMAIL PROTECTED]] 
ST Sent: Friday, September 27, 2002 12:45 PM
ST To: [EMAIL PROTECTED]
ST Subject: Re: [Declude.JunkMail] BASE64 problem!?

ST - Original Message -
ST From: R. Scott Perry [EMAIL PROTECTED]
ST To: [EMAIL PROTECTED]
ST Sent: Friday, September 27, 2002 2:43 PM
ST Subject: RE: [Declude.JunkMail] BASE64 problem!?


 OE lets you see the raw E-mail, including the encoding?  I didn't realize
ST that.

ST Just right click on the email and pick properties and then on the Details
ST tab there is a button that says Message Source. It is the raw message if you
ST click on that.

ST --
ST Joshua Levitsky, MCSE, MCSA, CISSP, EMTD, MCP+I, MCP
ST Desktop Systems Engineer
ST AOL Time Warner

ST ---
ST [This E-mail was scanned for viruses by Declude Virus
ST (http://www.declude.com)]

ST ---
ST This E-mail came from the Declude.JunkMail mailing list.  To
ST unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
ST type unsubscribe Declude.JunkMail.  The archives can be found
ST at http://www.mail-archive.com.
ST ---
ST [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

ST ---
ST This E-mail came from the Declude.JunkMail mailing list.  To
ST unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
ST type unsubscribe Declude.JunkMail.  The archives can be found
ST at http://www.mail-archive.com.
ST ---
ST [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Date Header wrong - REALLY?

[Eje Gustafsson]

My guess is that it didn't have any date header.
Imail automatically adds a Date header if it is missing.

/Eje

Wednesday, September 18, 2002, 5:02:44 PM, you wrote:

AS Scott-

AS why do I get  http://www.declude.com/tools/header.php?code=c020020c for
AS this:


AS Received: from mta541.mail.yahoo.com [216.136.131.23] by hm-software.com
AS   (SMTPD32-7.07) id A0461AEF00BE; Wed, 18 Sep 2002 17:29:42 -0400
AS From: [EMAIL PROTECTED]
AS To: [EMAIL PROTECTED]
AS X-Loop: [EMAIL PROTECTED]
AS Subject: SPAM: [See Headers]  Delivery failure
AS Message-Id: [EMAIL PROTECTED]
AS X-Declude-Note: This E-mail was sent from a broken mail client [c020020c].
AS See: http://www.declude.com/tools/header.php?code=c020020c
AS X-RBL-Warning: This E-mail has headers consistent with spam [c020020c]. See:
AS http://www.declude.com/tools/header.php?code=c020020c
AS X-Declude: Version 1.60; Df0461aef00be8b36.SMD from mta541.mail.yahoo.com
AS [216.136.131.23]
AS X-Declude: Failed BADHEADERS, SPAMHEADERS, WEIGHT8 [8]
AS Return-Path: 
AS Date: Wed, 18 Sep 2002 17:29:49 -0400
AS X-RCPT-TO: [EMAIL PROTECTED]
AS Status: U
AS X-UIDL: 896287752

AS Message from yahoo.de.
AS Unable to deliver message to the following address(es).

AS [EMAIL PROTECTED]:
AS This user doesn't have a yahoo.de account ([EMAIL PROTECTED])

AS [EMAIL PROTECTED]:
AS This user doesn't have a yahoo.de account ([EMAIL PROTECTED])

AS ---
AS [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

AS ---
AS This E-mail came from the Declude.JunkMail mailing list.  To
AS unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
AS type unsubscribe Declude.JunkMail.  The archives can be found
AS at http://www.mail-archive.com.
AS ---
AS [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

[Eje Gustafsson]

roflmao..


Lovely I love it!!

Tuesday, September 17, 2002, 10:47:34 AM, you wrote:

ADG Craig,

ADG I have two paid hotmail accounts. The one for my 5-year old daughter (it's
ADG really a test account for spam-filtering) did not get checked. My other
ADG account for Elmer Fudd strangely had a birthyear of 1900 and they were
ADG checked.

ADG I thought that when I set these up I said no sharing. Does anyone know how
ADG old these boxes are?

ADG You all might enjoy playing our new anti-s*pam game (see sig). Just launced
ADG today.

ADG Alexis
ADG ---
ADG Alexis D. Gutzman, Managing Editor, Reports
ADG MarketingSherpa's Knowledge Store
ADG http://torturegame4.emailsherpa.com = Play Torture a S^pammer online game

ADG - Original Message -
ADG From: Craig Gittens [EMAIL PROTECTED]
ADG To: [EMAIL PROTECTED]
ADG Sent: Tuesday, September 17, 2002 8:59 AM
ADG Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail


 Sorry, just getting around to reading my 700 or so unread messages. Anyone
 notice Hotmail put in a few new options a while ago and enabled them for
 everyone? Click on the options link and choose Personal Profile and scoll
ADG to
 the bottom. You will notice that the two options to 1) Share my email
 address and 2) Share my other registration information are checked.

 Craig.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Tom
 Sent: Monday, September 16, 2002 5:21 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail


 By OREN ETZIONI of the NY TIMES
 ---

 A few days ago I created a new e-mail account, and within 24 hours I had
 received over 25 unsolicited commercial e-mail messages, otherwise known
ADG as
 spam. Even though I'm a professor of computer science, I, like so many
 others, have failed to protect myself from this daily nuisance. So I
ADG welcome
 t

 ---
 [This E-mail was scanned for viruses by Declude Virus
ADG (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


ADG ---
ADG [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

ADG ---
ADG This E-mail came from the Declude.JunkMail mailing list.  To
ADG unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
ADG type unsubscribe Declude.JunkMail.  The archives can be found
ADG at http://www.mail-archive.com.
ADG ---
ADG [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

[Eje Gustafsson]

Dear Kami,


Tuesday, September 17, 2002, 11:36:09 AM, you wrote:

KR Some thoughts ... What I have seen happening to us..

KR [1] What do you blacklist?  I think that only the IP address of the
KR sender could be safely blacklisted.

KR --- If I do IP then it has to be a temp file so lets say for 24 hours
KR that IP can not send email.  Because we sure don't want to blacklist a
KR temporary open relay.  These folks do not send email using their servers
KR but they always use open relays.  Also majority of times 

That is a sound approach.

KR [2] What happens if someone finds the address and uses it maliciously?

KR --- how?  I don't understand how an email can be used maliciously...
KR They can only send email to it and to an address where they have no
KR business of sending.

If you block based on email then your bound to even if you only do
24 hour blocks block hotmail, yahoo, netscape and eudoramail
constantly because a lot of spammers spoof those addresses.
So not a sound approach there.

KR [3] The spammer may have already sent a lot of spam before they send to
KR this address.

KR --- TRUE but a great chance also exists that it is the beginning of the
KR list or the middle.  What I see in the addresses that are sent they
KR typically are alphabetically sorted.  So may be an address like
KR AADoe@... Would put it on top of the list.  But regardless it is a first
KR attempt.  If nothing is gained, I feel nothing is lost either but if it
KR is used in their SPAM list then we have gained a lot.  I just can't see
KR us losing anything.  In the game of Pros  Cons our loss is a lot less
KR than our potential gain.

Yes you would have to make sure it's among the first possible hits.

/ Eje


KR -Original Message-
KR From: [EMAIL PROTECTED]
KR [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
KR Sent: Tuesday, September 17, 2002 11:45 AM
KR To: [EMAIL PROTECTED]
KR Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail



An address that we can use in Declude so any e-mail that is sent to 
that address is automatically added to a blacklist address for 
background deletion.

KR This is something that we have been considering.

KR A couple of thoughts, though:

KR [1] What do you blacklist?  I think that only the IP address of the
KR sender 
KR could be safely blacklisted.

KR [2] What happens if someone finds the address and uses it maliciously?

KR [3] The spammer may have already sent a lot of spam before they send to 
KR this address.
KR  -Scott

KR ---
KR [This E-mail was scanned for viruses by Declude Virus
KR (http://www.declude.com)]

KR ---
KR This E-mail came from the Declude.JunkMail mailing list.  To
KR unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
KR unsubscribe Declude.JunkMail.  The archives can be found at
KR http://www.mail-archive.com.


KR ---
KR [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

KR ---
KR This E-mail came from the Declude.JunkMail mailing list.  To
KR unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
KR type unsubscribe Declude.JunkMail.  The archives can be found
KR at http://www.mail-archive.com.
KR ---
KR [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Paypal scammer

[Eje Gustafsson]

Just want to warn and suggest people might consider putting up manual
blocks. Last few days I gotten a few supposedly Urgent Paypal account
update notices. However this is NOT coming from PayPal network.
They want you to login and update your account info because supposedly
a server of paypals caused corruption. Their is a link posted in this
html message that looks like it points to paypal.com's login page
HOWEVER the link in the html code points to 
http://www.paypalsys.com/cgibin/webscr/?cmd=_login-run
not the additional SYS in the domain name.
Also when you look at the headers of the e-mail it comes from
ehost.com and this site IS listed with spews.
http://spews.org/html/S1519.html

What scares me the most is now I gotten this e-mail to THREE of my
e-mail addresses on file with paypal. They have been spread out over
the last 2 days.

And they try to sweeten the deal and really get the customer to go
and login by claiming

Because of the inconvenience this causes we are giving all users that
repair their missing data their next two incoming transfers for free!
You will pay no fees for your next two incoming transfers*


Received: from eweb16.ehost.com [65.212.149.23] by imail.fament.com with ESMTP
  (SMTPD32-7.12) id A50A19BC00C6; Wed, 11 Sep 2002 22:07:54 -0500
Received: (from nobody@localhost)
by eweb16.ehost.com (8.11.2/8.11.2) id g8C34bJ28468;
Wed, 11 Sep 2002 20:04:37 -0700
Date: Wed, 11 Sep 2002 20:04:37 -0700
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: URGENT: PayPal Account Update

is part of the headers.

Do your clients and customers a favour block this person from the look
of it this scum bag (pardon my language but this is the works of a con
artists that seems to been around for a longer time).

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.JunkMail] Spammer tools - why do these sites exist

[Eje Gustafsson]

 PROTECTED]
JT 8593 Mentor Road
JT Mentor, OH 44060
JT US
JT 440-205-9140



JT  Registrar of Record: TUCOWS, INC.
JT  Record last updated on 16-Aug-2002.
JT  Record expires on 29-Jan-2003.
JT  Record Created on 29-Jan-2002.

JT  Domain servers in listed order:
JT NS1.1800THENERD.NET   64.214.111.123
JT WARHOL.AMERISERV.NET   216.82.64.10

JT IP whois look up for www.marketmenow.com:

JT OrgName:Fidelity Access Networks 
JT OrgID:  FAIN

JT NetRange:   66.94.64.0 - 66.94.95.255 
JT CIDR:   66.94.64.0/19 
JT NetName:FIDELITY-001
JT NetHandle:  NET-66-94-64-0-1
JT Parent: NET-66-0-0-0-0
JT NetType:Direct Allocation
JT NameServer: DNS-1.FIDELITYACCESS.NET
JT NameServer: MAIL-1.FIDELITYACCESS.NET
JT Comment:
JT RegDate:2002-07-03
JT Updated:2002-08-12

JT TechHandle: RM1764-ARIN
JT TechName:   Marks, Robert 
JT TechPhone:  +1-216-595-0866
JT TechEmail:  [EMAIL PROTECTED]



JT John Tolmachoff
JT IT Manager, Network Engineer
JT RelianceSoft, Inc.
JT Fullerton, CA  92835
JT www.reliancesoft.com


JT ---
JT [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

JT ---
JT This E-mail came from the Declude.JunkMail mailing list.  To
JT unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
JT type unsubscribe Declude.JunkMail.  The archives can be found
JT at http://www.mail-archive.com.
JT ---
JT [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Please someone tell me it's friday..

[Eje Gustafsson]

Just found this e-mail in Spam Review.. Check out the subject..
almost made me fall out of the chair laughing.

/ Eje

Received: from opt-in-email-4-sale.com [65.245.26.62] by imail.fament.com
  (SMTPD32-7.07) id A4B854A011E; Sun, 04 Aug 2002 22:44:56 -0500
From: Fred [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Stop Spam  AND Get paid!
Sender: Fred [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 4 Aug 2002 22:40:49 -0500
Reply-To: Fred [EMAIL PROTECTED]
Content-Transfer-Encoding: 8bit
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?65.245.26.62
X-RBL-Warning: REVDNS: This E-mail was sent from a mail server 65.245.26.62 with no 
reverse DNS entry.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-RBL-Warning: WEIGHT10: Weight of 24 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [65.245.26.62]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Note: This E-mail was sent from [No Reverse DNS] ([65.245.26.62]).
X-Tests-Failed: SPAMCOP, REVDNS, SPAMHEADERS, WEIGHT10, WEIGHT20.
X-Note: Total spam weight of this E-mail is 24.

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] What Action Do you take?

[Eje Gustafsson]

I used bounce but got so many return bounces due to the poor
bouncing option Imail offer Declude.
We block a good 3-5k messages each day out of 8-10k total.
So many spammers use fake addresses or get their service
disconnected/discontinued or simply get their mailboxes full that
there will be a LOT of bounces for your postmaster acct.
Depending on your total mail volume and volume of spam out of it
it might or might not be ok for you.
Can only say test and see but if you have a LOT of mail getting
delivered be ready to switch from bounce to hold very quickly.

/ Eje

Friday, August 2, 2002, 2:50:56 PM, you wrote:

DL I am sure most people use the weighting system.  For the most part you
DL have certain weights were you know that 99% of the mail triggering that
DL weight is spam.  

DL Do you BOUNCE, HOLD, Or DELETE?  Right now I am using HOLD, but was
DL considering switching that to BOUNCE.  There are defiantly some pro's
DL and con's to both.

DL Any thoughts.

DL Darrell 

DL ---
DL [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

DL ---
DL This E-mail came from the Declude.JunkMail mailing list.  To
DL unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DL type unsubscribe Declude.JunkMail.  The archives can be found
DL at http://www.mail-archive.com.
DL ---
DL [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[2]: [Declude.JunkMail] Whitelist Not Working What Am I doing wrong

[Eje Gustafsson]

Yes

Monday, July 29, 2002, 3:51:24 PM, you wrote:

DL Scott,

DL In the new version is it even able to more refined subnets like 

DL 1.1.1.16/28?

DL Darrell

DL -Original Message-
DL From: [EMAIL PROTECTED]
DL [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
DL Sent: Monday, July 29, 2002 4:41 PM
DL To: [EMAIL PROTECTED]
DL Subject: Re: [Declude.JunkMail] Whitelist Not Working What Am I doing
DL wrong


I add the following line to my global.cfg file

WHITELIST IP 66.54.32.*

However, messages from the 66.54.32.* subnet are not being WhiteListed.
What am I doing wrong?

DL That's because Declude JunkMail doesn't understand what the * means.

DL You can either use WHITELIST IP 66.54.32., or with the most recent 
DL version, you can use WHITELIST IP 66.54.32.0/24.
DL -Scott

DL ---
DL [This E-mail was scanned for viruses by Declude Virus
DL (http://www.declude.com)]

DL ---

DL This E-mail came from the Declude.JunkMail mailing list.  To
DL unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DL type unsubscribe Declude.JunkMail.  You can E-mail
DL [EMAIL PROTECTED] for assistance.  You can visit our web
DL site at http://www.declude.com .

DL ---
DL [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

DL ---

DL This E-mail came from the Declude.JunkMail mailing list.  To
DL unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DL type unsubscribe Declude.JunkMail.  You can E-mail
DL [EMAIL PROTECTED] for assistance.  You can visit our web
DL site at http://www.declude.com .
DL ---
DL [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: OSSRC:RE: BLARSBL:Re: [Declude.JunkMail] problem with spamreview software

[Eje Gustafsson]

Dear Robert,
Not sure about his e-mail but on his spamreview homepage there is a
paypal donation link/button. Just hit that one and send your money
through paypal that way.

http://www.slsoft.com/spamreview.htm


Thursday, July 25, 2002, 8:28:39 AM, you wrote:

RH Does he take PayPal? If so, what is his email?

RH Rob

Just a reminder guys.. Don't forget to make a donation to the
programer at slsoft.com for this wounderful tool that SpamReview is.
If you haven't donated then if something isn't working to your liking
you have no right to bitch IMO.


RH ---
RH [This E-mail scanned for viruses by Declude Virus]

RH ---
RH [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RH ---

RH This E-mail came from the Declude.JunkMail mailing list.  To
RH unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RH type unsubscribe Declude.JunkMail.  You can E-mail
RH [EMAIL PROTECTED] for assistance.  You can visit our web
RH site at http://www.declude.com .
RH ---
RH [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] problem with spamreview software

[Eje Gustafsson]

I had no problem with .39 to do that as I recall. Did the check the programs
update a while back and ended up with .40 which works just fine
(tested it just now)


Wednesday, July 24, 2002, 4:05:03 PM, you wrote:

EC Is anyone having a problem with the latest version (1.0.39) of spamreview
EC not writing to the kill.lst file?
EC Tried local and mapped drives, file permissions etc. without success.
EC I have an older version (1.0.12) that does write to the kill.lst file.

EC I've also emailed the author of the program.

EC Thanks,

EC Eddie Cornejo, Sys Admin
EC Tom Rowe  Associates
EC 956-412-6600 Ext.10
EC Toll Free USA 888-866-7693
EC Toll Free Canada 877-866-7693
EC http://www.tomrowe.com

EC ---
EC [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

EC ---

EC This E-mail came from the Declude.JunkMail mailing list.  To
EC unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
EC type unsubscribe Declude.JunkMail.  You can E-mail
EC [EMAIL PROTECTED] for assistance.  You can visit our web
EC site at http://www.declude.com .
EC ---
EC [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: BLARSBL:Re: [Declude.JunkMail] problem with spamreview software

[Eje Gustafsson]

Hello Roger,

Just a reminder guys.. Don't forget to make a donation to the
programer at slsoft.com for this wounderful tool that SpamReview is.
If you haven't donated then if something isn't working to your liking
you have no right to bitch IMO.

I personally did a donation a couple of months ago. Now after updating
to .44 I see it's time to do another donation because he added a
couple of things that I asked for. =)
A great time saving tool. Well worth a donation.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
 - Your Full Time Professionals -
eBay UserID : macahan

RH Reply to: Eddie Cornejo
RH   Re: BLARSBL:Re: [Declude.JunkMail] problem with spamreview software on 
Wednesday 6:01:50 PM

RH I  have furnished some files to him to fix this and got fixes the
RH same  day.  It  is  an indispensable piece of sofware. Don't know
RH what  I  would  do  without it. Hope to see fixes on the kill.lst
RH That is the only problem I am experiencing at this time.

RH --
RH Roger Heath
RH [EMAIL PROTECTED]
RH www.rleeheath.com


RH - Copy of Original Message(s): -

E Roger,

E I've come to the conclusion that the spamreview software is choking on my
E spool files.
E I installed the software on three different machines with the same results
E (2k server, 2k pro, and win98).
E I am sending the author a sample of my spool files for testing.

E If anyone on this list wants to give it a try, please email me directly.

E mailto:[EMAIL PROTECTED]

E Eddie Cornejo, Sys Admin
E Tom Rowe  Associates
E 956-412-6600 Ext.10
E Toll Free USA 888-866-7693
E Toll Free Canada 877-866-7693
E http://www.tomrowe.com



E -Original Message-
E From: [EMAIL PROTECTED]
E [mailto:[EMAIL PROTECTED]]On Behalf Of Roger Heath
E Sent: Wednesday, July 24, 2002 5:10 PM
E To: Eddie Cornejo
E Subject: BLARSBL:Re: [Declude.JunkMail] problem with spamreview software


E Reply to: Eddie Cornejo
E   Re: [Declude.JunkMail] problem with spamreview software on Wednesday
E 4:05:03 PM

E We  have  reported  this  for several months now and it has never
E been  fixed  because  it  is  working for the author. We know the
E paths  are  correct as we can load the kill.lst from the menu. It
E keeps  putting  carriage  returns  at  the end of the file but no
E addresses or domains... NT4SP6A. You are not alone. g

E --
E Roger Heath
E [EMAIL PROTECTED]
E www.rleeheath.com


E - Copy of Original Message(s): -

E Is anyone having a problem with the latest version (1.0.39) of spamreview
E not writing to the kill.lst file?
E Tried local and mapped drives, file permissions etc. without success.
E I have an older version (1.0.12) that does write to the kill.lst file.

E I've also emailed the author of the program.

E Thanks,

E Eddie Cornejo, Sys Admin
E Tom Rowe  Associates
E 956-412-6600 Ext.10
E Toll Free USA 888-866-7693
E Toll Free Canada 877-866-7693
E http://www.tomrowe.com

E ---
E [This E-mail was scanned for viruses by Declude Virus
E (http://www.declude.com)]

E ---

E This E-mail came from the Declude.JunkMail mailing list.  To
E unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
E type unsubscribe Declude.JunkMail.  You can E-mail
E [EMAIL PROTECTED] for assistance.  You can visit our web
E site at http://www.declude.com .
E --
E ActivatorMail(tm) ver.061902 Scanned for all viruses by
E www.activatormail.com intelligent anti-virus anti-spam service

E --
E ActivatorMail(tm) ver.061902 Scanned for all viruses by
E www.activatormail.com intelligent anti-virus anti-spam service

E ---
E [This E-mail was scanned for viruses by Declude Virus
E (http://www.declude.com)]

E ---

E This E-mail came from the Declude.JunkMail mailing list.  To
E unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
E type unsubscribe Declude.JunkMail.  You can E-mail
E [EMAIL PROTECTED] for assistance.  You can visit our web
E site at http://www.declude.com .

E ---
E [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

E ---

E This E-mail came from the Declude.JunkMail mailing list.  To
E unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
E type unsubscribe Declude.JunkMail.  You can E-mail
E [EMAIL PROTECTED] for assistance.  You can visit our web
E site at http://www.declude.com .
E --
E ActivatorMail(tm) ver.061902 Scanned for all viruses by 
E www.activatormail.com intelligent anti-virus anti-spam service

RH --
RH ActivatorMail(tm) ver.061902 Scanned for all viruses by 
RH www.activatormail.com intelligent anti-virus anti-spam service

RH ---
RH [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RH ---

RH This E-mail came from the Declude.JunkMail mailing list.  To
RH unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RH type unsubscribe Declude.JunkMail.  You can E-mail
RH [EMAIL PROTECTED] for assistance

[Declude.JunkMail] weight of 63 passed ??

[Eje Gustafsson]

Strangeness. I'm curious how this message manage to get through and be
delivered. I have weight20 set to hold and weight30 to delete. This
message made weight63. The address it was delievered to is granted
located on a unix box but the messages get relayed through imail and
obviously declude processed and tagged this message but it got
delivered anyways. (below the message is excerp from my declude log)

Return-Path: [EMAIL PROTECTED]
Received: from imail.fament.com (imail.fament.com [208.189.26.51])
by unicorn.fament.com (8.11.6/8.11.0) with ESMTP id g6FDFf125937
for [EMAIL PROTECTED]; Mon, 15 Jul 2002 08:15:42 -0500
Received: from SPHINX.ftf.sn [213.154.76.114] by imail.fament.com with ESMTP
  (SMTPD32-7.07) id ABA29C500FE; Mon, 15 Jul 2002 08:18:26 -0500
Received: from smtp0210.mail.yahoo.com ([213.96.125.231]) by SPHINX.ftf.sn with
Microsoft SMTPSVC(5.0.2195.2966);
 Mon, 15 Jul 2002 11:58:12 +
Date: Mon, 15 Jul 2002 07:54:45 -0400
From: Virginia Doub[EMAIL PROTECTED]
X-Priority: 3
To: [EMAIL PROTECTED]
Subject:Free Online Payment Account - Plus a $5.00 Sign Up Bonus
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 15 Jul 2002 11:58:22.0356 (UTC) FILETIME=[EAF35540:01C22BF6]
X-RBL-Warning: OSRELAY: This entry was last confirmed open on 4/19/2002
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?213.96.125.231
X-RBL-Warning: NOABUSE: Not supporting abuse@domain
X-RBL-Warning: NOPOSTMASTER: Not supporting postmaster@domain
X-RBL-Warning: REVDNS: This E-mail was sent from a mail server 213.154.76.114 with no
reverse DNS entry.
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000100f].
X-RBL-Warning: WEIGHT10: Weight of 63 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [213.154.76.114]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
Status:



07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed OSRELAY (This entry was last 
confirmed open on 4/19/2002).
07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed SPAMCOP (Blocked - see 
http://spamcop.net/bl.shtml?213.96.125.231).
07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed NOABUSE (Not supporting abuse@domain).
07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed NOPOSTMASTER (Not supporting 
postmaster@domain).
07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed REVDNS (This E-mail was sent from a 
mail server 213.154.76.114 with no reverse DNS entry.).
07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed SPAMHEADERS (This E-mail has headers 
consistent with spam [4000100f].).
07/15/2002 08:19:29 Qcba209c500fe07cb Msg failed WEIGHT10 (Weight of 63 reaches or 
exceeds the limit of 10.).

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.JunkMail] nice disclaimer

[Eje Gustafsson]

Now how is this for a disclaimer for junkmails ? (sender and receiver
of the e-mails are local mailboxes).


  This email was sent to you via Saf-E Mail Systems.  Your email address was 
automatically inserted into
  the To and From addresses to eliminate undeliverables which waste bandwidth and 
cause internet 
  congestion. Your email or webserver IS NOT being used for the sending of this 
mail. No-one else is 
  receiving emails from your address. You may utilize the removal link below if 
you do not wish to receive 
  this mailing.   Please Remove Me   Saf-E Mail Systems, PO Box 116-3015 San 
Rafael de Heredia, CR  
 011-506-267-7139

I hate spammers..

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re[2]: [Declude.JunkMail] nice disclaimer

[Eje Gustafsson]

Nod. I added a word filter rule which will cause my hold filter to get
triggered even if the mail passes all other tests. One thing to note
is that the sender is using $domain in their HELO.
However I get a bunch of these messages coming through our Webshield
server which don't record headers correctly :(

Wednesday, July 03, 2002, 10:33:13 AM, you wrote:

RD I thought that was cute to, I now filter and hold on Saf-E Mail Systems

RD Have a great day!
RD Rick Davidson
RD Buckeye Internet Services
RD www.buckeyeweb.com
RD 440-953-1900
RD -
RD - Original Message -
RD From: Eje Gustafsson [EMAIL PROTECTED]
RD To: [EMAIL PROTECTED]
RD Sent: Wednesday, July 03, 2002 11:16 AM
RD Subject: [Declude.JunkMail] nice disclaimer


 Now how is this for a disclaimer for junkmails ? (sender and receiver
 of the e-mails are local mailboxes).


   This email was sent to you via Saf-E Mail Systems.  Your email
RD address was automatically inserted into
   the To and From addresses to eliminate undeliverables which waste
RD bandwidth and cause internet
   congestion. Your email or webserver IS NOT being used for the
RD sending of this mail. No-one else is
   receiving emails from your address. You may utilize the removal link
RD below if you do not wish to receive
   this mailing.   Please Remove Me   Saf-E Mail Systems, PO Box
RD 116-3015 San Rafael de Heredia, CR
  011-506-267-7139

 I hate spammers..

 Best regards,
  Eje Gustafsson   mailto:[EMAIL PROTECTED]
 ---
 The Family Entertainment Network  http://www.fament.com
 Phone : 620-231-  Fax   : 620-231-4066
 eBay UserID : macahan
   - Your Full Time Professionals -

 ---
 [This E-mail scanned for viruses by Declude Virus]

 ---
 [This E-mail was scanned for viruses by Declude Virus
RD (http://www.declude.com)]

 ---

 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  You can E-mail
 [EMAIL PROTECTED] for assistance.  You can visit our web
 site at http://www.declude.com .


RD ---
RD [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RD ---

RD This E-mail came from the Declude.JunkMail mailing list.  To
RD unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RD type unsubscribe Declude.JunkMail.  You can E-mail
RD [EMAIL PROTECTED] for assistance.  You can visit our web
RD site at http://www.declude.com .
RD ---
RD [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

IPWHOIS:Re[2]: Is there a feature list for the JunkMail beta? Fw: [Declude.JunkMail] New filter test

[Eje Gustafsson]

 ---
RD [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

IPWHOIS:Re[2]: [Declude.JunkMail] My Word Filtering File

[Eje Gustafsson]

Dear Glenn,
A question here on the word filter.
Say if I have
BODY 5 CONTAINS viagra
in my word filter text if the message contains the word viagra 5 times
in it will it get an total weight of 25 due to word filter or will it
just get a weight of 5 ?
If the prior then people should be VERY careful to use single words in
the filter file.
Because a nasty joke could have say the words viagra in it 5 times.

Seems like I quickly got a LOT of hits on the wordlist so changed my
WEIGHT30 DELETE to WIEGHT30 HELD for now. Had one that hit a word
filter of 50. But that message also hit my senderblacklist, orbd and
spamcop so wasn't to worried about that one.

Thursday, June 27, 2002, 15:39:56 PM, you wrote:

GW Rick, would you mind providing the details of your tests and weights?  I tried 
HOLDING on weight30 for a couple days, reviewing with SpamReview to see what comes 
through.  It was around 8000 per
GW day.  None were legit, so I'm deleting those now.  On Weight20 I get between 
20,000 and 26,000 per day.  T many to screen to determine if blind-deleting is 
safe, so it's up to the users to do
GW what they want with them.  I also have Weight10 and Weight14.  I've had a handful 
of false-positives at 14, and quite a lot at 10.

GW I'm thinking of trying a weight25 and HOLDing those for a couple days to check for 
false-positive, then maybe auto-deleting on that instead of 30.

GW Glenn Z.
GW   - Original Message - 
GW   From: Rick Davidson 
GW   To: [EMAIL PROTECTED] 
GW   Sent: Thursday, June 27, 2002 2:51 PM
GW   Subject: Re: [Declude.JunkMail] My Word Filtering File


GW   just wanted to add that we hold at a weight of 14 and have virtually no
GW   false positives

GW   Have a great day!
GW   Rick Davidson
GW   Buckeye Internet Services
GW   www.buckeyeweb.com
GW   440-953-1900
GW   -
GW   - Original Message -
GW   From: Rick Davidson [EMAIL PROTECTED]
GW   To: [EMAIL PROTECTED]
GW   Sent: Thursday, June 27, 2002 3:48 PM
GW   Subject: [Declude.JunkMail] My Word Filtering File


GWhere is my word filter file, sorry I had to zip it or it wouldnt have made
GWit :-]
GW   
GWIts amazing how effective the phrase filter is when targeting their SPAM
GWexcuses...
GW   
GWHave a great day!
GWRick Davidson
GWBuckeye Internet Services
GWwww.buckeyeweb.com
GW440-953-1900
GW-
GW   

GW   ---
GW   [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

GW   ---

GW   This E-mail came from the Declude.JunkMail mailing list.  To
GW   unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
GW   type unsubscribe Declude.JunkMail.  You can E-mail
GW   [EMAIL PROTECTED] for assistance.  You can visit our web
GW   site at http://www.declude.com .





Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

IPWHOIS:Re[2]: [Declude.JunkMail] My Word Filtering File

[Eje Gustafsson]

Thank you.
Then I can safetly turn back on my delete but for now until I got a
good set of word filters that I can sleep good with I think I will put
the delete on WEIGHT40 and hold the WEIGHT30 for now.

Thursday, June 27, 2002, 16:10:05 PM, you wrote:


A question here on the word filter.
Say if I have
BODY 5 CONTAINS viagra
in my word filter text if the message contains the word viagra 5 times
in it will it get an total weight of 25 due to word filter or will it
just get a weight of 5 ?

RSP No.  Only the first instance will be counted.
RSP -Scott

RSP ---
RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RSP ---

RSP This E-mail came from the Declude.JunkMail mailing list.  To
RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RSP type unsubscribe Declude.JunkMail.  You can E-mail
RSP [EMAIL PROTECTED] for assistance.  You can visit our web
RSP site at http://www.declude.com .
RSP ---
RSP [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.JunkMail] IPWHOIS:More McAfee spam

[Eje Gustafsson]

Now their spam starts to get very annoying. I know they are really an
opt-in/subscribtion list but gosh darn it I have no idea what they
done but they must changed spam err mail engine and new one is very
RFC incompliant so getting stuck. But I guess one can not expect
anything better from a company who's SMTP gateway (SMTP WebShield)
software is RFC incompliant and they show no interest in fixing this issue.


Received: from mcafee.com [216.49.93.46] by imail.fament.com
  (SMTPD32-7.07) id AE0010E800F4; Tue, 25 Jun 2002 21:59:12 -0500
X-Mailer: UnityMail
Originator: mesd_ex_1_text_list@MESD_ex_1
Errors-To: mesd_ex_1_text_list@MESD_ex_1
X-UnityID: [EMAIL PROTECTED]@UNITY4.mcafee.com
X-UnityUser: McAfee
X-Mailer-Version: 5.1.182
Reply-To: McAfee.com Store [EMAIL PROTECTED]
From: McAfee.com Store [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: Get a $10 certificate good at Amazon.com with VirusScan 6.0
Date: Tue, 25 Jun 2002 19:55:22 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Thread-Index: AcIcvOoKX4KhLOXsTPuO6XqEVhEJxw==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-RBL-Warning: WEIGHT10: Weight of 22 reaches or exceeds the limit of 10.
X-RBL-Warning: HEUR10: Heuristic spam detection level 10 [1.00]
X-Declude-Sender: mesd_ex_1_text_list.UM.A.143.10@MESD_ex_1 [216.49.93.46]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Note: This E-mail was sent from unity8.mcafee.com. ([216.49.93.46]).
X-Tests-Failed: MAILFROM, SPAMHEADERS, WEIGHT10, WEIGHT20, HEUR10.
X-Note: Total spam weight of this E-mail is 22.

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

IPWHOIS:Re[2]: [Declude.JunkMail] Coldfusion Declude front end?

[Eje Gustafsson]

I would love to get a copy of you registry-sql conversion script.
I been thinking about doing this change for a while and would be nice
to have a way to decrypt the passwords to.

BTW is there any drawbacks on using sql database compared to registry
? I think I recall seeing something somewhere about something with
virtual servers not working correctly but not sure about version or
anything. Are there any such issues if so what are they ?



Friday, June 21, 2002, 12:14:23 PM, you wrote:

TBNI My code is not in a format I am proud to share right now.
TBNI I am running through putting comments in, and writing a small text file to
TBNI put up.
TBNI I'll post the URL to the code by the end of the day.

TBNI All of my IMAIL domains are stored in a SQL db so anyone using the registry
TBNI will need to most likely need to do a few modifications, or maybe I can post
my registry-sql conversion scripts for Imail as well. (that decrypt
TBNI passwords too).

TBNI Thank you,
TBNI Tom Baker
TBNI MCSE, CCNP
TBNI Network Administrator
TBNI Netsmith, Inc.


TBNI -Original Message-
TBNI From: Matt Robertson [mailto:[EMAIL PROTECTED]] 
TBNI Sent: Friday, June 21, 2002 11:00 AM
TBNI To: [EMAIL PROTECTED]
TBNI Subject: RE: [Declude.JunkMail] Coldfusion Declude front end? 


TBNI Yes, please!  I'll post back whatever I come up with as well.

TBNI --Matt Robertson--
TBNI MSB Designs, Inc.
TBNI http://mysecretbase.com
 
TBNI -Original Message-
TBNI From: [EMAIL PROTECTED]
TBNI [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Baker |
TBNI Netsmith Inc
TBNI Sent: Friday, June 21, 2002 4:04 AM
TBNI To: '[EMAIL PROTECTED]'
TBNI Subject: Re: [Declude.JunkMail] Coldfusion Declude front end? 


TBNI Actually yes, I have written two seperate front ends, as an ISP having a
TBNI frontend was essential to us. When we first purchased Junkmail Pro I went
TBNI straight to work for customized versions of
TBNI \imail\declude\domain.com\user.junkmail

TBNI After using that for a while and realizing what I really needed was a idiot
TBNI proof way of managing the \mail\mail_domain_com\users\USER\rules.ima file.

TBNI The last frontend I wrote does just that, so I erased all my user.JunkMail
TBNI files so that everyone on my system is using the $default$.Junkmail settings
TBNI (which is set to WARN on everything for header entries).

TBNI My frontend has a main menu with 3 options:
TBNI Filterlevel, Blocked Senders and Approved Senders.

TBNI When first choosing any of the 3 my script sucks in the current rules.ima
TBNI into a temporary SQL table (much easier to manage than a text file in CF).
TBNI The FilterLevel Menu has 5 Choices: Off, Low, Medium, High and Extreme as
TBNI well as 2 actions (move to SPAM or permanently delete) all 4 actual levels
TBNI are defined by another SQL table of course, and every level selected gets
TBNI logged into another table. (so if you update the definitions of the levels
TBNI you have a log of who has what level and can push the new rules.ima to
TBNI your users).

TBNI Blocked Senders and Approved Senders work by putting entries in rules.ima to
TBNI Move to Main and Move to NUL 

TBNI I haven't written the code to actually push updates to your definitions
TBNI yet, but I would be glad to post my code for both the user.JunkMail and the
TBNI rules.ima scripts for those interested.




TBNI From: Matt Robertson 
TBNI Subject: [Declude.JunkMail] Coldfusion Declude front end? 
TBNI Date: Thu, 20 Jun 2002 10:48:28 -0700 



TBNI Has anyone tried putting a web-based front end on Declude?  I just upgraded
TBNI to JunkMail Pro and am looking for something in ColdFusion. Don't want to
TBNI have to write it myself if I can avoid it.

TBNI --Matt Robertson--
TBNI MSB Designs, Inc.
TBNI http://mysecretbase.com

TBNI ---
TBNI [This E-mail was scanned for viruses by Declude Virus
TBNI (http://www.declude.com)]

TBNI ---

TBNI This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
TBNI just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
TBNI Declude.JunkMail.  You can E-mail [EMAIL PROTECTED] for assistance.  You
TBNI can visit our web site at http://www.declude.com .
TBNI ---
TBNI [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

TBNI ---

TBNI This E-mail came from the Declude.JunkMail mailing list.  To
TBNI unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
TBNI type unsubscribe Declude.JunkMail.  You can E-mail
TBNI [EMAIL PROTECTED] for assistance.  You can visit our web
TBNI site at http://www.declude.com .
TBNI ---
TBNI [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude

[Declude.JunkMail] IPWHOIS:Ip block

[Eje Gustafsson]

Noticed here a little while ago a spammer that was basically trying a
dictionary attack on our imail server.
If I IP blacklist this sender in declude he can still do his
dictionary attack right ? So only way to make sure he doesn't tie up
my server resources is to add him to Imail Kill list ?

FYI ip is 62.254.178.50

Also if anyone out there is using FormMail 1.9 then UPDATE. Had a
domain that used 1.9 that the spammers found this morning. Updated it
to 1.9sp7 and the spammers where killed.
  

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

IPWHOIS:Re[2]: [Declude.JunkMail] IP Blakclist

[Eje Gustafsson]

Talk about that..
205.244.69.0/24
207.33.16.0/24
216.129.173.70/32
216.15.250.0/23
216.33.87.128/26
64.158.28.0/25
64.159.91.197/32
64.32.34.128/25
64.49.220.128/25
64.5.230.0/24
66.115.47.0/24
66.185.166.0/25
66.35.193.0/24
80.64.131.0/25

Is my ip blacklist that I used in Imail klist BUT after I ran that a
while they stopped using our primary server and user our backup server
which runs SMTP Webshield so I removed them from Imail again.
These are the IPs for the worst spammers/promotors that sent things to
our network. (Note there are a few of those in there that belong to
places like for example Rackspace.com )

Also CAN oen do as with the fromfile add a comment after the ip ?
because as it is today I have NO idea why I choose to block all of
the above :(

Wednesday, June 19, 2002, 16:10:07 PM, you wrote:


OK I've had it with free4all.com 

In the global.cfg can I blacklist an entire series of ip's with one entry ..

eg 193.111.237 and leave the last portion off

RSP No, but you can do this if you set up an ipfile test type:

RSP  KILLFREE4ALL  ipfile  C:\IMail\Declude\killfree4all.txt x 10 
RSP 0  [in the global.cfg file]

RSP  KILLFREE4ALL  DELETE[in the $default$.JunkMail file]

RSP and:

RSP  193.111.237.0/24[in the 
RSP C:\IMai\Declude\killfree4all.txt file]


RSP -Scott

RSP ---
RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

RSP ---

RSP This E-mail came from the Declude.JunkMail mailing list.  To
RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
RSP type unsubscribe Declude.JunkMail.  You can E-mail
RSP [EMAIL PROTECTED] for assistance.  You can visit our web
RSP site at http://www.declude.com .
RSP ---
RSP [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

IPWHOIS:Re[2]: [Declude.JunkMail] Minus One Address.

[Eje Gustafsson]

No I told you to leave them on ;) j/k


Thursday, June 20, 2002, 00:56:42 AM, you wrote:

 alltel.net is a isp and cellphone service provider. They provide
 dialup access and in some areas even DSL access. A competitor of ours
 so just leave them on the list ;P

 T @alltel.net

T Sorry about that, it will be removed from the list.

T Thanks,
T Tom

T ---
T [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

T ---

T This E-mail came from the Declude.JunkMail mailing list.  To
T unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
T type unsubscribe Declude.JunkMail.  You can E-mail
T [EMAIL PROTECTED] for assistance.  You can visit our web
T site at http://www.declude.com .
T ---
T [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

IPWHOIS:Re[2]: [Declude.JunkMail] Coldfusion Declude front end?

[Eje Gustafsson]

Always been thinking about doing a simple thing in php so my users can
enable/disable it and maybe set levels. But to much to do with to
little time.

Thursday, June 20, 2002, 15:22:22 PM, you wrote:

WOD If you write one i'd love to see it too! ( CF  dude)

WOD - Original Message -
WOD From: Matt Robertson [EMAIL PROTECTED]
WOD To: [EMAIL PROTECTED]
WOD Sent: Thursday, June 20, 2002 11:04 AM
WOD Subject: [Declude.JunkMail] Coldfusion Declude front end?


 Has anyone tried putting a web-based front end on Declude?  I just
 upgraded to JunkMail Pro and am looking for something in ColdFusion.
 Don't want to have to write it myself if I can avoid it.

 --Matt Robertson--
 MSB Designs, Inc.
 http://mysecretbase.com


 ---
 [This E-mail was scanned for viruses by Declude Virus
WOD (http://www.declude.com)]

 ---

 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  You can E-mail
 [EMAIL PROTECTED] for assistance.  You can visit our web
 site at http://www.declude.com .
 ---
 [This E-mail scanned for viruses by our Stealth Virus Detector]



WOD ---
WOD [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

WOD ---

WOD This E-mail came from the Declude.JunkMail mailing list.  To
WOD unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
WOD type unsubscribe Declude.JunkMail.  You can E-mail
WOD [EMAIL PROTECTED] for assistance.  You can visit our web
WOD site at http://www.declude.com .
WOD ---
WOD [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] Handling Held Spams

[Eje Gustafsson]

Hello Mark,

I use a weighted system. requires a lot more then badheaders to hold a
message. badheaders have a weight of 4. Need 15 to get held.
We use spamreview http://www.slsoft.com/spamreview.htm
to go through the held messages. In spam review we create filters that
delete what is obvious spams and return into the queue what is legit
messages that fallen victim to a black listed mailserver or for any
other reason triggered our hold weight.
It has an out of office mode that I always turn on and then in
mornings when I get back to work I go through the messages for which
there are currently no rules if only a single message from a special
source I process it manually if there are a lot of messages from a
special source I create a filter rule. Usually try to do it around
lunch time and before I go home. The first few days I ran it I ended
up spending a LOT of time with it but after a couple of weeks I might
spend 30 minutes in the morning, 5 around lunch and 10 around evening
time before I go home. Monday mornings can take a while since I
generally haven't done anything since Friday afternoon before I went
home.

Almost every webserver mail script trips badheaders so you will catch
a LOT of legit messages with that test alone. I advise against
holding messages that ONLY fails badheaders.

MM Hello,

MM   I was wondering how people handle all the held spam?  From my estimates,
MM my mailserver is holding over 1 million spams per month.  I only have
MM BADHEADERS and MAILFROM set for hold and rest for warn.  Are those the two
MM that most people have set to hold?  Any way to make it so the spam forwards
MM to a specific email address so I can search it easier if a customer
MM complains that there message was marked spam?

MM Thanks,
MM Mark

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] False positives for Spamheaders

[Eje Gustafsson]

 
If anyone would understand that then well world be so much easier.

Get it when someone like microsoft don't support postmaster and
abuse.. Their mailservers don't have any rev dns configured and to
boot has invalid headers (this was what I saw on a MSN passport
lost password requests that got held in our mails a while back).

Whatever you do do not block or delete on JUST spamheaders or
badheaders use the weighted system and if a message fail spamheaders
only let it pass through.

my .02


Thursday, May 23, 2002, 20:00:34, you wrote:

DM Hello...

DM Installed JunkMail last week and I'm getting some interesting spamheader 
DM false positives. Some of the more interesting ones are newsletters from: 
DM ORACLE, SOPHOS, and SYMANTEC!

DM I must trigger for Spamheaders since there are far too many real spam 
DM messages failing only the Spamheader test, so i'll be doing some 
DM whitelisting...

DM ...but, all this makes makes me wonder why companies such as these, who of 
DM all people should know better, are sending out deficient headers.

DM Any suggestions?

DM Thx,
DM D (just curious) McD.

DM ---
DM [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

DM ---

DM This E-mail came from the Declude.JunkMail mailing list.  To
DM unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
DM type unsubscribe Declude.JunkMail.  You can E-mail
DM [EMAIL PROTECTED] for assistance.  You can visit our web
DM site at http://www.declude.com .
DM ---
DM [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje  mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
 - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.JunkMail] Maybe something real will come out of this one.

[Eje Gustafsson]

http://msn.com.com/2100-1105-916931.html

Maybe finally a real usable law might come out of that one... One can
always hope..

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re[2]: [Declude.JunkMail] Enhancements - unknown sender must reply to ack

[Eje Gustafsson]

A product that does just this is spambar.
Gets very enoying when someone on a mailing list starts use it and you
write to the list and you have to ack your message to this person.
Then someone else sees it start using it. ugh.

Tuesday, May 21, 2002, 08:22:33 AM, you wrote:

TH I have to agree that this could be one of the most powerful tools yet to
TH fight SPAM.  I would pay money for this even if it were a seperate product!
TH A couple of questions about the implementation:

TH 1- If the sender does not acknowledge the confirm request, do they go onto
TH the blacklist?  This could be helpful if its given a TTL and when expired
TH goes onto the blacklist. This would help reduce traffic when a spammer sends
TH repeated messages.

TH 2- Will it be server and per user based?  I don't want to configure anything
TH on the client for this and I don't want to traffic to/from the client for
TH confirm request/receipt.

TH 3- Would it be specific to Imail?  Would it be a gateway in front of the
TH mail server?

TH 4- How will the onslaught of undeliverable messages be handled?  I would
TH imagine that most of the SPAM messages would not have valid senders, and
TH those would produce undeliverable messages.

TH 5- If a message from a blacklisted address arrives, can it be put into a
TH hold bin instead of deleted?  Maybe the Imail SPAM folder, so we can
TH continue to SpamReview on them.

TH Thanks and I want to push for this product!!

TH Todd

TH -Original Message-
TH From: [EMAIL PROTECTED]
TH [mailto:[EMAIL PROTECTED]]On Behalf Of decjunkmail
TH Sent: Tuesday, May 21, 2002 12:41 AM
TH To: [EMAIL PROTECTED]
TH Subject: [Declude.JunkMail] Enhancements - unknown sender must reply to
TH ack


TH I think I saw this as somewhere else but never heard about it being released
TH or implemented:

TH System maintains a per-user whitelist of people that are allowed to send
TH email to that user

TH If an incoming mail is not on the whitelist, it is returned to the sender
TH automatically (the user never sees this first attempt) with a request to
TH confirm they are sending the email.

TH The sender confirms by replying to this request message and then the
TH original message will be delivered.

TH This has the benefit of:

TH Automated for the user.  they just start out with an empty individual
TH white-list.

TH Catches most spam - since the confirm message will bounce if it is sent to
TH a fake sender and that accounts for a lot of the spam

TH Can be customized - user can reset or manually change their whitelist if
TH they want to.

TH works for the naiive user - simple system config can enable or disable the
TH feature per-user but the actual user need do nothing (doesn't have to learn
TH anything)

TH The spam that does slip thru would still be processed by all the usual
TH weighted scoring algorithms.
TH ---
TH [This E-mail was scanned for viruses by Declude Virus
TH (http://www.declude.com)]

TH ---

TH This E-mail came from the Declude.JunkMail mailing list.  To
TH unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
TH type unsubscribe Declude.JunkMail.  You can E-mail
TH [EMAIL PROTECTED] for assistance.  You can visit our web
TH site at http://www.declude.com .
TH ---
TH [This E-mail scanned for viruses by Declude Virus]


TH ---
TH [This E-mail scanned for viruses by Declude Virus]

TH ---
TH [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

TH ---

TH This E-mail came from the Declude.JunkMail mailing list.  To
TH unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
TH type unsubscribe Declude.JunkMail.  You can E-mail
TH [EMAIL PROTECTED] for assistance.  You can visit our web
TH site at http://www.declude.com .
TH ---
TH [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] Bounce strategies?

[Eje Gustafsson]

Don't bounce from your postmaster acct. That is just bad.
Rather create filters so that you delete the return bounce messages.
Just my $0.02

Monday, May 20, 2002, 12:31:55 PM, you wrote:

MR I just switched from DELETE to BOUNCE on my weight13 test.  I originally
MR set to DELETE, but wanted more of a safety factor in there, so went to
MR bounce.

MR Of course the inbox associated with the bounce msgs is loaded with
MR bounced bounce messages.  Is it safe for me to do something like set
MR that acct to 1-byte capacaity, or a 1-message limit?  Will other
MR postmasters bounce up and down when the bounced bounce bounces back to
MR them?  Any advice would be appreciated.

MR Cheers,

MR --Matt--

MR ---
MR [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

MR ---

MR This E-mail came from the Declude.JunkMail mailing list.  To
MR unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
MR type unsubscribe Declude.JunkMail.  You can E-mail
MR [EMAIL PROTECTED] for assistance.  You can visit our web
MR site at http://www.declude.com .
MR ---
MR [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re[2]: [Declude.JunkMail] Bounce strategies?

[Eje Gustafsson]

I don't like to delete either. I just the other week move almost fully
into a 100% weighted system (used to delete spamcop failed and had a few
ones that was set to bounce).
If the weight is above 30 I delete, weight above 20 I hold. 10 I just
put a header on.
The held messages I process with spam review (a great program) those
that are abvious junk mail that sends a lot of junk I have filters
that deletes the messages basically moves them from Decludes hold
folder to a spam review hold folder. Every couple of weeks I purge out
messages in the spam review hold folder that are older then 2 weeks.
So IF a customer is missing a piece of mail they have 2 weeks to get
hold of me. However messages that obviously are not junk but ended
up in the hold queue for one or another reason I use spam review to
return into the queue to get delivered if I see a large amount of held
messages from one person I usually create a rule to automatically
return this persons messages back into the queue and for the majority
of the time I run spam review in Out of office mode during which time
it will process my filters automatically. Messages that don't match my
filters will sit there for me when I have time (usually spend a little
time in the morning processing last 12-24 hours messages).

No complaints from any of our customers so far. Well besides the
common complaint that they get a lot of junk mail. Delog show that
I block 50-60% of incoming messages and yet they complain :(

- Eje

Monday, May 20, 2002, 12:59:42 PM, you wrote:

GW I don't like the idea of bouncing or deleting any messages.  I don't want to take 
that responsibility, and potentially zap a message that a user wants.  I've set up a 
local blacklist (based on
GW the spams I've received that didn't fail any tests), a local whitelist, and I've 
adjusted the individual pre-defined test weights a little, and am testing a 
configuration that ATTACHes spam that
GW hits a weight of 10, 14, or 20.  I've had a few non-spams get a weight of 10, but 
14 and 20 are pretty on-target thus far.  If the users want to set up filters to 
delete messages, that's *their*
GW choice.

GW My problem at the moment is figuring out how to explain to a rather 
unsophisticated user base how to set up their own client or WebMail filters to make 
use of the whole thing, if they do want to
GW delete anything or move tagged messages to their own holding folder for later 
review.

GW Glenn Z.

GW   - Original Message - 
GW   From: Matt Robertson 
GW   To: [EMAIL PROTECTED] 
GW   Sent: Monday, May 20, 2002 12:48 PM
GW   Subject: RE: [Declude.JunkMail] Bounce strategies?


GW   Yah, I got that part.  I created an acct called ''spammaster'' and am
GW   sending bounce msgs from it.

GW   Using filters is a good idea.  Nice and transparent.  Anybody have ideas
GW   on how to handle the myriad of incoming msgs without a corresponding
GW   number of filters?  I've never really used them.

GW   --Matt--

GW   -Original Message-
GW   From: [EMAIL PROTECTED]
GW   [mailto:[EMAIL PROTECTED]] On Behalf Of Eje Gustafsson
GW   Sent: Monday, May 20, 2002 10:38 AM
GW   To: Matt Robertson
GW   Subject: Re: [Declude.JunkMail] Bounce strategies?


GW   Don't bounce from your postmaster acct. That is just bad. Rather create
GW   filters so that you delete the return bounce messages. Just my $0.02

GW   Monday, May 20, 2002, 12:31:55 PM, you wrote:

GW   MR I just switched from DELETE to BOUNCE on my weight13 test.  I 
GW   MR originally set to DELETE, but wanted more of a safety factor in 
GW   MR there, so went to bounce.

GW   MR Of course the inbox associated with the bounce msgs is loaded with 
GW   MR bounced bounce messages.  Is it safe for me to do something like set

GW   MR that acct to 1-byte capacaity, or a 1-message limit?  Will other 
GW   MR postmasters bounce up and down when the bounced bounce bounces back 
GW   MR to them?  Any advice would be appreciated.

GW   MR Cheers,

GW   MR --Matt--

GW   MR ---
GW   MR [This E-mail was scanned for viruses by Declude Virus 
GW   MR (http://www.declude.com)]

GW   MR ---

GW   MR This E-mail came from the Declude.JunkMail mailing list.  To 
GW   MR unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
GW   MR unsubscribe Declude.JunkMail.  You can E-mail [EMAIL PROTECTED]

GW   MR for assistance.  You can visit our web site at 
GW   MR http://www.declude.com .
GW   MR ---
GW   MR [This E-mail scanned for viruses by Declude Virus]




GW   Best regards,
GWEje Gustafsson   mailto:[EMAIL PROTECTED]
GW   ---
GW   The Family Entertainment Network  http://www.fament.com
GW   Phone : 620-231-  Fax   : 620-231-4066
GW   eBay UserID : macahan
GW - Your Full Time Professionals -

GW   ---
GW   [This E-mail scanned for viruses by Declude Virus]

GW   ---
GW   [This E-mail was scanned for viruses by Declude Virus
GW   (http://www.declude.com)]

GW   ---

GW   This E-mail came from

Re: [Declude.JunkMail] Wish List

[Eje Gustafsson]

Hello Tom,

Would i tbe possible to have SpamReview submit mailservers to like
DSBL like test systems and possible Spamcop (maybe look in header to
check for what Declude test message didn't fail and submit to those
that it passed). Not sure how really useful it would be but it was a
thought I had the other day.

TS David,

TS Only if it were that easy.  I'll toss it into the next major release.

TS ?  Do you use the Out of Office feature now?

TS Tom

TS -Original Message-
TS From: [EMAIL PROTECTED]
TS [mailto:[EMAIL PROTECTED]]On Behalf Of David Stavert
TS Sent: Monday, May 20, 2002 6:44 PM
TS To: [EMAIL PROTECTED]
TS Subject: RE: [Declude.JunkMail] Wish List
TS Importance: Low


TS Add away.

TS Thanks
TS David

TS -Original Message-
TS From: [EMAIL PROTECTED]
TS [mailto:[EMAIL PROTECTED]]On Behalf Of Tom Schwarz
TS Sent: Monday, May 20, 2002 4:24 PM
TS To: [EMAIL PROTECTED]
TS Subject: RE: [Declude.JunkMail] Wish List


TS I'm already doing this.  I have a program on the server that runs 24x7 and
TS checks a specific email account every minute.  In my case the email account
TS is [EMAIL PROTECTED]

TS This works with IMail Rules file.

TS The process is as follows:

TS You, as an email users, forward the email in question to
TS [EMAIL PROTECTED]  This program sees the email, strips it down, and
TS replys to you with information about what email address it is going to add
TS to the IMail rules.  If you reply to this email it is added to your Rules
TS and IMail takes care of all email from that address in the future.  I could
TS add this to SpamReview, if you like and it would work in the Out-Of-Office
TS Mode, or make it a seperate program.

TS However, as Scott points out it will not be perfect.



TS -Original Message-
TS From: [EMAIL PROTECTED]
TS [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
TS Sent: Monday, May 20, 2002 4:09 PM
TS To: [EMAIL PROTECTED]
TS Subject: Re: [Declude.JunkMail] Wish List



Would it not be great if we could assign an e-Mail or a number of
e-Mails that if someone sends a message to they will automatically get
blacklisted?  This would immediately save all the junk they will manage
to send through.

TS It is a good idea.  The question though is what to block -- the remote
TS mailserver, the return address, or something else?
TS -Scott

TS ---
TS [This E-mail was scanned for viruses by Declude Virus
TS (http://www.declude.com)]

TS ---

TS This E-mail came from the Declude.JunkMail mailing list.  To
TS unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
TS type unsubscribe Declude.JunkMail.  You can E-mail
TS [EMAIL PROTECTED] for assistance.  You can visit our web
TS site at http://www.declude.com .

TS ---
TS [This E-mail was scanned for viruses by Declude Virus
TS (http://www.declude.com)]

TS ---

TS This E-mail came from the Declude.JunkMail mailing list.  To
TS unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
TS type unsubscribe Declude.JunkMail.  You can E-mail
TS [EMAIL PROTECTED] for assistance.  You can visit our web
TS site at http://www.declude.com .

TS ---
TS [This E-mail was scanned for viruses by Declude Virus
TS (http://www.declude.com)]

TS ---

TS This E-mail came from the Declude.JunkMail mailing list.  To
TS unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
TS type unsubscribe Declude.JunkMail.  You can E-mail
TS [EMAIL PROTECTED] for assistance.  You can visit our web
TS site at http://www.declude.com .

TS ---
TS [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

TS ---

TS This E-mail came from the Declude.JunkMail mailing list.  To
TS unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
TS type unsubscribe Declude.JunkMail.  You can E-mail
TS [EMAIL PROTECTED] for assistance.  You can visit our web
TS site at http://www.declude.com .
TS ---
TS [This E-mail scanned for viruses by Declude Virus]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] hotmail !?

[Eje Gustafsson]

Nothing like posting on your own post.
Also seems atleast one AOL server and one prodidgy server also been
OSSRC listed.
Got a chunk of legit mail that was caught this morning and tonight
thanks to OSSRC.
Guess I really need to go all the way with the weighted system
consider I'm using a combination weighted and hardcoded tests.

Wednesday, May 01, 2002, 10:38:25 AM, you wrote:

EG Seems like hotmail been ossrc listed !? Found it in our hold queue
EG this morning. There was a bunch from this person sent to this same
EG person and you can see in the message that it's a continues thread.

EG Received: from hotmail.com [64.4.30.124] by imail.fament.com with ESMTP
EG   (SMTPD32-7.07) id ACB422910122; Wed, 01 May 2002 09:33:24 -0500
EG Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
EG  Wed, 1 May 2002 07:30:20 -0700
EG X-Originating-IP: [12.147.72.21]
EG From: [EMAIL PROTECTED]
EG To: [EMAIL PROTECTED]
EG References: 003201c1f114$05edb930$291bbdd0@rene
EG Subject: Re: thoughts
EG Date: Wed, 1 May 2002 08:32:29 -0600
EG MIME-Version: 1.0
EG Content-Type: multipart/alternative;
EG boundary==_NextPart_000_0083_01C1F0EA.BACDFD80
EG X-Priority: 3
EG X-MSMail-Priority: Normal
EG X-Mailer: Microsoft Outlook Express 6.00.2600.
EG X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
EG Message-ID: [EMAIL PROTECTED]
EG X-OriginalArrivalTime: 01 May 2002 14:30:20.0920 (UTC) FILETIME=[B90E8780:01C1F11C]
EG X-Declude-Sender: [EMAIL PROTECTED] [64.4.30.124]
EG X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
EG X-Note: This E-mail was sent from oe20.pav1.hotmail.com. ([64.4.30.124]).
EG X-Tests-Failed: OSSRC.
  

EG Best regards,
EG  Eje Gustafsson   mailto:[EMAIL PROTECTED]
EG ---
EG The Family Entertainment Network  http://www.fament.com
EG Phone : 620-231-  Fax   : 620-231-4066
EG eBay UserID : macahan
EG   - Your Full Time Professionals -

EG ---
EG [This E-mail scanned for viruses by Declude Virus]

EG ---
EG [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

EG ---

EG This E-mail came from the Declude.JunkMail mailing list.  To
EG unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
EG type unsubscribe Declude.JunkMail.  You can E-mail
EG [EMAIL PROTECTED] for assistance.  You can visit our web
EG site at http://www.declude.com .
EG ---
EG [This E-mail scanned for viruses by Declude Virus]




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.JunkMail] Why is this one getting held?

[Eje Gustafsson]

Have a mail that gotten held by Declude.

Received: from mta01-srv.alltel.net [166.102.165.143] by imail.fament.com with ESMTP
  (SMTPD32-7.06) id A8321E100EE; Sat, 13 Apr 2002 13:25:54 -0500
Received: from mbaker ([216.96.14.52]) by mta01-srv.alltel.net with SMTP
  id 20020413182301.SHBY26878.mta01-srv.alltel.net@mbaker;
  Sat, 13 Apr 2002 13:23:01 -0500
Message-ID: 003901c1e317$e5ac1ea0$340e60d8@mbaker
From: Judy Baker [EMAIL PROTECTED]
  

I don't really a reason unless they where an open relay and cleared it
up gotten removed from the lists.
(I don't use the postfix list)
Any way to configure Declude to always write what check the message
failed ?
Because like this message have no Junk Mail Warnings.

Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your Full Time Professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re[2]: [Declude.JunkMail] XBL:Just added new spam tests... opinions?

[Eje Gustafsson]

Welcome to the club a while back when I started on this list there was
a post to a tool called delog which I downloaded and setup and ran.
Since I started running that one (infrequently usage) I always get the
depressing results 62-67% junk that is getting blocked by declude :(
This weekend is first time I found in the hold folder any considerable
amount of legit mail that gotten held that I had to put back in
queue. (PS Spamreview is GREAT I hope I'm not the only one that
donated money to the guy for writing this great tool).

Monday, April 15, 2002, 10:53:28 AM, you wrote:

M We've noted a significant increase in spam volumes and variability. We
M are now discarding more mail than we deliver.

M _M

M | -Original Message-
M | From: [EMAIL PROTECTED] 
M | [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Nice
M | Sent: Sunday, April 14, 2002 7:10 PM
M | To: [EMAIL PROTECTED]
M | Subject: Re: [Declude.JunkMail] XBL:Just added new spam 
M | tests... opinions?
M | 
M | 
M | Late last week overall volume picked up ... both caught and 
M | delivered. They seemed to be using lots more virgin relays 
M | that weren't listed in Spamcop, ORBL, etc.

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re[2]: [Declude.JunkMail] Why is this one getting held?

[Eje Gustafsson]

Hello R.,

Have a mail that gotten held by Declude.

From: Judy Baker [EMAIL PROTECTED]

RSP alltel.net is listed in the NOPOSTMASTER database.

Hmm ok. Shouldn't been held on that alone.

RSP To find out what other test(s) it failed, you can check the Declude 
RSP JunkMail log file.

Any way to configure Declude to always write what check the message
failed ?

RSP With recent version of Declude JunkMail, you can use:

RSP  XINHEADER   X-Tests-Failed: %TESTSFAILED%.

RSP That will add a line to the headers that shows which spam test(s), if any,
RSP the E-mail failed.

Thank you I know I seen it somewhere but being monday I couldn't find
it. =O Next time I will know thanks to this little trick.




Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your fulltime professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] DSBL

[Eje Gustafsson]

Not many hits yet for dsbl but seen a few

Delog Version 1.05b Detailed Report for: 04/10/2002 10:10:46

Log file examined: I:\IMail\spool\dec0409.log

Unique Message Count: 7957
Failed Message Count: 4891
Total Percentage of Spam: 61%

User Selected tests: 20

   OSSRC failed: 1138
  OSSOFT failed: 245
   OSDUL failed: 2
  OSFORM failed: 0
  OSLIST failed: 0
 OSRELAY failed: 222
 SPAMCOP failed: 1281
DSBL failed: 41
 DSBLALL failed: 41
   DSBLMULTI failed: 0
ORDB failed: 228
MAILFROM failed: 36
  BADHEADERS failed: 1174
 SPAMHEADERS failed: 1899
  REVDNS failed: 980
 ROUTING failed: 159
 NOABUSE failed: 1471
WEIGHT10 failed: 2471
WEIGHT20 failed: 792
WEIGHT30 failed: 0

Just put in the DSBLMULTI and the WEIGHT30 today

I just love spamcop ;) Takes care of so much of our spam.

Wednesday, April 10, 2002, 08:26:04 AM, you wrote:

DD It appears that DSBL is now three lists ... the two confirmed ones
DD are:

DD list.dsbl.org for single-stage relays tested by trusted users, multihop.dsbl.org

DD I haven't noticed any hits on these with Declude ... are they working?

DD I'm using the format:


DD DSBL   ip4r  list.dsbl.org   *  10 0
DD DSBL   ip4r  multihop.dsbl.org   *   10 0

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] Declude Virus Junkmail

[Eje Gustafsson]

Hello Adam,

we run both on one server. A Dual P-II 350 /w 256MB ram. Imail deliver
about 4k e-mails each day and we have about 8-8.5k incoming e-mails of
which 4-4.5k gets blocked by declude junkmail.
Rarely gets over 10% load. This is on about 60+ domains which one
domain is for our dial-up service with 500+ accounts.

Tuesday, April 09, 2002, 11:01:52 AM, you wrote:

AH Hello,

AH We are ISP using Imail and we are evaluating Declude Virus  Junkmail. I was
AH wondering anyone can offer insight on how much of a load these 2 programs
AH will put on our servers.

AH Our machines have roughly 200 domains on each server. The server does both
AH web and email services. If we install Delcude Virus  Junkmail on each
AH server will this be to much? We have the trial version on Virus running and
AH it doesn't seem to bad yet (but we just started it). Our servers range from
AH PII-300 dual PII-1GHz machines.

AH I know a rough estimate on the number of emails would be good but I really
AH don't know. So if you have some figures for a server with about 200 domains
AH and the amount of email generated a day I would appreciate anything

AH Let me know about the stats for server loading...

AH Thanks,

AH Adam


AH 
AH Adam Hobach
AH CyberLynk Sales/Support
AH [EMAIL PROTECTED] or [EMAIL PROTECTED]

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.JunkMail] Relaying configuration WAS HELP: I just got listed on ORDB

[Eje Gustafsson]

A little netiq please.. Trim your posts. The original message was
11.2k for less then 1k worth of comment...

Just want to chimn in and say that MSN also blocks outbound smtp and
you have to use their mailservers. But on top of that you HAVE to use
SPA smtp authentication which is something evil that microsoft have
come up with. I use a mail client called The Bat! and it would NOT
function with MSNs mailservers. Only app I managed to find that worked
was Outlook  Outlook Express. Now talk about cornering your
clients...

Sunday, March 31, 2002, 10:27:34 AM, you wrote:

DB Auth should work, then, unless there was some change in 7.xx. To be
DB sure, setup a test virtual server and try it from a dial-up. Have your
DB Imail logs set to debug, so you can see what's happening during the
DB test.

DB What we do here is use relay for addresses and Auth.  However, since
DB we use an external database with Imail 6.xx, we have to assign an IP
DB to every mail host that needs Auth.  That may be fixed in 7.xx, but I
DB haven't heard for sure.

DB Moreover, we really encourage our users to use the SMTP of their
DB dial-up provider, since many (like Earthlink) block port 25 traffic to
DB IP's which are not on their net.



DB Sunday, March 31, 2002, 9:16:42 AM, Jim Rooth [EMAIL PROTECTED] wrote:
JR I am using the Imail Database on v7.06

JR Family, God, and Corps...all else are mere details

JR Jim Rooth
JR http://www.usmcfew.com/3516 

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: [Declude.JunkMail] Relaying configuration WAS HELP: I just got listed on ORDB

[Eje Gustafsson]

Hello Timm,

Hmm Never thought about that. I could do that on my firewall redirect
connections for port 125 to 25.

Sunday, March 31, 2002, 18:48:20 PM, you wrote:


TJ   I got around the SMTP filtering issue by setting up a small daemon on my
TJ server that accepted connections on port 125 (could be any port, I just
TJ picked 125) and redirects the connection to port 25. It's multi-threaded and
TJ lets people connect directly to your server to send mail even if their port
TJ 25 is blocked by their ISP.

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

[Declude.JunkMail] More wounderful SWBell.net

[Eje Gustafsson]

I know there was a discussion a few days ago about SWBells wounderfull
DNS service.

Well thought I give a true sad story. About a year ago we ran MailMax
and McAfee Webshield SMTP. We did an update of mailmax to latest
version less then a week later our server got hijacked and used as a
spamrelay server. Mailmax was configured to avoid relaying but
something was obviously broke and SmartMax people just keep saying
nothing wrong with mailmax even though I could show them rbl listings
with our mailmax servers tag in the passed messages.
After 5 days we gave up and started looking for new software and our
eyes fell on Ipswitch Imail and Declude antivirus and junkmail.
Said and done we bought 2 days delivery same day we ordered it we got
a call from SWBell Policy department telling us to shutdown our
mailserver or we would find our upstream bandwidth shutdown by 5pm
that same day (which BTW is big nono according to our contract we are
required 14day written notice). I managed to buy ourselves 24hrs more
since we had ordered the software and fixup so that swbell relay tests
wouldn't go through so I got enough time to get our new mailserver
software and install it without further threats (dirty done by me but
hey)...

Either way..

Today I found this after gotten a complaint from a customer that
couldn't receive mail from a customers of theirs.

#nslookup smtp-relay.swbell.net

Name:smtp-relay.swbell.net
Address:  151.164.30.54

http://www.orbz.org/b.php?151.164.30.54

Now... What is wrong with this picture 

If I do it they can violate our contract and threaten to terminate me
but they can run a relay server for over 3 weeks 

Besides I'm STILL waiting four our letter of apology from SWBell for
this incident.

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re: FW: [Declude.JunkMail] MISSING_REVERSE_DNS:FW: IMail Server 7.06 Hotfix 1

[Eje Gustafsson]

roflmao..
Now why don't that suprise me at all..

They recently upgraded their servers. Figures they screwed it up.
Their QoS is very poor to say the least trust me I had a T1 from them
for some time now and when the contract is up I will not renew with
them..

Sunday, March 10, 2002, 20:27:13 PM, you wrote:


What am I missing? Why did I get the reverse DNS note?

---from www.DNSstuff.com---
Reverse DNS for 209.184.248.29
Generated by www.DNSstuff.com
How I am searching:
Searching for PTR record for 29.248.184.209.in-addr.arpa at
h.root-servers.net:  Got referral to BUCHU.ARIN.NET.
Searching for PTR record for 29.248.184.209.in-addr.arpa at
BUCHU.ARIN.NET.:  Got referral to NS1.SWBELL.NET.
Searching for PTR record for 29.248.184.209.in-addr.arpa at
NS1.SWBELL.NET.:  Got referral to wildcat.elkhart.com.
Searching for PTR record for 29.248.184.209.in-addr.arpa at
wildcat.elkhart.com.:  Reports mail.elkhart.com.

RSP There seems to be a problem with the swbell.net servers.  Sometimes, they 
RSP are responding with one answer, sometimes with another.  For example:

RSP  Searching for PTR record for 29.248.184.209.in-addr.arpa at 
RSP NS1.SWBELL.NET.: Got referral to ns1.swbell.net.
RSP  Searching for PTR record for 29.248.184.209.in-addr.arpa at 
RSP ns1.swbell.net.: Got referral to wildcat.elkhart.com.
RSP  Searching for PTR record for 29.248.184.209.in-addr.arpa at 
RSP wildcat.elkhart.com.: Reports mail.elkhart.com.

RSP Here, ns1.swbell.net is referring the answer back to itself, and on the 
RSP second try is responding correctly.  It sounds like they may have the IP 
RSP for ns1.swbell.net point to multiple servers, some of which are set up 
RSP properly, and others are not.

RSP I'm guessing that our local DNS server sees ns1.swbell.net referring us 
RSP back to itself, and assumes that an infinite loop will result (whereas the 
RSP www.DNSstuff.com lookup will only detect an infinite loop if more than 20 
RSP lookups are performed).  The swbell.net people need to fix the problem.
RSP -Scott

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re[2]: [Declude.JunkMail] Spamcop issue

[Eje Gustafsson]

My only concern is that after doing some checking myself with just
warn on weight10 is that someone that fail revdns and badheaders will
have a weight of 13 and thusely get held/deleted.
I seen legit messages fail these two tests. For example my wife signed
up for a newsletter for a software this weekend weight 13.
I received a letter this morning from Microsoft also a newsletter
missing Revdns if they would also have bad headers or something
similar they would also be held.

I decided to only put warn on weight10 and create a weight 20 that I
end up holding. Might consider giving OSSRC a higher weight so that
your OSSRC and spamheaders push it up higher then 10 or make sure you
lower revdns since it seems so many legit mailinglist/newsletters
unfortunately fails this test.

Just my $.02
Saturday, March 02, 2002, 02:50:36 AM, you wrote:



T After careful consideration to everyone's views, I have elected
T to use the weight10 test to help define spam.  I have been looking
T through thousands of messages and logs to figure out what the best 
T method would be for cutting down spam.  Most spam will fail more
T than one test.  Usually a message considered spam will also fail
T the Spamheader test.  Using the Declude weight test I can now
T set Declude to hold just that message and let the other messages
T through with a warning.

T If you take a look at the following example, you will see that
T there are messages that fail more than one test;

T OSSRC: Jackpot.com spam
T SPAMHEADERS: This E-mail has headers consistent with spam

T So if both of these tests have a value of 5 then this mail 
T would fail based on the weight10 test.

T Any thoughts?

T Regards,
T Tom
T Image`fx
T ---
T [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

T ---

T This E-mail came from the Declude.JunkMail mailing list.  To
T unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
T type unsubscribe Declude.JunkMail.  You can E-mail
T [EMAIL PROTECTED] for assistance.  You can visit our web
T site at http://www.declude.com .
T ---
T [This E-mail scanned for viruses by Declude Virus]





Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your fulltime professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .

Re[2]: [Declude.JunkMail] Spamcop issue

[Eje Gustafsson]

Interesting Terry thanks for sharing.

How do you generate those reports ? Interested in sharing if it's a
program or script ?

Regards Eje

Monday, March 04, 2002, 09:20:27 AM, you wrote:

SBL Eje,

SBL Monday, March 4, 2002 you wrote:
EG My only concern is that after doing some checking myself with just
EG warn on weight10 is that someone that fail revdns and badheaders will
EG have a weight of 13 and thusely get held/deleted.

SBL I don't know if this helps you or not but we use a similar weighting
SBL system and here are our results for February:
SBL ---
SBL Total Messages: 26,438
SBL Not fail having weight: 20,626 (Avg Wt: 9.62)
SBL Failed Messages: 5,812 ( 21.98%) (Avg Wt: 34.93) 

SBL Messages failed the following tests: 
SBL ADULT: 80 
SBL BADHEADERS: 4633 
SBL DSN: 458 
SBL MAILFROM: 351 
SBL NOABUSE: 4276 
SBL NOPOSTMASTER: 3474 
SBL ORBZIN: 2162 
SBL ORBZOUT: 3239 
SBL ORDB: 2281 
SBL OSDUL: 33 
SBL OSLIST: 1 
SBL OSRELAY: 1849 
SBL OSSOFT: 218 
SBL OSSRC: 1448 
SBL REVDNS: 6480 
SBL ROUTING: 2409 
SBL SPAMCOP: 5218 
SBL SPAMHEADERS: 12603 
SBL nsbsibl1: 496 
SBL sbsibl1: 137 
SBL sbsibl2: 79 

SBL I think there may be a bug either in my reporting or perhaps in
SBL declude because we did have messages which should have no weight but I
SBL think because of our weight09 test they end up with some weight.  I
SBL haven't had time to check.

SBL So the average of our non-failed messages was 9.62 but 34.93 for the
SBL ones that did fail.

SBL Still we move all failed messages to a spam folder and then check them
SBL and move any good ones back to the spool.  Here is results of that:
SBL --
SBL Year - Mo  Moved   Pct DeletedPct  Total
SBL 2001 - 12 64 3.92%   1,567 96.08%  1,631
SBL 2002 - 01221 4.08%   5,198 95.92%  5,419
SBL 2002 - 02247 4.19%   5,643 95.81%  5,890

SBL So we still have about 4% of our trapped messages that are really
SBL legitimate messages.

SBL I do not see a solution for this at this point.

SBL Terry Fritts

SBL ---
SBL [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

SBL ---

SBL This E-mail came from the Declude.JunkMail mailing list.  To
SBL unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
SBL type unsubscribe Declude.JunkMail.  You can E-mail
SBL [EMAIL PROTECTED] for assistance.  You can visit our web
SBL site at http://www.declude.com .
SBL ---
SBL [This E-mail scanned for viruses by Declude Virus]





Best regards,
 Eje Gustafsson   mailto:[EMAIL PROTECTED]
---
The Family Entertainment Network  http://www.fament.com
Phone : 620-231-  Fax   : 620-231-4066
eBay UserID : macahan
  - Your fulltime professionals -

---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .