Re: [Declude.JunkMail] Declude 2 and DELETE

2005-03-01 Thread Jason Fullen
I've run into this problem too.  My solution was to setup another delete 
test two points lower than your original delete test.  So with a WEIGHT30 
test, setup a WEIGHT28 test with the action of delete.  I don't know how 
reliable it is, but it worked for me.

Jason
- Original Message - 
From: Fritz Squib [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, March 01, 2005 7:42 AM
Subject: [Declude.JunkMail] Declude 2 and DELETE


Apparently I missing something bloody obvious, but with 2.0 running it 
seems
like my delete action doesn't work as expected any more.

Running the latest 2.x release downloaded last night.
--Global Config--
WEIGHT20 weight x x 20 0
WEIGHT30 weight x x 32 0
--Default.junkmail--
WEIGHT20 HOLD
WEIGHT30 DELETE
In a brief conversation with Declude the response I got was:
The problem is probably the change in the way the DELETE action works. 
In
the past, it would delete the E-mail for all recipients.  Now, it only
deletes the E-mail for recipients that use the DELETE action.

It still seems like the HOLD action is taking precedence over the DELETE
action since mail with weight over my WEIGHT30 test winds up in the hold
folder even though the log file says:
02/01/2005 12:25:06 Qbb6c48770128853b Msg failed WEIGHT30 (Weight of 44
reaches or exceeds the limit of 32.). Action=DELETE.
I has sent Scott debug log files but I still haven't figure out what I'm
missing.
Yes there are a *few* per user .junkmail files, with an action of WARN, 
but
most of the held mail is either not for them (nor are they CC'd or BCC'd 
as
far as I can tell) and/or (may or may not be related) in the spam review
application there is no To: field reported.

I have also tried changing 'weight' to 'weightrange' with the appropriate
scores, and still see the same results
Anyone else ?
Fritz
Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
()  ascii ribbon campaign - against html email
/\- against microsoft attachments
---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]
---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] SURBL as RHSBL

2004-11-23 Thread Jason @ AreaTech
I would rather not add six new tests to my config.  Would you recommend a
single SURBL test?  Which one seems to work better?

Regards,

Jason

- Original Message - 
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 8:02 AM
Subject: Re: [Declude.JunkMail] SURBL as RHSBL


 Hi Bill,

 You seem to always be one of the first to share new blacklists.  Where do
 you find this info?  Is there another list that would be worth joining?

 Thanks, man.

 Darin.


 - Original Message - 
 From: Bill Landry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, November 23, 2004 5:04 AM
 Subject: Re: [Declude.JunkMail] SURBL as RHSBL


 Modification, since I was not thinking, but Declude JunkMail does not
 support bitmasked responses.  So instead of using the multi zone, you will
 need to use:

 SURBL_AB  rhsbl ab.surbl.org127.0.0.2 1 0
 SURBL_JP  rhsbl jp.surbl.org127.0.0.2 1 0
 SURBL_OB  rhsbl ob.surbl.org127.0.0.2 1 0
 SURBL_PH  rhsbl ph.surbl.org127.0.0.2 1 0
 SURBL_SC  rhsbl sc.surbl.org127.0.0.2 1 0
 SURBL_WS  rhsbl ws.surbl.org127.0.0.2 1 0

 Which will require six different queries if you want to use all SURBL
lists.

 Bill
 - Original Message - 
 From: Bill Landry
 To: [EMAIL PROTECTED]
 Sent: Tuesday, November 23, 2004 12:47 AM
 Subject: Re: [Declude.JunkMail] SURBL as RHSBL


 Markus, if you want to test against all of the SURBLs, since it's only a
 single query to the multi zone, use:

 SURBL_AB  rhsbl multi.surbl.org127.0.0.32 1 0
 SURBL_JP  rhsbl multi.surbl.org127.0.0.64 1 0
 SURBL_OB  rhsbl multi.surbl.org127.0.0.16 1 0
 SURBL_PH  rhsbl multi.surbl.org127.0.0.8 1 0
 SURBL_SC  rhsbl multi.surbl.org127.0.0.2 1 0
 SURBL_WS  rhsbl multi.surbl.org127.0.0.4 1 0

 AB = AbuseButler data
 JP = Combination of Prolocation data  Joe Wein's SpamSpy data
 OB = OutBlaze data
 PH = Combination of MailPolice Fraud list data  MailSecurity Phishing
 list data
 SC = SpamCop top 200 hits data
 WS = William Stearns  submitter data

 I have been testing this for about an hour, and am getting a few hits.
 We'll see how it goes over the next 24 hours...


 Bill
 - Original Message - 
 From: Markus Gufler
 To: [EMAIL PROTECTED]
 Sent: Monday, November 22, 2004 11:41 PM
 Subject: RE: [Declude.JunkMail] SURBL as RHSBL


 Is this the correct configruation line for doing this?

 SURBLS-RHSBL  rhsbl %MAILFROM%.sc.surbl.org  127.0.0.2 5 0


 Markus


 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Spam Bounty Hunters...?

2004-06-30 Thread Jason @ AreaTech
http://www.msnbc.msn.com/id/5326107/
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Messages slipping through JM

2004-06-29 Thread Jason @ AreaTech
We have had a many e-mails showing up as of late that have no subject/body.
Further investigation shows that these messages are far above our hold
weight.  The latest one I've received has a subject, but no body.  Here are
the headers from the message:

Received: from host107-183.pool80181.interbusiness.it [80.181.183.107] by
areatech.com
  (SMTPD32-7.14) id A7EC9DA0084; Tue, 29 Jun 2004 14:50:04 -0500
From: [EMAIL PROTECTED]
To: dolphins@ areatech.com
Subject: Pay less money - receive more software.. It's too simple. ;-)
quibble
Date: Tue, 29 Jun 2004 14:48:37 -0600
Message-ID: 3[4
X-RBL-Warning: DSN: Not supporting null originator (DSN) [2-19-9800]
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 12. [2-36-12000]
X-RBL-Warning: WEIGHT10: Weight of 39 reaches or exceeds the limit of 10.
[2-37-12800]
X-RBL-Warning: WEIGHT20: Weight of 39 reaches or exceeds the limit of 27.
[2-40-14000]
X-Declude-Sender: [EMAIL PROTECTED] [80.181.183.107]
X-Spam-Tests-Failed: SORBS-DUHL, DSN, SPAMCHK, WEIGHT10, WEIGHT20 [39]
X-UIDL: 385498355


Can someone shed some light on what may be causing this to be delivered?


Thanks

Jason

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Messages slipping through JM

2004-06-29 Thread Jason @ AreaTech
Sorry Scott, should have been more clear.  We don't do a declude Hold at
Weight20, we do a warn, and then I have a rule in Imail (7.15) that sends
anything with WEIGHT20 to a spambox submailbox.

Here are the JM logs:

[trunc]
06/29/2004 14:49:58 Qc7df09da00840372 L1 Message OK
06/29/2004 14:49:58 Qc7df09da00840372 Tests failed [weight=39]:
SORBS-DUHL=IGNORE DSN=WARN IPNOTINMX=IGNORE SPAMCHK=WARN WEIGHT10=WARN
WEIGHT20=WARN CATCHALLMAILS=IGNORE
06/29/2004 14:49:58 Qc7df09da00840372 L2 Message OK
06/29/2004 14:49:58 Qc7df09da00840372 Tests failed [weight=39]:
SORBS-DUHL=IGNORE DSN=WARN IPNOTINMX=IGNORE SPAMCHK=WARN WEIGHT10=WARN
WEIGHT20=WARN CATCHALLMAILS=IGNORE
06/29/2004 14:49:58 Qc7df09da00840372 L3 Message OK
06/29/2004 14:49:58 Qc7df09da00840372 Tests failed [weight=39]:
SORBS-DUHL=IGNORE DSN=WARN IPNOTINMX=IGNORE SPAMCHK=WARN WEIGHT10=WARN
WEIGHT20=WARN CATCHALLMAILS=IGNORE
06/29/2004 14:49:58 Qc7df09da00840372 L4 Message OK
[/trunc]


So I'm gonna answer my own question here, and say that Declude got it right,
but Imail didn't catch it in the Rule.  Anyone have a clue on why Imail rule
wouldn't catch the text WEIGHT20 using this rule:


H~(WEIGHT20):spambox


TIA

Jason



- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 3:11 PM
Subject: RE: [Declude.JunkMail] Messages slipping through JM


 Jason,

 What does the Declude log file indicate for these messages?

 Best Regards
 Andy Schmidt

 HM Systems Software, Inc.
 600 East Crescent Avenue, Suite 203
 Upper Saddle River, NJ 07458-1846

 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206

 http://www.HM-Software.com/



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Messages slipping through JM

2004-06-29 Thread Jason @ AreaTech

- Original Message - 
From: Ken Weise [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 4:16 PM
Subject: Re: [Declude.JunkMail] Messages slipping through JM


 If this was forwarded from another account, it would skip the IMail rule.
I
 just went through that, when one of our sales people went on vacation and
 forwarded their mail to the CEO, who then received all their spam. :-)



Is this by design?  I'm confused now (doesn't take much).  So an e-mail
comes in, it gets processed by declude, processed by rules, and delivered.
Now we take that same e-mail and forward it to my account.   Where does it
go south, does it go from declude to an odd 'forward' process bypassing the
rules, and straight to delivery?


Thanks

Jason

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Messages slipping through JM

2004-06-29 Thread Jason @ AreaTech
- Original Message - 
From: Grant Griffith - Declude JM [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 4:19 PM
Subject: RE: [Declude.JunkMail] Messages slipping through JM


 Why not use the command in Declude to do this directly?  In looking at the
 manual it appears to be ROUTETO email address.  You could do this for
the
 WEIGHT20 Piece.


I'm not sending all WEIGHT20 to a separate e-mail address.  I'm shooting it
to a sub mailbox.  For this I would use the MAILBOX action, and that
requires PRO which we do not have.


Jason



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Messages slipping through JM

2004-06-29 Thread Jason @ AreaTech
Don't believe that will work.  Does anyone know why a forwarded message
isn't processed by the rules?

Thanks,

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
- Declude JM
Sent: Tuesday, June 29, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Messages slipping through JM


Not sure if this would really work, but you could send it to a separate
mailbox using the ROUTETO function by putting
[EMAIL PROTECTED] Will this work if it is to the same user?
Might be a way around the problem?

Sincerely,
Grant Griffith
EI8HT LEGS Enhanced Web Management
A Division of ETC
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jason @ AreaTech
Sent: Tuesday, June 29, 2004 4:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Messages slipping through JM


- Original Message -
From: Grant Griffith - Declude JM [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 4:19 PM
Subject: RE: [Declude.JunkMail] Messages slipping through JM


 Why not use the command in Declude to do this directly?  In looking at

 the manual it appears to be ROUTETO email address.  You could do 
 this for
the
 WEIGHT20 Piece.


I'm not sending all WEIGHT20 to a separate e-mail address.  I'm shooting
it to a sub mailbox.  For this I would use the MAILBOX action, and that
requires PRO which we do not have.


Jason



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] nospamproxy

2004-06-07 Thread Jason @ AreaTech
Anyone here try using Nospamproxy?  Looks promising


http://www.nospamproxy.de



Please let me know.


Jason

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Nameserver issues and Spam fighting

2004-04-22 Thread Jason
Chuck,

Your most efficient option would be to run your own DNS server.  Then
YOU control the query volumes, and no longer rely on ATT. 

Jason






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Thursday, April 22, 2004 11:16 AM
To: Declude. JunkMail
Subject: [Declude.JunkMail] Nameserver issues and Spam fighting


With the increase in people trying to fight spam, nameservers are
getting bombarded with lookup request.  Recently I understand that ATT
has taken steps to not allow lookups of most of the blacklists using
their network. It seems that we are seeing more and more DNS timeouts
which result in more spam getting through.  Anyone else perceive this as
a problem that will only get worse?  Anyone have any suggestions to make
the DNS lookup process more efficient?

It would be nice feature if we could bypass some of the DNS lookups if
the email scored over a certain amount which would allow some of the
email to bypass the lookups thereby reducing the load.

[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] OT: Scripting batch files

2004-04-19 Thread Jason
Hello everyone.  

I have created a batch file that runs Bill's log analyzer that was made
available last week.  What I would like to do is have the DOS batch file
e-mail this each night at midnight using the previous days declude log
file.  I do not know much about date scripting in DOS batch files so any
help would be appreciated.  Here is the batch I have (very basic):


wamlog c:\imail\spool\dec0418.log  Stats.txt
imail1 -s Daily Spam Stats -t [EMAIL PROTECTED] -u Spam -h domain.com -f
Stats.txt



Thanks,


Jason

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] OT: Scripting batch files

2004-04-19 Thread Jason
Responding to my own post:

Here is the final batch file with date scripting included.  It is
probably too basic, but if anyone can use it here it is:

for /F tokens=1-4 delims=/-  %%A in ('date/T') do wamlog
c:\imail\spool\dec%%B%%C.log   Stats.txt
imail1 -s Daily Spam Stats -f Stats.txt -t [EMAIL PROTECTED] -u Spam -h
domain.com



Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason
Sent: Monday, April 19, 2004 2:05 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: Scripting batch files


Hello everyone.  

I have created a batch file that runs Bill's log analyzer that was made
available last week.  What I would like to do is have the DOS batch file
e-mail this each night at midnight using the previous days declude log
file.  I do not know much about date scripting in DOS batch files so any
help would be appreciated.  Here is the batch I have (very basic):


wamlog c:\imail\spool\dec0418.log  Stats.txt
imail1 -s Daily Spam Stats -t [EMAIL PROTECTED] -u Spam -h domain.com -f
Stats.txt



Thanks,


Jason

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] New test

2004-04-19 Thread Jason
These headers didn't trigger the HELOISIP test.  It looks to me like
they should have.  Any Ideas?




Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]
by areatech.com
  (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
Received: from iowiekwaoakkwjehckckw.com (iowiekwaoakkwjehckckw.com
[20.214.235.110])
by adsl-63-202-107-44.dsl.lsan03.pacbell.net (Postfix) with
ESMTP id 24CB5D66BE
for [EMAIL PROTECTED]; Mon, 19 Apr 2004 11:36:16 -0400
Date: Mon, 19 Apr 2004 11:36:16 -0400
From: Counsellors T. Dissenters [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.0) Personal
Reply-To: [EMAIL PROTECTED]
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: Newlandj [EMAIL PROTECTED]
Subject: A|D|V 1adies tthat wannt to encounter 5trangers
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
X-RBL-Warning: MAILFROM: Domain iowiekwaoakkwjehckckw.com has no MX or A
records [0301]. [2-26-d000]
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 10. [2-37-12800]
X-RBL-Warning: WEIGHT10: Weight of 32 reaches or exceeds the limit of
10. [2-38-13000]
X-RBL-Warning: WEIGHT20: Weight of 32 reaches or exceeds the limit of
28. [2-41-14800]
X-Declude-Sender: [EMAIL PROTECTED] [63.202.107.44]
X-Spam-Tests-Failed: SORBS-DUHL, MAILFROM, SPAMCHK, WEIGHT10, WEIGHT20
[32]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] New test

2004-04-19 Thread Jason
Don't know about NT4, but we are running it on Win2k using log level low
and it is working well.  I don't see it come up in the task manager
either, but it is running.


Jason



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Brooks
Sent: Monday, April 19, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Will Heloisp run on NT ...I do not see any activity in task manager or
in 
the declude logslog level MID



At 01:57 PM 4/19/2004 -0400, you wrote:
You should be fine as long as you don't do matches on numbers below 20,

or
at least that is my experience.  I'm thinking that you created this 
exception in order to head off that problem.  Minimally it's worth a
try.

Matt


Bud Durland wrote:

Jason wrote:

These headers didn't trigger the HELOISIP test.  It looks to me like 
they should have.  Any Ideas?


Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net 
[63.202.107.44] by areatech.com  (SMTPD32-7.14) id A37557AB0118; Mon,

19 Apr 2004 10:42:45 -0500


Because of the 'lsan03', the numeric characters in the host name boil
down to 63.202.107.44.03.  I'm thinking about how best to make this
type 
of entry fail, without jacking up the risk of a false positive.


--
=
MailPure custom filters for Declude JunkMail Pro. 
http://www.mailpure.com/software/
=


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
unsubscribe Declude.JunkMail.  The archives can be found at 
http://www.mail-archive.com.

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] New test

2004-04-18 Thread Jason
Bud,

Is this the proper format for the config file? :

HELOISIPexternalweight
C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!


Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test
 if there is an discernable IP address in the HELO entry of the
message.  


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] New test

2004-04-18 Thread Jason
Thanks Bill.  All I can say is WOW.  This test seems to be working very
very well.  It is snagging tons of stuff.

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, April 18, 2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud's documentation says should be setup as a nonzero test, for
example:

HELOISIP external nonzero C:\imail\declude\heloisip\heloisip.exe 10 0

rather then a weight test.

Bill
- Original Message - 
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 18, 2004 5:59 PM
Subject: RE: [Declude.JunkMail] New test


Bud,

Is this the proper format for the config file? :

HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!


Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test 
 if there is an discernable IP address in the HELO entry of the
message.


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse
DNS entry. All Internet hosts are required to have a reverse DNS entry.
The missing reverse DNS entry will cause your mail to be treated as spam
on some servers, such as AOL.]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Surbl.org

2004-04-13 Thread Jason
Me too   :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, April 13, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Surbl.org


I would be interested in your script until native support is added to
Declude.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Surbl.org - Scott?

2004-04-13 Thread Jason
Yes, your 8 minute update timeframe has passed. ;)



Jason


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Surbl.org

2004-04-12 Thread Jason
From the IMGATE list:


http://surbl.org/

Interesting concept. Anyone here tried it?

Ive been planning to upgrade SA on my personal acct here and have a few
hours to kill on Tues so I think I'm going to add it and see how well it
does.




Any chance this can be made to work with Declude?


Thanks

Jason



[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Surbl.org

2004-04-12 Thread Jason
Innocent?  ;).  We are already using spamchk as an external test.  I
would like to avoid adding spamassassin as well.  I was thinking more
along the lines of integrating the test into the declude core...


Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Monday, April 12, 2004 11:05 PM
To: Jason
Subject: Re: [Declude.JunkMail] Surbl.org


 Any chance this can be made to work with Declude?

Well, SpamAssassin can. :)

Another innocent plug...

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Passing weight to Externalplus test

2004-04-07 Thread Jason
Did you send Scott a Christmas card?

:)


Jason



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Wednesday, April 07, 2004 4:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Passing weight to Externalplus test


 There is now an interim 1.79i3 at

WOW!
I have to analyze Matt's and Sanford's messages/spelling/psycology.

How the hell it's possible to have such a fast reaction (8 minutes!!!)
for such a request?

No doubt, support issues are resolved very fast. Also realy important
things like EZIP. This is important and good.

But I'm asking for month's now for simple new features that in the
meantime was repeated several times by other customers...  still
waiting

Can't imagine what I'm doing wrong here.

Markus  :-(


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Habeas win judgment

2004-04-07 Thread Jason
Great info!  Thanks Bill.


Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, April 07, 2004 8:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Habeas win judgment


Based on the following link, Habeas is recommending that users no longer
rely on solely on the Habeas headers to whitelist messages:

http://habeas.com/configurationPages/spamassassin.htm

The patches Habeas provides for Spamassassin remove the weight reduction
rules based on the Habeas headers and adds the HIL (BlackList) and HUL
(WhiteList) RBLs instead.  I've added them to the Declude JunkMail
global.cfg as:

HABEAS-INFRINGER ip4r hil.habeas.com*  10 0
HABEAS-USER  ip4r hul.habeas.com*  -10 0

Adjust the weights to meet your own needs and requirements.

Bill
- Original Message - 
From: Nathan Fouarge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 2:05 PM
Subject: [Declude.JunkMail] Habeas win judgment


 Just noticed this in the news and didn't see it on this list. 
 http://www.theregister.co.uk/2004/04/07/habeas_spam_lawsuit/
 Glad they are doing something about it.

 Nathan Fouarge
 AmberWave Communications

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
 unsubscribe Declude.JunkMail.  The archives can be found at 
 http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Phishing? (Possible test?)

2004-04-04 Thread Jason
Title: Message



Not 
knowing enough about the way WHOIS works, could a test be set up that would 
heavily weight any e-mails that come from a "New" domain? This would 
really help the pill/porn pushers....



Jason




  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Colbeck, AndrewSent: Saturday, April 03, 2004 
  7:17 PMTo: '[EMAIL PROTECTED]'Subject: RE: 
  [Declude.JunkMail] Phishing?
  The DNS and web 
  server for this domain were on dynamic-range hosts and have already been shut 
  down. The WHOIS registration is a little more than a week old. 
  Googling thenet-abuse groupsturns 
up:


RE: [Declude.JunkMail] BlackIce

2004-03-21 Thread Jason
We had a single Colo'd server fall ill to this vulnerability on Friday
night.  It wasn't a pretty sight to say the least.

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce


Thanks for the heads up on this. Unless you have updated your BlackICE
in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166

http://www.eeye.com/html/Research/Advisories/AD20040318.html


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick
Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce.

We were hit by a destructive worm.
http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers.

We are in the process of recovering from backups.

Fred
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.


[AUTOMATED NOTE: Your mail server [209.184.248.29] is missing a reverse
DNS entry. All Internet hosts are required to have a reverse DNS entry.
The missing reverse DNS entry will cause your mail to be treated as spam
on some servers, such as AOL.]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Detecting disguised url's in headers

2004-03-19 Thread Jason
It is a rule.  They are located in a rules.ima (inbound rules file).
The rules.ima file gets placed in the top directory of the domain that
you want to use it on.  There is lots of data about this in the
knowledge base on Imails web site.


Regards,


Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harry
Vanderzand
Sent: Friday, March 19, 2004 12:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers


Where is this set in imail?  Is it antispam of imail as we do not use
it.

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jason
 Sent: Friday, March 19, 2004 1:41 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers
 
 
 We created an Imail rule to block these. Here is what we use:
 
 (http\://\d\d\.|http\://\d\d\d\.):spambox
 
 
 This seems to work very well.
 
 
 Jason
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Harry Vanderzand
 Sent: Friday, March 19, 2004 12:30 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Detecting disguised url's in headers
 
 
 IE this url: //205.159.%372.%32%30/mort/  obviously gets
 translated and I could do so also.  It would take a lot of 
 extra time.  I copy the url out of headers of spam that gets 
 through and put it into my filter file. These are bothersome however.
 
 Is there a way that we could just mark these kind of mails as
 spam?  I think it would be just spammers that do this.
 
 thanks
 
 Harry Vanderzand
 inTown Internet  Computer Services 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 
 [AUTOMATED NOTE: Your mail server [66.140.194.140] is missing
 a reverse DNS entry. All Internet hosts are required to have 
 a reverse DNS entry. The missing reverse DNS entry will cause 
 your mail to be treated as spam on some servers, such as AOL.]
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Detecting disguised url's in headers

2004-03-19 Thread Jason
Well, let us ask the entire list if there are valid reasons that people
would send an IP in a URL.  I tested this for 2 months and didn't have a
single legitimate e-mail like this.  We did have people sending IP
addresses, but not as a url.  For example:  My server IP is
156.23.140.10.  Not one case had someone say  my website is
http://[insert ip here] 



Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harry
Vanderzand
Sent: Friday, March 19, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers


I am not sure if my request here is being understood.

I would not want to mark all messages with an IP in the url as spam.
Only those messages that use %nnn%nnn%nnn etc.  When you view source of
an html message you can see this kind of coding. As in this case:
//205.159.%372.%32%30/mort/

We always do a view source and take the url out of the source and then
blacklist that, for those messages that were no caught by anti-spam at
the time.

I do not know what that process is called and have only ever seen it in
source code of certain spam e-mail

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jason
 Sent: Friday, March 19, 2004 1:41 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers
 
 
 We created an Imail rule to block these. Here is what we use:
 
 (http\://\d\d\.|http\://\d\d\d\.):spambox
 
 
 This seems to work very well.
 
 
 Jason
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Harry Vanderzand
 Sent: Friday, March 19, 2004 12:30 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Detecting disguised url's in headers
 
 
 IE this url: //205.159.%372.%32%30/mort/  obviously gets
 translated and I could do so also.  It would take a lot of 
 extra time.  I copy the url out of headers of spam that gets 
 through and put it into my filter file. These are bothersome however.
 
 Is there a way that we could just mark these kind of mails as
 spam?  I think it would be just spammers that do this.
 
 thanks
 
 Harry Vanderzand
 inTown Internet  Computer Services 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 
 [AUTOMATED NOTE: Your mail server [66.140.194.140] is missing
 a reverse DNS entry. All Internet hosts are required to have 
 a reverse DNS entry. The missing reverse DNS entry will cause 
 your mail to be treated as spam on some servers, such as AOL.]
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] New CMD space test info

2004-02-18 Thread Jason
For some reason this isn't coming up in the archives (though I know I've
seen it)

Can someone shoot me the config line for the new CMDSPACE ?


Thanks


Jason

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Kill List not working.....

2004-02-10 Thread Jason
Ah, but the Kill.lst is an envelope rejection.  It saves many more
resources this way.

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, February 10, 2004 2:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Kill List not working.


Bennie, blocking spammers by their domain name only is a losing
proposition. You're already using SBL... I'd suggest that you also
implement the SORBS tests and the MAILPOLICE tests.  

Checking my own spam, we also received mail from this spammer, but we
caught it without having to check for their domain name du jeur.

Andrew.

-Original Message-
From: Bennie [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 10, 2004 3:18 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Kill List not working.


Hello all.

I was asked some time ago to add a domail to my kill list.. I added it.
But the customer is still recieving spam from this domail.  They sent me
the headers (I have them listed below) and I see the domail in the
headers.  but I never see where it failed the KillList.

Headers---

Received: from mail.ramthehole.com [66.110.74.50] by mail.pepperlink.net
  (SMTPD32-8.05) id A398669F0140; Mon, 09 Feb 2004 23:52:40 -0500
Date: Mon, 09 Feb 2004 23:57:24 -0500
Subject: Exclusive X-Soaked Model Photos
From: Budapest Bukkake [EMAIL PROTECTED]
To:
Return-Path: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
X-Mailer: Mailer Software (rev. 01/15/2004)
Message-Id: [EMAIL PROTECTED]
MIME-version: 1.0
Content-type: multipart/alternative; boundary=iqxhhbldriaiwihk
X-RBL-Warning: SBL: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12919
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 66.110.74.50
with no reverse DNS entry.
X-RBL-Warning: WEIGHT10: Weight of 12 reaches or exceeds the limit of
10.
X-Declude-Sender: [EMAIL PROTECTED] [66.110.74.50]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
for spam.
X-Spam-Tests-Failed: SBL, SORBS-SPAM, NOLEGITCONTENT, REVDNS, WEIGHT10
[12]
X-Note: QueInControl: D6398669f014033a3.SMD (1)
X-Spam-Tests-Failed: SBL, SORBS-SPAM, NOLEGITCONTENT, REVDNS, WEIGHT10
[12]
X-Note: RDNS Real Origin: [No Reverse DNS][66.110.74.50]
X-Note: SMTP Real From: [EMAIL PROTECTED]
X-Note: SMTP Real To:
X-Note: This E-mail was sent from [No Reverse DNS] ([66.110.74.50]).
X-RBL-Warning: Total spam weight of this E-mail is 12.
X-RCPT-TO:
Status: U
X-UIDL: 374908735

Here is the entry in my killl list file

.ramthehole.com  ID-20040204-pep007

here is the line from my GLOBAL.CFG

KFROMfromfile  e:\imail\declude\fromfile.txt x
15 0
KFrom   WARN

Line from $DEFAULT$.JUNKMAIL

KFROM   WARN X-RBL-Warning: This E-mail failed the KILL File test

Thanks
Bennie



---
[This E-mail scanned for viruses by Declude Virus]

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: Re[4]: [Declude.JunkMail] JunkMail User Friendly Interface

2004-02-08 Thread Jason
Those are both great pages, but coming from the standard user point of
view, most will be confused from this.  The page I was referring to was
3 or 4 radio buttons, and a 1 line explanation of each.  Like   NO
BLOCKING - Everthing will go through, STRICT BLOCKING - Only people in
your online address book can send mail to you

Jason



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Terry Fritts
Sent: Sunday, February 08, 2004 4:50 AM
To: Jason
Subject: Re[4]: [Declude.JunkMail] JunkMail User Friendly Interface



 Someone about 2 months ago had posted that they had a page built into 
 Imail Web Messaging that had 3 or 4 custom settings, like no 
 filter, medium High and whitelist only.

One from Sanford:

 It  can  be built using the IMail Web Messaging interface, but I don't

 think  anybody's  come up with a one-size solution yet. A rather wordy
 sample   is   at  http://webmail.cypressintegrated.com:8383.  See  the
 SPAManager Settings areas.
 
 Username: [EMAIL PROTECTED]
 Password: blue

And another from Erik Hjelholt:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg10239.html

referencing:  https://ss.alberni.net/spamcontrol/Login.asp
  'declude' and the password is 'junkmail'

  

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: Re[2]: [Declude.JunkMail] JunkMail User Friendly Interface

2004-02-07 Thread Jason
Someone about 2 months ago had posted that they had a page built into
Imail Web Messaging that had 3 or 4 custom settings, like no filter,
medium High and whitelist only.  IIRC, they said that they only
needed to clean up their code, and they may post it for all to share.
If that person is still here, is it possible to share your efforts?

Thanks!


Jason



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Saturday, February 07, 2004 11:47 AM
To: Joe Wolf
Subject: Re[2]: [Declude.JunkMail] JunkMail User Friendly Interface


 Someone  with  some  skills could probably come up with a user front 
 end  of  some  kind  (biggest  problem that comes to my mind is that 
 there's  no  real  web  server  on an Imail box. I don't know if you 
 could use the Ipswitch features or not.)

We've  built  several user self-configuration interfaces using IMail's
built-in  web  server,  thus preserving single sign-on, look-and-feel,
and simplicity.

Each  project  like  this  is  unique,  so  there's no one prepackaged
interface. Feel free to contact me off-list for further discussion.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Distributed Dictionary Attack

2004-02-04 Thread Jason
Try running Black ICE on the server.  It does a pretty decent job of
auto blocking dictionary attacks.  We have it set to close and block a
connection after 6 invalid users from an ip in 30 seconds

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Wednesday, February 04, 2004 11:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Distributed Dictionary Attack


The interesting thing about these messages is that the ones I've seen
generally don't have multi-hop trails. They look like a zombie
connecting directly to the mail server.

The blocklists are great, but at that volume, I can't run Declude on the
messages without killing the server.  So I seem to have two options,
both of which I am using: block the IPs before the server, and issue
invalid user errors.

One othe thing i noticed this evening that points to a coordinated
effort: There is very little duplication of the to addresses. The most
commonly duplicated address was used only about 150 times in a sample of
275,000 attempts.

This is a small domain, one of about 500 on my system, and it has maybe
eight or nine mailboxes.

Country sources include a lot of Korea and Taiwan, and I have actually
blocked some very large blocks of IP addresses in those places based on
the source IPs being well distributed. But there are a lot coming from
Canada and the US, also. I've seen a lot of the usual suspects -
Comcast, Road Runner, and Rogers.

-Dave


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Russian letters

2003-12-31 Thread Jason
Friends?   :)


Happy Hollidays Everyone!


Jason



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Doug Anderson
Sent: Wednesday, December 31, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Russian letters


Careful if using NonEnglish.
We have Spanish and French users - nonEnglish can catch them. Don't want
to piss off our friends to the north or south.

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 31, 2003 1:18 PM
Subject: Re: [Declude.JunkMail] Russian letters



 Is there any way to delete the Russian type spam that you cant read
because
 it is all in Russian but it is a nuisance.

 The NONENGLISH test is designed to do this.  You can use it by adding 
 a
line:

  NONENGLISH  nonenglish  x   x   0   0

 to your \IMail\Declude\global.cfg file.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail 
 mailservers. Declude Virus: Catches known viruses and is the leader in

 mailserver vulnerability detection. Find out what you've been missing:

 Ask about our free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
 unsubscribe Declude.JunkMail.  The archives can be found at 
 http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] SpamDomains

2003-12-03 Thread Jason Newland
I don't know how hard it would be, but what about just adding in a pre filter in the 
spamdomains test that will bypass the test.  Like:


Spamdomains.txt:

[RDNS excluded from check]

ebay.com
greetingcardvendor.com


[includes]
.yahoo.com
@msn.com
etc, etc


This would also allow us to build our list of acceptable excluded addresses together, 
further improving the tests accuracy.


Jason



-- Original Message --
From: Matthew Bramble [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 03 Dec 2003 19:38:18 -0500

Alejandro,

 From the Declude JunkMail manual page:

This test will catch E-mail that is not coming from a mailserver
that it should be coming from. This test will only work if you set
up a file listing domains that you wish to be included in this test.
Specifically, it will check the return address of the E-mail, and
then check to see if the reverse DNS entry of the IP that the E-mail
was sent from contains the domain name. If not, the E-mail fails the
test. For example, if hotmail.com is listed in the
\IMail\Declude\spamdomains.txt file, then an E-mail coming from
law2.hotmail.com would not fail the test, but an E-mail from
mail.example.ru would fail the test.

You can search the archives for some discussions of this.  It's hardly 
foolproof, things like greeting cards and send-a-link sites will often 
fail the test because they send E-mail with a MAILFROM address of the 
person sending the note and not the service sending the note.  I suggest 
that you always use the @ symbol in the first column, and you should set 
up two different files and score them differently.  One should be for 
ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the 
other should be for businesses that are often spoofed such as Microsoft, 
PayPal, Symantec/Norton, McAfee.  Be careful not to include companies 
that may use thrid-party mass mailers for newsletters.  The second type 
of test can be scored higher because you are less likely to be getting 
greeting cards from people with real addresses at these companies than 
you are from places like AOL.

You might also be thinking of including your own domains in this test, 
but that again should be in a totally different file, and scored very 
low because even if you are using WHITELIST AUTH functionality, you will 
most definitely get users sending E-mail with your hosted addresses 
configured in their E-mail program but are using someone else's mail 
server, or without WHITELIST AUTH, they will fail when using your own 
mail server.

Matt

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SpamDomains

2003-12-03 Thread Jason
Say for example I have 10,000 people using MSN.com addresses to spam me
with.

I add the spamdomains test and enter in @msn.com into it.

Now it does well to stop the spammers, but now I am falsely tagging mail
from ebay.com [EMAIL PROTECTED] making a bid inquiry.

If we could have a spamdomains RDNS whitelist, then anything with a
.ebay.com address is whitelisted, or whatever we put in the list.

I know we can whitelist in the main .cfg file, but I'm not sure I would
want to whitelist ebay from every test, just whitelist from the
spamdomains test.


Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Wednesday, December 03, 2003 8:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamDomains


Everything is already excluded from the spamdomains test except that
which you specifically included.  So I'm not sure I understand what
you're asking for here?

Bill
- Original Message - 
From: Jason Newland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 5:29 PM
Subject: Re: [Declude.JunkMail] SpamDomains


 I don't know how hard it would be, but what about just adding in a 
 pre
filter in the spamdomains test that will bypass the test.  Like:


 Spamdomains.txt:

 [RDNS excluded from check]

 ebay.com
 greetingcardvendor.com


 [includes]
 .yahoo.com
 @msn.com
 etc, etc


 This would also allow us to build our list of acceptable excluded
addresses together, further improving the tests accuracy.


 Jason



 -- Original Message --
 From: Matthew Bramble [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Wed, 03 Dec 2003 19:38:18 -0500

 Alejandro,
 
  From the Declude JunkMail manual page:
 
 This test will catch E-mail that is not coming from a mailserver
 that it should be coming from. This test will only work if you
set
 up a file listing domains that you wish to be included in this
test.
 Specifically, it will check the return address of the E-mail, and
 then check to see if the reverse DNS entry of the IP that the
E-mail
 was sent from contains the domain name. If not, the E-mail fails
the
 test. For example, if hotmail.com is listed in the
 \IMail\Declude\spamdomains.txt file, then an E-mail coming from
 law2.hotmail.com would not fail the test, but an E-mail from
 mail.example.ru would fail the test.
 
 You can search the archives for some discussions of this.  It's 
 hardly foolproof, things like greeting cards and send-a-link sites 
 will often fail the test because they send E-mail with a MAILFROM 
 address of the person sending the note and not the service sending 
 the note.  I suggest that you always use the @ symbol in the first 
 column, and you should set up two different files and score them 
 differently.  One should be for ISP's and E-mail providers such as 
 AOL, HotMail, Yahoo, etc., and the other should be for businesses 
 that are often spoofed such as Microsoft, PayPal, Symantec/Norton, 
 McAfee.  Be careful not to include companies that may use thrid-party

 mass mailers for newsletters.  The second type of test can be scored 
 higher because you are less likely to be getting greeting cards from 
 people with real addresses at these companies than you are from 
 places like AOL.
 
 You might also be thinking of including your own domains in this 
 test, but that again should be in a totally different file, and 
 scored very low because even if you are using WHITELIST AUTH 
 functionality, you will most definitely get users sending E-mail with

 your hosted addresses configured in their E-mail program but are 
 using someone else's mail server, or without WHITELIST AUTH, they 
 will fail when using your own mail server.
 
 Matt
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
 unsubscribe Declude.JunkMail.  The archives can be found at 
 http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SpamDomains

2003-12-03 Thread Jason
Ahh, but us poor folks that have the standard version are out of luck
:-(


Guess I have a good reason to upgrade now.  


Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Wednesday, December 03, 2003 9:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamDomains


Jason,

I have a separate 'white' filter for that sort of thing :)

Matt



Jason Newland wrote:

I don't know how hard it would be, but what about just adding in a 
pre filter in the spamdomains test that will bypass the test.  Like:


Spamdomains.txt:

[RDNS excluded from check]

ebay.com
greetingcardvendor.com


[includes]
.yahoo.com
@msn.com
etc, etc


This would also allow us to build our list of acceptable excluded 
addresses together, further improving the tests accuracy.


Jason



-- Original Message --
From: Matthew Bramble [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 03 Dec 2003 19:38:18 -0500

  

Alejandro,

From the Declude JunkMail manual page:

   This test will catch E-mail that is not coming from a mailserver
   that it should be coming from. This test will only work if you set
   up a file listing domains that you wish to be included in this
test.
   Specifically, it will check the return address of the E-mail, and
   then check to see if the reverse DNS entry of the IP that the
E-mail
   was sent from contains the domain name. If not, the E-mail fails
the
   test. For example, if hotmail.com is listed in the
   \IMail\Declude\spamdomains.txt file, then an E-mail coming from
   law2.hotmail.com would not fail the test, but an E-mail from
   mail.example.ru would fail the test.

You can search the archives for some discussions of this.  It's hardly
foolproof, things like greeting cards and send-a-link sites will often

fail the test because they send E-mail with a MAILFROM address of the 
person sending the note and not the service sending the note.  I
suggest 
that you always use the @ symbol in the first column, and you should
set 
up two different files and score them differently.  One should be for 
ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the 
other should be for businesses that are often spoofed such as
Microsoft, 
PayPal, Symantec/Norton, McAfee.  Be careful not to include companies 
that may use thrid-party mass mailers for newsletters.  The second
type 
of test can be scored higher because you are less likely to be getting

greeting cards from people with real addresses at these companies than

you are from places like AOL.

You might also be thinking of including your own domains in this test,
but that again should be in a totally different file, and scored very 
low because even if you are using WHITELIST AUTH functionality, you
will 
most definitely get users sending E-mail with your hosted addresses 
configured in their E-mail program but are using someone else's mail 
server, or without WHITELIST AUTH, they will fail when using your own 
mail server.

Matt





---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Setting up local DNSBL

2003-11-25 Thread Jason Newland
I have been thinking about setting up an in-house DNSBL and would
appreciate it if some kind person here could point me in the right
direction on getting started.  I can pretty much figure out how to
create a e-mail submission for the service when I want to make updates,
but I'm not to sure on the DNS setup.


Thanks in Advance!


Jason


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Opinions on web interface

2003-11-06 Thread Jason Newland
Would you be interested in sharing this. It looks great!

Thanks!

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Grotjan
Sent: Thursday, November 06, 2003 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Opinions on web interface


Scot,
The web interface looks good.  I created something similar using ASP and
a custom COM object I wrote.  I uses Imail rules instead of the
individual junkmail files to process the mail based on weight test.  I
implemented it about a month ago and so far we have over a thousand
users using it and all of them are thrilled about it.  I don't have a
demo set up, but I have a screenshot of it if you want to see.
http://www.kimbanet.com/junkmail.jpg

Daniel
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPAMCOP Account

2003-10-30 Thread Jason Newland
Typically I only send SPAMCOP e-mails that pass through our Declude
filters.  The theory being that now SPAMCOP will know about that
address, list it, and it won't clear Declude again.

I don't see the reasoning behind sending SPAMCOP thousands of e-mails
per day that are already stopped by your system.  The benefit of
manually sending is exactly what Kami noted below.  You won't
inadvertently submit good guys.  Also, if you poke around SPAMCOPS site,
there is a program you can get called SpamSource that plugs into
Outlook.  Once installed/configured, all I have to do to report spam is
click on the SpamSource button, and it submits to SPAMCOP.  


Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, October 30, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPAMCOP Account


Dan..

BE VERY CAREFUL IF YOU DO THIS...

We were doing this and once someone from the list sent me an email with
bunch of keywords in it.. The system automatically forwarded it to the
SPAMCop account.

If you do this make sure you review every spam that goes into your
account and approve them knowing it is a spam and not someone that just
happen to send you bunch of words in your filter file.

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Thursday, October 30, 2003 4:53 PM
To: Declude JunkMail
Subject: [Declude.JunkMail] SPAMCOP Account

Hello, All,
I signed up for a free Spamcop account a few weeks ago and I've been
using it to submit spam via their web-based form.  In addition to
allowing spam submittal via a web-based form they also give you a unique
e-mail address which you can forward spam to.  I was thinking about
setting up Declude JunkMail to send all the mail which I would normally
just DELETE because of High weight to this unique e-mail address.
Before I do this I had a few questions...

1)  Does anyone else do what I am describing?  If so, does it work well?

2)  If I want to forward all mail above a certain weight, say a weight
of 45, would the ROUTETO action be the correct action to use.  I don't
want to keep a copy of the e-mail in my HOLD directory.

3)  If ROUTETO is the correct action, when the message is sent to
Spamcop what will the FROM address be?  Will it be the original sender's
e-mail address or a special e-mail address which DJM assigns to itself?

I think that's all for now.

Thanks, Much!
Dan Geiser [EMAIL PROTECTED]

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group
http://www.nexustechgroup.com/mailscan

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Happy days are here again...

2003-10-03 Thread Jason Newland
So as of Monday are we going to have a new organization running the .com /
.net TLDs?  lol

It's about time

Buh Bye Verislime

Jason

- Original Message -
From: Joshua Levitsky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 03, 2003 2:12 PM
Subject: [Declude.JunkMail] Happy days are here again...


 I could not be happier...

 http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm


 --
 Joshua Levitsky, CISSP, MCSE
 System Engineer
 AOL Time Warner
 [5957 F27C 9C71 E9A7 274A  0447 C9B9 75A4 9B41 D4D1]

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] OBFUSCATION filter

2003-09-15 Thread Jason Newland
But, Kami just listed the revdns whitelists, wouldn't the spammer have to
have a RDNS listing of something in her whitelist (not likely) to take
advantage of the listing?

Jason

- Original Message -
From: Keith Anderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 10:05 AM
Subject: RE: [Declude.JunkMail] OBFUSCATION filter



 Sorry, my fault for asking.

  Kami, I hope there are no spammers monitoring this list since
  now they know
  how to easily spam your e-mail domains.  It is never a good
  idea to share
  your whitelists in a public forum.


 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Email addresses on a company webpage?

2003-09-15 Thread Jason wolfe
Generally speaking, what are the bots looking for? Only mailto:'s? Or are they smart 
enough to use a regex search and find any text of the form [EMAIL PROTECTED]?

Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
I'm pretty new to Declude Spam so I may have something setup wrong.

I have --

IMail: 7.0 ?5?
Declude Junkmail: 1.75 Pro

Virtual Domain: mail.example.com
With alias: example.com

Mailbox that has forwarding on it
[EMAIL PROTECTED]
  forwards to: [EMAIL PROTECTED]  [EMAIL PROTECTED]

User1   has user config file (user1.junkmail)
User3   has user config file (user2.junkmail)
mail.example.com   has default config file ($default$.junkmail)

All three config files are basically the say, with the only difference being
the WHITELISTFILE settings.

declude   has default config file ($default.junkmail)
This config file has everything turned off.
**

Now if a message is sent to User1 it fails tests, the log says that it is
moving the message to the spambox mailbox (this is the correct action), but
it never makes it, and the users that are setup to receive the forwarded
message get it.  Now the final users, get the message, in the headers it
says it fails but no action is taken.

If I remove the forward.ima file from the User1 directory (turning off
forwarding) everything behaves as it should ( the message goes into the spam
box).  Put the forwarding back on and it reverts bas to the problem state.

Below is the debug log file, as you can see the log thinks the message is
being moved to the correct place, but it never gets there.  And there are no
logs for the forwarded message to User2 and User3.

Am I doing some wrong. If you want I can show you the config files.

Thanks in advance.

--Jason W. Allen


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
What I don't understand, is that the logs say it is using the correct config
file and then performing the correct action.  But that is as far as it goes.
The message doesn't actually get moved the Spambox Mailbox, but gets
forwarded on to the downstream users and then settings don't pick it up.

The SMTP logs, just show the message being received and then being converted
to a .FWD File and forwarded to User2  User3



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 10:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] mailbox forwarding no action



Virtual Domain: mail.example.com
With alias: example.com

Mailbox that has forwarding on it
[EMAIL PROTECTED]

In this case, all E-mail sent to [EMAIL PROTECTED] will use the
configurations for [EMAIL PROTECTED].  that would be a per-user file
\IMail\Declude\mail.example.com\user1.JunkMail or a per-domain file
\IMail\Declude\mail.example.com.

   forwards to: [EMAIL PROTECTED]  [EMAIL PROTECTED]

That actually isn't relevant here -- the E-mail will be scanned based on
the settings for user1.

Now if a message is sent to User1 it fails tests, the log says that it is
moving the message to the spambox mailbox (this is the correct action), but
it never makes it, and the users that are setup to receive the forwarded
message get it.

Have you checked the IMail SMTP log files?  They should provide some
information as to what is happening.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
I have added the ., to the forward file and now a copy of the message gets
moved to the spambox.  But the message still goes downstream to the
forwarded to Users and does not get picked up as spam.

I think I follow the logic, of why this is not working: the message comes in
from the outside, a copy is made to be processed by the forwarding Engine,
the external (original message) gets tested, and since I don't have a copy
being saved to the original recipient it doesn't do anything (since I
enabled '.', it does get processed by declude and gets moved to the
spambox--Correctly), the FWD Message does not get tested since it is now
internal to the server, and goes to the downstream users, never getting
tested, no action is taken and spam gets through.  Is this the correct
logic, or am I missing something?

Is there a way around this, such as once the message is moved then it is no
longer forwarded, or that an internal message (the FWD message that gets
processed by the SMTP-FWD) gets scanned by the Junkmail?  Or should I revise
my whole policy about forwarding?

--Jason W. Allen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action



What I don't understand, is that the logs say it is using the correct
config
file and then performing the correct action.  But that is as far as it
goes.
The message doesn't actually get moved the Spambox Mailbox, but gets
forwarded on to the downstream users and then settings don't pick it up.

What happens here is Declude JunkMail changes the recipient's address from
[EMAIL PROTECTED] to [EMAIL PROTECTED], and IMail is then
supposed to deliver it to the spambox account.

The SMTP logs, just show the message being received and then being
converted
to a .FWD File and forwarded to User2  User3

Are you sure that you have a ., at the beginning of the forwarding
line?  Without that, IMail won't keep a copy in the original recipient's
mailbox.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
So in other words, If I have mailboxes with forwarding on them Spam will
still get through.

Disappointing...

--Jason W. Allen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 11:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action



I have added the ., to the forward file and now a copy of the message gets
moved to the spambox.  But the message still goes downstream to the
forwarded to Users and does not get picked up as spam.

That is the way that it should work.  E-mail that is forwarded from one
user to another automatically in IMail (as opposed to aliases or forwarding
from a mail client) bypasses any scanning.

I think I follow the logic, of why this is not working: the message comes
in
from the outside, a copy is made to be processed by the forwarding Engine,
the external (original message) gets tested, and since I don't have a copy
being saved to the original recipient it doesn't do anything (since I
enabled '.', it does get processed by declude and gets moved to the
spambox--Correctly), the FWD Message does not get tested since it is now
internal to the server, and goes to the downstream users, never getting
tested, no action is taken and spam gets through.  Is this the correct
logic, or am I missing something?

Very close.  The forwarding is actually handled by IMail after the E-mail
is processed by Declude, so there is no evidence of forwarding when Declude
sees the E-mail.

Is there a way around this, such as once the message is moved then it is no
longer forwarded, or that an internal message (the FWD message that gets
processed by the SMTP-FWD) gets scanned by the Junkmail?

Unfortunately, I'm not aware of any way around this.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
It appears that I spoke too soon...

I have figured it out.  I really don't want to beat a dead horse, but I
really needed a solution for this.  We have Addresses that need to have mail
come from them, but note really receive mail, that why it needs to have a
real mailbox (valid user) to send mail.  Such as techsupport, etc.

But these mailboxes are forwarded to multiple people, but with the
configuration all the end mailboxes get a ton of spam, that's why it very
important, that I find a solution.

So for anybody that's interested here is the fix.

For the mailbox that is currently forwarded:  [EMAIL PROTECTED]
Remove all the forwarding on this box.

Create an Alias that has the same name as the Mailbox:  [EMAIL PROTECTED]
Forward this alias to the user(s) you need, to make sure that you can use
the existing config files, make sure you forward to the Full Host, such as
[EMAIL PROTECTED]  You can also setup the forwarding to a list file,
See the Imail documentation for that.

There you have it.  Any spam that comes in for the Alias will get redirected
before in gets tested by declude, making declude think that the message came
directly to the end user and test it accordingly.

--Jason W. Allen


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jason W. Allen
Sent: Wednesday, September 10, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action


So in other words, If I have mailboxes with forwarding on them Spam will
still get through.

Disappointing...

--Jason W. Allen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 11:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action



I have added the ., to the forward file and now a copy of the message gets
moved to the spambox.  But the message still goes downstream to the
forwarded to Users and does not get picked up as spam.

That is the way that it should work.  E-mail that is forwarded from one
user to another automatically in IMail (as opposed to aliases or forwarding
from a mail client) bypasses any scanning.

I think I follow the logic, of why this is not working: the message comes
in
from the outside, a copy is made to be processed by the forwarding Engine,
the external (original message) gets tested, and since I don't have a copy
being saved to the original recipient it doesn't do anything (since I
enabled '.', it does get processed by declude and gets moved to the
spambox--Correctly), the FWD Message does not get tested since it is now
internal to the server, and goes to the downstream users, never getting
tested, no action is taken and spam gets through.  Is this the correct
logic, or am I missing something?

Very close.  The forwarding is actually handled by IMail after the E-mail
is processed by Declude, so there is no evidence of forwarding when Declude
sees the E-mail.

Is there a way around this, such as once the message is moved then it is no
longer forwarded, or that an internal message (the FWD message that gets
processed by the SMTP-FWD) gets scanned by the Junkmail?

Unfortunately, I'm not aware of any way around this.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
Some of the mail is not coming from a client.  I have mail auto generators
on some servers for certain apps, and websites.  If I try to send from an
alias I get relaying errors, since I can't use other settings, other then a
mailfrom.  So that's why I need a valid Email Address.

--Jason W. Allen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Charles Frolick
Sent: Wednesday, September 10, 2003 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action


Why do they have to have a real mail box?  I send mail as aliases all
the time, my support, sales, postmaster, hostmaster, webmaster, staff,
etc., addresses are all aliases but I have no problem sending as them,
as long as the client is configured correctly.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason W. Allen
Sent: Wednesday, September 10, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action


It appears that I spoke too soon...

I have figured it out.  I really don't want to beat a dead horse, but I
really needed a solution for this.  We have Addresses that need to have
mail
come from them, but note really receive mail, that why it needs to have
a
real mailbox (valid user) to send mail.  Such as techsupport, etc.

But these mailboxes are forwarded to multiple people, but with the
configuration all the end mailboxes get a ton of spam, that's why it
very
important, that I find a solution.

So for anybody that's interested here is the fix.

For the mailbox that is currently forwarded:  [EMAIL PROTECTED]
Remove all the forwarding on this box.

Create an Alias that has the same name as the Mailbox:
[EMAIL PROTECTED]
Forward this alias to the user(s) you need, to make sure that you can
use
the existing config files, make sure you forward to the Full Host, such
as
[EMAIL PROTECTED]  You can also setup the forwarding to a list
file,
See the Imail documentation for that.

There you have it.  Any spam that comes in for the Alias will get
redirected
before in gets tested by declude, making declude think that the message
came
directly to the end user and test it accordingly.

--Jason W. Allen


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jason W. Allen
Sent: Wednesday, September 10, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action


So in other words, If I have mailboxes with forwarding on them Spam will
still get through.

Disappointing...

--Jason W. Allen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 11:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action



I have added the ., to the forward file and now a copy of the message
gets
moved to the spambox.  But the message still goes downstream to the
forwarded to Users and does not get picked up as spam.

That is the way that it should work.  E-mail that is forwarded from one
user to another automatically in IMail (as opposed to aliases or
forwarding
from a mail client) bypasses any scanning.

I think I follow the logic, of why this is not working: the message
comes
in
from the outside, a copy is made to be processed by the forwarding
Engine,
the external (original message) gets tested, and since I don't have a
copy
being saved to the original recipient it doesn't do anything (since I
enabled '.', it does get processed by declude and gets moved to the
spambox--Correctly), the FWD Message does not get tested since it is
now
internal to the server, and goes to the downstream users, never getting
tested, no action is taken and spam gets through.  Is this the correct
logic, or am I missing something?

Very close.  The forwarding is actually handled by IMail after the
E-mail
is processed by Declude, so there is no evidence of forwarding when
Declude
sees the E-mail.

Is there a way around this, such as once the message is moved then it
is no
longer forwarded, or that an internal message (the FWD message that
gets
processed by the SMTP-FWD) gets scanned by the Junkmail?

Unfortunately, I'm not aware of any way around this.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com

Re: [Declude.JunkMail] autowhitelist wildcard?

2003-09-10 Thread Jason Newland
So the e-mail that Mr. Koehler listed yesterday afternoon about this subject
is incorrect?  Darn, that would be an awesome feature.  His e-mail is listed
below...


Personal Whitelist

A personal whitelist allows you to accept email messages from any email
address you want no matter how many Spam tests the message actually fails.

There are three options currently available in the personal whitelist
feature. You can whitelist individual email addresses, whitelist all
messages from a certain domain and, if you do not want the anti-Spam service
at all, you can whitelist all messages sent to your address.

E-mail Options -

1. [EMAIL PROTECTED] - whitelist a single email address.

2. [EMAIL PROTECTED] - whitelist all messages from a certain domain. To
whitelist all messages from hotmail.com enter [EMAIL PROTECTED] For all
messages from aol.com enter [EMAIL PROTECTED]

3. [EMAIL PROTECTED] - whitelist all messages from everyone (turns off Spam
filtering). Enter [EMAIL PROTECTED] to whitelist all messages sent to your
address.




Jason
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 11:39 AM
Subject: Re: [Declude.JunkMail] autowhitelist wildcard?



 Is there any wildcard character that can be used in the address book
 addresses for the autowhitelist feature.  For instance, if I was
 subscribed to a newsletter that was sent from [EMAIL PROTECTED],
 where the numbers after someone are different every time, is there some
 way to put it in the address book without having to whitelist
 [EMAIL PROTECTED]

 No, there are no wildcards.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you have been missing: Ask for a free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
See now you've confused me... Which isn't very hard.

I believe I have Relay for Local Users Only (If I look in the Imail admin
interface, that what it says, but it says relay by addresses in the web
admin).  Yet If I test relaying (by telneting in and trying to send
something with a local user address), I still get a relaying error and it
won't let it.   To me that means I'm am not a Open relay.  But I still need
a local usermailbox to send from my App mailers.

--Jason W. Allen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sanford Whiteman
Sent: Wednesday, September 10, 2003 2:13 PM
To: Jason W. Allen
Subject: Re[2]: [Declude.JunkMail] mailbox forwarding no action


 If  I try to send from an alias I get relaying errors, since I can't
 use  other  settings,  other then a mailfrom. So that's why I need a
 valid Email Address.

Please  don't  tell us that you're using 'Relay for Local Users'--i.e.
that  you're  running  an  open  relay  (unless  this  is only exposed
internally).

While some apps can't handle AUTH, is there some reason that you can't
relay by IP? Are these server IPs really changing all that much?

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action

2003-09-10 Thread Jason W. Allen
Working on it.  Thanks for the tests, I don't know what I was doing wrong.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Charles Frolick
Sent: Wednesday, September 10, 2003 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action


Just relayed an email through your server from my desk.
Transcript folows:

Opening mail.mpgis.net...
 220 gershwin.mpgis.net (IMail 7.07 36033-2) NT-ESMTP Server X1
 HELO argolink.net
 250 hello gershwin.mpgis.net
 MAIL FROM: [EMAIL PROTECTED]
 250 ok
 RCPT TO: [EMAIL PROTECTED]
 250 ok its for [EMAIL PROTECTED]
 DATA
 354 ok, send it; end with CRLF.CRLF
 Sending Data...
 250 Message queued
 QUIT
 221 Goodbye

You are an open relay. The ONLY acceptable settings are, relay for
address or no relay.

Thank you,
Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason W. Allen
Sent: Wednesday, September 10, 2003 1:57 PM
To: [EMAIL PROTECTED]
Subject: RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action


See now you've confused me... Which isn't very hard.

I believe I have Relay for Local Users Only (If I look in the Imail
admin
interface, that what it says, but it says relay by addresses in the web
admin).  Yet If I test relaying (by telneting in and trying to send
something with a local user address), I still get a relaying error and
it
won't let it.   To me that means I'm am not a Open relay.  But I still
need
a local usermailbox to send from my App mailers.

--Jason W. Allen

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Death to Trustic Trustic Service Ending

2003-08-02 Thread Jason Newland


Everyone,

We have decided to close the Trustic service. As has become apparent 
recently, there are several issues with the system as it is designed. As

such, we do not believe Trustic will reach the level of accuracy that we

require. The issue of handling large ISPs that, for the most part, deal 
with spam complaints is one of the main flaws in the Trustic system for 
which we see no apparent solution.

Registrations have been disabled on the site. Within a day the site 
itself will be taken down and replaced with a notice. The DNS blocklist 
will remain for a couple of weeks, but it will be configured to never 
return a match. Please reconfigure your mail servers to not query the 
blocklist.

We remain confident that the problem of spam is a solvable problem. 
Thank you for your help with this great experiment.


Mark

-- 
Mark Fletcher
Trustic, Inc
http://www.trustic.com
http://www.bloglines.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Spamdomains com.

2003-08-01 Thread Jason Newland
Title: Message



I 
think that while the spamdomains test is wonderful, many people are trying to 
overuse it as a test. IMO it is there to protect against forgeries of the 
major e-mailservices, and it does that task great. It's usefullness 
declines when it is used in a greater fashion. For example, we stop a 
couple hundred e-mails that use aol, msn, hotmail, yahoo, etc, but we stop only 
1-3 on smaller domains. Using this test for the smaller domains isn't 
worth the false positives that it produces. But again in the defense of 
spamdomains, this isn't "his" fault. It just wasn't mean for 
that...


Jason



  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Todd - Smart MailSent: Friday, August 01, 2003 
  6:45 PMTo: [EMAIL PROTECTED]Subject: 
  [Declude.JunkMail] Spamdomains com. 
  FYI Spamdomians failed this. Which it 
  should have based on my SP entry ofcom.although it was a valid 
  email. Its an invoice sent by someone to my client though intuits online 
  invoicing system.
  
  What is everyone using for "com." 
  
  
  
  Received: from mail2.smart-mail.net 
  [65.16.167.134] by net.smart-mail.net (SMTPD32-7.07) id AC92AD90152; 
  Fri, 01 Aug 2003 16:33:06 -0500Received: from sdm3.quickbooks.net 
  ([208.240.241.110])by mail2.smart-mail.net (SAVSMTP 3.0.1.45) with 
  SMTP id M2003080116330213145for [EMAIL PROTECTED]; Fri, 01 Aug 2003 
  16:33:02 -0500Received: from ipp3.qbn.ie.intuit.com 
  (ipp3.qbn.ie.intuit.com [10.9.2.76])by sdm3.quickbooks.net 
  (8.11.6/8.11.6) with SMTP id h71LX2V27979for [EMAIL PROTECTED]; Fri, 1 Aug 2003 
  14:33:02 -0700 (PDT)Message-ID: [EMAIL PROTECTED]Date: 
  Fri, 1 Aug 2003 14:33:02 -0700 (PDT)From: [EMAIL PROTECTED]
  
  X-RBL-Warning: SPAMDOMAINS: Spamdomain 'com.' 
  found: Address of [EMAIL PROTECTED] sent from invalid 
  sdm3.quickbooks.net.
  
  
  Thanks,
  
  Todd


Re: [Declude.JunkMail] New spamcop style RBL..

2003-07-28 Thread Jason Newland

- Original Message -
From: Matt Robertson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 28, 2003 11:32 AM
Subject: RE: [Declude.JunkMail] New spamcop style RBL..


 2. To send Trustic your (confirmed!) spam (typically only that
which has received very heavy weighting and you are certain
contains no false positives) Use the ROUTETO command in your
$default$.junkmail file.  For example, if ordinarily you
have a WEIGHT30 test that deletes the message, i.e.
   WEIGHT30 DELETE
Change it to
   WEIGHT30 ROUTETO [EMAIL PROTECTED]
Where again you replace the 'X' values with your Trustic account
number



When I set this up, I get the following error in my SMTP log file:


07:28 11:53 SMTP-(0470) processing C:\IMail\spool\Q54b20182006c927c.SMD
07:28 11:53 SMTP-(0470) Trying mx.trustic.com (0)
07:28 11:53 SMTP-(0470) Connect mx.trustic.com [66.151.128.22:25] (1)
07:28 11:53 SMTP-(0470) 220 w02.trustic.com ESMTP
07:28 11:53 SMTP-(0470) EHLO areatech.com
07:28 11:53 SMTP-(0470) 250-w02.trustic.com
07:28 11:53 SMTP-(0470) 250-PIPELINING
07:28 11:53 SMTP-(0470) 250 8BITMIME
07:28 11:53 SMTP-(0470) MAIL
FROM:[EMAIL PROTECTED]

07:28 11:53 SMTP-(0470) 250 ok
07:28 11:53 SMTP-(0470) RCPT To:[EMAIL PROTECTED]
07:28 11:53 SMTP-(0470) rl-recv: connection reset
07:28 11:53 SMTP-(0470)
07:28 11:53 SMTP-(0470) QUIT
07:28 11:53 SMTP-(0470) rl-recv: connection reset
07:28 11:53 SMTP-(0470)
07:28 11:53 SMTP-(0470) requeuing C:\IMail\spool\Q54b20182006c927c.SMD
R0 T1
07:28 11:53 SMTP-(0470) finished C:\IMail\spool\Q54b20182006c927c.SMD
status=3



Thanks for the help


Jason


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] New spamcop style RBL..

2003-07-27 Thread Jason Newland
All tiffs aside  :),

Can I get some clarity on the operation here?  If I personally submit an
e-mail that says 10.10.10.10 is a spammer IP, and that same address has
10 positives and 1 negative (Me).  I understand that the IP will
probably be trusted, but is there something in the background that when
I do a lookup that returns a fail?  Since I, the person asking has
submitted the only negative.  Conversely, a non-submitter would get a
pass on that IP since they are going on what others are saying?

Sorry if that is confusing

Also, there is a TON of things on the documentation side of things that
still need to be filled out on the site (yes I have sent them the
recommendations),.  Let's just hope they are responsive.


And finally, this seems like it will get better with user
participation



Jason

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] New spamcop style RBL..

2003-07-26 Thread Jason Newland
Josh,

What is the entry you have put in your config file?   (If you don't mind
sharing)


Thanks

Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joshua Levitsky
Sent: Saturday, July 26, 2003 9:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New spamcop style RBL..


This is kind of cool... I'm using it now as an RBL...

http://www.trustic.com/

Trustic is a new solution to the problem of unsolicited email. By
aggregating recommendations from its large community of members, Trustic
maintains a list of email servers that can't be trusted to prevent
spam. This makes Trustic more reliable, accurate, and up-to-date than
other block lists. In addition, Trustic provides an appeal process for
machines listed as untrusted.


---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Declude using 50% cpu

2003-07-24 Thread Jason Newland
Title: RE: [Declude.JunkMail] Declude using 50% cpu



Also, can we ask what hardware / OS this is running 
on?


Jason


  - Original Message - 
  From: 
  John Tolmachoff (Lists) 
  To: [EMAIL PROTECTED] 
  Sent: Thursday, July 24, 2003 3:03 
  PM
  Subject: RE: [Declude.JunkMail] Declude 
  using 50% cpu
  
  
  Where is your DNS 
  server you are using in Imail?
  
  
  
  John Tolmachoff MCSE 
  CSSA
  Engineer/Consultant
  eServices For You
  www.eservicesforyou.com
  
  
  -Original 
  Message-From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Mark 
  GordonSent: 
  Thursday, July 24, 
  2003 12:51 
  PMTo: '[EMAIL PROTECTED]'Subject: RE: [Declude.JunkMail] Declude 
  using 50% cpu
  
  On a good 
  day we rev 19000 local deliveries + send 8000 per day. 
  It hits 
  the machine hard average cpu time before was around 44% then when declude was 
  installed it jumped to over 90% average. The version is 1.75
  -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED]] 
  Sent: Thursday, July 24, 
  2003 
  3:37 PM 
  To: 
  [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude using 50% 
  cpu 
  
  We 
  are evaluating declude and have noticed a considerable increase in the 
  cpu cycles 
  associated with mail delivery. Is there anyway have it run in 
  an isolated 
  cpu instance? since there are multiple instances of declude.exe running, I would guess it 
  would be hard to lock it down. 
  How many 
  E-mails do you send/receive per day? 
  What 
  version of Declude are you running (you can find out by typing 
  "\IMail\Declude 
  -diag" from a command prompt)? 
  Are you 
  sure that it is Declude using the extra CPU cycles (by sorting the 
  processes in the 
  Task Manager by the "CPU" column)? 
   
  -Scott --- Declude JunkMail: The advanced anti-spam solution for 
  IMail mailservers. Declude Virus: Catches known viruses and is the leader 
  in mailserver vulnerability detection. Find out what you have been missing: Ask 
  for a free 30-day evaluation. 
  --- [This E-mail was scanned for viruses by Declude Virus 
  (http://www.declude.com)] 
  --- This E-mail came from the Declude.JunkMail mailing 
  list. To unsubscribe, just send an E-mail to 
  [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The 
  archives can be found at http://www.mail-archive.com. 



RE: [Declude.JunkMail] DNS Test?

2003-07-18 Thread Jason Newland
Great letter Kevin, but I recently tried to explain this to a company and their 
engineer said that it was by design.  His explanation was that they did it for 
security/obscurity reasons and we were applying to strong restrictions on mail 
delivery.  Sometimes you just can't win with these people.


Jason


-- Original Message --
From: Kevin Bilbee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 18 Jul 2003 15:52:25 -0700

Be careful blocking solely on RDNS and HELOBOGUS. There are many legitimate
mail servers out there with ignorant DNS admins. We are lucky to have Scott,
Len (on the Imail list), and DNS Stuff/Report. I have taken the approach to
attempt to enlighten them with the following email. Because my users recover
their own email it make doing this easier.


Hi, I am Kevin Bilbee the Network Administrator at Standard Abrasives.

We are having some issues receiving email from your mail server. I would
appreciate it if you could help me out. Your mail server is missing a few
DNS entries that are required to validate that email is coming from your
server and not someone pretending to be you. About 60% of the mail coming
into our server is unsolicited (SPAM) so being able to identify legitimate
email is important to us. These items are outlined below.

X-RBL-Warning: HELOBOGUS: Domain acsmail1.amas.nl has no MX or A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 194.151.97.18
with no reverse DNS entry.
This is the link to the Internet Engineering Task Force site and the RFC for
Common DNS Operational and Configuration Errors section 2.1. It discusses
DNS and common configuration errors pertaining to mail servers.
http://www.ietf.org/rfc/rfc1912.txt?number=1912

If you could forward this to your IT department or send me contact
information for them, I would appreciate it.

Mail from your server is not lost, it is delayed 1 day while waiting for
review. If it is found to not be spam, the recipient has the option to
recover the message. If they do not recover it in 14 days, it is purged from
the system.

I understand that mail from your server is not spam and is legitimate
business email. But our spam filter cannot make that determination unless
the above so human intervention is involved to complete delivery to the
final recipient.

After my signiture is a message with the full headers for you to review.

Thank you for your assistance in this matter,
Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.




I have had great results in getting legitimate admins to fix there setups my
biggest problem is with admins in China and admins that think it is a
security risk for their firewall to have these entries. I also had our
international department review the email so as not offend people in other
countries with harsh language.


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Joshua Levitsky
 Sent: Friday, July 18, 2003 3:29 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] DNS Test?


 Think of the companies that offer spammers a haven. If you could block
 everything hosted by that ISP it would be wicked nice. There's no
 end to the
 mail servers these bastards can setup, but registered DNS servers
 is a whole
 other story. I don't take mail if there's no PTR, and the HELO has no A
 record so these people spamming me have to use DNS servers which
 are harder
 to switch constantly because it takes 24 - 48 hours for that stuff to
 change.

 -Josh

 - Original Message -
 From: Rifat Levis [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 6:08 PM
 Subject: Re: [Declude.JunkMail] DNS Test?


  It is seems like a intersting test , but it will do more harm to ISP ,
  I am just thinking my case , having more than thousands domains.
  If 1 of those domains start doing a spam , thousands of others will have
  problems.
  The isp mail servers also .
 
  Adding a small weight can do the job :)


 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Nolegit test

2003-06-27 Thread Jason Newland



I would like to begin using the NOLEGITCONTENT 
test, but the mail archives are down :(. Can someone send me the lines I 
need in the configs to get this going? 

Thanks

Jason



Re: [Declude.JunkMail] Nolegit test

2003-06-27 Thread Jason Newland
Thanks Scott (and Bill)

We are holding on 20 right now (with very few FPs), so without divulging the
details of the test, is -8 too much or too little a weight?  Or should I
just test test test to see what types of mail are failing/passing the test?

Thanks Gents!

Jason

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 27, 2003 12:16 PM
Subject: Re: [Declude.JunkMail] Nolegit test



 I would like to begin using the NOLEGITCONTENT test, but the mail
archives
 are down :(.  Can someone send me the lines I need in the configs to get
 this going?

 You can use:


  NOLEGITCONTENT  nolegitcontent  x  x 0  -8

 this would go in the global.cfg file (you don't need any other lines for
 this test).

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you have been missing: Ask for a free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] AOL

2003-06-26 Thread Jason Newland
Isn't that backwards?

Firewall with Fixup -  ESMTP will not work, and mail defaults to
ordinary SMTP transaction

Firewall without Fixup -- ESMTP works fine


Jason


- Original Message -
From: Rick Davidson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 1:02 PM
Subject: Re: [Declude.JunkMail] AOL


 Disabling the SMTP Fixup Protocol at the firewall disables ESMTP and
allows
 only SMTP

 Anyone using Imail peering will not be able to disable ESMTP

 Rick Davidson
 Buckeye Internet Inc
 www.buckeyeweb.com
 440-953-1900 ext: 222

 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, June 26, 2003 1:48 PM
 Subject: RE: [Declude.JunkMail] AOL


 
  According to you guys its not the mail server it is the
 Firewallright?
 
  Correct.
 
  What needs to be changed on the Firewall
 
  I believe someone said it is the SMTP Fixup Protocol that needs to be
  turned off.
 
  and why is the current setup so bad?
 
  Two reasons:
 
  [1] It makes your server non-RFC-compliant
  [2] The security feature is broken (specifically, it is leaking
 information
  it was designed to hide)
 
  -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
  Declude Virus: Catches known viruses and is the leader in mailserver
  vulnerability detection.
  Find out what you have been missing: Ask for a free 30-day evaluation.
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found
  at http://www.mail-archive.com.
 
 

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration

2003-06-16 Thread Jason Newland
Sorry to burst your bubble, but that's not a tarpit.


You have a dynamic IP blocker.  Tarpitting doesn't block, it slows the
attack down, consuming more of their resources, and making their connection
seem like it is stuck in a pit of tar (hence the name)


Jason

- Original Message -
From: Rifat Levis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 16, 2003 7:51 AM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration integration


 Hi Bill ,

 I wrote a small VB program .
 --
 Here is more details about the system.

 I am using the KIWI syslog server software to send the logs to the SQL
 You can specify in IMAIL  syslogs server ip address .(IF you run KIWI on
the
 same machine ,you have to stop IMAIL syslog )

 I have wrote a small Visual Basic Program which scan the SQL database for

 ERR  INVALID USER  lines every 2 min.

 And my little program Open a telnet connection to the firewall ADD the ip
 address to block .
 Then the program remove the ip address after 1 hour.

 On my firewall i wrote a global policie group to deny access to port 25
 So the software add the ip address and specify that it belong to that
group
 lls.

 I decided also to integrate DECLUDE JUNKMAIL with my firewall.
 For weight over 20 i will block for 1 hour
 For weight over 30 will block for 2 hour
 And so on.

 Rifat





 - Original Message -
 From: Bill B. [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, June 16, 2003 3:11 PM
 Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
 integration integration


 Rifat,

 What software are you using to do the tarpitting?  Are you running it on
the
 same server as IMail, or on a separate box?

 Bill


 -Original Message-
 From: Rifat Levis
 Sent: Mon, 16 Jun 2003 02:01:45 +0300
 Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall
integration



 People intersted in tarpitting and Declude firewall integration can read
 this.



 I just finished the tarpitting protection for my IMAIL server
 I am sending logs to the kiwi syslog server and forwarding it to SQL to
 analyse data

 When in a 2 min period a single ip send mail to more than 5 unknown
account
 I am blocking the ip address on my netscreen firewall for 1 hour.


 The next step of this is to integrate Declude to the firewall

 I have 3 weight
 weight 10 warn
 weight 15 warn
 weight 20 delete

 Instead of deleting weight 20 i will forward it to an account to send data
 to SQL analyse it and then block it for 1 hour .

 NOTE : I am sure that KAMI will be interested :)

 Best Regards
 Rifat Levis

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.



 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Declude Processes Server Load

2003-06-05 Thread Jason Newland
Kami,

Is your DNS that IMAIL/Declude uses local to you?  Or are you using an
upstream DNS?  That many IPV4 tests may warrant this.  We noticed a large
performance boost by using a DNS on the local LAN.


Just a thought


- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 3:58 PM
Subject: RE: [Declude.JunkMail] Declude Processes  Server Load


I truly wish I could explain it..

May be I am dreaming.. But what I see is Declude does not get to 100% CPU
since we moved it to IMail to do IP4r.

This morning for example I saw about 10 or so Declude processes.. One at
19%.. A lot at 0% and then jumping to 10% and going away some hit 100% for 1
second and disappeared.

Before we were seeing 100% CPU staying for several seconds and then each one
of the waiting processes hitting 100%.  We could not even more the mouse..
It would move in steps.. Now we don't have that problem.

Watching this is now my favorite pass time... A cup of coffee and watching
CPU  Declude processes..

Have to try it with beer.. Could be more fun.. But can't imagine anything be
more fun!

:)

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Wednesday, June 04, 2003 4:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude Processes  Server Load


Kami,

I'm running ten IP4r tests, referred to in my original email as an external
DB query.  There seems to be a descrepency between this as a cause and
Scott's answer:

  the Declude process should not show high CPU usage in this case.
  Declude uses the Sleep() command, which gives up CPU cycles to
  other  programs (and will prevent the Task Manager from showing CPU
  usage in  Declude during idle times, such as when Declude JunkMail is
  waiting for an  external or DNS-based test to complete).

Assuming we're all talking about the same thing, Declude continues to run as
a process waiting for replies from IP4r requests but does not consume much
CPU time while doing so.  Does pulling out IP4r tests during an episode show
a immidiate decline in CPU use?

Does anyone know how the people hosting the IP4r tests feel about us
slamming them with queries?  Suppose I'm cruising along with 20,000 queries
a day, then jump to 500,000 over a few weeks, surely that makes an
impression somewhere?  Is there a point were we should ask about doing more?

Thanks
Dan



On Wednesday, June 4, 2003 1:33, Kami Razvan [EMAIL PROTECTED]
wrote:
Hi Dan:

We had a similar problem.  I posted a couple of messages regarding this
very issue.  We were having CPU at 100% for minutes..  in one case
when a mail list hit our server with a lot of users receiving the
message at the same time the CPU was at 100% for almost an hour.  We
could not do anything... Finally the Declude processes disappeared and
all was back to normal again.

What I noticed was the cause more than anything else was the IP4r
tests. Declude appears to be fast in filtering and everything that it
does.  The IP4r tests are a different story and naturally out of
Declude hands.  We had a lot of them and by taking them off it brought
things to normal.

I stated this in an earlier posting- we are not doing all of our IP4r
tests in IMail version 8.  It works much faster and since it caches it
seems like it works great.  We have about 60 IP4r tests (majority of
what is listed in Declude/junkmail/manual.htm site.  We will take some
off and add others as we find their effectiveness but for now we are
using a lot of them and no problem.

I am interested to see if this helps you if you try it.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Tuesday, June 03, 2003 9:36 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude Processes  Server Load


We added about 350 users to our 2000+ user dual server configuration in
the last week and were doing pretty well until this afternoon.
Suddenly the CPU load graph stopped looking like its normal Donky Kong
video game simulation (up and down) and more resembled a 100% highway
with a few dips.  Declude processes were taking quite a while to clear
before finishing, to be replaced by another.  I pulled out some multi
thousand line tests and it nary made a dent.

Just before bringing our 3rd server into the fold, things quieted down.
While I've already ordered 2 new dual processor 1U's, I want to par
down (if not eliminate) the variables invovled:

1) If an external DB query slowed things down, delaying each Declude
process, would Declude still show high CPU consumption while waiting
and would the graph still be pegged?  If not, is there any situation
external to my server that would?

2) Is it possible for Declude to be consuming CPU cycles while idling
for some other reason?

3) If something else is running in the background, eating cyles, does
Declude 'look' like its working 

RE: [Declude.JunkMail] updated spamdomains list

2003-05-31 Thread Jason Newland
Rocketmail.com resolves to yahoo.com

So:


Rocketmail.com yahoo.com


Would be a valid entry


What about the following?

Bigfoot.com
Geocities.com
Rocketmail.com

Markus

 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: h:Re: [Declude.JunkMail] Declude.JunkMail Statistics

2003-03-03 Thread Jason wolfe
Dan,
Unfortunately we don't currently have a demo/trial version of LogTool available. 
However, we will be adding additional screenshots to the website 
(http://www.netcomm.com/products/logtool) later today, which should give you a better 
idea of how the application works. If you have additional questions, you're also more 
than welcome to contact me by phone at 859 224 4124.

Thanks,

Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] h:Releasing Netcomm LogTool for Declude JunkMail

2003-02-28 Thread Jason wolfe
We would like to announce the release of LogTool for Declude JunkMail. This 
application was designed from the ground up to allow the user to quickly and easily 
drill-down into JunkMail's logs to assist in the fine-tuning of the filters.
In a near future release, we will expand LogTool's capabilities to include the 
processing of Virus' log format.
More information is available at: http://www.netcomm.com/products/logtool

Email us off-list at [EMAIL PROTECTED] if you have any questions, comments or interest.

Thanks,

Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


NOABUSE:RE: [Declude.JunkMail] Log Analyzer - Comments Needed

2003-02-28 Thread Jason Powell
I would love to try it out as well!!
Sounds very usefull.

[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell L.
Sent: Friday, February 28, 2003 6:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Log Analyzer - Comments Needed

Keith,

I have a beta available and I am looking for individuals to test it out.
If you are interested the beta will be made available as early as
Monday.

Please let me know if you are interested.

Darrell LaRock


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Thursday, February 06, 2003 4:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Log Analyzer - Comments Needed

Darrell,
That is awesome.  I get those same requests from our clients
weekly.   I appreciate your time in writing it. 

Keith

 -Original Message-
 From: Darrell L. [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, February 06, 2003 11:35 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Log Analyzer - Comments Needed
 
 
 *Sorry if this is outside the realm in which the forum should be used.
 
 Several of my customers have started asking me for reports on 
 what Declude is blocking for their domain or a certain user.  
 Obtaining this information was challenging manually sifting 
 through the logs - to say the least.  I then decided to write 
 an analyzer that could accomplish what I needed.  
 
 It's a good portion of the way wrote, and I am thinking about 
 making it public at some point when it is completely finished.
 
 However, I was looking for features that people would like 
 that I may not have thought of at this point.
 
 Currently right now it can do the following
 
 1.) Report on Number of messages that fails each test.
 2.) Comprehensive reporting on each individual tests.  
 Reports can be generated based on (to, from, domain, 
 subjects, date, time).
 3.) Report on individual domains and which messages failed which tests
 4.) Report on individual users and which messages failed which tests.
 5.) It is a console application written in C# (.net).  It is 
 self contained and does not need any external databases like 
 SQL Server or MSDE.
 
 Things Still to be added
 1.) Ability to email the reports
   
 
 Thanks
 Darrell
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.