RE: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX
Hi, I am unable to connect to the interim download site with the standard interim/decinterim credentials. Have they changed? Goran Jovanovic Omega Network Solutions From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Monday, June 01, 2009 3:38 PM To: declude.junkmail@declude.com; declude.vi...@declude.com Subject: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX If your AVG is not scanning emails, please upgrade immediately to 4.6.35 which is available from the Declude website. If you are unsure whether this means you, we suggest you upgrade, if you need any assistance in this matter please contact supp...@declude.com David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.commailto:dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Exclude a single user from a banned file rule
Hi, Is it possible to BANEXT EXE for everyone except for one user? The user in question would be allowed to receive all the .exe files they can handle? Let me know please Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Command in Declude
I seem to remember that there was a command added to Declude that would allow you to save the D/Q files off to a directory. Am I dreaming of such a command or not? And it was different than the HOLD. I seem to remember it was COPY...HEADERS Any help would be appreciated. Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Command in Declude
So I can trigger this based on a test, copy the D/Q files and then continue processing the email and send it on its way? Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, February 05, 2007 3:59 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Command in Declude Is this what you were thinking of ? COPYFILE eg. WEIGHT20 COPYFILE C:\Temp\ David Barker Director of Product Management Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Monday, February 05, 2007 3:51 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Command in Declude I seem to remember that there was a command added to Declude that would allow you to save the D/Q files off to a directory. Am I dreaming of such a command or not? And it was different than the HOLD. I seem to remember it was COPY...HEADERS Any help would be appreciated. Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] CMDSPACE/SmarterMail
My understanding from quite a while ago is that SmarterMail did not pass the CMDSPACE info on to Declude (somehow). So the test is irrelevant in SmarterMail. Maybe this has been corrected in some newer version of SmarterMail?? Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Friday, November 10, 2006 3:40 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] CMDSPACE/SmarterMail Thanks, David. It's little things like this short acknowledging message that can go miles towards making your customers feel better about Declude's support. Gary Original Message From: David Barker [EMAIL PROTECTED] Sent: Friday, November 10, 2006 3:10 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] CMDSPACE/SmarterMail I see that too, I will look into this. David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Friday, November 10, 2006 2:27 PM To: declude.junkmail@declude.com Subject: re: [Declude.JunkMail] CMDSPACE/SmarterMail I'm also using SmarterMail Enterprise Edition 3.3.2439 and Declude 4.3.14, and have had CMDSPACE configured for quite a while, but hadn't thought anything about it. When I saw your message I ran DLanalyzer on my logs for the past two weeks and saw that there were no hits for CMDSPACE at all. So it seems I am experiencing the same problem. Gary Original Message From: Michael Jaworski [EMAIL PROTECTED] Sent: Friday, November 10, 2006 10:45 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] CMDSPACE/SmarterMail We just started using CMDSPACE and noticed the test does not appears to be working on SmarterMail Enterprise Edition 3.3.2439 and Declude 4.3.14. I am not seeing any errors in the debug level logs files. A check of the release logs it appears support for CMDSPACE test in Smartermail was provided in 4.0.9. (Feb 2006) Anyone seeing the same thing? Here are my relevant entries without quotes: Global.cfg - CMDSPACE cmdspaceX X 8 0 $default$.junkmail - CMDSPACE WARN Mike --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Badheaders and un-decoded mail
Hi, A client sent this email back to me saying that they cannot read it. Well no wonder the message did not get un-decoded properly. I have two questions: 1) The badheaders code (8c02) means that there was no This E-mail has no From: header. And yet it appears to have one two lines after the X-Mailer: Groupwise 6.5. So why the badheaders code? 2) What could have caused the message to be un-decodable when it reached the final destination? Thanks Goran -Original Message- From: Sent: Monday, September 25, 2006 3:05 PM Subject: X-Mailer: Groupwise 6.5 Message-ID: [EMAIL PROTECTED] From: Line Desrosiers [EMAIL PROTECTED] Subject: =?UTF-8?B?UsOpcC4gOiBSRTog?= To: Joe User [EMAIL PROTECTED] Content-Type: multipart/alternative; boundary=LPHMXLZMXOMRLFKSEJCW X-MXRate-Prob: -1 X-MXRate-Country: CA X-MXRate-Action: ALLOW X-Alligate-ReceivingIP: [192.168.170.2] X-Alligate-Grey: Skipped X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c02]. X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in this E-mail. X-RBL-Warning: GOODREVDNS: Message failed GOODREVDNS test (line 30, weight -30) X-RBL-Warning: BYPASS: Message failed BYPASS test (line 8, weight 0) X-Declude-Sender: [EMAIL PROTECTED] [159.33.1.177] X-Declude-Spoolname: D288e01860770.smd X-Declude-RefID: X-Note: X-Note: Process Time: Scanned at 15:06:03 on 25 Sep 2006 X-Note: Reverse DNS: Sent from gwtor-out1.cbc.ca ([159.33.1.177]). X-Note: Country Path: CANADA-destination X-Note: X-Note: Tests Failed: BADHEADERS [2], BASE64 [4], GOODREVDNS [-30], BYPASS [0] X-Note: X-Note: Header Code: 8c02 X-Note: IP4R: 177.1.33.159 X-Note: MAILFROMBL: .radio-canada.ca X-Note: RHS BL: radio-canada.ca X-Note: Remote IP: 159.33.1.177 X-Note: X-Note: Recpient(s): [EMAIL PROTECTED] X-Note: Sender: [EMAIL PROTECTED] X-Note: Spool File: D288e01860770.smd X-Note: X-Note: This E-mail was scanned by Declude JunkMail version 4.3.7 X-Note: Total spam weight of this E-mail is -32. X-fpReview-Weight: -32 X-Note: Return-Path: [EMAIL PROTECTED] X-OriginalArrivalTime: 25 Sep 2006 19:06:07.0399 (UTC) FILETIME=[A7C4DB70:01C6E0D5] --LPHMXLZMXOMRLFKSEJCW Content-Type: text/plain; charset=utf-8 Content-Language: Content-Transfer-Encoding: base64 Qm9uam91ciBNb25zaWV1ciBMYWxvbmRlLA0KDQpKZSB2aWVucyB0b3V0IGp1c3RlIGRlIHZv dXMg ZW52b3llciBwYXIgdMOpbMOpY29waWVyIGF1IDQxNi0yMTQtNDQxMiwgIm1vbiBjb3Vycmll bCBx dWUgamUgdm91cyBhZHJlc3NhaXMgISENCg0KTWVyY2kgw6AgbCdhdmFuY2UgISENCg0KDQoN Cg0K DQpMaW5lIERlc3Jvc2llcnMNClJhZGlvLUNhbmFkYQ0KRGlyZWN0aW9uIGRlcyBvcMOpcmF0 aW9u cywNCkZpbmFuY2VtZW50IGV0IFJlbGF0aW9ucyBkJ2FmZmFpcmVzDQpUw6lsOiAgKDUxNCkt NTk3 Etc etc etc --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude Crashes
I had this problem a while ago and never really got an answer on it. I too had a script that would check the review directory and then let me know if there were files there. I reprocessed them manually to check for killer messages (just like Darrell) and never found one. I finally resorted to # Email in the \review directory is automatically moved to the \proc directory when the service # starts or when the proc directory is empty AUTOREVIEW ON In my DECLUDE.CFG file. That way I could stop checking the messages. Never did find the problem. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Monday, August 28, 2006 8:55 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude Crashes Darrell, I have a script that is scheduled to run every 15 minutes to check for any files in the error or review folders. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Monday, August 28, 2006 5:18 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Declude Crashes Mark, I also have those issues. However, my decludeproc is set to auto restart. On several occasions I have tested the files in the review folder to see if they are the culprit (i.e killer message) and never made any headway on it. It has not been too much of an issue since it restarts itself. The only downside is that you run the risk of legit mail ending up in the review folder. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Mark Strother To: declude.junkmail@declude.com Sent: Monday, August 28, 2006 7:47 PM Subject: [Declude.JunkMail] Declude Crashes Does anyone else have problems with Declude crashing? Several times each day I see the following in our application event logs: Reporting queued error: faulting application decludeproc.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.2.3790.1830, fault address 0x00032335. Followed by this in the system logs: The Decludeproc service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1 milliseconds: Restart the service. It seems as though Declude restarts fine and we dont seem to suffer any ill effects but Id like to see it resolved. Were processing a fair volume of mail, 100,000+ messages per day. Were running Declude 4.3.7 with Sniffer but I can rule out Sniffer as being the issue as I disabled it temporarily and still saw these errors. Mark Strother Pacific Online Phone: 604-638-6010 ext. 222 Fax: 604-638-6020 Toll Free: 1-877-503-9870 http://www.pacificonline.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Monday, August 28, 2006 2:41 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] some emails being marked with **spam** despite being authenticated Importance: High Sensitivity: Confidential Thanks John, I had the log mode set to high, debug seems to show a lot more detail. Anything in particular I should look out for? (in debug mode the log can chuck out more than 300 lines!!!) Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] LEGAL DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir, copiar de ninguna forma, ni emprender ninguna accion en relacion con ella. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Monday, August 28, 2006 7:25 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] some emails being marked with **spam** despite being authenticated Sensitivity: Confidential You need to review the log lines of a message that was marked, not one that shows Whitelisted. Preferably, the log should be in debug mode. John T eServices For You
RE: [Declude.JunkMail] Declude Crashes
Matt, I agree with your comments regarding AUTOREVIEW and its potential problems. I originally started out manually checking an moving but that got too time consuming and seeming to no effect. Therefore I made a calculated risk that I would turn it on and take the chance of a killer message being looped. If that happens my proc directory will backup and Queuemon will notify me of a problem. So not elegant but it seems to work for me. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, August 28, 2006 10:33 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Declude Crashes Goran, That worked great for me until I experienced a killer message last week that AUTOREVIEW was throwing back into the proc directory after every restart which in turn caused Declude to crash every time. They said that this was fixed in the most recent version, but there are more bugs with their own killer messages out there certainly. AUTOREVIEW ON therefore should not be used for that reason. Keep in mind that not all messages that caused a crash will be repeatable causes of a crash. What I would like to see (and I'm not holding my breath) is something that didn't move all the proc contents into the review directory, but instead just the message that was there when it crashed. My GP1 file that was created by the crash as well as the logs clearly showed the problematic message. If Declude can create the GP1 file, it can also be made to only move that one problematic message over to review. I'm afraid that they are casting the net too widely. The protective measure of moving killer messages out of proc is wise, but designing a process that requires constant attention and maintenance to move messages back causes people to disable these protective measures. So the process should be changed to be more granular. With that said, I still would rather see the long known outstanding bugs addressed first. Clearly there has been a decision to ignore our concerns about these bugs and work on the gateway. That's an unfortunate way to deal with ones customers. Matt Goran Jovanovic wrote: I had this problem a while ago and never really got an answer on it. I too had a script that would check the review directory and then let me know if there were files there. I reprocessed them manually to check for killer messages (just like Darrell) and never found one. I finally resorted to # Email in the \review directory is automatically moved to the \proc directory when the service # starts or when the proc directory is empty AUTOREVIEW ON In my DECLUDE.CFG file. That way I could stop checking the messages. Never did find the problem. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: Monday, August 28, 2006 8:55 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude Crashes Darrell, I have a script that is scheduled to run every 15 minutes to check for any files in the error or review folders. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Monday, August 28, 2006 5:18 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Declude Crashes Mark, I also have those issues. However, my decludeproc is set to auto restart. On several occasions I have tested the files in the review folder to see if they are the culprit (i.e killer message) and never made any headway on it. It has not been too much of an issue since it restarts itself. The only downside is that you run the risk of legit mail ending up in the review folder. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Mark Strother To: declude.junkmail@declude.com Sent: Monday, August 28, 2006 7:47 PM Subject: [Declude.JunkMail] Declude Crashes Does anyone else have problems with Declude crashing? Several times each day I see the following in our application event logs: Reporting queued error: faulting application decludeproc.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.2.3790.1830, fault address 0x00032335. Followed by this in the system logs: The Decludeproc service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1 milliseconds: Restart the service. It seems as though Declude restarts fine and we dont seem to suffer any ill effects but Id like to see it resolved. Were processing a fair volume of mail
RE: [Declude.JunkMail] SKIPIFWEIGHT question
Title: Message Dont forget to take into account that any negative weighting does not get subtracted until all the tests are run. So with the default declude install there is -8 from the IPNOTINMX and NOLEGITCONTENT. So if you delete at 30 your SKIPIFWEIGHT should be set to 38. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, August 25, 2006 12:25 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] SKIPIFWEIGHT question Another thing, Sharyn, is that the SKIPIFWEIGHT only does as the name implies. i.e. if you were expecting SKIPIFWEIGHT 30 to clamp the total message weight at exactly thirty, that would be expecting too much. If all of your RBL and external tests and the Declude built-in tests trigger, you can easily have a very high weight that is over thirty, but the filter text files will not appear in your logfile at MED level because they've been skipped. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt Sent: Friday, August 25, 2006 7:57 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] SKIPIFWEIGHT question I don't know if the message comes in any log level that is under high. It's at the top of your filters, I assume. SKIPIFWEIGHT315 Yeah, that's how I have it. It's working. I changed my log level from mid to high and I'm seeing that message. Atmid level logging itdoesn't show that it's skipping anything. Thanks! --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] ATTACH action
John, Here is exactly what you get, after the word Headers: Headers: Received: from gateway1.omeganetworksolutions.net [192.168.170.3] by mail1.omeganetworksolutions.net with ESMTP (SMTPD-8.22) id AE9301E8; Sun, 20 Aug 2006 14:48:51 -0400 Received: from sebrina.burtczarsecur.net [204.8.176.35] by gateway1.omeganetworksolutions.net (Alligate(TM) SMTP Gateway v2.6.6.29) with ESMPT id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Sun, 20 Aug 2006 14:48:48 -0400 Received: by sebrina.burtczarsecur.net id ht2n960baf0o; Sun, 20 Aug 2006 14:48:45 -0400 (envelope-from [EMAIL PROTECTED]) Date: Sun, 20 Aug 2006 14:48:45 -0400 Errors-To: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] From: Extreme Makeover [EMAIL PROTECTED] Subject: *Extreme* Home makeover entry To: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: multipart/alternative; boundary=Boundary_SlasN_1AZbMctsH2QQmfWQkF7wLfo_1aYW58gG8Tu7oLrh6DRo5Am ugs0 Date: Sun, 20 Aug 2006 14:48:45 -0400 X-MXRate-Prob: 90 X-MXRate-Country: US X-MXRate-Action: NONE X-Alligate-ReceivingIP: [192.168.170.2] X-Alligate-Grey: Skipped --- End Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Saturday, August 19, 2006 2:23 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] ATTACH action When using the ATTACH action, if I include %HEADERS% in the SPAMATTACH.EML file, will that show the headers with or without the lines Declude adds? The desired action is to show the headers WITH the lines added by Declude. John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Revenue Sharing Thoughts
I have to agree with all the other people who have expressed comments about the escalating costs to provide a good anti-spam/virus service. I also run into the problem of the client say it is good enough and when you look in their inbox if has a bunch of spam in it. So let me throw out a few thoughts on the yet not defined revenue sharing model. I provide a great service to my clients already. So far they are happy with it and my FPs are very low. For me to add the Commtouch product to my mix as is would be another cost with no extra revenue. What I could see is that as a Service Provider I get the Commtouch software for free and then I can turn it on per domain. What I would do is give existing customers a try and say this is the next level of spam fighting (or some other marketing words) and if you like it after your trial I will charge you an extra $x/month or whatever. If they sign on then I might consider sharing that incremental revenue with Declude/Commtouch. So the questions that arise out of this are: Can this new Commtouch thing be turned on and off by domain? What is the initial cost (if any) to the Service Provider? What is the % that Declude/Commtouch want out of my INCREMENTAL revenue? Hopefully this line of thought will stir some thought on how the revenue sharing model might work. Any other opinions out there? Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.3
Well the definition says: As a service provider (definition: a business which provides their customers with delivery of their Email communications and/or users with access to their own Email) We are all businesses of one sort or another - Check We all provide our customers (internal or external) with delivery of email - Check So I agree can any one of us use this product? Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Tuesday, July 18, 2006 2:24 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Declude 4.3 I guess someone is going to make an official announcement today about Declude 4.3? I see that its downloadable in my account, but it would be nice to know what I'm getting before I install it, especially the new Commtouch stuff. The Restrictions listed next to the Add Commtouch section are especially confusing. https://www.declude.com/articles.asp?ID=205 Who would use Declude and not fit the definitions of the restrictions? Based on my reading of the Restrictions, nobody who uses Declude will ever be able to use Commtouch. If I am misreading this, would someone please explain it to me? Gary --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.3
John, That applies to the Version 4 product for the people who are renting it on an annual basis. Check out section 2 on that page 2. Copyright and ownership Once you have acquired the Product, You own only the Media on which the Software is recorded. You do not own the Software itself. The Software is the exclusive property of Declude, Inc. The Software and the Documentation are proprietary products of Declude, Inc. and are protected by copyright and other intellectual property rights. Declude, Inc. reserves the right to maintain records of your installation. This may include the electronic notification of your installation from your mail server, appliance or gateway server to Declude, Inc. Us who have a perpetual license do not fall in this category. We own the software and not just the media. So there must be another version of this document for us perpetual users as this one dows not apply to us. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, July 18, 2006 3:02 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.3 I guess we all missed the following paragraph in the license agreement: 3.2.6 sub-license, rent, sell, lease, distribute, or otherwise transfer the Licensed Program save as provided under this End-User License Agreement unless You obtain a separate License from Declude, Inc. for such purposes (for example, You may not embed the Licensed Program into another application and then distribute such to third parties unless You first acquire an OEM License from Declude, Inc.). As of June 1, 2006, ISP's and other service providers are not permitted to use Declude software to clean and forward mail to customers unless a separate revenue share agreement has been established with Declude. http://www.declude.com/Articles.asp?ID=121 Is Declude trying to put us out of business? We pay for the software and now have to pay them some of your meager profits? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Tuesday, July 18, 2006 11:24 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Declude 4.3 I guess someone is going to make an official announcement today about Declude 4.3? I see that its downloadable in my account, but it would be nice to know what I'm getting before I install it, especially the new Commtouch stuff. The Restrictions listed next to the Add Commtouch section are especially confusing. https://www.declude.com/articles.asp?ID=205 Who would use Declude and not fit the definitions of the restrictions? Based on my reading of the Restrictions, nobody who uses Declude will ever be able to use Commtouch. If I am misreading this, would someone please explain it to me? Gary --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.3
Andy, Yes I agree with you. Since I have a perpetual license I have the right to use the last version that I acquire under a current service agreement FOREVER. Just like I can still continue to use Word 95 if I had purchased it and it would run on the hardware/os etc etc I was using OWN and RIGHT TO USE FOREVER interchangeably Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Tuesday, July 18, 2006 3:44 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.3 Goran, Actually, you do NOT own the software. The software vendor does (unless they wrote it for hire). With a paid-up, perpetual license you own the RIGHT to use the software version you purchased without time restriction and without making additional payments - but that's all. An annual (or whatever term) licensee, will have to pay for each term. In either case, you will need to acquire a service agreement to obtain more current versions that what you originally pre-paid for. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Tuesday, July 18, 2006 03:24 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.3 John, That applies to the Version 4 product for the people who are renting it on an annual basis. Check out section 2 on that page 2. Copyright and ownership Once you have acquired the Product, You own only the Media on which the Software is recorded. You do not own the Software itself. The Software is the exclusive property of Declude, Inc. The Software and the Documentation are proprietary products of Declude, Inc. and are protected by copyright and other intellectual property rights. Declude, Inc. reserves the right to maintain records of your installation. This may include the electronic notification of your installation from your mail server, appliance or gateway server to Declude, Inc. Us who have a perpetual license do not fall in this category. We own the software and not just the media. So there must be another version of this document for us perpetual users as this one dows not apply to us. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, July 18, 2006 3:02 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.3 I guess we all missed the following paragraph in the license agreement: 3.2.6 sub-license, rent, sell, lease, distribute, or otherwise transfer the Licensed Program save as provided under this End-User License Agreement unless You obtain a separate License from Declude, Inc. for such purposes (for example, You may not embed the Licensed Program into another application and then distribute such to third parties unless You first acquire an OEM License from Declude, Inc.). As of June 1, 2006, ISP's and other service providers are not permitted to use Declude software to clean and forward mail to customers unless a separate revenue share agreement has been established with Declude. http://www.declude.com/Articles.asp?ID=121 Is Declude trying to put us out of business? We pay for the software and now have to pay them some of your meager profits? John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Tuesday, July 18, 2006 11:24 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Declude 4.3 I guess someone is going to make an official announcement today about Declude 4.3? I see that its downloadable in my account, but it would be nice to know what I'm getting before I install it, especially the new Commtouch stuff. The Restrictions listed next to the Add Commtouch section are especially confusing. https://www.declude.com/articles.asp?ID=205 Who would use Declude and not fit the definitions of the restrictions? Based on my reading of the Restrictions, nobody who uses Declude will ever be able to use Commtouch. If I am misreading this, would someone please explain it to me? Gary --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com
RE: Re[2]: [Declude.JunkMail] Which way to upgrade - SmarterMail or IMail
Sandy, I looked through the Junkmail archives to see if I could find your documentation on how to make a pre-8.2 version of IMail only listen on 1 IP. I was unable to find it. Could you perhaps give me some other clues what to look for or do you still have the information somewhere? Thanks Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Sunday, July 16, 2006 9:01 PM To: Goran Jovanovic Subject: Re[2]: [Declude.JunkMail] Which way to upgrade - SmarterMail or IMail Smartertools confirmed that I could use the free (1 domain/10 users) as an unlimited gateway. I am putting in a gateway in front of my Declude process to handle address validation. NOTE that IMail will also gateway an unlimited number of domains as well. Still see no reason to open the floodgates to SM bugs, when your existing version of IMail can do all of this. --Sandy --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] F-Prot Licensing
Title: Message As my kids have become fond of saying This sucks Goran Jovanovic Omega Network Solutions ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
[Declude.JunkMail] Which way to upgrade - SmarterMail or IMail
Hi All, I am currently running IMail 8.15 HF2 and Declude 4.1.0. I got new server hardware so it is time to do it all over again. I want to incorporate an address validation gateway on the same box as my Declude system. I gateway pretty much all of my traffic and host very few domains (on the same box). Since I want all this to happen on one box I need to have two IPs both of which listen on port 25, I do not want the Declude portion to be listening on a different port. So I would either need to upgrade to IMail 8.2x since it can listen on only one IP or move to SmarterMail 3.3 as it can do the same thing. Having run IMail for a while I am obviously familiar with the product and have scripts etc that have been created for it. Having said that I am not committed to IMail. I have seen the recent thread about the thousands of messages in the declude error folder with SmarterMail. What are people having luck with? Any comments would be appreciated. Thanks Goran Jovanovic Omega Network Solutions ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Which way to upgrade - SmarterMail or IMail
Matt, I was reading just a little while ago that if you do the port redirection then some things like webmail might not work correctly. Even though I host just a few domains I do not want the hassle of figuring out a broken submission to port 25 when it is listening on 2525. So I will upgrade to either IMail 8.2x or SM 3.3 so I will not have that problem. I have no where near enough volume to justify two boxes for email at this point so splitting the functionality is not going to happen right now. I do have a leaning to IMail due to familiarity but it costs somewhat more than SM. If all I was doing was gatewaying I would look at the SM free version as it can gateway unlimited domains/users while only hosting 1 domain with 10 users. I think I may install the free version of SM and test it out by running a few domains through it and then I can see how it is going to perform for me. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, July 13, 2006 6:55 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Which way to upgrade - SmarterMail or IMail Goran, You can do port redirection with most routers on the market, which would alleviate the need to upgrade any software. I had done this for over two years up until recently in fact. There is also software that can do port redirection. I have even seen Windows Firewall do this, though I would be more comfortable using a router than software on that box. I would not be scared of upgrading to IMail 8.22. I did this recently and the conversion was pretty much flawless, and the services have been perfectly stable for me. I however only host my MailPure accounts on that server, and otherwise use it for spam capture accounts, but that's it. All of my hosted E-mail is on a separate SmarterMail box. If you hosted your E-mail on a separate box, you could certainly configure both the gateway and IMail on different ports so long as the gateway is on port 25 and you don't have any users connecting to the server that aren't configured for the special port that you put IMail on. This is exactly what I am doing now. I would not necessarily discourage the use of Declude with SmarterMail when one is only hosting accounts on such a server, but for doing a gateway service I still strongly believe that IMail is best. The reason for this is because IMail uses ASCII formats for all of the associated files, and SmarterMail uses some funky Microsoft format that combines binary and ASCII data into one file, and it is impossible to manually modify some of these files for some things. The fact that IMail keeps true to standard formats that are fully text readable and editable can be a bonus for a gateway service. The logging is also better with IMail as well, and IMail is more mature in several ways that I find to be important. SmarterMail has some nifty features, but I find that their execution of such things to be lacking somewhat, though certainly not totally, and most of the issues are in how things are configured and the access that end-users have over things. SmarterMail does perform very well and is stable, but I honestly wished I still used IMail for my hosted E-mail now that IMail has improved their webmail interface. So I would recommend that you either do port redirection with a router, or upgrade to 8.22 or higher, or move the hosted E-mail to a separate box and leave the spam and virus blocking on a dedicated server along with the gateway where the IMail port wouldn't matter. I would not move Declude off of IMail for a gateway service installation. Matt Goran Jovanovic wrote: Hi All, I am currently running IMail 8.15 HF2 and Declude 4.1.0. I got new server hardware so it is time to do it all over again. I want to incorporate an address validation gateway on the same box as my Declude system. I gateway pretty much all of my traffic and host very few domains (on the same box). Since I want all this to happen on one box I need to have two IPs both of which listen on port 25, I do not want the Declude portion to be listening on a different port. So I would either need to upgrade to IMail 8.2x since it can listen on only one IP or move to SmarterMail 3.3 as it can do the same thing. Having run IMail for a while I am obviously familiar with the product and have scripts etc that have been created for it. Having said that I am not committed to IMail. I have seen the recent thread about the thousands of messages in the declude error folder with SmarterMail. What are people having luck with? Any comments would be appreciated. Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. ---This E-mail came
RE: [Declude.JunkMail] Verify code needed
What is the rule for SmarterMail? Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Asaro Sent: Tuesday, June 27, 2006 8:29 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Verify code needed In Imail systems only is this code required to be in your Declude.cfg. Yes John you are correct. Christopher Asaro www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Monday, June 26, 2006 6:53 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Verify code needed Just to verify, when using Declude 4.x with the appropriate code, you do not need a separate code for the Global.CFG or Virus.cfg or Hijack.cfg files, the code is only in the declude.cfg file, correct? John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Testing
Pong Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Tuesday, June 20, 2006 12:06 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Testing Ping John T eServices For You Seek, and ye shall find! --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HOLD action and %DATE% variable
David, This is not a development wish list item it is a bug. Please have it put on the bug list for fixing. Your own manual says that these variables are available. BTW so does the 3.0.5 manual. From the 4.0.8 manual 14. E-mail Notifications There are also a number of variables that you can use: Variable Description %ALLRECIPS% Recipients of the E-mail %BANEXT% Shows the file extension that was banned (for banned attachments) %DATE% Today's date DD MMM %EURDATE% Today's date DD/MM/ %HEADERS% Inserts the headers of the E-mail with the virus %INOROUT% incoming or outgoing %ISODATE% Today's date -MM-DD Goran Jovanovic Omega Network Solutions Tel: 416 322-0333 Cell: 416 805-HELP (4357) [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, June 19, 2006 8:34 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] HOLD action and %DATE% variable Currently the only date format available is %DATE% which is ddmmm I have added the request for different date formats to development wishlist. David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Friday, June 16, 2006 9:53 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] HOLD action and %DATE% variable Can anyone from Declude confirm this? Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, June 16, 2006 9:32 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] HOLD action and %DATE% variable To the best of my knowledge there is no way to customize the date. Darrell fpReview - The easy way to review false positives. http://www.invariantsystems.com - Original Message - From: Goran Jovanovic To: declude.junkmail@declude.com Sent: Friday, June 16, 2006 8:55 PM Subject: [Declude.JunkMail] HOLD action and %DATE% variable Hi, When you specify HOLD F:\Hold\%DATE% The date shows up as ddMMM Is there a way to have this show up as mmdd as it is much easier to sort and keep track? Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] HOLD action and %DATE% variable
Thanks Markus, I will look at those formats and see if they sort better. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Saturday, June 17, 2006 9:12 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] HOLD action and %DATE% variable Sensitivity: Confidential In the Virus-Manual they have listed beside %DATE% for use in the eml-files also %EURDATE% and %ISODATE% Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, June 17, 2006 2:56 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] HOLD action and %DATE% variable Sensitivity: Confidential Hi, When you specify HOLD F:\Hold\%DATE% The date shows up as ddMMM Is there a way to have this show up as mmdd as it is much easier to sort and keep track? Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
[Declude.JunkMail] %EURDATE% and %ISODATE% are broken
Well I guess we should add this to the bug list. If you use %EURDATE% and %ISODATE% in a HOLD action you do not get what the manual says. You get: The first two were generated from %DATE% and the other two came from their namesakes. Based on what the manual says I want to use %ISODATE% because the format of the directory name becomes -MM-DD and that works for proper chronological sorting. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, June 17, 2006 12:33 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] HOLD action and %DATE% variable Thanks Markus, I will look at those formats and see if they sort better. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Saturday, June 17, 2006 9:12 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] HOLD action and %DATE% variable Sensitivity: Confidential In the Virus-Manual they have listed beside %DATE% for use in the eml-files also %EURDATE% and %ISODATE% Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, June 17, 2006 2:56 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] HOLD action and %DATE% variable Sensitivity: Confidential Hi, When you specify HOLD F:\Hold\%DATE% The date shows up as ddMMM Is there a way to have this show up as mmdd as it is much easier to sort and keep track? Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
[Declude.JunkMail] HOLD action and %DATE% variable
Hi, When you specify HOLD F:\Hold\%DATE% The date shows up as ddMMM Is there a way to have this show up as mmdd as it is much easier to sort and keep track? Thanks Goran Jovanovic Omega Network Solutions ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] HOLD action and %DATE% variable
Can anyone from Declude confirm this? Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Friday, June 16, 2006 9:32 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] HOLD action and %DATE% variable To the best of my knowledge there is no way to customize the date. Darrell fpReview - The easy way to review false positives. http://www.invariantsystems.com - Original Message - From: Goran Jovanovic To: declude.junkmail@declude.com Sent: Friday, June 16, 2006 8:55 PM Subject: [Declude.JunkMail] HOLD action and %DATE% variable Hi, When you specify HOLD F:\Hold\%DATE% The date shows up as ddMMM Is there a way to have this show up as mmdd as it is much easier to sort and keep track? Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
RE: [Declude.JunkMail] Please take a look at this - forged mail headers?
I have been receiving these numeric SPAMs since Monday morning. I have been tagging them (there is not enough there to DELETE it). This means that my DNS etc tests are running and ACTIONs are being taken. Matt pointed out that perhaps the NO ACTION bug is with a NULL sender and these numeric SPAMs have the from and to as the same address. I am running Declude 4.1.0 and IMail 8.15 Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter Sent: Tuesday, June 06, 2006 8:52 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Please take a look at this - forged mail headers? I'm getting the same for several days. There are few recent comments over on the Imail forum, but nothing that clears up their purpose. What I find worrisome over the few weeks is the increase of all the various spam problems. Number of Nigerian letters are way up; spam coming through passing most all of the tests or with very low score are up; etc. Add to it the recent discovery of spam failing Declude tests but getting NO ACTIONS WERE TAKEN. John C -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Monday, June 05, 2006 10:24 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Please take a look at this - forged mail headers? I've been receiving some strange spam today on various email addresses of ours. Its almost like they are profiling various addresses to see if they are working. The from and to addresses are the same email address and they are valid addresses on our domain. However, it appears they are forging headers. Can someone take a look at these headers and tell me if its something I need to worry about? The body of the emails are a series of 3 to 4 numbers -- nothing meaningful. Which is why I think we are being profiled for some nefarious reason. The return-path, from and to address, smtp sender and message-id all look like valid headers for our mail server. However, the sever name is obviously not ours. So they aren't sending via our mail server (we haven't been hacked) however everything else is forged. What would be the purpose? Here are the headers: Return-Path: [EMAIL PROTECTED] Mon Jun 05 22:03:23 2006 Received: from catv25.avis.ne.jp [202.247.193.25] by perseus.sixthweb.com with SMTP; Mon, 5 Jun 2006 22:03:23 -0500 Date: Tue, 06 Jun 2006 11:59:17 +0900 To: Racing [EMAIL PROTECTED] From: Racing [EMAIL PROTECTED] Subject: 586876 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 110, weight 3) X-Note: X-Note: Spam Score: [4] X-Note: Scan Time:22:03:35 on 05 Jun 2006 X-Note: Spool File: 30844292.EML X-Note: Server Name: catv25.avis.ne.jp X-Note: SMTP Sender: [EMAIL PROTECTED] X-Note: Reverse DNS IP: catv25.avis.ne.jp [202.247.193.25] X-Note: Recipient(s): fwd[EMAIL PROTECTED] X-Note: Country Chain:JAPAN-destination X-Note: Failed Weights: SPFUNKNOWN [1], Filter_Country [3] X-Note: X-Rcpt-To: [EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus] [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] phishing
Darrell, SANS or SANE Security? If it is SANS does that plug into CLAM? Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, June 06, 2006 9:32 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] phishing Roger, Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through. Darrell --- fpReview - The quick way to reviewing false positives. http://www.invariantsystems.com Schmeits, Roger writes: What are people doing for phishing scams? We seem to be getting quite a few and was wondering what people do. Running declude 3.1.0 Imail 8.05 as a gateway. I have McAffee, f-prot Clamwin as scanners. Thanks. I heard some talk about clamdev ? or something like that -- did not pay much attention then , was not on the radar screen at the moment.. ## Roger Schmeits Sr. Network Engineer 101 South 42nd St. Omaha, NE 68131 http://www.clarksoncollege.edu (402) 552-2542 Office (800) 647-5500 Toll Free ## Disclaimer: The information contained in this e-mail is privileged and confidential and is intended only for the use of the addressee(s) indicated above. Use or disclosure of information e-mailed in error is respectfully prohibited. If you have received this e-mail in error, please contact the sender and immediately delete the original message. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Automatic restart after power failure - Proliant 1850R
Dave, I had this problem with some older Dells and APC software. It was the older Dells that were running Windows Server 2003 that would not reboot. The identical Dells that were running Windows 2000 Server were just fine. There was even a case of one Dell that was Win2K which we upgraded to Win2K3 that used to reboot and then didnt. After much discussion with APC and some with Dell it all boiled down to something in 2003 was handling the power switch differently and there had to be a BIOS change to deal with it and Dell was not going to put one out due to machine age etc etc so the answer was live with it. I have a vague recollection that there may have been a fix from MS but cannot really remember. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Saturday, June 03, 2006 3:06 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] OT: Automatic restart after power failure - Proliant 1850R Good question. I will check. Thanks. -d - Original Message - From: Gil Pleczynski To: Declude.JunkMail@declude.com Sent: Saturday, June 03, 2006 3:01 PM Subject: RE: [Declude.JunkMail] OT: Automatic restart after power failure - Proliant 1850R Way back I had an 1850rdo this and could never figure it out. I later flashed the bios to a newer revision for another issue and it seemed to fix the restart problem. Maybe it was a fluke or the bois was corrupt but I have not had a problem since. Do all your Proliants have the same bios revision? Hope this helps, Gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Saturday, June 03, 2006 12:39 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] OT: Automatic restart after power failure - Proliant 1850R OK, here's one for those of you with long memories I haveseveral Proliant 1850Rs on line. They were all configured with Smart Start, and all appear to have the same BIOS settings, including the advanced settings accessible after hitting Ctrl-A. The board switches are set the same on all machines. All but one restart automatically after a power failure. One does not, and I cannot find anything relating to this behavior in the BIOS settings or online at HP. A query to their support forum turned up another user with the same issue, and no response from anyone to the question. Does anybody here remember how to set this? -Dave Doherty Skywaves, Inc.
RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server
Hi Robert, All very good questions. The client is paying for piece work as opposed to an hourly rate so monitoring time spent against time billed is not a concern. Mostly they want to know if the developers are using the environment that has been provided to them. 2 SQL servers, 2 web servers, 2 application servers. Comments like did they just upload the new stuff the day before the deliverable date? Are they using the environment that was provided for 5 minutes a day or hours per day? I am thinking of it as more of a validation of the whole support environment for the developers rather than did they update/fix that web page. Monitoring the host machines via SNMP might be an idea. Any simple (but good) tool leap to mind? Thanks Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert E. Spivack Sent: Wednesday, May 31, 2006 7:01 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server Lets start at the high-level: What question are you trying to answer? e.g: Are the developers spending enough time doing the work they should be doing? Are the developers doing things they should not be doing? Are the developers competent and performing their job properly? Are the developers hours spent working matching their timesheets/project sheets? Etc. There are different solutions depending upon your objectives. Note: Personally, for outsourcing I pay based on a project or deliverable so tracking time/usage is of no interest to me. I pay for a certain result and dont care if it takes an hour or a week to do it. Also, I audit the quality of the finished product/code/service, I dont care about the tools/methods used to reach that goal. In your case: Since you have a virtual server environment, you can also audit at the host level. E.g. you can run SNMP tools and measure traffic (bps and total bytes in/out) on the virtual network ports of the virtual machine to see the activity level. You can see the protocol (http, http, netbios, smb, etc.) to see what type of activity is flowing through the machine. If you run the tool in a virtual machine on the same physical host, it can use packet capture to fully analyze the traffic and not just SNMP/WMI. You might consider re-writing your outsourcing contract. You really shouldnt have to police the project/micromanage it. Afterall, management of outsourcing is the hidden cost that can eat you alive and remove any cost benefits so why allow yourself to fall into that black hole? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Wednesday, May 31, 2006 1:09 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server It is a dev/staging server running in a virtual server environment so I have to be a bit careful what I turn on or dont. I tried the auditing a file. Wow talk about generating Security Event Log records. I turned auditing on for two files bginfo.exe and its corresponding config.bgi file. Then I ran it to generate the background on file server. That simple little thing created 15 log entries. If we turn this on we are going to need something to parse the security log file as I can see that it is going to produce a HUGE amount traffic in there. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shaun Mickey Sent: Wednesday, May 31, 2006 3:34 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server You could also enable auditing in Windows to examine file level access, just r-click on any file/folder and select properties, click on the security tab then click advanced then click on the auditing tab. WARNING: auditing a lot of high-use files could strain the server That being said, your on a dev server so it should be alright, though I would keep the number of files youre auditing to a minimum or as small a group as possible Thanks, Shaun --- Shaun Mickey 270net Technologies Phone: 301.663.6000 x28 Fax: 301.663.4410 www.270net.com Internet/Technology Solutions for Business and Government --- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Wednesday, May 31, 2006 3:16 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] OT: Monitoring/Auditing a Windows Server Source code activity would be best analyzed with Visual SourceSafe or another code control system. For watching use of the sites for testing, etc. just enable logging for the virtual webs and run reports on the web traffic. Darin. - Original Message - From: Goran
RE: [Declude.JunkMail] Windows Gui Ping
I use this. Does not need an install, runs from the EXE file. Very nice and easy Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of William Stillwell Sent: Thursday, June 01, 2006 5:45 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Windows Gui Ping Angry IP Scanner http://www.angryziber.com/ipscan/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sent: Thursday, June 01, 2006 5:22 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Windows Gui Ping A little off topic but I remember seeing a post in the past on a great ping program on the list but forgot the name. It'll ping a range of ips and report with it either live or not. Any feedback greatly apprecicated. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT: Monitoring/Auditing a Windows Server
Hi All, This is definitely an off topic question. I have a client that wants to monitor what their outsourced developers are doing. The development is taking place in IIS, .Net Application Server and SQL 2000. They want to know generally speaking what they are doing. Are the development servers being used/tested? Would not have to report on what exactly is being changed etc but some sort of activity report. Does anyone know of anything that can report on this type of activity. Thanks Goran Jovanovic Omega Network Solutions
[Declude.JunkMail] New version - any hints
Hi David, You said: 5. Make sure you have the latest version of decludeproc ... There should be a release later today or tommorow. Any ints as to what is in this version? Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] CLAMAV Command Line Parameters
Hi Scott, I am trying to understand what the --max-ratio 0 command will do. It must be referring to the compression ratio but what does 0 mean? The default of 250 would mean that it would not decompress a 300 KB file that was compressed to a 1 KB file since that would be a 300:1 compression ratio. Does zero mean infinite or does it mean no compression? Just confused. Thanks Goran Jovanovic Omega Network Solutions Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, April 27, 2006 10:43 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] CLAMAV SANE Phishing Here's some clam-av command line changes that I use: I add the --max-ratio 0 to the command line. I have had numerous heavily compressed zip files caught by clam-av. Mostly these are large .txt files that have been zipped up. clamscan notes: --max-ratio=#n Set maximum archive compression ratio limit. This option pro-protects tects your system against DoS attacks (default: 250). I also add a --max-space 1M to the command line. This will decompress onlythe first 1M of each archive. My clam-av has choked on large archives before, so cutting the scan time was a goal. Plus I don't know of any viruses that routinely propogate in 1M+ zip files. clamscan notes: --max-space=#n Extract first #n kilobytes from each archive. You may give the number in megabytes in format xM or xm, where x is a number. This option protects your system against DoS attacks (default: 10 MB)
RE: [Declude.JunkMail] Virus?
I had to manually release your message from the virus queue because it got tagged as Virus: Html.Phishing.Card.Sanesecurity.06022100 Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Thursday, April 06, 2006 9:04 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Virus? I just received about 10 of these at 7:30 this morning...any ideas what is going on.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet
RE: [Declude.JunkMail] Virus?
Richard, I implemented CLAM AV with the Sane Security phishing filters. This is from the thread that Andrew included. I run F-Prot then McAfee then CLAM AV with the ExitOnFirstDetect (or whatever that directive is). Clam is the scanner that catches pretty much all phishing attempts. The other two dont do much in that department. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, April 06, 2006 2:03 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Virus? Richard, you might want to check this thread from the archives. Goran can clarify, but I'm pretty sure that this is the source of the Sane Security detection string. For what it's worth, Message Sniffer catches the email message body you supplied with the MALWARE category. The hosting provider, 0catch.com are not bad guys but their express hosting model makes them a frequently used hoster of malware and pharmacy sales/scams. The link was still active, so I downloaded and ran it through various antivirus engines out of curiousity. Trend Micro didn't detect it, but F-Prot, McAfee and CLAM-AV all did. Here are the results from VirusTotal.com : Results of a file scan This is a report processed by VirusTotal on 04/06/2006 at 19:19:19 (CET) after scanning the file postcard.gif.exe file. Antivirus Version Update Result AntiVir 6.34.0.24 04.06.2006 TR/Zapchas.F Avast 4.6.695.0 04.03.2006 Win32:Parite AVG 386 04.06.2006 IRC/BackDoor.Flood Avira 6.34.0.56 04.06.2006 TR/Zapchas.F BitDefender 7.2 04.06.2006 Backdoor.IRC.Zapchast.AY CAT-QuickHeal 8.00 04.06.2006 no virus found ClamAV devel-20060202 04.06.2006 W32.Parite.B DrWeb 4.33 04.06.2006 no virus found eTrust-InoculateIT 23.71.121 04.06.2006 no virus found eTrust-Vet 12.4.2151 04.06.2006 no virus found Ewido 3.5 04.06.2006 no virus found Fortinet 2.71.0.0 04.06.2006 BAT/Zapchast.S-tr F-Prot 3.16c 04.06.2006 security risk or a backdoor program Ikarus 0.2.59.0 04.06.2006 no virus found Kaspersky 4.0.2.24 04.06.2006 Backdoor.IRC.Zapchast McAfee 4734 04.05.2006 IRC/Flood.ev NOD32v2 1.1474 04.05.2006 IRC/Zapchast.L Norman 5.90.15 04.06.2006 Smalldrp.IYU Panda 9.0.0.4 04.05.2006 no virus found Sophos 4.04.0 04.06.2006 W32/Parite-B Symantec 8.0 04.06.2006 Trojan.Dropper TheHacker 5.9.7.125 04.05.2006 no virus found UNA 1.83 04.05.2006 no virus found VBA32 3.10.5 04.06.2006 Backdoor.IRC.Zapchast Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Thursday, April 06, 2006 10:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Virus? Which virus scanner do you use? Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Thursday, April 06, 2006 10:47 AM Subject: RE: [Declude.JunkMail] Virus? I had to manually release your message from the virus queue because it got tagged as Virus: Html.Phishing.Card.Sanesecurity.06022100 Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Thursday, April 06, 2006 9:04 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Virus? I just received about 10 of these at 7:30 this morning...any ideas what is going on.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet
RE: [Declude.JunkMail] recursion turned off causes higher JM scores?
Ben, Here is my understanding of Forwarders Recursion If you have forwarders defined then any zone that your DNS is not authoritative for will look to the forwarders to resolve. If you have recursion on then your DNS server will call the root DNS servers and track down the authoritative DNS server for the request. I do not know what will take precedence if you have both defined and enabled. It has been said many times on this list that your ISP frowns on your DNS server using theirs for all the DNS checks that Declude does due to volume. Which goes back to John's point of having a DNS server on your Declude box that does recursive look ups and does not have forwarders defined. Hope it helps Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 1:23 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? I see; so it becomes non-authoritative on everything. Do you know what the difference is between the two recursion settings in MS DNS? There is one on the forwarders tab and one on the advanced tab. This is getting a little off-topic, but I appreciate the help anyway and the list looks quiet today. So why is recursion necessary? If I have forwarders configured, wouldn't they either report the answer, or use recursion, or use forwarders themselves? It would seem that forwarders should achieve the same results as recursion. For that matter, what would happen if you enabled recursion but didn't list forwarders? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 10:10 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? Don't configure any zones but allow recursion. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 9:45 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's what I was thinking. How do you configure the cache-only? Thanks, Ben - Original Message - From: John T (Lists) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 1:59 AM Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores? What I do is install the MS DNS service on the Imail server, configure it for cache only allowing recursion, and point Imail and Declude to that. Make sure your firewall is configured to not allow the world to make DNS queries against it and you are set. John T eServices For You Seek, and ye shall find! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of IMail Admin Sent: Saturday, April 01, 2006 12:20 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? Hi Sandy, OK, I've got recursion back on, so now I get email again. I hate to think how many complaints I'm going to have in the morning. Fortunately, most of our clients aren't as aggressive as I am in deleting spam based on rating. I understand what you're saying, and I thank you for the explanation. I'm not real anxious to get into SimpleDNS (and I've read enough complaints about BIND to be cautious) first, because of cost, and, second, because it's one more complication. However, I was thinking about something else I read here. There was some discussion about running a cache-only DNS server for IMail/Declude. I didn't read most of the thread, and I never saw how to make the DNS serve cache only, but I was thinking that if I had a cache-only server that is only available to the mail server, then I can leave on recursion for it and it won't matter because it wouldn't be available to the public. The public DNS servers I can then turn off their recursion feature. What do you think? Thanks again, Ben - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: IMail Admin Declude.JunkMail@declude.com Sent: Saturday, April 01, 2006 12:06 AM Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores? That's when the JM scores got so high. I'm testing a different config now: allow recursion on the Forwarders tab, but disable it on the Advanced tab. I won't know if this works until I get some messages. In the meanwhile, can anyone explain this to me? You _must_ allow recursion for the Declude server, or it will not be able
RE: [Declude.JunkMail] [OT] Drop Connection On First Invalid User
This will obviously work for domains that are hosted on IMAIL but I am sure that it cannot work with gatewayed domains as there is no user info (assuming no aliases etc). So if you are gatewaying some domains and hosting some domains then this parameter should have an effect on the hosted domains but no effect on the gatewayed ones. Correct? Thanks Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Greg Evanitsky Sent: Monday, March 27, 2006 9:00 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] [OT] Drop Connection On First Invalid User On Mar 26, 2006, at 2:22 PM, Goran Jovanovic wrote: How are you going to drop the SMTP connection on the first or second invalid recipient? In Imail. http://support.ipswitch.com/kb/IM-20050831-DM01.htm BTW, the support page says it works in 8.1+ but didn't for me. Upgraded to 8.22, works perfectly. Thanks, Greg Evanitsky ACS, Inc. (717) 248-2720 ext. 5113 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] [OT] Drop Connection On First Invalid User
Darrell, How are you going to drop the SMTP connection on the first or second invalid recipient? Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Thursday, March 23, 2006 12:56 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] [OT] Drop Connection On First Invalid User Is anyone dropping the smtp connection on the first invalid user? Anyone see a downside to this? If the message has multiple recipients (even ones that are valid) they will receive a notice saying the message was not delivered. Thoughts? Darrell --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How to add extra points to this
Hi Here are the headers from a bunch of SPAM that is slipping through. Subject: Re: Para7mcy news To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] REV DNS: corporativos244254-29.etb.net.co Date: 06 Mar 2006 at 02:42:18 Tests Failed: IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], INV-URIBL [15], SIZE-BT-1KB-5KB [1] Weight: 23 Spool File: De7c016fa0086126d.smd To view the E-mail, just click the attachment. Headers: Received: from nicsweb.com [201.244.254.29] by mail1.omeganetworksolutions.net (SMTPD32-8.15) id A7C116FA0086; Mon, 06 Mar 2006 02:41:53 -0500 Message-ID: [EMAIL PROTECTED] Reply-To: Pallav Jenkins [EMAIL PROTECTED] From: Pallav Jenkins [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Para7mcy news Date: Mon, 6 Mar 2006 02:41:25 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C640C7.764CC4D0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 As you can see the sending server is not blacklisted. SNIFFER and invURIBL pick it up but it is not high enough (need 30 to delete). I checked the IP http://www.dnsstuff.com/tools/whois.ch?ip=201.244.254.29 and it belongs to ETB in Columbia I check senderbase http://www.senderbase.org/search?searchString=201.244.254.29 from what I understand a magnitude of 2.7 is not a lot Checking DNSSTUFF now http://www.dnsstuff.com/tools/ip4r.ch?ip=201.244.254.29 shows that it is blacklisted by CBL CSMA-SBL DNSBLNETAUT1 SBL-XBL SPAMCOP Arrgh it was listed a little while after this message went through. In any case does anyone have any good ideas on how to block this SPAM when it is not on the black lists? I have thought of writing a filter that checks for both SNIFFER and INVURIBL and if the subject has the word NEWS in it then add another 5 (or so points). Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] How to add extra points to this
And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result. Our favorite R. Scott Perry has added a little summary at the top of DNSSTUFF when you look up an IP in the SPAM databases. I just did a cut and paste from there. I only test the combined sbl-xbl.spamhaus.org zone. I may decide to go to adding weight for Countries but I find that a bit risky. I have many different customers. I will think about a special filter test with a keyword what should be able to get rid of more of this SPAM. Thanks Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday, March 06, 2006 3:03 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How to add extra points to this Message Sniffer plus any URI blacklist testis a powerful and reliable combination. You could add keywords to make it an even stronger weight if you wanted to maintain that. You could also implement the COUNTRY filter and give a little nudge weight for CO (Colombia) if you think you get very little spam from there; if you do, I'd suggest adding Brazil, Peru and Venezuela in there too. And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result. Scott recently posted to the list a whole handful of combo tests that he finds reliable. If you're not keeping messages from this list, you might want to check the web archive for his posting(s). Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Monday, March 06, 2006 7:36 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How to add extra points to this Hi Here are the headers from a bunch of SPAM that is slipping through. Subject: Re: Para7mcy news To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] REV DNS: corporativos244254-29.etb.net.co Date: 06 Mar 2006 at 02:42:18 Tests Failed: IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], INV-URIBL [15], SIZE-BT-1KB-5KB [1] Weight: 23 Spool File: De7c016fa0086126d.smd To view the E-mail, just click the attachment. Headers: Received: from nicsweb.com [201.244.254.29] by mail1.omeganetworksolutions.net (SMTPD32-8.15) id A7C116FA0086; Mon, 06 Mar 2006 02:41:53 -0500 Message-ID: [EMAIL PROTECTED] Reply-To: Pallav Jenkins [EMAIL PROTECTED] From: Pallav Jenkins [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Para7mcy news Date: Mon, 6 Mar 2006 02:41:25 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C640C7.764CC4D0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 As you can see the sending server is not blacklisted. SNIFFER and invURIBL pick it up but it is not high enough (need 30 to delete). I checked the IP http://www.dnsstuff.com/tools/whois.ch?ip=201.244.254.29 and it belongs to ETB in Columbia I check senderbase http://www.senderbase.org/search?searchString=201.244.254.29 from what I understand a magnitude of 2.7 is not a lot Checking DNSSTUFF now http://www.dnsstuff.com/tools/ip4r.ch?ip=201.244.254.29 shows that it is blacklisted by CBL CSMA-SBL DNSBLNETAUT1 SBL-XBL SPAMCOP Arrgh it was listed a little while after this message went through. In any case does anyone have any good ideas on how to block this SPAM when it is not on the black lists? I have thought of writing a filter that checks for both SNIFFER and INVURIBL and if the subject has the word NEWS in it then add another 5 (or so points). Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] How to add extra points to this
Hi Andrew, I was thinking specifically of a combo filter of both SNIFFER and INVURIBL and then adding keywords. The current campaign of one or two munged words and then news in the subject line is annoying me since it seems to be able to slip through in the early stages. I have already create a combo filter that helps a bunch, DUL space and then adding some more for SNF and URI. I suppose adding a combo of SNF and URI by themselves could also work. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday, March 06, 2006 6:09 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How to add extra points to this I will think about a special filter test with a keyword what should be able to get rid of more of this SPAM. Goran, I suggest that making a combo test that awards more weight when both Message Sniffer and your URI external test trigger will be a better value for you, as it will be far more wide-ranging than merely adding keywords for the current campaign. Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Monday, March 06, 2006 1:31 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How to add extra points to this And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result. Our favorite R. Scott Perry has added a little summary at the top of DNSSTUFF when you look up an IP in the SPAM databases. I just did a cut and paste from there. I only test the combined sbl-xbl.spamhaus.org zone. I may decide to go to adding weight for Countries but I find that a bit risky. I have many different customers. I will think about a special filter test with a keyword what should be able to get rid of more of this SPAM. Thanks Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday, March 06, 2006 3:03 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How to add extra points to this Message Sniffer plus any URI blacklist testis a powerful and reliable combination. You could add keywords to make it an even stronger weight if you wanted to maintain that. You could also implement the COUNTRY filter and give a little nudge weight for CO (Colombia) if you think you get very little spam from there; if you do, I'd suggest adding Brazil, Peru and Venezuela in there too. And just for the record the CBL, SBL, and SBL-XBL tests that you mentioned are now listed are all the same thing; only CBL is really listing the IP address, while SBL and SBL-XBL are including the CBL result. Scott recently posted to the list a whole handful of combo tests that he finds reliable. If you're not keeping messages from this list, you might want to check the web archive for his posting(s). Andrew 8) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Monday, March 06, 2006 7:36 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How to add extra points to this Hi Here are the headers from a bunch of SPAM that is slipping through. Subject: Re: Para7mcy news To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] REV DNS: corporativos244254-29.etb.net.co Date: 06 Mar 2006 at 02:42:18 Tests Failed: IPNOTINMX [0], NOLEGITCONTENT [0], SNIFFER [7], INV-URIBL [15], SIZE-BT-1KB-5KB [1] Weight: 23 Spool File: De7c016fa0086126d.smd To view the E-mail, just click the attachment. Headers: Received: from nicsweb.com [201.244.254.29] by mail1.omeganetworksolutions.net (SMTPD32-8.15) id A7C116FA0086; Mon, 06 Mar 2006 02:41:53 -0500 Message-ID: [EMAIL PROTECTED] Reply-To: Pallav Jenkins [EMAIL PROTECTED] From: Pallav Jenkins [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Para7mcy news Date: Mon, 6 Mar 2006 02:41:25 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C640C7.764CC4D0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 As you can see the sending server is not blacklisted. SNIFFER and invURIBL pick it up but it is not high enough (need 30 to delete). I checked the IP http://www.dnsstuff.com/tools/whois.ch?ip=201.244.254.29 and it belongs to ETB in Columbia I check senderbase http://www.senderbase.org/search?searchString=201.244.254.29 from what I understand a magnitude of 2.7 is not a lot Checking DNSSTUFF now http://www.dnsstuff.com/tools/ip4r.ch?ip=201.244.254.29 shows that it is blacklisted by CBL CSMA-SBL DNSBLNETAUT1 SBL-XBL SPAMCOP Arrgh it was listed a little while after this message went through. In any
RE: [Declude.JunkMail] MXRATE FYI
Thanks Scott. Subscribed and got my new address and done. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Wednesday, March 01, 2006 12:14 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] MXRATE FYI FYI: It looks like around Janurary 26th the pub.mxrate.com IP4R DNSservices were made private. Since then I've had no response from the DNS lists. They have discontinued the public service and made a private service available. If you are interested the URL is here: http://www.mxrate.com/Subscribe.asp - Scott Fisher Director of IT Farm Progress Companies 191 S Gary Ave Carol Stream, IL 60188 630-462-2323 This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
[Declude.JunkMail] Checking DUL Space
In looking through my DNS tests I see only the following two to be obviously checks on the DUL space NJABL-DUL SORBS-DUHL Are there other DNS tests that would also indicate that it came from the DUL space? Thanx Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] BADHEADER code c010100e
Title: Message Hi, This header failed with an error code c010100e which according to the web site means This E-mail has a bogus year in the Date: header. What I do not see is the bogus year. What am I missing??? Headers: Received: from mx.webminders.com [66.165.106.105] by mail1.omeganetworksolutions.net with ESMTP (SMTPD32-8.15) id A8E919C8006E; Mon, 27 Feb 2006 12:37:45 -0500 Received: from [10.1.0.105] by mx.webminders.com [10.1.0.105] with SmartMax MailMax for [EMAIL PROTECTED]; Mon, 27 Feb 2006 12:34:35 -0500 Return-Path: X-SmartMax-AuthUser: To: [EMAIL PROTECTED] From: Trish [EMAIL PROTECTED] Date: Date: Mon, 27 Feb 2006 12:34:34 -0500 Subject: Automated response from [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] Left over D*.SM$ files in proc\work
Thank Bill, I will review what I have setup later and get back to you. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Green dfn Systems Sent: Wednesday, February 15, 2006 11:52 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Left over D*.SM$ files in proc\work Goran, I was having the same issue. I seem to have resolved it accidently while working on an ?unrelated? connectivity issue. Since I was not focusing on the orphaned proc/work files as I made changes, I do not know which change resolved this issue. These are the changes I made: In Queue Manager: Disabled DNS Cache Disabled Failed Domain Skipping In SMTP Security Tab: Disabled Check Valid Sender Disabled Auto-deny possible Hack Attempts Bill Green dfn Systems - Original Message - From: Goran Jovanovic Hi, I have noticed that I am getting left over D*.SM$ files in the proc\work directory. I am getting 2 to 4 of these per day on a volume of 15-20K messages a day. ~~~ Anyone have any ideas about this? Thanks Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Title: Message Here you go TESTSFAILED END CONTAINS BYPASS # Did it Fail CMDSPACE TESTSFAILED END NOTCONTAINS CMDSPACE # It failed CMDSPACE now check Sniffer TESTSFAILED 10 CONTAINS SNIFFER Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Friday, February 10, 2006 12:30 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Combo Filter Would you be so kind as to post this filter? Thanks ahead of time Rob From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, January 14, 2006 8:33 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Combo Filter FYI All, I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter an let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today. Looks like another good test that I am finally adding to my mix. Goran Jovanovic Omega Network Solutions
[Declude.JunkMail] Comments Test
Back in the beginning of last year there was some talk about the COMMENTS test and its effectiveness. I would like to know if others are using this test anymore and if so how well is it performing for you. For me it is hitting a very small percentage of my e-mail 0.16% and I am having FPs with it. The description in the manual really does not tell you exactly what it is doing. Anybody want to COMMENT J Goran Jovanovic Omega Network Solutions
RE: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question
One thing that you need to make sure is that you target the specific OU in AD that has the users. If you have multiple OUs with users then you need to code it twice to go after both OUs. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Thursday, February 02, 2006 12:04 AM To: Declude.JunkMail@declude.com Subject: Re: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question Thanks. We're getting set up to try again in the morning. -d - Original Message - From: Goran Jovanovic [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, February 01, 2006 11:35 PM Subject: RE: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question Dave, Just needs to be a regular user. Nothing extra. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Tuesday, January 31, 2006 4:00 PM To: Declude.JunkMail@declude.com Subject: Re: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question What privileges does the user on the AD controller need? Just membership in the User group, or is there anything special related to LDAP? -d - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Dave Doherty Declude.JunkMail@declude.com Sent: Monday, January 30, 2006 10:54 PM Subject: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question Also, My impression is that this may be an authentication issue. How can we get a username and password into that connection string? It's both. You need to get the right LDAP container, as in my previous e-mail. And the ex2a script needs to run in the context of a user whose id and password are valid on the remote LDAP (AD) server. Note that the machine running ex2a can be totally separate, both geographically and domain-wise, but you do need to run as a user on the ex2a machine with equivalent simple credentials on the LDAP machine. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/rel ea se/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/dow nl oad/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/downloa d/ release/ --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Stock Spam
Title: Message I have just seen the plain text stock spam morph into HTML based and now instead of it saying Symbol: xxx it actually replaces the mbol with a graphic mbol. I posted an example on the Sniffer list. Last night Sniffer was not catching the new HTML variety. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Thursday, February 02, 2006 10:10 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Stock Spam If you're referring to the geocities stuff that's been out the last couple of days, I just use a body filter. BODY3CONTAINSau.geocities.com Sniffer, which I weight at 7,picks it up OK, and the added weight of 3 is enough to get to my hold weight of 10. -Dave Doherty Skywaves, Inc. - Original Message - From: Michael Jaworski To: Declude.JunkMail@declude.com Sent: Thursday, February 02, 2006 9:32 AM Subject: [Declude.JunkMail] Stock Spam Anyone have a good filter strategy on the increasing amount of stock spam??? Thanks, Mike
RE: [Declude.JunkMail] Stock Spam
Title: Message Scott, Do you apply this filter to all incoming mail or just to some that have already hit something else? You must also be referring to some other stock scam than what I am seeing. The stuff that is coming across my desk is the HTML stock stuff now with images in it. There is no reference to geocities of any type in it. Just curious to know what spam is doing this. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, February 02, 2006 12:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Stock Spam Here's my geocities filter. It's a little more specific so I can weight foreign geocities more than US geocities. STOPATFIRSTHIT BODY100CONTAINSar.geocities.com BODY100CONTAINSgeocities.com.ar BODY100CONTAINSar.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.ar BODY100CONTAINSasia.geocities.com BODY100CONTAINSasia.geocities.yahoo.com BODY100CONTAINSau.geocities.com BODY100CONTAINSgeocities.com.au BODY100CONTAINSau.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.au BODY100CONTAINSbr.geocities.com BODY100CONTAINSgeocities.com.br BODY100CONTAINSbr.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.br BODY100CONTAINSca.geocities.com BODY100CONTAINSgeocities.ca BODY100CONTAINSca.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.ca BODY100CONTAINScf.geocities.com BODY100CONTAINScf.geocities.yahoo.com BODY100CONTAINScn.geocities.com BODY100CONTAINSgeocities.cn BODY100CONTAINScn.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.cn BODY100CONTAINSde.geocities.com BODY100CONTAINSgeocities.de BODY100CONTAINSde.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.de BODY100CONTAINSes.geocities.com BODY100CONTAINSgeocities.es BODY100CONTAINSes.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.es BODY100CONTAINSespanol.geocities.com BODY100CONTAINSespanol.geocities.yahoo.com BODY100CONTAINShk.geocities.com BODY100CONTAINSgeocities.com.hk BODY100CONTAINSgeocities.hk BODY100CONTAINShk.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.hk BODY100CONTAINSgeocities.yahoo.hk BODY100CONTAINSin.geocities.com BODY100CONTAINSgeocities.co.in BODY100CONTAINSin.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.co.in BODY100CONTAINSit.geocities.com BODY100CONTAINSgeocities.it BODY100CONTAINSit.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.it BODY100CONTAINSkr.geocities.com BODY100CONTAINSgeocities.co.kr BODY100CONTAINSkr.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.co.kr BODY100CONTAINSmx.geocities.com BODY100CONTAINSgeocities.com.mx BODY100CONTAINSmx.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.mx BODY100CONTAINSsg.geocities.com BODY100CONTAINSgeocities.com.sg BODY100CONTAINSsg.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.sg BODY100CONTAINSuk.geocities.com BODY100CONTAINSgeocities.co.uk BODY100CONTAINSuk.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.co.uk BODY75CONTAINSgeocities.com BODY75CONTAINSgeocities.yahoo.com - Original Message - From: Dave Doherty To: Declude.JunkMail@declude.com Sent: Thursday, February 02, 2006 9:09 AM Subject: Re: [Declude.JunkMail] Stock Spam If you're referring to the geocities stuff that's been out the last couple of days, I just use a body filter. BODY3CONTAINSau.geocities.com Sniffer, which I weight at 7,picks it up OK, and the added weight of 3 is enough to get to my hold weight of 10. -Dave Doherty Skywaves, Inc. - Original Message - From: Michael Jaworski To: Declude.JunkMail@declude.com Sent: Thursday, February 02, 2006 9:32 AM Subject: [Declude.JunkMail] Stock Spam Anyone have a good filter strategy on the increasing amount of stock spam??? Thanks, Mike
RE: [Declude.JunkMail] Stock Spam
Title: Message Thank you Scott Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, February 02, 2006 1:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Stock Spam I've been applying a filter to Geocities links since August 2005. It's just too common in spam. Being a business, I don't get a lot of valid email with a geocities link. I think ISPs would have more. I do TESTSFAILED END CONTAIN on some good whitelist tests. I also skip for some yahoo IPs . I'm not sure I remember why, but perhaps it was to be safe. REVDNSENDENDSWITH.scd.yahoo.com Since I hold at 200, 75/100 points usually isn't enough points to interfere with good email. But it's enough points to help push the spam up escpecially with a spamdomains or some DUL hits. - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Thursday, February 02, 2006 12:05 PM Subject: RE: [Declude.JunkMail] Stock Spam Scott, Do you apply this filter to all incoming mail or just to some that have already hit something else? You must also be referring to some other stock scam than what I am seeing. The stuff that is coming across my desk is the HTML stock stuff now with images in it. There is no reference to geocities of any type in it. Just curious to know what spam is doing this. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, February 02, 2006 12:46 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Stock Spam Here's my geocities filter. It's a little more specific so I can weight foreign geocities more than US geocities. STOPATFIRSTHIT BODY100CONTAINSar.geocities.com BODY100CONTAINSgeocities.com.ar BODY100CONTAINSar.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.ar BODY100CONTAINSasia.geocities.com BODY100CONTAINSasia.geocities.yahoo.com BODY100CONTAINSau.geocities.com BODY100CONTAINSgeocities.com.au BODY100CONTAINSau.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.au BODY100CONTAINSbr.geocities.com BODY100CONTAINSgeocities.com.br BODY100CONTAINSbr.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.br BODY100CONTAINSca.geocities.com BODY100CONTAINSgeocities.ca BODY100CONTAINSca.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.ca BODY100CONTAINScf.geocities.com BODY100CONTAINScf.geocities.yahoo.com BODY100CONTAINScn.geocities.com BODY100CONTAINSgeocities.cn BODY100CONTAINScn.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.cn BODY100CONTAINSde.geocities.com BODY100CONTAINSgeocities.de BODY100CONTAINSde.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.de BODY100CONTAINSes.geocities.com BODY100CONTAINSgeocities.es BODY100CONTAINSes.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.es BODY100CONTAINSespanol.geocities.com BODY100CONTAINSespanol.geocities.yahoo.com BODY100CONTAINShk.geocities.com BODY100CONTAINSgeocities.com.hk BODY100CONTAINSgeocities.hk BODY100CONTAINShk.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.hk BODY100CONTAINSgeocities.yahoo.hk BODY100CONTAINSin.geocities.com BODY100CONTAINSgeocities.co.in BODY100CONTAINSin.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.co.in BODY100CONTAINSit.geocities.com BODY100CONTAINSgeocities.it BODY100CONTAINSit.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.it BODY100CONTAINSkr.geocities.com BODY100CONTAINSgeocities.co.kr BODY100CONTAINSkr.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.co.kr BODY100CONTAINSmx.geocities.com BODY100CONTAINSgeocities.com.mx BODY100CONTAINSmx.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.mx BODY100CONTAINSsg.geocities.com BODY100CONTAINSgeocities.com.sg BODY100CONTAINSsg.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.com.sg BODY100CONTAINSuk.geocities.com BODY100CONTAINSgeocities.co.uk BODY100CONTAINSuk.geocities.yahoo.com BODY100CONTAINSgeocities.yahoo.co.uk BODY75CONTAINSgeocities.com BODY75CONTAINSgeocities.yahoo.com - Original Message - From: Dave Doherty To: Declude.JunkMail@declude.com Sent: Thursday, February 02, 2006 9:09 AM Subject: Re: [Declude.JunkMail] Stock Spam If you're referring to the geocities stuff that's been out the last couple of days, I just use a body filter. BODY3CONTAINSau.geocities.com Sniffer, which I weight at 7,picks it up OK, and the added weight of 3 is enough to get to my hold weight of 10. -Dave Doherty Skywaves, Inc. - Original Message - From: Michael Jaworski To: Declude.JunkMail
RE: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question
Dave, Just needs to be a regular user. Nothing extra. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Tuesday, January 31, 2006 4:00 PM To: Declude.JunkMail@declude.com Subject: Re: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question What privileges does the user on the AD controller need? Just membership in the User group, or is there anything special related to LDAP? -d - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Dave Doherty Declude.JunkMail@declude.com Sent: Monday, January 30, 2006 10:54 PM Subject: Re[4]: [Declude.JunkMail] [OT] Exchange2Aliases setup question Also, My impression is that this may be an authentication issue. How can we get a username and password into that connection string? It's both. You need to get the right LDAP container, as in my previous e-mail. And the ex2a script needs to run in the context of a user whose id and password are valid on the remote LDAP (AD) server. Note that the machine running ex2a can be totally separate, both geographically and domain-wise, but you do need to run as a user on the ex2a machine with equivalent simple credentials on the LDAP machine. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/rel ea se/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/dow nl oad/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/downloa d/ release/ --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] IPFILE vs REMOTEIP
Hi, Is there any performance benefit of using an IPFILE lookup vs a REMOTEIP lookup? Is there any consensus of which option would be better to use to subtract some weight from a good mail? I am looking into this as I have some mail coming from a server with no REVDNS and a HELOBOGUS and I need to counterweight it somehow. This IP belongs to CrystalTech Web Hosting Inc so I may have to credit back checking the MAILFROM. X-RBL-Warning: HELOBOGUS: Domain DEDE58 returns a server failure for MX or A records. X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.200.82.59 with no reverse DNS entry. Thanks Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] IPFILE vs REMOTEIP
That sounds like IPFILE will use more resources since it is going to test up to HOPHIGH whereas REMOTEIP will have to be invoked in a filter file but it is a single test. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, January 30, 2006 10:57 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] IPFILE vs REMOTEIP One difference I know of, is that if you use a HOPHIGH parameter, IPFILE will search more hops. Tehrefore with a HOPHIGH and IPFILE anemail with forged headers could trip the test. REMOTEIP only uses the last hop. - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Monday, January 30, 2006 9:35 AM Subject: [Declude.JunkMail] IPFILE vs REMOTEIP Hi, Is there any performance benefit of using an IPFILE lookup vs a REMOTEIP lookup? Is there any consensus of which option would be better to use to subtract some weight from a good mail? I am looking into this as I have some mail coming from a server with no REVDNS and a HELOBOGUS and I need to counterweight it somehow. This IP belongs to CrystalTech Web Hosting Inc so I may have to credit back checking the MAILFROM. X-RBL-Warning: HELOBOGUS: Domain DEDE58 returns a server failure for MX or A records. X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.200.82.59 with no reverse DNS entry. Thanks Goran Jovanovic Omega Network Solutions
RE: Re[2]: [Declude.JunkMail] [OT] Exchange2Aliases setup question
Dave, I have done exactly what you are trying to do. For the authentication I did the following. Create an ID on the target system (say LDAP-companyname) with a password that does not expire Create the same ID on your IMail/Declude box (I am assuming that it is not part of the target domain) with the same password. Now create a scheduled task that runs your .cmd file with the cscript in it. The key is to have that task run as your LDAP-companyname ID. What happens when the script connects it uses pass-through authentication and passes the credentials that are running the script (ie LDAP-companyname) and it is authenticated. You do not need to worry about passing the domain name since there is no local IDs on the target system since it is a domain controller. Hope this helps. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Monday, January 30, 2006 9:22 PM To: Declude.JunkMail@declude.com Subject: Re: Re[2]: [Declude.JunkMail] [OT] Exchange2Aliases setup question Also, My impression is that this may be an authentication issue. How can we get a username and password into that connection string? -d - Original Message - From: Sanford Whiteman [EMAIL PROTECTED] To: Dave Doherty Declude.JunkMail@declude.com Sent: Monday, January 30, 2006 6:04 PM Subject: Re[2]: [Declude.JunkMail] [OT] Exchange2Aliases setup question cscript exchange2con.vbs LDAP://mail.inetdomain.com/cn=users,dc=ADdomainControllerName Traditionally, this would take the form ...cn=users,dc=example,dc=com -- not ...cn=users,dc=domain controller. Are you sure this is a valid LDAP context in your setup? --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/rel ea se/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/dow nl oad/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/downloa d/ release/ --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Left over D*.SM$ files in proc\work
OK it finally happened. I got another leftover D*.SM$ file in the proc\work directory while I was running the logs on debug. Any thoughts? I think the following is the important part from various log files. I can post the whole thing if this is not enough. DECLUDE.LOG . . . 01/23/2006 17:14:34.497 q552537e400a4261c.smd Msg failed WEIGHT10 (Weight of 65 reaches or exceeds the limit of 10.). Action=""> 01/23/2006 17:14:34.497 q552537e400a4261c.smd Turning spam into an attachment 01/23/2006 17:14:34.513 q552537e400a4261c.smd Wrote 2025 bytes of attachment header 01/23/2006 17:14:34.513 q552537e400a4261c.smd Wrote 3142 (3142)bytes of attachment header 01/23/2006 17:14:34.513 q552537e400a4261c.smd Set process priority back to 38273056. 01/23/2006 17:14:34.513 q552537e400a4261c.smd Couldn't move/copy ATTACH data file [183] . . . 01/23/2006 17:14:34.935 q552537e400a4261c.smd MoveFile in AlterMessage - datafile = [D:\spool\proc\work\D552537e400a4261c.smd] TempFile = [D:\spool\proc\work\D552537e400a4261c.sm$] 01/23/2006 17:19:40.456 q552537e400a4261c.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D552537e400a4261c.smd] [D:\spool\proc\work\D552537e400a4261c.sm$] 01/23/2006 17:19:40.456 q552537e400a4261c.smd Data File [D:\spool\proc\work\D552537e400a4261c.smd] deleted. 01/23/2006 17:19:40.456 q552537e400a4261c.smd Recipient File [D:\spool\proc\work\q552537e400a4261c.smd] deleted. VIRUS.LOG . . . 01/23/2006 17:19:40.456 q552537e400a4261c.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D552537e400a4261c.smd] [D:\spool\proc\work\D552537e400a4261c.sm$] IMAIL.LOG 01:23 17:13 SMTPD(552537e400a4261c) [192.168.69.4] connect 85.182.54.161 port 1447 01:23 17:13 SMTPD(552537e400a4261c) [85.182.54.161] HELO e182054161.adsl.alicedsl.de 01:23 17:13 SMTPD(552537e400a4261c) [85.182.54.161] MAIL FROM: [EMAIL PROTECTED] 01:23 17:13 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED] 01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED] 01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED] 01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED] 01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] D:\spool\D552537e400a4261c.SMD 3142 Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Saturday, January 21, 2006 2:10 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Left over D*.SM$ files in proc\work How often is this happening? Are you using Hijack? Put both the Junkmail and Virus logs into Debug until a couple of these occur, then extract from the log files ALL lines pertaining to the files in question into one file in exact time sequence along with the log lines from Imail SMTP. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, January 21, 2006 10:45 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Left over D*.SM$ files in proc\work Hi, I have noticed that I am getting left over D*.SM$ files in the proc\work directory. I am getting 2 to 4 of these per day on a volume of 15-20K messages a day. Windows Server 2003 IMail 8.15 HF2 Declude 3.0.5.23 Sniffer, invURUBL, F-Prot, McAfee No on access Virus Scanner When I check the logs I find In the DECLUDE Log 01/21/2006 06:56:32.233 q1ffa301900405c91.smd Couldn't move/copy ATTACH data file [183] 01/21/2006 07:01:37.778 q1ffa301900405c91.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D1ffa301900405c91.smd] [D:\spool\proc\work\D1ffa301900405c91.sm$] And in the Virus log 01/21/2006 07:01:37.778 q1ffa301900405c91.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D1ffa301900405c91.smd] [D:\spool\proc\work\D1ffa301900405c91.sm$] Other times I will only find this message in the DECLUDE.LOG file. 01/15/2006 19:21:39.160 qe70539e800a6f12a.smd Couldn't move/copy ATTACH data file [32] Anyone have any ideas about this? Thanks Goran Jovanovic Omega Network Solutions
[Declude.JunkMail] Left over D*.SM$ files in proc\work
Hi, I have noticed that I am getting left over D*.SM$ files in the proc\work directory. I am getting 2 to 4 of these per day on a volume of 15-20K messages a day. Windows Server 2003 IMail 8.15 HF2 Declude 3.0.5.23 Sniffer, invURUBL, F-Prot, McAfee No on access Virus Scanner When I check the logs I find In the DECLUDE Log 01/21/2006 06:56:32.233 q1ffa301900405c91.smd Couldn't move/copy ATTACH data file [183] 01/21/2006 07:01:37.778 q1ffa301900405c91.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D1ffa301900405c91.smd] [D:\spool\proc\work\D1ffa301900405c91.sm$] And in the Virus log 01/21/2006 07:01:37.778 q1ffa301900405c91.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D1ffa301900405c91.smd] [D:\spool\proc\work\D1ffa301900405c91.sm$] Other times I will only find this message in the DECLUDE.LOG file. 01/15/2006 19:21:39.160 qe70539e800a6f12a.smd Couldn't move/copy ATTACH data file [32] Anyone have any ideas about this? Thanks Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] Left over D*.SM$ files in proc\work
How often is this happening? 2 to 4 of these per day on a volume of 15-20K messages a day Are you using Hijack? No Put both the Junkmail and Virus logs into Debug until a couple of these occur, then extract from the log files ALL lines pertaining to the files in question into one file in exact time sequence along with the log lines from Imail SMTP. I will try that. So far the IMail logs receive the mail but then do nothing else. Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] Whitelisting email address
You can also do WHITELIST TO [EMAIL PROTECTED] Not sure about Standard vs Pro Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter Sent: Tuesday, January 17, 2006 1:38 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Whitelisting email address Can't he go into global.cfg and use WHITELIST TO receiving_domain or is that a Pro version thing? John From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shayne Embry Sent: Tuesday, January 17, 2006 12:12 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Whitelisting email address We have found that if one of the addresses is whitelisted, then every recipient's address gets whitelisted. This may be unique to SmarterMail/Declude. I don't remember having the problem with IMail, but we haven't used it in over a year. Shayne Hi Brian, Yes, this can be done with the Pro version. You can have per-user configurations. You can't not have Declude scan the mail, but you can set this individual's configuration to ignore all test results and deliver the mail. As far as I know, this shouldn't have any affect on other recipients of the email. Dean On 1/17/06, Brian [EMAIL PROTECTED] wrote: I have a customer who wants to receive all emails without having declude check them for spam. My question, is can this be done? And then can it be done so that if a message comes in and it is a message that contains their email address and several other email address on our domain, that it can only be sent to their address prior to the spam checks? I hope this makes sense. Thanks in advance, Brian T. ---
RE: [Declude.JunkMail] Combo Filter
Title: Message FYI All, I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter an let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today. Looks like another good test that I am finally adding to my mix. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, January 12, 2006 4:47 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Combo Filter That sounds about right from where I sit. You might also think about doing a combo with DUL lists and CMDSPACE, (timeout) with CMDSPACE, and [no reverse DNS] with CMDSPACE. All three of these things are highly associated with zombies, and they are also isolated in terms of the conditions that generate the hits. Matt Goran Jovanovic wrote: Ok I tag at 10 and delete at 30 Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Thursday, January 12, 2006 4:04 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Combo Filter Definitely. One of the better points to this combination is that both tests are completely isolated from one another. The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this. Matt Goran Jovanovic wrote: Hi, Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER. Thanx Goran Jovanovic Omega Network Solutions
[Declude.JunkMail] Sniffer weighting
Hi, Does anyone have a good list of all the SNIFFER categories and different weights for them that they would like to share? Thanks Goran Jovanovic Omega Network Solutions
[Declude.JunkMail] Combo Filter
Title: Message Hi, Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER. Thanx Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Title: Message Ok I tag at 10 and delete at 30 Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message. Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Thursday, January 12, 2006 4:04 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Combo Filter Definitely. One of the better points to this combination is that both tests are completely isolated from one another. The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this. Matt Goran Jovanovic wrote: Hi, Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER. Thanx Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] All I wan't for Christmas is not to be paged!
Hi Darrell, My Declude is working as Pro still. Looking back I find an undeliverable message to: Delivery failed 20 attempts: [EMAIL PROTECTED] I am not sure if this is a call home message or not since it has part of a message that I sent to Declude support earlier at the bottom of the Undeliverable message. I do know that the message that is at the bottom got through as David (of Declude) replied to it. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Saturday, December 24, 2005 11:37 PM To: Declude.JunkMail@declude.com Cc: [EMAIL PROTECTED] Subject: [Declude.JunkMail] All I wan't for Christmas is not to be paged! So here it is the night before Christmas and all though the house not a creature was stirring not even a mouse. My pager starts going off incenstantly - so I jump up to see what's the matter - oh my queues are filling up faster and faster... Sorry about that - maybe its the Christmas spirit that grabbed me... When I got into the server my proc folder was around 2500+ q*.smd files. Thank god for QueueMon :) At first I had no idea what was going on - my proc folder was growing and growing. I checked the usual suspects (DNS, etc) and everything was working fine. I started to sift through the logs and noticed a huge amount of messages that were failing a lot of tests and should have been held or deleted but were being marked with LAST ACTION=IGNORE. I bumped up the log levels and started to see the following: Sorry, filters [REVERSEWEIGHTDNS] are only available in Declude JunkMail Pro Using [no] CFG file outgoing. Pro version required for outgoing mail. Not to mention I noticed messages being cleared very slowly. After several restarts of the Declude Proc service things started to move again - I am not sure if it was because of the multiple Declude proc restarts or putting in the DNSOVERIDE command that we used back under 2.0.6 see - http://www.mail-archive.com/declude.junkmail@declude.com/msg24661.html After a couple of restarts of the decludeproc service and the DNSOVERIDE command my Declude started working again as a PRO version and messages started being blocked and processing very quickly. My queues than cleared up. I am a bit sick to my stomach over this as I leaked to my customers probably 4-6K spam's over the entire 3 hour period from when this started to when it was finished. I will have a bit of explaining to do I imagine on Tuesday if not sooner. Has anyone seen this? Any explanations on what could have caused this. I just keep thinking what if I did not have monitoring to catch this in time - I probably would not have checked the servers until Tuesday. My only guess is that my server failed in the phone home license check and downgraded itself. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude Hardware Issue
While my Declude continued to work as a Pro version what I did find is that my DNS test were failing during the hardware issue. During the problem period I saw: 12/26/2005 14:10:13.947 q3f72000100cac64e.smd Test 2-AHBL-RELAYS-ALL didn't get a response. 12/26/2005 14:10:13.947 q3f72000100cac64e.smd Test 22-AHBL-EXEMPT-DYNA didn't get a response. Then after the hardware problem was resolved (and without me doing anything) I got 12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #2 [AHBL-RELAYS-ALL=127.0.0.2]. Answer=admins.sosdg.org.? 12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #4 [AHBL-PROXY-ALL=127.0.0.3]. Answer=admins.sosdg.org.? 12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #6 [AHBL-SOURCES-ALL=127.0.0.4]. Answer=admins.sosdg.org.? It was not just one message that the DNS tests failed on but all of them that I monitored. Now my over WEIGHT30 is back in the more appropriate rage of WEIGHT30117...74.05% And not what it was for the most of the day WEIGHT30...1,724...25.87% === Way too low. I would like to know why the Declude hardware communications problem broke my DNS tests? Not sure if this info helps or not but it is what happened with my installation (3.0.5.22 junkmail and virus) Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha Sent: Monday, December 26, 2005 4:01 PM To: Declude.JunkMail@declude.com Cc: Declude.Virus@declude.com Subject: [Declude.JunkMail] Declude Hardware Issue Please note that the hardware issue preventing communication with Declude has been resolved. Key authentication has resumed as normal. There appear to be some misconceptions on the lists regarding the key authentication system. In the event that your key cannot be authenticated (either due to communication failure or because the key was never issued): A) Your software will continue to function B) Your software is NEVER downgraded for any reason, either automatically or otherwise We have had a few reports from customers who have licensed versions of Pro, saying that they are receiving messages in their log files that they do not have the Pro version. We will identify the source of that issue tomorrow when the office reopens and will resolve it. It does not have any relation to the key authentication mechanism with the server, since the actual authentication with IMail versions of Declude continues to be via the old codes entered into the configuration files. David Franco-Rocha Declude Technical / Engineering
RE: [Declude.JunkMail] Declude Hardware Issue
Yes I find the linkage to be tenuous at best but the timing is interesting Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, December 26, 2005 5:17 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Declude Hardware Issue I doubt that the problems experienced by the Declude licensing server had anything to do with your DNS tests failing. I have been running version 3.0.5.22 since it was released and experienced no problems over the weekend, including DNS based tests. Bill - Original Message - From: Goran Jovanovic To: Declude.JunkMail@declude.com Sent: Monday, December 26, 2005 2:09 PM Subject: RE: [Declude.JunkMail] Declude Hardware Issue While my Declude continued to work as a Pro version what I did find is that my DNS test were failing during the hardware issue. During the problem period I saw: 12/26/2005 14:10:13.947 q3f72000100cac64e.smd Test 2-AHBL-RELAYS-ALL didn't get a response. 12/26/2005 14:10:13.947 q3f72000100cac64e.smd Test 22-AHBL-EXEMPT-DYNA didn't get a response. Then after the hardware problem was resolved (and without me doing anything) I got 12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #2 [AHBL-RELAYS-ALL=127.0.0.2]. Answer=admins.sosdg.org.? 12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #4 [AHBL-PROXY-ALL=127.0.0.3]. Answer=admins.sosdg.org.? 12/26/2005 16:39:47.064 q63031dff006cd044.smd Test #2 [AHBL-RELAYS-ALL] is same as Test #6 [AHBL-SOURCES-ALL=127.0.0.4]. Answer=admins.sosdg.org.? It was not just one message that the DNS tests failed on but all of them that I monitored. Now my over WEIGHT30 is back in the more appropriate rage of WEIGHT30117...74.05% And not what it was for the most of the day WEIGHT30...1,724...25.87% === Way too low. I would like to know why the Declude hardware communications problem broke my DNS tests? Not sure if this info helps or not but it is what happened with my installation (3.0.5.22 junkmail and virus) Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Franco-Rocha Sent: Monday, December 26, 2005 4:01 PM To: Declude.JunkMail@declude.com Cc: Declude.Virus@declude.com Subject: [Declude.JunkMail] Declude Hardware Issue Please note that the hardware issue preventing communication with Declude has been resolved. Key authentication has resumed as normal. There appear to be some misconceptions on the lists regarding the key authentication system. In the event that your key cannot be authenticated (either due to communication failure or because the key was never issued): A) Your software will continue to function B) Your software is NEVER downgraded for any reason, either automatically or otherwise We have had a few reports from customers who have licensed versions of Pro, saying that they are receiving messages in their log files that they do not have the Pro version. We will identify the source of that issue tomorrow when the office reopens and will resolve it. It does not have any relation to the key authentication mechanism with the server, since the actual authentication with IMail versions of Declude continues to be via the old codes entered into the configuration files. David Franco-Rocha Declude Technical / Engineering
[Declude.JunkMail] DEBUG log oddity
I noticed that when I was running declude in debug mode I would periodically get my message headers dumped into the log as well. Not every message but just some of them. This appears to happen only during debug mode. Has anyone else seen this? Does anyone have any idea why some of the headers would be put into the log? Thanks Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] All I wan't for Christmas is not to be paged!
I do not have the DNSOVERRIDE in my Declude.cfg file (before or after the problem). Best as I can tell my DNS tests started working at 14:20 EST. I was in debug log mode until almost 14:18. I did not stop/start declude proc to change back from debug to high. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter Sent: Monday, December 26, 2005 8:52 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] All I wan't for Christmas is not to be paged! Kevin Prior to this problem, I did not have DNSOVERRIDE in my Declude.cfg. Added it after I got Decludeproc restarted and it was running slow. However then processing speed went back to near normal. I don't know if the DNSOVERRIDE did it or the multiple restarts, but to quote Goran, I find the linkage to be tenuous at best but the timing is interesting. :-) John C -- Original Message -- From: Kevin Bilbee [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Mon, 26 Dec 2005 16:37:52 -0800 After checking my server I did not see any issue with downgrades or delivery this weekend. Since it was a DNS issue that failed, can the users that had the issue check to see if they had a DNSOVERRIDE in their declude.cfg. When declude first switched to the phone home licensing modle we had problems connecting to their DNS server for license verification. They had me place DNSOVERRIDE [ip address of local caching DNS server] in my declude.cfg file. Since I did not have any issues this round and if you do not have this set you may want to set it Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter Sent: Monday, December 26, 2005 9:13 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] All I wan't for Christmas is not to be paged! This was suppose to be a holiday ... I didn't need this. Imail 8.22 Declude 3.0.5.22 EVA Junkmail Pro F-Prot/ClamAV/Sniffer I had a problem similar to Darrell's. After noticing very little mail going through the server yesterday and then this morning, came in to find 20,000+ msg in \proc folder. It does appear Decludeproc had a major senior moment -- had climbed to 510,000K in task manager. Couldn't stop service; I rebooted. Mail started moving, but slowly and Decludeproc moved up to 400,000K +. Based on previously comments, I added DNSOVERRIDE to declude.cfg. Mail is moving faster and Decludeproc is sitting around 100,000K. Now down around 9,000 msgs to go -- light at the end of the tunnel -- just hope it isn't an on-coming train! I guess I conclude with this: 1. where's the documentation on DNSOVERRIDE - couldn't find any. 2. at least the msgs weren't lost, just held up - a plus for the Declude model. 3. I'm not standing in some %$#* return/exchange line. John C --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Decludeproc abend
I have had decludeproc 3.0.5.22 abend on me twice today. Is there anything I should be doing to capture information about this? I have automatic restart enabled so it starts again but I am not super happy with it abending. Any hints on what (if anything) I can/should be doing? Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] Decludeproc abend
It is an IBM mainframe term from long ago. ABnormal END Of course this is all very interesting but it does not answer my original questions L Goran Jovanovic Omega Network Solutions From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Wednesday, December 21, 2005 4:36 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Decludeproc abend Abend is a common term used in the world of mainframes. Its the same as aborted or crashed. I first heard it in 1981 and used it many, many times over the years. I dont know where the term originated from. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Wednesday, December 21, 2005 3:30 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Decludeproc abend abend in German means evening. good Abend! :-) Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, December 21, 2005 10:23 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Decludeproc abend Is abend some kind of French word? ;) John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Wednesday, December 21, 2005 1:13 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Decludeproc abend I have had decludeproc 3.0.5.22 abend on me twice today. Is there anything I should be doing to capture information about this? I have automatic restart enabled so it starts again but I am not super happy with it abending. Any hints on what (if anything) I can/should be doing? Goran Jovanovic Omega Network Solutions
RE: [Declude.JunkMail] Decludeproc abend
And here I thought that everyone knew that termoh well I am dating myself Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, December 21, 2005 4:49 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Decludeproc abend I always thought it was Absent By Enforced Net Deprivation - usually when someone hadn't posted in a while 'cause their modem died or their parents grounded them. It's been a long time since I heard that though. - greg Abend is a common term used in the world of mainframes. It's the same as aborted or crashed. I first heard it in 1981 and used it many, many times over the years. I don't know where the term originated from. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Wednesday, December 21, 2005 3:30 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Decludeproc abend abend in German means evening. good Abend! :-) Markus _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists) Sent: Wednesday, December 21, 2005 10:23 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Decludeproc abend Is abend some kind of French word? ;) John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Wednesday, December 21, 2005 1:13 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Decludeproc abend I have had decludeproc 3.0.5.22 abend on me twice today. Is there anything I should be doing to capture information about this? I have automatic restart enabled so it starts again but I am not super happy with it abending. Any hints on what (if anything) I can/should be doing? Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] REVDNS
Here is the exact line for one my log D9786103b008853ab.smd:X-Note: Reverse DNS: Sent from (timeout) ([81.215.38.233]). This is from Version 3.0.5.22 Goran Jovanovic Omega Network Solutions Tel: 416 322-0333 New Cell: 416 805-4357 or 416 805-HELP [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Serge Sent: Monday, December 12, 2005 9:54 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] REVDNS So it would be interesting know what's exactly in his text filter file REVDNS-TIMEOUT I'm going to try REVDNS END CONTAINS (timeout) if somebody have a better idea, please post - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, December 12, 2005 7:42 AM Subject: RE: [Declude.JunkMail] REVDNS I think it may be (timeout). I know Scott Fisher posted a filter the other day that had the exact text on what it is when rev dns times out. It was a message from Scott Fisher on the cbl-thread and as I can see he posted a line TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT So it would be interesting know what's exactly in his text filter file REVDNS-TIMEOUT Markus --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] REVDNS
Filter test are not case sensitive Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Serge Sent: Monday, December 12, 2005 10:14 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] REVDNS should this be (Timeout) or (timeout) ? - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, December 12, 2005 2:58 PM Subject: Re: [Declude.JunkMail] REVDNS REVDNS 10 IS (Timeout) - Original Message - From: Markus Gufler [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, December 12, 2005 1:42 AM Subject: RE: [Declude.JunkMail] REVDNS I think it may be (timeout). I know Scott Fisher posted a filter the other day that had the exact text on what it is when rev dns times out. It was a message from Scott Fisher on the cbl-thread and as I can see he posted a line TESTSFAILED 50 CONTAINS REVDNS-TIMEOUT So it would be interesting know what's exactly in his text filter file REVDNS-TIMEOUT Markus --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] What are d*.sm$ in the work directory
I just had 3.0.5.22 abend on me. There were 2 D*.smd and 2 Q*.smd files in the work directory. There was also a .vir directory with nothing in it for one of the two D files. I cleared out the files and then restarted decludeproc. After it cleared out the 200 messages in the proc directory there were 7 d*.sm$ files left in the work directory. There were no Q files left behind. All the 7 files were SPAM and also well over the delete weight. Why would these files be left behind? Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT Alias redirection in IMAIL
Hi, I am using Sandy's Exchange2Alias program and it is working just great. Now I have run into another problem. I am gatewaying e-mail for a domain and it is hosted somewhere else (not Exchange). They do not allow a domain alias or a sub-domain like I am using for exchange. How can I use IMAIL's aliases to do the envelope validation and then forward on the mail to the hosting server when I cannot send it as a sub-domain? Anyone have any thoughts on this? Thanx Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT Alias redirection in IMAIL
Hi Sandy, I'm going to give you the easy answer, hoping we don't need to escalate. Does their server accept address literals -- addresses in the format [EMAIL PROTECTED], where 1.2.3.4 is their IP address, or in the source-routed format [EMAIL PROTECTED] 220 pop-mx00.ca.mci.com ESMTP helo mail.omeganetworksolutions.com 250 pop-mx00.ca.mci.com mail from:[EMAIL PROTECTED] 250 Ok rcpt to:[EMAIL PROTECTED] 554 [EMAIL PROTECTED]: Recipient address rejcted: Access denied rcpt to:[EMAIL PROTECTED] 554 [EMAIL PROTECTED]: Recipient address rejected: Access denied rcpt to:[EMAIL PROTECTED] 250 Ok So it looks like we are going to need to escalate Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Friday, December 09, 2005 6:03 PM To: Goran Jovanovic Subject: Re: [Declude.JunkMail] OT Alias redirection in IMAIL I am using Sandy's Exchange2Alias program and it is working just great. Good to hear. How can I use IMAIL's aliases to do the envelope validation and then forward on the mail to the hosting server when I cannot send it as a sub-domain? I'm going to give you the easy answer, hoping we don't need to escalate. Does their server accept address literals -- addresses in the format [EMAIL PROTECTED], where 1.2.3.4 is their IP address, or in the source-routed format [EMAIL PROTECTED] --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/rel ea se/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/dow nl oad/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/downloa d/ release/ --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Aliases and per-domain configs
Hi, It seems that since I create a new domain in IMail and added aliases to it (to stop dictionary attacks) declude is no longer using the $default$.junkmail config file in the domain.com directory. It is using the one in the imail\declude directory which is for incoming mail. Or do I need a domain directory now called scrubbed.domain.com since I am adding scrubbed. Onto the front of the domain? Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Aliases and per-domain configs
That would make the difference Thanx Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, December 08, 2005 3:02 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Aliases and per-domain configs The domain name folder should be the same as that in your imail. If the domain name in Imail is scrubbed.domain.com the the folder name should be scrubbed.domain.com David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, December 08, 2005 3:00 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Aliases and per-domain configs Hi, It seems that since I create a new domain in IMail and added aliases to it (to stop dictionary attacks) declude is no longer using the $default$.junkmail config file in the domain.com directory. It is using the one in the imail\declude directory which is for incoming mail. Or do I need a domain directory now called scrubbed.domain.com since I am adding scrubbed. Onto the front of the domain? Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT Exchange2Alias Questions
Hi, I have got Sandy's Exchange2Alias working but I have a couple of questions. It seems that the VBS script only reads the OU that it is pointed to and does not go down the AD tree into sub-OUs. Is this correct? If the above is correct is there a way to change/enhance the program to walk the AD tree? I would love to have an option to point it at the top of the tree and then have it search through the whole thing for the e-mail addresses. Now when the script is running it deletes the aliases in the registry then starts to fill them up again. In my case I run the script for one AD tree 5 times (since the e-mail addresses are in 5 OUs). Only the first one runs without the -NC option. Am I correct in assuming that if an e-mail comes in during the operation of the script and if the e-mail address in question is not there at the time IMail will reject the message? The way to mitigate this problem is to run the script at off-peak times but the possibility will always exist. Is there any way around this at present? I suppose I could import the aliases to a fake domain in registry and then use some tool to copy/move the registry entries from the fake domain to the correct domain after the script is done. Another enhancement that I would like to suggest is that the script writes the registry entries to a file instead of directly to the directory so that I could gather the information and then very quickly import it into the registry. Also if it was written to a file then you could send the file back to the client so that they could validate the list of e-mail addresses. Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] HOLD Action
Hi, I see in the manual the syntax of the HOLD action allows me to have HOLD [PATH]. I remember that a while ago the [PATH] was broken and only the HOLD %DATE% worked. Is HOLD [PATH] working now? Now what I would like to do is do a different hold path for each of my gatewayed domains. So in domaina.com's $default$.junkmail file WEIGHT2039 HOLD D:\HOLD\domaina.com In domainb.com's $default$.junkmail file WEIGHT2039 HOLD D:\HOLD\domainb.com Will this work? Thanks Goran Jovanovic Omega Network Solutions --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 3.0.5.18 Posted
If you do a decludeproc -v to get its version what do you do for declude.exe? Thanx Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Friday, November 04, 2005 4:21 PM To: Declude.JunkMail@declude.com; Declude.Virus@declude.com; [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude 3.0.5.18 Posted Declude 3.0.5.18 ALL - Fixed un-defined variables causing intermittent stop/start with the decludeproc service. JM - Fixed SmarterMail incoming email recipient domain aliases. AV - Fixed un-defined variables, causing incorrect Virus Names. David B www.declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo
Hi, I have a SonicWALL firewall in front of my mail server. It has its Intrusion Protection Service turned on. Now I am getting an alert from the firewall: 11/05/2005 01:11:19.416 - Alert - Intrusion Prevention -IPS Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID: 743, Priority: Medium - 209.191.68.173, Which points to: 209.191.68.173 PTR record: web34809.mail.mud.yahoo.com. And when I look up the SMTP error this is what it says The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special NOCHAR control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CAN-2002-1337. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161 http://www.cert.org/advisories/CA-2003-12.html Since the firewall rejects it at the perimeter it never makes it to IMail/Declude. Obviously some piece of mail is trying to come in and failing. Does anyone else have any experience about this type of a problem? I can just ignore it and it will finally go away but I am sort of surprised that a Yahoo mail server would have this vulnerability when there is a patch for it. Any thoughts on this? Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo
Darrell, The way that I read it the incoming mail is tripping the Intrusion Prevention mechanism. So I am thinking that the sending server is trying to do something bad or has something wrong with the message. But know that I am writing this perhaps the firewall is protecting my sendmail server from this incoming message that would cause it grief. If it is the second case then I could disable that Intrusion Prevention test since I do not have a sendmail server. Goran Jovanovic Omega Network Solutions -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Saturday, November 05, 2005 10:34 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo The only question I would look into is if you ever seen a legit mail fail that test. Goran was that mail legit - if so I would turn the function off since you are not running sendmail. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Evans Martin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, November 05, 2005 5:09 PM Subject: RE: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo This exploit appears to be unique to SendMail. I would probably allow it and let Declude categorize it. What do you guys think? Evans Martin http://www.martekware.com iPlus Info Browser - The ultimate IMail administrative suite! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, November 05, 2005 1:34 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer- Encoding error from Yahoo Hi, I have a SonicWALL firewall in front of my mail server. It has its Intrusion Protection Service turned on. Now I am getting an alert from the firewall: 11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID: 743, Priority: Medium - 209.191.68.173, Which points to: 209.191.68.173 PTR record: web34809.mail.mud.yahoo.com. And when I look up the SMTP error this is what it says The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special NOCHAR control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CAN-2002-1337. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161 http://www.cert.org/advisories/CA-2003-12.html Since the firewall rejects it at the perimeter it never makes it to IMail/Declude. Obviously some piece of mail is trying to come in and failing. Does anyone else have any experience about this type of a problem? I can just ignore it and it will finally go away but I am sort of surprised that a Yahoo mail server would have this vulnerability when there is a patch for it. Any thoughts on this? Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo
The only question I would look into is if you ever seen a legit mail fail that test. Do not know as this is a new firewall with new Intrusion Prevention Service on it. Goran was that mail legit - if so I would turn the function off since you are not running sendmail. Don't know if it was legit since it never made it past the firewall. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Evans Martin [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Saturday, November 05, 2005 5:09 PM Subject: RE: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer-Encoding error from Yahoo This exploit appears to be unique to SendMail. I would probably allow it and let Declude categorize it. What do you guys think? Evans Martin http://www.martekware.com iPlus Info Browser - The ultimate IMail administrative suite! -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Saturday, November 05, 2005 1:34 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] OT: Firewall detecting a Content-Transfer- Encoding error from Yahoo Hi, I have a SonicWALL firewall in front of my mail server. It has its Intrusion Protection Service turned on. Now I am getting an alert from the firewall: 11/05/2005 01:11:19.416 - Alert - Intrusion Prevention - IPS Prevention Alert: SMTP Content-Transfer-Encoding overflow attempt, SID: 743, Priority: Medium - 209.191.68.173, Which points to: 209.191.68.173 PTR record: web34809.mail.mud.yahoo.com. And when I look up the SMTP error this is what it says The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special NOCHAR control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CAN-2002-1337. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161 http://www.cert.org/advisories/CA-2003-12.html Since the firewall rejects it at the perimeter it never makes it to IMail/Declude. Obviously some piece of mail is trying to come in and failing. Does anyone else have any experience about this type of a problem? I can just ignore it and it will finally go away but I am sort of surprised that a Yahoo mail server would have this vulnerability when there is a patch for it. Any thoughts on this? Thanks Goran Jovanovic Omega Network Solutions --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] decludeproc did not install
How would you de-install the service if you wanted to? Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, September 28, 2005 3:26 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] decludeproc did not install Fred, Goto you're the command prompt and to your \Imail directory and type the following: decludeproc -i This should install the service. David Barker www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Wednesday, September 28, 2005 1:27 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] decludeproc did not install It looks like Declude should have installed a Service called decludeproc service. It did not. What next. Fred --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Store and Forward Spam Filtering to Multiple IPs
Would this work? Instead of using the hosts file to define the IPs and DOMAINS could you not create a zone on your own DNS server for the domain in question and then define 2 MX records? In this case when the primary goes down it will flip to the secondary by itself? Then you would not need to put it into the hosts file. Or is this not a good idea? Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Wednesday, September 28, 2005 1:38 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] OT: Store and Forward Spam Filtering to Multiple IPs ... 66.148.217.251 domain.com 70.60.133.251 domain.com will this mechanism rotate through both IPs or will it also just use whichever it hits first when reading from the top of the list down? Or is it just a bad idea in general to do this and we will just have to change the IP manually if one ISP goes down? I think this will always forward messages to the first entry, and so it will not do what you want. We've had the same request and so we've defined all our storeforward IP's in a simple database table. This database contains domains, primary and eventualy secondary MX IP's. Then we've set up our monitoring system to try to reach the primary MX on port 25. if this will fail two consecutive times the action is a simple script that does the following 1.) mark this domain in the table as fault 2.) read all active entries from the table and choose the primary MX or the secondary if marked as fault 3.) write a new hosts file 4.) stop and start the Imail smtp service If the monitoring system can see again the primary MX on port 25 there is a similar script that put's back to the primary mx this domain. Hope this helps Markus --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: Re[2]: [Declude.JunkMail] OT: Store and Forward Spam Filtering to Multiple IPs
Sandy, Well at least the idea was good. I will wait for your next post. Thank you Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Wednesday, September 28, 2005 4:16 PM To: Goran Jovanovic Subject: Re[2]: [Declude.JunkMail] OT: Store and Forward Spam Filtering to Multiple IPs Instead of using the hosts file to define the IPs and DOMAINS could you not create a zone on your own DNS server for the domain in question and then define 2 MX records? In this case when the primary goes down it will flip to the secondary by itself? Then you would not need to put it into the hosts file. Or is this not a good idea? It's a great idea, but it won't work with IMail because of the way it uses HOSTS as a reference for remote domains. However, see my next post for how you can make this usable. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/rel ea se/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/dow nl oad/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/downloa d/ release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How to credit a domain
Hi all, I get messages like this all the time and I am always in a dilemma on what to do about them. This is a legit mail that scored 10 (where I start tagging mail). - Received: from mx.dstsystems.com [204.167.177.68] by mail1.gonetworks.net with ESMTP (SMTPD32-8.13) id AAD8195300F2; Wed, 07 Sep 2005 15:09:12 -0400 X-RBL-Warning: HELOBOGUS: Domain mx.dstsystems.com has no MX or A records [0301]. X-Declude-Sender: [EMAIL PROTECTED] [204.167.177.68] X-Note: Reverse DNS: Sent from dstsys-cp.dstsystems.com ([204.167.177.68]). X-Note: Tests Failed: CMDSPACE [8], HELOBOGUS [5], NOLEGITCONTENT [0], SIZE-S [0] - So this mail came from domain dstsystems.com on the IP 204.167.177.68 but it is from domain ifdsgroup.com. Now my preferred method of dealing with this type of problem is to credit based on REVDNS. Again in this case there is a good REVDNS but it is not from the same domain as the MAILFROM (if it was then I would have no problem in crediting the REVDNS). So is there a way to figure out if dstsystems.com is a e-mail hosting company and then I would not want to credit the REVDNS as I do not know what other domains they host. If I cannot figure out the link then I would not credit REVDNS and would move to step 2. Credit HELO. HELOs can be spoofed but in this case the HELO is basically the same as the REVDNS. Next step is crediting MAILFROM. This I can do with the ifdsgroup.com and lower the score for e-mail from this domain. Again it can be spoofed but ... I would prefer to credit REVDNS as that cannot be spoofed but I am leery of crediting an unknown domain when it does not relate to the MAILFROM address. Any thoughts on how (if possible) to connect the two domains? Or do I simply drop down to option 3 and credit MAILFROM? I suppose that I could try and figure out the admin responsible for dstsystems.com and tell them to fix the HELOBOGUS error in which case my problems would (mostly) go away. Any thoughts and comments are appreciated. Thanks Goran Jovanovic The LAN Shoppe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] How to credit a domain
Andrew, Why would you counterweight their IP and not the REVDNS? It seems that it is basically the same thing? Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, September 08, 2005 11:52 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] How to credit a domain Goran, I have consistently found that providers that handle mail for other companies are reliable enough that I can merely counterweight their IP. I hardly ever trust their reverse DNS, and even less often the HELO. I have a last resort test where I have a mixed bag of counterweights. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, September 08, 2005 8:33 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] How to credit a domain Hi all, I get messages like this all the time and I am always in a dilemma on what to do about them. This is a legit mail that scored 10 (where I start tagging mail). -- -- - Received: from mx.dstsystems.com [204.167.177.68] by mail1.gonetworks.net with ESMTP (SMTPD32-8.13) id AAD8195300F2; Wed, 07 Sep 2005 15:09:12 -0400 X-RBL-Warning: HELOBOGUS: Domain mx.dstsystems.com has no MX or A records [0301]. X-Declude-Sender: [EMAIL PROTECTED] [204.167.177.68] X-Note: Reverse DNS: Sent from dstsys-cp.dstsystems.com ([204.167.177.68]). X-Note: Tests Failed: CMDSPACE [8], HELOBOGUS [5], NOLEGITCONTENT [0], SIZE-S [0] -- -- - So this mail came from domain dstsystems.com on the IP 204.167.177.68 but it is from domain ifdsgroup.com. Now my preferred method of dealing with this type of problem is to credit based on REVDNS. Again in this case there is a good REVDNS but it is not from the same domain as the MAILFROM (if it was then I would have no problem in crediting the REVDNS). So is there a way to figure out if dstsystems.com is a e-mail hosting company and then I would not want to credit the REVDNS as I do not know what other domains they host. If I cannot figure out the link then I would not credit REVDNS and would move to step 2. Credit HELO. HELOs can be spoofed but in this case the HELO is basically the same as the REVDNS. Next step is crediting MAILFROM. This I can do with the ifdsgroup.com and lower the score for e-mail from this domain. Again it can be spoofed but ... I would prefer to credit REVDNS as that cannot be spoofed but I am leery of crediting an unknown domain when it does not relate to the MAILFROM address. Any thoughts on how (if possible) to connect the two domains? Or do I simply drop down to option 3 and credit MAILFROM? I suppose that I could try and figure out the admin responsible for dstsystems.com and tell them to fix the HELOBOGUS error in which case my problems would (mostly) go away. Any thoughts and comments are appreciated. Thanks Goran Jovanovic The LAN Shoppe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spam box
I have a question about these boxes that go in front of Declude, be they IMGATE or ORF or whatever. The way that I understand it from reading the threads here is that these front end boxes require the complete list of valid e-mail addresses for all domains that are being processed. Is that correct? If that is correct, then perhaps someone who is gatewaying mail to clients could answer this. How do you get all the e-mail addresses on the front end box and how do you keep it updated? I am doing gatewaying to various Exchange and other hosting providers and do not host any mail on my site. So am I correct in assuming that this solution will not work in my setup? Thanx Goran Jovanovic The LAN Shoppe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Thursday, August 04, 2005 1:43 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Spam box Richard Farris wrote: Is there a box I can put in front of my Imail server that will help take some of the load off of the spam filtering that Declude is doing Hi Richard - One method is to put ORF in front of your IMail box and via its recipients blacklist feature refuse all mail that does not have a legit address on the imail box. It has really helped me kill huge dictionary attacks - like in the magnitude of 2 mill a day .. -Nick Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet
RE: [Declude.JunkMail] Whitelistfile
I will throw in a couple of cents worth (but CDN so perhaps less than others :) ) All the mail that I process I gateway. So in each domain directory I have a $default$.junkmail file and in each one of those I have the following two lines added WHITELISTFILE C:\IMail\Declude\Filters\GlobalWhiteList.txt WHITELISTFILE C:\IMail\Declude\domain.com\whitelist.txt I do not use the DOMAINWHITELIST command in global.cfg By doing the above I can specifically whitelist a user per domain so [EMAIL PROTECTED] or I have some clients who have multiple domains being accepted by the same server then in the domain2.com $default$.junkmail file I put in a reference to domain.com\whitelist and not domain2.com\whitelist since the two domains are really the same so I only have to maintain one whitelist.txt file for that company. Hope that helps Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of kztechinfo - cribellum Sent: Wednesday, July 13, 2005 12:43 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Whitelistfile Scott, From what I read DOMAINWHITELIST does not whitelist the domain using it but allow you to add a whitelist file to the domains directory that lists (the IP address, E-mail address, etc.) to be whitelisted. Keith Zwick Cribellum, LLC 248-596-1901 ex301 - Original Message - From: Scott Fisher [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, July 13, 2005 12:30 PM Subject: Re: [Declude.JunkMail] Whitelistfile I'll add my 2cents worth. I don't whitelist by domain name because these can be easily forged by spammers and/or virus zombies. - Original Message - From: kztechinfo - cribellum [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, July 13, 2005 11:20 AM Subject: Re: [Declude.JunkMail] Whitelistfile Thanks Darrell, I had found that archive. I guess I was a little confused because if you enable DOMAINWHITLIST then you put a file whitelist.txt in the users domain directory or the other way is to put a whitelistfile entry into the domain.junkmail.txt file with a whateverfilename.txt in the declude directory. They both seem very similar and am not sure why there are two ways to do this unless, the WHITELISTFILE allows for putting one file and having multiple domains use it. Does the Domainwhitelists use the same format as the WHITELIST option in the global.cfg but instead the emails are in the whitellist.txt file name? Also, is there a limit of 200 lines when using the whitelist.txt file? Would this be another reason to use the WHITELISTFILE, because there are not limits? Keith Zwick Cribellum, LLC 248-596-1901 ex301 - Original Message - From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, July 13, 2005 11:37 AM Subject: Re: [Declude.JunkMail] Whitelistfile Keith, The way this message reads - http://www.mail-archive.com/declude.junkmail@declude.com/msg21038.html It appears as its a either or so for example if you have the DOMAINWHITELISTS ON than you do not have to have the entry in the domains default.junkmail file. Or you can have the entry in each default.junkmail and not have the DOMAINWHITELISTS ON in the global.cfg Darrell - invURIBL - Intelligent URL filtering. Stops 85% of spam with the default configuration. http://www.invariantsystems.com kztechinfo - cribellum writes: Hi, I am currently using Declude Junkmail 1.82 and am looking at adding the WHITELISTFILE option. I checked the release notes and it says it was added in beta for 1.78 but it lists: DOMAINWHITELISTS ON option, to allow for per-domain whitelist files at \IMail\Declude\example.com\whitelist.txt. Is the Domainwhitelists on option needed? Inthe manual it does not state it and I am not sure it is needed anymore. From what I saw by looking at the manual, release notes and archives you need to put; WHITELISTFILE D:\{MAILSERVER}\Declude\mywhitelist.txt in just the $default$.junkmail file you want to use it for. If it is for a certain domain then it would just go in their file. Also, it looks like you don't have to put anything in the global.cfg file according to the manual. What is the DOMAINWHITELISTS ON option mentioned in the release notes and is it still used? Can mywhitelist.txt be named anything you want? In an archive dated 9/2004 Scott stated that the file needed to be called whitelist.txt, does this still apply? If it does not anymore, what version did it change? Thanks for any help, Keith Zwick Cribellum, LLC --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail
[Declude.JunkMail] Problems with Network Solutions DNS Servers
Hi all, I have been having problems with Network Solutions DNS server all day. Specifically ns7 and ns8.worldnic.com. When you ask for an SOA record they come back with gonetworks.net Server: ns7.worldnic.com Address: 216.168.228.6 (root) nameserver = G.ROOT-SERVERS.NET (root) nameserver = H.ROOT-SERVERS.NET (root) nameserver = I.ROOT-SERVERS.NET (root) nameserver = J.ROOT-SERVERS.NET (root) nameserver = K.ROOT-SERVERS.NET (root) nameserver = L.ROOT-SERVERS.NET (root) nameserver = M.ROOT-SERVERS.NET (root) nameserver = A.ROOT-SERVERS.NET (root) nameserver = B.ROOT-SERVERS.NET (root) nameserver = C.ROOT-SERVERS.NET (root) nameserver = D.ROOT-SERVERS.NET (root) nameserver = E.ROOT-SERVERS.NET (root) nameserver = F.ROOT-SERVERS.NET They will sometimes answer an A record request for cmail1.gonetworks.net with the correct IP address and other times they will not. Has anyone else been experiencing these problems today? The story I get from first level phone support is that their servers are down for maintenance (all day???) and that engineering will get back to me in 1 to 3 days. Has anyone else been experiencing these problems today? Goran Jovanovic The LAN Shoppe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Problems with Network Solutions DNS Servers
And me not monitoring the imail list. What were the problems (in summary)? -Original Message- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] Date: Fri, 8 Jul 2005 14:49:52 To:Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Problems with Network Solutions DNS Servers Known problem as posted on the Imail list. I actually sent out a broadcast earlier informing them of possible problems. John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Friday, July 08, 2005 2:27 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Problems with Network Solutions DNS Servers Hi all, I have been having problems with Network Solutions DNS server all day. Specifically ns7 and ns8.worldnic.com. When you ask for an SOA record they come back with gonetworks.net Server: ns7.worldnic.com Address: 216.168.228.6 (root) nameserver = G.ROOT-SERVERS.NET (root) nameserver = H.ROOT-SERVERS.NET (root) nameserver = I.ROOT-SERVERS.NET (root) nameserver = J.ROOT-SERVERS.NET (root) nameserver = K.ROOT-SERVERS.NET (root) nameserver = L.ROOT-SERVERS.NET (root) nameserver = M.ROOT-SERVERS.NET (root) nameserver = A.ROOT-SERVERS.NET (root) nameserver = B.ROOT-SERVERS.NET (root) nameserver = C.ROOT-SERVERS.NET (root) nameserver = D.ROOT-SERVERS.NET (root) nameserver = E.ROOT-SERVERS.NET (root) nameserver = F.ROOT-SERVERS.NET They will sometimes answer an A record request for cmail1.gonetworks.net with the correct IP address and other times they will not. Has anyone else been experiencing these problems today? The story I get from first level phone support is that their servers are down for maintenance (all day???) and that engineering will get back to me in 1 to 3 days. Has anyone else been experiencing these problems today? Goran Jovanovic The LAN Shoppe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. Goran Jovanovic The LAN Shoppe O: (416) 440-1167 x-2113 C: (416) 931-0688 E: [EMAIL PROTECTED] Sent from my Wireless Blackberry --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: Re[6]: [Declude.JunkMail] Test Order
I went through this just a bit ago and if memory serves me correctly DNS Tests Builtin tests External Filters And External and Filters run in the order they are found in the global.cfg Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Wednesday, May 18, 2005 5:39 AM To: Declude.JunkMail@declude.com Subject: Re: Re[6]: [Declude.JunkMail] Test Order Flip your log into debug mode for a couple of emails. You'll see exactly what order everything runs. - Original Message - From: David Sullivan [EMAIL PROTECTED] To: Darrell ([EMAIL PROTECTED]) Declude.JunkMail@declude.com Sent: Tuesday, May 17, 2005 3:54 PM Subject: Re[6]: [Declude.JunkMail] Test Order Dsic I found an answer in the archives from Scott. External tests are ran in the Dsic order they are listed in the global.cfg. Dsic http://www.mail-archive.com/declude.junkmail@declude.com/msg06191.html Thanks. This does help. That thread is about 2.5 years old now, can someone from Declude confirm that this does still apply? Also, what order are the groups run in? If I had an external test that was the LAST external test would it also be the last test or is there a group of tests that get run after external? -- Best regards, Davidmailto:[EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Thoughts on why this did not make it
Hi, This is the IMail log for a specific message that was sent through me to my client. The SendingDomain.com is actually whitelisted in their per domain whitelist file. On May 10 there were 3 messages from sender to receiver and 2 of them did not make it but one did. This is one of the did not make it ones. All three of them were addressed to the same three people. As far as I can tell we got it OK, processed it (whitelisted) and then handed it off to the client. We got a 250 OK at the end of the data, got 250 OKs from the RCPT TO. So if we gave it to the client (and it looks like we did unless I am missing something) I guess the next step is for the client to review their Exchange logs. Any other thoughts? Thanx 05:10 10:00 SMTPD(be761384002c6f12) [10.0.0.8] connect 160.109.101.40 port 49675 05:10 10:00 SMTPD(be761384002c6f12) [160.109.101.40] EHLO smtp.SendingDomain.com 05:10 10:00 SMTPD(be761384002c6f12) [160.109.101.40] MAIL From:[EMAIL PROTECTED] 05:10 10:00 SMTPD(be761384002c6f12) [160.109.101.40] RCPT To:[EMAIL PROTECTED] NOTIFY=FAILURE,DELAY 05:10 10:00 SMTPD(be761384002c6f12) [160.109.101.40] RCPT To:[EMAIL PROTECTED] NOTIFY=FAILURE,DELAY 05:10 10:00 SMTPD(be761384002c6f12) [160.109.101.40] RCPT To:[EMAIL PROTECTED] NOTIFY=FAILURE,DELAY 05:10 10:00 SMTPD(be761384002c6f12) [160.109.101.40] C:\IMail\spool\Dbe761384002c6f12.SMD 14046 05:10 10:00 SMTP-() Info - Adding Queue file C:\IMail\spool\Qbe761384002c6f12.SMD 05:10 10:00 SMTP-(be761384002c6f12) processing C:\IMail\spool\Qbe761384002c6f12.SMD 05:10 10:00 SMTP-(be761384002c6f12) [x] looking up ReceivingDomain.com in HOSTS and MX 05:10 10:00 SMTP-(be761384002c6f12) [x] looking up ReceivingDomain.com in HOSTS and MX 05:10 10:00 SMTP-(be761384002c6f12) [x] looking up ReceivingDomain.com in HOSTS and MX 05:10 10:00 SMTP-(be761384002c6f12) Trying ReceivingDomain.com (0) 05:10 10:00 SMTP-(be761384002c6f12) [x] Connecting socket to service SMTP on host ReceivingDomain.com using protocol tcp 05:10 10:00 SMTP-(be761384002c6f12) [x] using source IP for mail1.gonetworks.net [10.0.0.8] 05:10 10:00 SMTP-(be761384002c6f12) Connect ReceivingDomain.com [xxx.xxx.xxx.xxx:25] (1) 05:10 10:00 SMTP-(be761384002c6f12) 220 server.ReceivingDomain.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10) ready 05:10 10:00 SMTP-(be761384002c6f12) EHLO mail1.gonetworks.net 05:10 10:00 SMTP-(be761384002c6f12) 250-server.ReceivingDomain.com Hello [cmail1.gonetworks.net] 05:10 10:00 SMTP-(be761384002c6f12) 250-XEXCH50 05:10 10:00 SMTP-(be761384002c6f12) 250-HELP 05:10 10:00 SMTP-(be761384002c6f12) 250-ETRN 05:10 10:00 SMTP-(be761384002c6f12) 250-DSN 05:10 10:00 SMTP-(be761384002c6f12) 250-SIZE 5120 05:10 10:00 SMTP-(be761384002c6f12) 250-AUTH LOGIN 05:10 10:00 SMTP-(be761384002c6f12) 250 AUTH=LOGIN 05:10 10:00 SMTP-(be761384002c6f12) MAIL FROM:[EMAIL PROTECTED] 05:10 10:00 SMTP-(be761384002c6f12) 250 OK - mail from [EMAIL PROTECTED] 05:10 10:00 SMTP-(be761384002c6f12) RCPT To:[EMAIL PROTECTED] NOTIFY=FAILURE,DELAY 05:10 10:00 SMTP-(be761384002c6f12) 250 OK - Recipient [EMAIL PROTECTED] 05:10 10:00 SMTP-(be761384002c6f12) RCPT To:[EMAIL PROTECTED] NOTIFY=FAILURE,DELAY 05:10 10:00 SMTP-(be761384002c6f12) 250 OK - Recipient [EMAIL PROTECTED] 05:10 10:00 SMTP-(be761384002c6f12) RCPT To:[EMAIL PROTECTED] NOTIFY=FAILURE,DELAY 05:10 10:00 SMTP-(be761384002c6f12) 250 OK - Recipient [EMAIL PROTECTED] 05:10 10:00 SMTP-(be761384002c6f12) DATA 05:10 10:00 SMTP-(be761384002c6f12) 354 Send data. End with CRLF.CRLF 05:10 10:00 SMTP-(be761384002c6f12) . 05:10 10:00 SMTP-(be761384002c6f12) 250 OK 05:10 10:00 SMTP-(be761384002c6f12) rdeliver ReceivingDomain.com multiple (3) [EMAIL PROTECTED] 14887 05:10 10:00 SMTP-(be761384002c6f12) QUIT 05:10 10:00 SMTP-(be761384002c6f12) 221 closing connection 05:10 10:00 SMTP-(be761384002c6f12) [u] closing socket (u) 05:10 10:00 SMTP-(be761384002c6f12) finished C:\IMail\spool\Qbe761384002c6f12.SMD status=1 Goran Jovanovic The LAN Shoppe
[Declude.JunkMail] Graceful way to stop services
Title: Message Hi, What is the most graceful way to stop mail processing on an IMail/Declude process? At present when I have to stop the services I stop the SMTP service then the Queue Manager Service, watch task manager for all the Declude processes to stop. Will this method leave T*.SMD files or incomplete D*.SMD files? I think it does. Goran Jovanovic The LAN Shoppe
[Declude.JunkMail] What is a D*.SM$ file
Title: Message Hi all, I have some leftover D*.SM$ files that seem to be showing up occasionally in my spool directory. These files contain the e-mail after declude has processed the e-mail. There is no corresponding T or Q file sitting around so it is definitely an orphan. Any idea on why/what this file is? Thanx Goran Jovanovic The LAN Shoppe
RE: [Declude.JunkMail] Graceful way to stop services
Title: Message But stopping the SMTP service creates the incomplete T and D files right? So there is no way to tell IMail to do not accept any more connections and finish what you are doing so that I can stop the process without getting the incomplete files? I know that the sending server will retry the mail again so I am not really worried about losing mail I was just trying to prevent clutter in the spool directory. In any case I have a cleanup routing that deletes old T, D and Q files. Goran Jovanovic The LAN Shoppe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Friday, May 13, 2005 5:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Graceful way to stop services You should only need to stop the SMTP service and then wait about 10 seconds. Matt Goran Jovanovic wrote: Hi, What is the most graceful way to stop mail processing on an IMail/Declude process? At present when I have to stop the services I stop the SMTP service then the Queue Manager Service, watch task manager for all the Declude processes to stop. Will this method leave T*.SMD files or incomplete D*.SMD files? I think it does. Goran Jovanovic The LAN Shoppe -- =MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/=
RE: [Declude.JunkMail] Graceful way to stop services
Title: Message Thanx for the tip. I am actually using a program called cleaner.exe with a cleaner.ini file that I run every night. I think I will continue to use it so that all my log deletion etc can be found in one place. Only problem with Cleaner is that the log file it produces is in German Untersuche c:\imail\spool\virus\ (I think) Thanx to all Goran Jovanovic The LAN Shoppe 2345 Yonge Street, Suite 302 Toronto, Ontario M4P 2E5 Phone: (416) 440-1167 x-2113 Cell: (416) 931-0688 E-Mail: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, May 13, 2005 6:03 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Graceful way to stop services Exercise caution if you're using isplcln.exe with an old version of IMail. See my posting in the web archive: http://www.mail-archive.com/declude.junkmail@declude.com/msg22444.html Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Friday, May 13, 2005 2:56 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Graceful way to stop services Goran, I'm not 100% positive about this, but I don't think that it leaves garbage lying around if you stop the SMTP service, or if it does, it is normally minimal. Stopping the Queue Manager might, but I generally don't do that. It's not uncommon for me to stop my SMTP service and I don't have orphans lying around. I do however gateway everything through different servers which stops the problem where zombies will leave incomplete E-mails all over the place, and IMail will even deliver some of them even though they don't even contain a full set of headers. A lot of the trash that you might be seeing may very well be from zombies. I seem to recall that the renaming of the SMD files to SM$ might indicate that they are missing a Q file or something and were found stranded in the spool, and might also be related to these bad sessions that timeout. You can't do anything about the zombie/broken mailer issue unless you use a different piece of software as your gateway for incoming E-mail. Anyway, every midnight I run the following command line tool from Ipswitch to clean out my spool of files older than 3 days: C:\IMail\ISplCln.exe -n 3 The -n switch targets non-logs. An additional switch for -l will target the logs. It doesn't traverse directories and it uses the Spool location stored in IMail. My command will delete any E-mail file older than 3 days that is sitting in the spool. I only retry E-mail for up to 18 hours, so practically speaking, I could get away with deleting after just 1 day and not affect my system, but I like to have a history of a few days there just in case something happened and I missed it. http://support.ipswitch.com/kb/IM-19990629-DM06.htm Matt Goran Jovanovic wrote: But stopping the SMTP service creates the incomplete T and D files right? So there is no way to tell IMail to do not accept any more connections and finish what you are doing so that I can stop the process without getting the incomplete files? I know that the sending server will retry the mail again so I am not really worried about losing mail I was just trying to prevent clutter in the spool directory. In any case I have a cleanup routing that deletes old T, D and Q files. Goran Jovanovic The LAN Shoppe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Friday, May 13, 2005 5:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Graceful way to stop services You should only need to stop the SMTP service and then wait about 10 seconds. Matt Goran Jovanovic wrote: Hi, What is the most graceful way to stop mail processing on an IMail/Declude process? At present when I have to stop the services I stop the SMTP service then the Queue Manager Service, watch task manager for all the Declude processes to stop. Will this method leave T*.SMD files or incomplete D*.SMD files? I think it does. Goran Jovanovic The LAN Shoppe -- =MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/= -- =MailPure custom filters for Declude JunkMail Pro.http://www.mailpure.com/software/=
[Declude.JunkMail] Phishing Question
Hi, I do not understand how this is being displayed in IE. I got a phishing e-mail reported to me and I went to check it out. This is the HTML text P class=Estilo6To log into your account and verify your account activity, click here: BRA onmouseover=window.status='https://www1.royalbank.com/cgi-bin/rbaccess/ rbunxcgi?REQUEST=ClientSigninamp;LANGUAGE=ENGLISH'; return true; href=http://haukelid.com/hfl/.rbc/index.php; target=_blankhttp://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUES T=ClientSigninamp;LANGUAGE=ENGLISH/A/P Now I understand that this shows up in the e-mail as www1.royalbank.com/ So what I did was to go to the haukelic.com/... page directly in IE. When I get there the address in the address bar is http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin LANGUAGE=ENGLISH How is this possible to display some other address when I went to the haukelid.com address? What would people do to prevent this mail from getting through in the future? In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a real site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site. Can I get some thoughts on this. Thanx Goran Jovanovic The LAN Shoppe --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.