[Declude.JunkMail] OT: (Re-post) Dial-Up Services for San Diego, CA
If there is anyone who provides dial-up services in San Diego, California who would be interested in acquiring approximately 50+ user accounts, please contact me off list. [EMAIL PROTECTED] No one has responded from my first post from a week ago. I am not trying to sell these accounts...just looking for someone to take them over! -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT: Dial-Up Services for San Diego, CA
If there is anyone who provides dial-up services in San Diego, California who would be interested in acquiring approximately 50+ user accounts, please contact me off list. Kim W. Premuda [EMAIL PROTECTED] -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Per User Filtering
Can someone tell me what to put in the per user 'user.junkmail' file that would cause all messages to effectively be whitelisted for that user (user does not want anything tested by JunkMail)? Currently, all tests are set to 'WARN', but that's not producing the desired results. Thanks! Kim W. Premuda -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] California Regional Intranet
-- Original Message -- From: Kevin Bilbee [EMAIL PROTECTED] This IPS seems to be very friendly with the Spammers. What are your thoughts about blocking their entire assigned IP range?? California Regional Intranet, Inc. is a San Diego, CA based ISP (www.cari.net). We have received nothing but spam from their network within the following two CIDRs: CIDR: 71.6.128.0/19 CIDR: 209.126.128.0/17 Consequently, we block these CIDRs in Imail (not Declude). I hope this helps! Kim W. Premuda FastWave Internet Services San Diego, CA -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam leak?
Ummm... Did anybody else get a piece of spam this morning with subject SPAMSPCE: that seems to have been relayed through Declude.com? Yes, we did. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Global.cfg lines for SPF
This is what we have in our 'global.cfg' file: SPFFAIL spffail x x 3 0 Is this old syntax? A remnant of version 1.86? We are currently running JunkMail 3.0.5.20. Also, why are the weights all zero? Shouldn't a fail add weight, and a pass subtract weight? Or, am I misunderstanding the 'spf' test? Thanks! Kim -- Original Message -- From: David Barker [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Mon, 21 Nov 2005 16:26:13 -0500 This is the correct syntax. SPFFAILspf failx 0 0 SPFPASSspf passx 0 0 SPFUNKNOWN spf unknown x 0 0 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Morgan Sent: Monday, November 21, 2005 4:00 PM To: Declude.JunkMail@declude.com Cc: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Global.cfg lines for SPF I use: SPFPASS spf pass x 0 0 SPFUNKNOWN spf unknown x 0 0 SPFFAIL spf fail x 50 0 Set 1: SPFFAIL spf fail x 9 0 SPFPASS spf pass x 0 0 Thanks for the quick responses. I did have the correct pair of lines in my global.cfg file but I have received messages over the weekend which Imail's SPF check marked as SPFFAIL but Declude did not. The messages were what F-Prot is now calling W32/[EMAIL PROTECTED] and appear to be from my own domain. Since I have an SPF record, they should have failed the Declude check but they did not. As a result the first few that arrived before F-Prot updated their databases and were delivered to my users. I'm aware of at least one user who attempted to open the zip file. Is this a bug in 2.0.6.16? Is it fixed in 3.0.5.20? Brad Morgan IT Manager Horizon Interactive Inc. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Any fix released for the corrupt message character issues in 3.0.5?
-- Original Message -- From: John T \(Lists\) [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Thu, 29 Sep 2005 15:05:10 -0700 Actually, looks they have official released 3.0.5.5 which fixed the problem. Hi, John. Have you tested this? This was supposedly fixed in two prior beta releases, and we both know that wasn't true. Thanks! Kim W. Premuda -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] JunkMail 3.0.5 100% CPU Usage
IMail 8.05 HF3 JunkMail 3.0.5.5 We are still seeing times when 'decludeproc.exe' will burst the CPU usage to 100% for 20-30 seconds up to a minute or two. We've adjusted the WAITFORTHREADS and WAITBETWEENTHREADS to various values, and it doesn't seem to make any difference. The current values we are using are: WAITFORTHREADS 1 WAITBETWEENTHREADS 1 As an example, the 'work' folder will have several messages in process, so you would expect to see the CPU usage go up for the first thread, then down to minimal levels for 10 seconds, then back up again for each additional message thread processed. But, what we see is the CPU usage hitting 100% and staying there while processing the messages in the 'work' folder. If additional messages show up in the 'proc' folder and are transferred to the 'work' folder before the current THREAD run has completed, they are immediately processed thereby keeping the CPU usage at 100%. When everything is eventually processed, the CPU usage returns to normal levels. This only seems to be a problem under heavy load. Is anyone else experiencing this behavior? Also, does anyone know if the THREADS value can be reduced to a number below the Declude recommended minimum of 5 (and not break anything)? My thinking here was Thanks! -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Beta 3.0.4.4 update 09/24/05A
John, Attached is the d*.smd file that I reported to Declude last Thursday which causes both the 3.0.3 and 3.0.4.4 'decludeproc.exe' services to stop. The message content looks very similar to the 3 files you posted, and I thought you might want to take a look at it (out of curiosity). Kim -- Original Message -- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Sat, 24 Sep 2005 13:25:49 -0700 Through a time consuming process, I have apparently identified the trigger for the problem with the decludeproc stopping and messages backing up. Attached are text files which are D files for messages that caused this. The 2 times in the last 4 days that the decludeproc has stopped. Each time, one of these files was in the work folder. After disabling the decludeproc, moving the entire contents of the work folder to a temp folder, then feeding one pair of files to the proc folder at a time, I was able to isolate it to these. Each one of the 3 is identical in the included characters and body formatting. I would ask that any one else having this problem please check and see if you have any of these kind of files stuck in the work folder. If you need any help in figuring this out, please let me know. If we can all confirm this, Declude will be able to fix the problem that faster. John T eServices For You -- Kim W. Premuda FastWave Internet Services San Diego, CA -- d263f0014025a42ef.smd Description: Binary data
[Declude.JunkMail] Beta 3.0.4.4 Problem
IMail 8.05 HF3 Downloaded and installed 3.0.4.4. Message file pairs were appearing in the 'proc' folder, subsequently moved to 'work' folder, then dispositioned as needed. Observed this for 10-15 minutes, then went about business. Checking back, I found that the 'decludedproc.exe' service was stopped, and that approximately 400 messasges were sitting in the 'proc' folder. Restarted the service only to have it immediately stop. Tried serveral more times and got the same results. My 'declude.cfg' file contained the following: THREADS 5 WAITFORMAIL 1 WAITFORTHREADS 1500 WAITBETWEENTHREADS 1 Since this was a similar situation as before, I stopped the 'decludeproc.exe' and IMail services, then copied those 400 messages to a temporary folder. Uninstalled 3.0.4.4 and re-installed 3.0.3, and started everything up. Grabbed the first 5 message file pairs in the temporary folder and put them in the 'proc' folder. I watched them get transferred to the 'work' folder. Within 30 seconds, the 'decludeproc.exe' version 3.0.3 stopped. I attempted to restart the service serveral times, but it would immediately stop. Copied the 5 message pairs back to the temporary folder. I made certain 'decludeproc.exe' version 3.0.3 had started. Then, starting with the LAST set of 5 message file pairs in the temporary folder, copied them to the 'proc' folder and watched them get processed. After 5 sets (and slowly working my way back to the top were the original 5 message file pairs are), thought I better post this to warn others. When (and if) I determine which file is causing both versions 3.0.3 and 3.0.4.4 to stop, I will send it and the log files to Declude for analysis. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Beta 3.0.4.4 Problem
-- Original Message -- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Thu, 22 Sep 2005 17:49:41 -0700 I would ask that you go back to 3.0.4.4 and keep running. If you have this problem again, please do the same think and isolate the files, then send them to Declude along with the log files. This was seen before and was hopefully fixed, but if you are seeing it please continue to run 3.0.4.4 and if possible put the Declude JM log into debug. John, I did manage to isolate the message file pair that caused the problem and sent them, along with the log file (set to DEBUG mode), to Declude. Hopefully, the developers at Declude can spot something in the log file. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Problem with a per domain filter file
That was my guess as well. That is, the ALLRECIPS test is a logical AND function and requires that ALL ending domains be the same for the test to be true. Any one domain not matching the requisite domain (the one you are testing for) will cause the test to fail. -- Original Message -- From: Darrell \([EMAIL PROTECTED]) [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Wed, 21 Sep 2005 09:15:09 -0400 I am going to take a stab at this... The line shows this - filter DOMAIN_C on local-domain.com [weight-0; [EMAIL PROTECTED], [EMAIL PROTECTED] With the allrecips being a comma value of all recipients I would suspect the [EMAIL PROTECTED] came after the local-domain.com hence meeting the NOTENDSWITH tag. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. John Tolmachoff (Lists) writes: I have created filter files for each domain that warrants them to counteract tests failed because of keywords or other things some what unique to that domain. Here is the END line in the filter: ALLRECIPSEND NOTENDSWITH local-domain.com However, in the log lines below, you can see that the processing of the filter file ended saying the END condition was meet, but it was not. 09/21/2005 00:21:41.306 q09ef03ec22c5.smd Doing filter file C:\Imail\Declude\filters\A_Local_Domain.txt. 09/21/2005 00:21:41.306 q09ef03ec22c5.smd Triggered ALLRECIPS !ENDSWITH filter DOMAIN_C on local-domain.com [weight-0; [EMAIL PROTECTED], [EMAIL PROTECTED] 09/21/2005 00:21:41.306 q09ef03ec22c5.smd Filter: END command conditions met; ending this filter. Can some one see where I am doing something wrong? John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Beta 3.0.4
Hi, John. Just curious... What method did you use to determine that those 4 messages were causing the 'decludeproc.exe' service to unexpectedly stop? I would like to be able to send Declude the messages in our 'proc' folder that are causing the same problem here. Regards, Kim -- Original Message -- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] The problem appears to be caused/centered/triggered/co-incidental to 4 spam messages. Also, a large Dr Watson log file and dmp were created when this happened. After isolating these messages, stopping the Imail SMTP, QueueManager services, disabling and stopping the decludeproc service, clearing both the proc and proc\work directories of everything, then reenabling the decludeproc service and restarting the SMTP and QueueManger services, the server is running as expected. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Beta 3.0.4 not Processing Files in 'proc' Folder
Hi, John. Yeah...did all that, except running the JunkMail log in 'HIGH' mode. So, I re-ran the test this morning with the log mode set to 'HIGH'. I ran the test between 7:10A and 7:20A. At the start of the test, both the 'proc' and the 'proc\work' folders were empty. As the test progressed, the 'proc' folder began to fill with 'd*.smd' and 'q*.smd' files. The 'proc\work' folder remained empty during the entire 10 minute test. I could also see the 'decludeproc.exe' service running in Task Manager, but it was running with a minimum of CPU usage. At the end of the test, reverted back to 3.0.3, and all the backlog in the 'proc' folder was immediately processed. That is, I could see the files in the 'proc' folder being moved to the 'proc\work' folder, whereupon they would subsequently disappear (presumably deleted, held, or moved to the 'spool' folder). Upon examining the JunkMail log file, note that there is a gap of information during the test time period: 09/16/2005 07:07:20.515 qd16d0f3f0048a1ec From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 72.26.215.59 ID: 09/16/2005 07:07:20.515 qd16d0f3f0048a1ec Action(s) taken for [EMAIL PROTECTED] = WHITELISTED [LAST ACTION=WHITELISTED] 09/16/2005 07:07:20.515 qd16d0f3f0048a1ec Cumulative action(s) taken on this email = IGNORE [LAST ACTION=IGNORE] 09/16/2005 07:22:55.015 qd31201ec029c0f5f Tests failed [weight=39]: NOPOSTMASTER=WARN[1] SNIFFER=WARN[20] CMDSPACE=WARN[8] IPNOTINMX=IGNORE[0] NOLEGITCONTENT=IGNORE[0] ROUTING=WARN[2] WEIGHT10=HOLD[10] WEIGHT17=DELETE[17] WEIGHT20=DELETE[20] CATCHALLMAILS=IGNORE[0] TLD-TRUSTED-MAILFROM=WARN[0] DRUGS-MEDICATIONS=WARN[8] 09/16/2005 07:22:55.500 qd31201ec029c0f5f Action(s) taken for [EMAIL PROTECTED] = IGNORE WARN HOLD DELETE [LAST ACTION=DELETE] 09/16/2005 07:22:56.078 qd31201ec029c0f5f Cumulative action(s) taken on this email = IGNORE WARN HOLD DELETE [LAST ACTION=DELETE] 09/16/2005 07:22:53.218 qd2de00f6024c43a2 Tests failed [weight=24]: SNIFFER=WARN[20] IPNOTINMX=IGNORE[0] NOLEGITCONTENT=IGNORE[0] REVDNS=WARN[4] WEIGHT10=HOLD[10] WEIGHT17=DELETE[17] WEIGHT20=DELETE[20] CATCHALLMAILS=IGNORE[0] TLD-TRUSTED-HELO=WARN[0] TLD-TRUSTED-MAILFROM=WARN[0] TLD-TRUSTED-REVDNS=WARN[0] Is this another sign that the 'decludeproc.exe' was not doing anything? Also, please remember, we are using the older IMail 8.05 HF3, and that our results can definitely be different from yours. With regards, Kim -- Original Message -- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Thu, 15 Sep 2005 23:56:18 -0700 I am sure you did, but let's check. Did you stop the Imail SMTP service, stop the Imail Queue Manager service, wait for both the proc and work folders to be empty, stop the DecludeProc service, copy in the new decludeproc.exe file, start the DecludeProc service, start the Imail Queue Manager service, start the Imail SMTP server, put the Declude JM log into Debug mode for say 15 mintues and then review the log to see what happened? John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Beta 3.0.4 not Processing Files in 'proc' Folder
John, I performed the suggestions you gave and got the same results. We shall be giving David at Declude access to our mail server, so they can see what's happening first hand. I'll keep the list posted. Kim -- Original Message -- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] Download the DecludeProc.exe again from the site. Maybe something went wrong there. The version of Imail should make no difference in the processing as it is definitely being handed to declude.exe. Do you have a Declude.cfg file in the Imail\Declude folder? Try putting WAITFORMAIL 1 in there. Again, try putting the log into DEBUG mode during the test. Maybe the server needs a kick? ;) John T eServices For You --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 3.0.4
Gawck! At first, I thought No way did I do that!, but I hadn't closed the browser session to the Declude beta site. Upon checking, I was astounded to find that I did, indeed, download the SmarterMail version of 'decludeproc.exe' (it was still highlighted)...3 TIMES OVER THE PAST TWO DAYS and didn't even notice! After downloading and installing the IMail version of 'decludeproc.exe' version 3.0.4, things look to be running normally. My apologies to the list (and Declude) for the 'false' reports, and thanks to the Ncl admin for pointing this out. Kim -- Original Message -- From: Ncl Admin [EMAIL PROTECTED] If files are not moving from proc to work make sure you downloaded the right version, I grabbed smartermail version this AM and it does exactly nada under Imail. Duh. Got the Imail version and of course its running now. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Beta 3.0.4
IMail 8.05 HF3 After installing JunkMail beta 3.0.4 (for IMail) this morning, everything seemed to be working. That is, I could see the THREAD requisite number of d*.smd and q*.smd file pairs being moved to the 'proc\work' folder, whereupon they would get processed and disappear. I visually monitored this for several minutes, then decided to go about business. When I returned to check, I discovered that the 'decludeproc.exe' service had stopped. When I restarted the service, I could see file pairs being processed until the service again stopped. I repeated this procedure 10-15 times. Determined to keep the service running, I set the service's recovery mode to 'Restart the service' on all failures; this made no difference. There are no service stop items logged in the Event Viewer for 'decludeproc.exe', only start items. Also, I was running JunkMail in DEBUG mode, but things look normal (I'm not certain what to look for specifically). Observation: The THREADS value was initially set to 25 and this seemed to keep the service running for about 45 seconds or so. As I incrementally lowered the THREADS value, the 'decludeproc.exe' service would stop sooner, around 5-10 seconds with a THREADS value of 10. I ended up reverting to 3.0.3 to get things moving again. Kim -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Beta 3.0.4 not Processing Files in 'proc' Folder
IMail 8.05 HF3
I installed the JunkMail beta 3.0.4, and had the same results as with 3.0.3.8.
That is, the 'decludeproc.exe' service was running (as indicated by Task
Manager), however, nothing was being processed ('decludeproc.exe' was near the
bottom of the Task Manager list when sorted by CPU time, and no external files
like Sniffer running). Files were being added to the 'proc' directory, but the
'proc\work' directory remained empty. Let things run this way for approximately
15 minutes, then reverted back to version 3.0.3. Once 3.0.3 was up and running,
the files in the 'proc' directory were immediately processed ('decludeproc.exe'
at or near the top 5 entries in Task Manager, Sniffer executables now showing
in Task Manager, backlog of files in 'proc' folder are gone).
Kim W. Premuda
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 3.0.3 update
I experienced the maxed out processor(s) - I only tried it for a few min and then went back to 2.0.16. Haven't tried it since! -Nick Nick, The beta version 3.0.3 does not automatically create the 'work' folder below the 'proc' folder (ie. 'proc\work'). If you create the folder manually, 3.0.3 will start to work (after stopping and restarting the 'decludeproc.exe' service). Declude has fixed this problem in later releases, with the latest being 3.0.3.7. Caution...we attempted to run 3.0.3.7 yesterday and had to revert back to 3.0.3, because 3.0.3.7 would not run more than a minute or two before the 'decludeproc.exe' service stopped. You may or may not have the same results. Declude has been notified of this problem. Kim -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Sniffer error in Declude log
Over the weekend, a lot of spam has been getting through. Checking the Declude JunkMail log file shows the following: 09/10/2005 00:01:41.906 q84a2205001d48c60 ERROR: External program SNIFFER didn't finish quick enough; terminating. Can anyone shed some light on this? That is, what would cause Sniffer to not complete in a timely manner? Thanks! -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 3.0.3 update
We installed the latest 3.0.3 beta tonight; the decludeproc service shot to 99% of CPU and stayed there for 15 minutes. During this time we accumulated over 1000 items in the proc folder; nothing was going out. Anyone else experienced this? We loaded JunkMail 3.0.3 last night and, this morning, had to revert back to 2.0.6.16 for the same reason...the '\proc' directory was filled with over 2,000 unprocessed items. Our CPU usage was unusally low (most likely, due to JunkMail not processing those files). The Declude log showed the following (ad nauseum): 09/02/2005 23:58:03.875 q47210e4201f24dd0 Could not open envelope file C:\IMail\spool\proc\work\q47210e4201f24dd0.smd. 09/02/2005 23:58:03.875 q47210e4201f24dd0 Error: Failed; could not open C:\IMail\spool\proc\work\D47210e4201f24dd0.smd 09/02/2005 23:58:03.875 q47210e4201f24dd0 Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN 09/03/2005 00:03:08.546 q47210e4201f24dd0 Couldn't rename SMD to SM$ [3]. Priority back to 32. Error String: [The system cannot find the path specified.] [C:\IMail\spool\proc\work\D47210e4201f24dd0.smd] [C:\IMail\spool\proc\work\D47210e4201f24dd0.sm$] -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 3.0.3 update
Those were the same error messages that I seen when the work directory was not created. Please see my earlier post - you need to make sure you have a /spool/proc/work directory. Darrell Thanks, Darrell. I did read your previous post, but not until I had already sent my posting to the list. In fact, I recalled seeing your original post on this matter but had forgotten about it. I created the 'work' directory per your previous post, then reloaded JunkMail 3.0.3 ...and, things started working. The trouble was that the backlog in the 'proc' directory took about 1.5 hours to clear while keeping the CPU at 100%. However, things look fairly normal at this time...thanks, again. I am a little surprised that the 'work' directory auto-creation was not implemented in version 3.0.3, as I believe you reported this before this latest release. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 3.0.3 update
Now the other thing to make sure of is did you increase the amount of threads that it will use in the declude.cfg file? By default it appears to use only 5 threads. I bumped mine up to 25 and that seems to be working very well. The other thing which is documented on the beta page is if you have more than one CPU where it will sleep for a period of time when it should not. I wasn't that daring...I only bumped the number of threads to 10, thinking I could increase it later if warranted. I was initially concerned with 10 threads due to the high volume of unprocessed items in the 'proc' directory and the 100% CPU usage. However, now that the backlog has been processed, CPU usage is back to normal, and the 'proc' folder is empty every time I look at it. So, for the moment, 10 threads is a stable place to be until we get more experience with this new version of JunkMail. We're running a single CPU mail server but are considering moving to a dual processor system that just became available. Hopefully, I can remember your warning about multiple processors when we make the switch! g -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] VIRUS WARNING
VIRUS WARNING - For the past 2 days, our server that runs IMail was bringing the rest of our network to a crawl. If we disconnected this server from the network, then the network would restore to normal. Just in case anyone else is having network problems, this may be the cause. Here's what we did to fix it. In the Windows Task Manager, look for either of two programs/processes: mousebm.exe mousesync.exe You will not be able to end these processes from Task Manager. You must first open the Registry Editor and search for the following folders and delete them: HKLM/System/ControlSet001/Services/Mousebm HKLM/System/ControlSet001/Services/Mousesync HKLM/System/ControlSet002/Services/Mousebm HKLM/System/ControlSet002/Services/Mousesync Then reboot the server. After rebooting, you will now be able to delete the two offending files. They are located in: c:\winnt\system32\mousebm.exe c:\winnt\system32\mousesync.exe If you find that the offending files re-appear in the Task Manager, look for the following file and delete it: c:\winnt\system32\i You will then have to repeat the above steps again. We searched Trend Micro, Symantec, McAfee, and Google for these files, but none of these web sites had any information on them. Perhaps, this virus has not yet been identified by them. Good luck! -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How they deal w/ Spammers in Russia
http://www.mosnews.com/news/2005/07/25/spammerdead.shtml -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Are you using anything like SKIPIFWEIGHT options in the filter or ENDS clauses. Yes, this particular custom filter has the following two lines at the beginning of the filter definition: TESTSFAILED END CONTAINS BYPASS SKIPIFWEIGHT 16 BYPASS never shows up in the line of filter tests, so SKIPIFWEIGHT may be the culprit. I'll comment out the SKIPIFWEIGHT line and see what happens (most likely, my misunderstanding of how SKIPIFWEIGHT works). Thanks for the help! -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Also, one thing that can affect the filter files that I have seen in the past is spammers will put fake html tags in the middle of the URI to get it past filters Example: americfaketagaspharm.com - the email client will normally interpret this correctly and display americaspharm.com (i.e. not rendering the fake tag). My original post that contained the offending message was in plain-text format showing no embedded HTML tags in the domain name. I did save the 'D*.SMD' file...here is how the URL shows in plain-text: http://americaspharma.com/ I suspect that the test is not being run at all, and that something (another test, perhaps?) is preventing this...but, I have no idea what to look for. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Custom Filter Diagnosis Help
I created a custom filter to help trap drug related spam called DRUGS-MEDICATIONS.TXT. This filter contains the following line: BODY 12 CONTAINS americaspharma.com Yet, spam containing 'americaspharma.com' does not get flagged by Declude JunkMail (see sample message below). Note that DRUGS-MEDICATIONS does not show up in the 'X-Spam-Tests-Failed:' line of the message header, nor does it show in the Declude log for this message. The 'global.config' file contains the following entry: DRUGS-MEDICATIONS filter C:\IMail\Declude\Filters\Drugs-Medications.txt x 0 0 and the '$default$.junkmail' contains the following entry: DRUGS-MEDICATIONS WARN I looking for recommendations as how to find the cause of failure for this filter. Any suggestions would be appreciated. Thanks! Kim Premuda FastWave Internet Services San Diego, CA --- Declude log file content --- 05/11/2005 10:44:29 Q44790a54022a0e51 Tests failed [weight=12]: HELOBOGUS=WARN IPNOTINMX=IGNORE MAILFROM=WARN WEIGHT10=HOLD CATCHALLMAILS=IGNORE TLD-TRUSTED-REVDNS=WARN --- Q44790a54022a0e51.SMD file contents --- QC:\IMail\spool\D44790a54022a0e51.SMD Hns3.fastwave.net WC:\IMail E0, S[EMAIL PROTECTED] NRCPT To:[EMAIL PROTECTED] R[EMAIL PROTECTED] --- D44790a54022a0e51.SMD file contents --- Received: from un2 [64.214.203.155] by ns3.fastwave.net with ESMTP (SMTPD32-8.05) id A479A54022A; Wed, 11 May 2005 10:44:25 -0700 Received: from localhost.localdomain (un2 [127.0.0.1]) by un2 (8.12.11/8.12.11) with ESMTP id j4BHgdMu025798 for [EMAIL PROTECTED]; Wed, 11 May 2005 12:42:39 -0500 Received: (from [EMAIL PROTECTED]) by localhost.localdomain (8.12.11/8.12.11/Submit) id j4BHgcTc025797; Wed, 11 May 2005 12:42:38 -0500 Date: Wed, 11 May 2005 12:42:38 -0500 Message-Id: [EMAIL PROTECTED] From: OS [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Info MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-RBL-Warning: HELOBOGUS: Domain un2 has no MX or A records [0301]. X-RBL-Warning: MAILFROM: Domain localhost.localdomain has no MX or A records [0301]. X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test (line 37, weight 0) X-Declude-Sender: [EMAIL PROTECTED] [64.214.203.155] X-Declude-Spoolname: D44790a54022a0e51.SMD X-Note: X-Note: Scanned by Declude JunkMail, Version 1.82 X-Spam-Tests-Failed: HELOBOGUS [5], MAILFROM [12], WEIGHT10 [10], TLD-TRUSTED-REVDNS [0] TOTAL [12] X-Note: This E-mail was sent from host-64-214-203-155.optynex.com ([64.214.203.155]). X-Note: Get your rx without leaving home. We ship throughout the United States (except AZ,FL,MN,RI,PR ND) http://americaspharma.com/ We ship FDA approved products only. Thanks. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Couple of gotha's we usually see [1] Make sure there are no hidden or extra spaces after the name. [2} If it is the last item in the filter do an extra return so that your line is not the last line in the filter. Darrell Hi, Darrel. Thanks for responding! There is no space character after 'americaspharma.com', and it is not the last item in the filter (there are over 100 lines after this one). Also, I should have mentioned that we are using JM 1.82. Another point of interest... When I sent my original message to the list, it was trapped by JM on the filter line containing 'americaspharma.com'. Kim --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] MTLDB Hotmail
We've been having problems with MTLDB doing the same thing...started around 8:00A PST (California, US). -- Original Message -- From: Kami Razvan [EMAIL PROTECTED] Reply-To: Declude.JunkMail@declude.com Date: Tue, 29 Mar 2005 17:06:14 -0500 Hi; Am I imagining things or Declude.mtldb has listed a Hotmail ip address in the blacklist? X-RBL-Warning: [DECLUDE.ip4r.MTLDB]: IP is listed in MTLDB Spamcop has also that IP listed.. X-RBL-Warning: [SPAMCOP.ip4r]: Blocked - see http://www.spamcop.net/bl.shtml?64.4.61.200; The IP: X-Note: Reverse DNS IP: bay102-dav3.bay102.hotmail.com [64.4.61.75] I am seeing a lot of emails with Hotmail being tagged.. Regards, Kami -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Line Modifier: = ? i s o - 8 8 5 9 - 1 ? Q ?
Thanks Andy, Matt, and Markus for your feedback...I really appreciate your comments. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Line Modifier: = ? i s o - 8 8 5 9 - 1 ? Q ?
We have received spam messages in the past whose 'To:', 'From:', 'Subject:', and 'Sender:' lines contain the character string: = ? i s o - 8 8 5 9 - 1 ? Q ? (spaces added to avoid filters) so, we created an external filter (SUBJECT) to detect the string. Now, it appears, this may be a bad idea, because legitimate messages with this string are also being caught by the filter (see message header below from 'lightinguniverse.com' as an example). Can someone verify what this character string means, and whether or not it is okay for this character string to appear in these lines? Also, is it the sender's mail client 'JMail 4.3.0 Free Version by Dimac' that is causing this? Thanks! [Sample Header] Received: from db2.lightinguniverse.com [216.162.208.53] by ns3.fastwave.net with ESMTP (SMTPD32-8.05) id A81B4AB501A4; Wed, 23 Mar 2005 09:32:11 -0800 Received: from www2.lightinguniverse.com ([192.168.1.58]) by db2.lightinguniverse.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 23 Mar 2005 08:58:41 -0800 Subject: = ? i s o - 8 8 5 9 - 1 ? Q ?LightingUniverse=2Ecom_Order(s):_#280844_status_update=2E?= Sender: = ? i s o - 8 8 5 9 - 1 ? Q ?LightingUniverse=2Ecom_Order_Fullfillment?= [EMAIL PROTECTED] From: = ? i s o - 8 8 5 9 - 1 ? Q ?LightingUniverse=2Ecom_Order_Fullfillment?= [EMAIL PROTECTED] Date: Wed, 23 Mar 2005 09:31:12 -0800 To: = ? i s o - 8 8 5 9 - 1 ? Q [EMAIL PROTECTED] [EMAIL PROTECTED] X-Priority: 3 X-MSMail-Priority: Normal MIME-Version: 1.0 X-Mailer: JMail 4.3.0 Free Version by Dimac Content-Type: multipart/alternative; boundary=--NEXT_BM_C05FF9D6F4B54DD5A4593FAF0577D05A Return-Path: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] X-OriginalArrivalTime: 23 Mar 2005 16:58:41.0843 (UTC) FILETIME=[910D5830:01C52FC9] X-RBL-Warning: SUBJECT: Message failed SUBJECT test (line 26, weight 20) X-RBL-Warning: TLD-TRUSTED-HELO: Message failed TLD-TRUSTED-HELO test (line 27, weight 0) X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM test (line 27, weight 0) X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test (line 37, weight 0) X-Declude-Sender: [EMAIL PROTECTED] [216.162.208.53] X-Declude-Spoolname: Da81b4ab501a4206f.SMD X-Note: X-Note: Scanned by Declude JunkMail, Version 1.82 X-Spam-Tests-Failed: WEIGHT10 [10], SUBJECT [20], TLD-TRUSTED-HELO [0], TLD-TRUSTED-MAILFROM [0], TLD-TRUSTED-REVDNS [0] TOTAL [15] X-Note: This E-mail was sent from db2.lightinguniverse.com ([216.162.208.53]). X-Note: -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] BONDEDEDSENDER and SNIFFER
Thanks Matt, Scott, and Andrew, for your feedback and your perspectives on this matter. It appears BONDEDSENDER isn't as trustworthy as they claim. Best regards, -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] 'X-Declude-Sender:' Question
Our IMail server trapped a spam message that was whitelisted by Declude JunkMail. The header of the message is shown below: Received: from fastwave.net [210.221.79.126] by ns3.fastwave.net (SMTPD32-8.05) id AB32D5301D8; Sat, 29 Jan 2005 10:51:30 -0800 Message-ID: [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] From: Kevin John [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: I got XP and Office Xp cheap. Date: Sun, 30 Jan 2005 03:52:40 +0900 X-Mailer: Version 1.32 Content-Type: text/html; charset=ISO-8859-1 MIME-Version: 1.0 X-Priority: 1 X-Declude-Sender: [EMAIL PROTECTED] [210.221.79.126] X-Declude-Spoolname: Ddb320d5301d8d507.SMD X-Note: X-Note: Scanned by Declude JunkMail, Version 1.82 X-Spam-Tests-Failed: Whitelisted TOTAL [0] X-Note: This E-mail was sent from [No Reverse DNS] ([210.221.79.126]). X-Note: From: [EMAIL PROTECTED] X-RCPT-TO: [EMAIL PROTECTED] Status: R X-UIDL: 397015868 Note that the 'X-Declude-Sender:' line contains a valid e-mail address (altered for this list) on our IMail server, yet the originating IP address [210.221.79.126]is located in Korea. We are not whitelisting the [210.221.79.126] IP address. Is this an indication that our customer's e-mail account has been compromised and is being used to propagate spam into our network? Or, is there some other explanation? TIA -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 'X-Declude-Sender:' Question
Thanks Matt and Darrell. I would imagine that you have AUTOWHITELIST ON and that your customer has his own E-mail address in his Web mail address book. You both were correct...AUTOWHITELIST is ON and the customer's e-mail address was listed in his Web mail address book. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] DNSSTUFF.COM Web Site Down?
It's 4:30A PST, and I cannot access the 'dnsstuff.com' web site. Is anyone else having the same problem? -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNSSTUFF.COM Web Site Down?
The site was being reset -- normally it's only down for a few seconds, but this morning it was down for about 10 minutes. -Scott Thanks, Scott and Pete. I gave up after about 10 mintues of 'page cannot be found' messages. Go figure. It's working fine now. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] BONDEDEDSENDER and SNIFFER
I seem to get a fair number of messages that 'fail' both BONDEDSENDER and SNIFFER: X-Spam-Tests-Failed: BONDEDSENDER [-10], SNIFFER [20], WEIGHT10 [10], TLD-TRUSTED-HELO [0], TLD-TRUSTED-MAILFROM [0], TLD-TRUSTED-REVDNS [0] TOTAL [10] Both tests are supposed to be highly trusted/accurate, so how do you resolve such diametrically opposed weightings? Who wins? -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] WAY OT: Syslog entries from Cisco ACL question
-- Original Message -- From: Rick Davidson [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 8 Dec 2004 15:17:27 -0500 Does anyone know what traffic uses a destination and source port of 0? FYI: From the Internet Protocols Handbook published by the Coriolis Group, Scottsdale, AZ: quote The TCP and UDP port number spaces are divided into three sections: Well-known ports (0 through 1023) Registered ports (1024 through 49151) Dynamic or private ports (49152 through 65535) The first section is controlled by the IANA, and port 0 for both TCP and UDP is reserved. /quote -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Need NDR Filter Help
We are receiving thousands of NDR messaages daily due to some spammer forging his message headers with our mail server name and IP address, 'ns3.fastwave.net' and '[207.212.80.137]' (below - note, it is not an IMail header): Received: (from [EMAIL PROTECTED]) by mailgate3.nec.co.jp (8.11.7/3.7W-MAILGATE-NEC) id iABBF0N18133 for [EMAIL PROTECTED]; Thu, 11 Nov 2004 20:15:00 +0900 (JST) Received: from no-wucking-furries.com ([211.223.136.240]) by TYO205.gate.nec.co.jp (8.11.7/3.7W01080315) with SMTP id iABBEtF01977 for [EMAIL PROTECTED]; Thu, 11 Nov 2004 20:14:56 +0900 (JST) Received: from fastwave.net (ns3.fastwave.net [207.212.80.137]) by no-wucking-furries.com (Postfix) with ESMTP id D2C16DA045 for [EMAIL PROTECTED]; Thu, 11 Nov 2004 05:13:08 -0600 Our customers who are targeted to receive the NDRs are complaining, and my first attempt at writing a JunkMail filter to (temporarily, at least) trap these NDRs has failed (it doesn't seem to be working). I want to trap on the 'From:' line, since that seems to be the most commom element in all the NDRs: From: Mail Delivery Subsystem [EMAIL PROTECTED] From: [EMAIL PROTECTED] (Mail Delivery System) From: Mail Administrator [EMAIL PROTECTED] From: [EMAIL PROTECTED] etc. So, I created a filter called JOEJOBNDR that contains the following: MAILFROM 0 CONTAINSMAILER-DAEMON MAILFROM 0 CONTAINSpostmaster MAILFROM 0 CONTAINSBarracuda Spam Firewall MAILFROM 0 CONTAINSmailmaster MAILFROM 0 CONTAINSautomated-response with the 'global.cfg' and '$default$.junkmail' files containing (respectively): JOEJOBNDR filter C:\IMail\Declude\Filters\JoeJob.txt x 25 0 JOEJOBNDR WARN Can someone tell me why the filter is not working? Also, I am open to any other methods or suggestions for getting the job done. Thanks in advance, Kim Premuda FastWave San Diego, CA -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Need NDR Filter Help
Thanks Scott and Matt for clearing up the '' issue...it's a far better approach than what I was attempting. Scott... What is the interaction between your two tests, MAILFROM-NULL-SENDER and USER-JOE-JOB? The reason I am asking is that I can only get MAILFROM-NULL-SENDER to trigger and not the user-specific USER-JOB-JOB test. It appears to me that they are mutually exclusive tests: Mailfrom-Null-sender.txt: TESTSFAILED 1 CONTAINS USER-JOE-JOB user-joe-job.txt: TESTSFAILED END NOTCONTAINS MAILFROM-NULL-SENDER MAILFROM-NULL-SENDER does not fail unless USER-JOE-JOB also fails but USER-JOE-JOB ends if MAILFROM-NULL-SENDER hasn't already failed It's kinda like a catch 22 sort of thing. Is my logic wrong? Which brings me to another question...does the order in which the tests appear in the 'global.config' file matter? Thanks! Kim -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
FWD: Re: Re[2]: [Declude.JunkMail] Spam getting through
-- Original Message -- From: Sheldon Koehler [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 28 Oct 2004 12:12:11 -0700 It is obvious they are using disposable domain names. They come in flavors like gbzqrx.info and so on. --- Interesting point. At first, I could not understand how spammers could afford disposable domain names. Then, I came to the conclusion that they are also bona fide domain name registrars...it costs them nothing to register thousands of disposable domain names. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Newbie help/guidance needed!
Matt, Some of the your new filters replace existing filters (eg. Gibberish v1.0.7 with Gibberish v2.1.1.). The older versions have anti-xxx filters, but the new filters don't. When using the newer filters, should I keep or delete the older anti-xxx filters? Many thanks for all the help! -- Original Message -- From: Matt [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 13 Oct 2004 19:39:57 -0400 If you are using Declude JunkMail Pro 1.81 (the most recent release), I would try using the filters listed in a special section of my site that were designed to make use of some of the new capabilities: http://www.mailpure.com/software/decludefilters/beta/ -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Newbie help/guidance needed!
The 'all_list.dat' file was included with the distribution. Thanks for the additional blacklists...I was not aware that they existed. -- Original Message -- From: Scott Fisher [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 14 Oct 2004 09:24:10 -0500 Some other thoughts... 1. Make sure you have the all_list.dat file in the declude folder for the country tests to run. Matt's beta filters are definitely better than his non beta filters. 2. Other ip4r/rhsbl to consider: FABEL ip4r spamsources.fabel.dk127.0.0.2 5 0 99.7% effective. I weight at 50% of my hold weight. Better at South American and Asian targets. MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 6 0 99.0% effective. I weight at 65% of my hold weight. MAILPOLICE-PORN rhsbl porn.rhs.mailpolice.com 127.0.0.2 8 0 98.4% effective. I weight at 85% of my hold weight. NJABL-DYNABLOCK ip4r dynablock.njabl.org 127.0.0.3 0 0 99.7% effective. I weight at 75% of my hold weight. May duplciate efforts with SORBS-DUHL, so you could false positive on both tests... SENDERDB-BLACK-ALL ip4rpub.senderdb.net 127.0.0.2 4 0 98.43% effective. I weight at 40% of my hold weight. 3. Other Declude tests: NONENGLISH nonenglish x x 3 0 99.6% effective. I weight at 30% of my hold weight. Detects no english character sets -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Test - New User
Just testing to see if my posts make it to the list. No need to reply. -- Kim W. Premuda FastWave Internet Services San Diego, CA -- --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
