RE: [Declude.JunkMail] spf breaks email forwarding -
Nick,

What I've done, and I can't be sure it's working, is to set up my client's SPF records like this:

v=spf1 ip4:[my ip mx range] ip4:[client ip mx range] mx ~all

The range format is nnn.nnn.nnn.nnn/nn

I haven't had complaints about SPF rejects.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Saturday, March 04, 2006 2:40 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] spf breaks email forwarding -

Email customers that forward through me are getting their email bounced because of the original sending domain's spf policy. I understand this dilemma is addressed with Sender Rewriting Scheme http://www.openspf.org/srs.html Does anyone have a solution to this w/Declude Imail?

Thanks
-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] spf breaks email forwarding -
Nick,

Sorry about my last email. I thought you were referring to outbound forwarding, not inbound.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Saturday, March 04, 2006 3:27 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] spf breaks email forwarding -

The problem is not anything I am doing - it is with SPF itself. By design forwarded email will bounce if the receiving MTA is configured that way. Even if I whitelist the emails they will bounce...

Let me explain - user@Adelphia.net sends an email to user@greenmountainhealth.com which is an alias on my server that forwards to user@surfglobal.net

SurfGlobal will bounce the email because it failed Adelphia's SPF. Perfectly legit email - my spf recs are perfect etc. The solution is SRS - otherwise forwarding is dead

-Nick

John T (Lists) wrote:

I think the underlying problem as has been discussed on this list is that an SPF FAIL should not be relied upon as an outright rejection, rather used as part of a weighting system.

John T
eServices For You
Seek, and ye shall find!

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Saturday, March 04, 2006 11:40 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] spf breaks email forwarding -

Email customers that forward through me are getting their email bounced because of the original sending domain's spf policy. I understand this dilemma is addressed with Sender Rewriting Scheme http://www.openspf.org/srs.html Does anyone have a solution to this w/Declude Imail?

Thanks
-Nick
RE: [Declude.JunkMail] spf breaks email forwarding -
Hear hear.

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, March 04, 2006 4:36 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] spf breaks email forwarding -

Someone could write a plug-in or Declude could be modified to handle this, or IMail could be modified to handle this (and then Declude would probably need to be updated to handle what IMail changed).

Why implement a work around in a standards compliant platform in order to deal with a flawed mechanism in use at another provider, when that mechanism is rare? I would prefer that SPF just disappeared. You will probably spend less time telling your client that their destination server has issues that you can't fix and that they should take it up with them. It is not your, my, nor anyone else's responsibility to implement SRS in the current framework. SRS isn't an RFC standard, in fact according to that page that you provided, it seems that they are moving towards the SUBMITTER parameter. Maybe people should have thought about these issues before rushing to support SPF in the first place?

SPF, in its current form, will die. Just give it time. The more support that you give for it, the more resistance to change will exist, and the longer it will take for it to die. The implementation of SPF was always severely flawed, and two years later, there has been hardly any progress at fixing those issues, and there are now several competing sender validation mechanisms, all of which are flawed in one way or another. The technology is all ridiculously short-sighted. It's a problem and not a solution.

Matt

Nick Hayer wrote:

Matt wrote:

Real-world issues include working around bad implementation, such as surfglobal.net not configuring their server to reject messages that fail SPF.

SRS is a work around - and I'm simply asking if anyone has implemented it on an Imail/Declude platform. Kindly stay on topic. I am aware of your feelings about SPF - all I'm doing is working out a solution with what is in place - an MTA bouncing my legit email.

I suggest you tell your customer that they can't forward their E-mail reliably unless surfglobal.net removes their SPF restrictions, and there is nothing that you can do about it.

Should I stamp my feet and make a face when I tell them that? :) I can simply ask SurfGlobal to accept me as a trusted sender - but I am trying to avoid that via SRS - so I will not have to make that call or any others.

-Nick
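The forwarding failure discussed in this thread and the SRS rewrite that avoids it, as an added example that is not part of the original messages and not Declude or IMail code. The SPF records, IP addresses (documentation ranges), secret and day numbers are constructed; the address follows the SRS0 layout, but the hash and timestamp encoding here are a simplified sketch and are not guaranteed to interoperate with any SRS library.

```python
import base64
import hashlib
import hmac
import ipaddress
import time

# Constructed SPF policies and addresses (documentation ranges), not real DNS data.
SPF = {
    "adelphia.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "greenmountainhealth.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
ORIGIN_IP = "192.0.2.10"        # assumed outbound MTA of the original sender
FORWARDER_IP = "198.51.100.25"  # assumed address of the forwarding server

SECRET = b"placeholder-secret"  # placeholder; a real deployment keeps this private
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21               # assumed validity window for bounces


def spf_check(client_ip, mail_from):
    """Evaluate only the ip4 mechanisms and the final 'all' of a record."""
    record = SPF.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def stamp(day):
    """Encode day-number mod 1024 as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def unstamp(ts):
    if len(ts) != 2:
        raise ValueError("malformed timestamp")
    ts = ts.upper()
    return B32.index(ts[0]) * 32 + B32.index(ts[1])


def tag(ts, domain, local):
    """Short keyed hash binding timestamp, original domain and local part."""
    msg = "=".join((ts, domain, local)).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest)[:4].decode()


def srs_forward(sender, forwarder_domain, today=None):
    """Rewrite the envelope sender so SPF is checked against the forwarder."""
    local, domain = sender.rsplit("@", 1)
    day = int(time.time() // 86400) if today is None else today
    ts = stamp(day)
    return f"SRS0={tag(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, today=None):
    """Recover the original sender for a bounce; reject forged or stale addresses."""
    local = address.rsplit("@", 1)[0]
    if not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    parts = local[5:].split("=", 3)
    if len(parts) != 4:
        raise ValueError("malformed SRS0 address")
    got, ts, domain, orig_local = parts
    if not hmac.compare_digest(got, tag(ts, domain, orig_local)):
        raise ValueError("hash mismatch")
    day = int(time.time() // 86400) if today is None else today
    if (day - unstamp(ts)) % 1024 > MAX_AGE_DAYS:
        raise ValueError("timestamp outside validity window")
    return f"{orig_local}@{domain}"


def demo():
    sender = "user@adelphia.net"
    direct = spf_check(ORIGIN_IP, sender)            # sender's own MTA delivers
    forwarded = spf_check(FORWARDER_IP, sender)      # alias forwards, sender unchanged
    rewritten = srs_forward(sender, "greenmountainhealth.com", today=13211)
    after_srs = spf_check(FORWARDER_IP, rewritten)   # checked against forwarder's SPF
    bounce_to = srs_reverse(rewritten, today=13215)  # a bounce four days later
    return direct, forwarded, rewritten, after_srs, bounce_to


if __name__ == "__main__":
    for value in demo():
        print(value)
```

The keyed hash and the expiry window are what keep the rewritten address from turning the forwarder into an open bounce relay: an address with an altered local part or an old timestamp is refused by `srs_reverse`.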
RE: [Declude.JunkMail] MXRATE FYI
Scott,

Thanks very much for the info.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Wednesday, March 01, 2006 12:14 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] MXRATE FYI

FYI: It looks like around January 26th the pub.mxrate.com IP4R DNS services were made private. Since then I've had no response from the DNS lists. They have discontinued the public service and made a private service available. If you are interested the URL is here: http://www.mxrate.com/Subscribe.asp

- Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
[Declude.JunkMail] V4 and Console
I noticed a console.txt file after upgrading to v4. This appears to have the summary line information from the V1 Console (deccon.exe). Is this a step towards the Console functionality being added back (I hope)? V4 seems to be OK so far. Thanks, George
RE: [Declude.JunkMail] Changes @ Declude
Same here too.

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Friday, February 10, 2006 2:27 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Changes @ Declude

Same here...

- Original Message -
From: John Carter [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, February 10, 2006 2:17 PM
Subject: RE: [Declude.JunkMail] Changes @ Declude

Sorry, Barry, not doubting you sent it, but didn't get the message here.

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 10, 2006 12:47 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Changes @ Declude

In the last 10 days we have received a number of inquiries to the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions:

* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0

Over and above that we are continuing to enhance and support both 3.0 and 4.0 and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements. I have responded to each and every customer who has contacted me since the email was sent out and if any one has any further questions they can contact me either by email or telephone (978) 499-2933.

Barry

--- [This E-mail was scanned for viruses by Declude EVA www.declude.com]
RE: [Declude.JunkMail] Changes @ Declude
Hi Andy,

Like you, I didn't get the e-mail from Barry. I did do as Kevin suggested in an earlier e-mail in this thread and called Barry. We had a very pleasant conversation during which he explained everything to me and answered all of my questions to my satisfaction. It's too bad that so many of us (and seemingly the vocal ones) didn't receive the original explanatory email. This thread would never have gotten to this point.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, February 10, 2006 5:19 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.JunkMail] Changes @ Declude

Hi Kevin,

I understand what you're saying - you believe Declude 4.0 is really just a Declude 3.x Suite vs. the Declude 3.x legacy products. New customers can only purchase the Suite, while old customers will continue to upgrade their individual products. The code base is the same. In that case, the confusion stems from using a version numbering scheme, instead of using a proper packaging scheme.

This would be comparable to what IpSwitch did eventually. New customers have to buy the bloated Imail suite, while existing customers can continue to buy service agreements for the Imail mail server product.

Let's see if Declude can confirm your understanding. Then we'll just have to find out what the subscription is. Is it a service agreement subscription (where you can continue to use the existing product version, even if the subscription is not renewed), or if it is a license subscription (where your license terminates if you fail to renew at some point).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Friday, February 10, 2006 04:20 PM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude

Declude 4.x is all the products in one with a common license key and are not separable. On the buying issue what do you get, the two products will be kept in parity feature wise.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] Behalf Of Andy Schmidt
Sent: Friday, February 10, 2006 11:02 AM
To: Declude.Virus@declude.com
Subject: RE: [Declude.Virus] Changes @ Declude
Importance: High

Has anyone figured out yet WHAT exactly Declude 4.0 IS? I'm looking around on the web site (figured, it's been days since I received the notice that it's available), but I still haven't seen anything on the web site that tells me what my extra money would be buying - or, what it is I'd be missing out on if I don't buy?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

From: [EMAIL PROTECTED] [mailto:Declude.Virus- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 10, 2006 01:47 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] Changes @ Declude

In the last 10 days we have received a number of inquiries to the email sent to every customer explaining the changes that are happening here at Declude. To summarize the answers to those questions:

* No existing customer is required to move to the new annual pricing.
* Our current customers can continue to pay the annual Service Agreements.
* No customer is required to move to 4.0

Over and above that we are continuing to enhance and support both 3.0 and 4.0 and we have provided great deals for customers wishing to move to the 4.0 version and also committed to keeping them on Service Agreements. I have responded to each and every customer who has contacted me since the email was sent out and if any one has any further questions they can contact me either by email or telephone (978) 499-2933.

Barry
RE: [Declude.JunkMail] elabs3.com
I agree in theory, but the user is the end judge of what they need from a business standpoint. So, add elabs6.com to the list.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Erik
Sent: Wednesday, February 08, 2006 3:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] elabs3.com

John,

We were at one point blocking them or weighted them heavy until several of our customers were complaining about missing emails. In my opinion should be blocked; but we are letting them come in now as well as elabs4.com. To me, they are on the same line as ed10.com, m0.net, etc.

Erik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, February 08, 2006 9:01 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] elabs3.com

What do others have about this sender?

John T
eServices For You
Seek, and ye shall find!
RE: [Declude.JunkMail] Content repetition and weighting
Mike,

If you use LOGLEVEL HIGH, the actual match will show in the JunkMail log.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Gable
Sent: Wednesday, December 31, 2003 11:59 AM
To: Declude (E-mail 2)
Subject: [Declude.JunkMail] Content repetition and weighting

If a weight is applied to filtered content in the body of a message, does the weight accumulate if the filtered item is repeated? I have a filter thus:

BODY 1 CONTAINS ;#10

Messages from some Asian country (Russia?), which looks like this: ???, leak through my filter file despite having dozens or hundreds of instances of this text combination ;#10 in the html body of the message. I was hoping that if the item repeats enough times the accumulated score would push it into the threshold score for hold or delete, but this does not seem to be the case.

Also, is there a way for Declude to include the actual filtered item in the X-Declude headers of the message instead of just the line number of the filtered item in the filter file? My filter file has hundreds of lines and it's almost impossible to identify what line it is matching on.
RE: [Declude.JunkMail] Nigerian Filter Creator Helper
Dan,

Why not use Kami's Nigerian Filter? He's done all of the work for you. Just remember to thank him.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Wednesday, December 31, 2003 12:15 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Nigerian Filter Creator Helper

Hello, All,

I'm looking for a type of utility that either specifically was written to do what I describe below or a utility which is a broad-based text massaging/manipulation utility which could be twisted to do the following.

I would like a utility that I could feed the bodies of nigerian scam letters into and it would basically create a list of all phrases of word length X to Y where X and Y are both numbers. It would capture information from each scam letter that I feed in and would generate an ordered list of each time the X to Y word length phrase appears in each letter. So, for example, if my X and Y were 3 and 5 it would generate a list of all 3 word, 4 word and 5 word phrases found in each message. Then it would add 1 to the tally of each time this phrase is found in any given unique nigerian scam letter. After I submit a certain letters, e.g. 20 (?), I would have a list of very commonly found phrases in Nigerian scam letters. I could then create a custom filter for DJM based on those phrases. Ultimately my filter might look something like...

# JunkMail.Filter.Nigerian.txt
BODY 10 CONTAINS Nigerian Federal Ministry
BODY 10 CONTAINS prayed for ALLAHS devine mercies
BODY 10 CONTAINS shores of Nigeria
BODY 10 CONTAINS we solicit for your

I was hoping that there might be a small utility that some of the Nigerian scam fighting organizations had released to generate keyphrase lists. Does this sound like a decent idea? Are there any good utilities to do this? Or is this something I'd have to write myself? Would it be prohibitively complicated to write a program like this for a person who hasn't done much programming? Or is this pretty straightforward?

Thanks In Advance,
Dan
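The phrase-tally utility requested in the message above, as an added example that is not part of the thread and not a Declude tool. The sample letters and the legitimate message are constructed, the function names are hypothetical, and the emitted phrases are lowercased on the assumption that the filter's CONTAINS match ignores case; it goes beyond the request by discarding phrases that also occur in known-good mail and by collapsing shorter phrases into the longest one with the same tally.

```python
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9']+")

# Constructed sample input: three scam-style letters and one legitimate message.
LETTERS = [
    "I am a director at the Nigerian Federal Ministry of Finance and we "
    "solicit for your help in this transaction.",
    "Our office in the Nigerian Federal Ministry requests that we solicit "
    "for your help with this transfer.",
    "Please reply. We solicit for your trust to move funds from the shores "
    "of Nigeria.",
]
HAM = ["Thank you for your help with the invoice."]


def phrases(text, min_words, max_words):
    """Return the set of all min_words..max_words word phrases in one message."""
    words = WORD.findall(text.lower())
    found = set()
    for n in range(min_words, max_words + 1):
        for i in range(len(words) - n + 1):
            found.add(" ".join(words[i:i + n]))
    return found


def common_phrases(letters, ham, min_words=3, max_words=5, min_letters=2):
    """Tally each phrase once per letter, then filter and de-duplicate."""
    counts = Counter()
    for letter in letters:
        # A set per letter means a phrase repeated inside one letter counts once.
        counts.update(phrases(letter, min_words, max_words))

    # Phrases seen in legitimate mail would cause false positives; drop them.
    benign = set()
    for mail in ham:
        benign |= phrases(mail, min_words, max_words)
    kept = {p: c for p, c in counts.items() if c >= min_letters and p not in benign}

    # Drop a phrase when a longer kept phrase contains it and has the same tally.
    result = []
    for p, c in kept.items():
        covered = any(
            q != p and kept[q] == c and f" {p} " in f" {q} " for q in kept
        )
        if not covered:
            result.append((p, c))
    return sorted(result, key=lambda pc: (-pc[1], pc[0]))


def filter_lines(results, weight=10):
    """Format tallied phrases in the BODY <weight> CONTAINS <phrase> form."""
    return [f"BODY {weight} CONTAINS {phrase}" for phrase, _ in results]


if __name__ == "__main__":
    ranked = common_phrases(LETTERS, HAM)
    for phrase, tally in ranked:
        print(tally, phrase)
    print("\n".join(filter_lines(ranked)))
```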
RE: [Declude.JunkMail] Sorting log
John,

If you need to do more than group by e-mail, what I do is to import the log into SQL2000 as a single column and then parse it with a T-SQL script using keywords, key phrases, unique characters and spaces in specific locations. Works really well and very fast.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, December 30, 2003 2:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Sorting log

That got it, thanks.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, December 30, 2003 11:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Sorting log

I need to sort a debug log to find all lines for a message. Problem is, some lines include just seconds of time, some include thousands of seconds. This is making it difficult to import into Excel. Can't use space as the delimiter. Can't use fixed width. Can't use tab. Any ideas on the fastest way to do this?

You're using the debug mode, which isn't designed to be processed in any way (aside from combining all lines with the same spool file name). The debug mode log file entries include the milliseconds (for debugging purposes G). If you are just looking for all lines for a message, you can use:

FIND "afe0021101d68bb7" dec.log /i

-Scott
RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality. functionality. functionality.
Matt,

Here are two analyses. The 11-15 to 11-30 covers the period from when I implemented your filters until I began using SKIPIFWEIGHT and MAXWEIGHT which obviously has some effect on the stats. The 11-15 to 12-21 expands the prior set to include the additional filters.

There's also the weighting effect to consider. While I run the OBFUSCATION and Y!DIRECTED at hold weight (15), I use the GIBBERISH like the COMMENTS test and accumulate weight per hit. Since my SKIPIFWEIGHT is set to my DELETE weight (60), the filters will run until that's reached.

These stats aren't a big deal to produce since it's all in a SQL database. I'll be implementing your new filter versions this coming weekend (with new names to avoid commingling stats). I do strip out comments since they become meaningless as the filter contents are resequenced by my system.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, December 22, 2003 10:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality. functionality. functionality.

George,

I think that logic can get you 95% of the way there with something as convoluted as this, that is run only about 1/3 of the time, and considering that you are only battling for about 2% of the processing power required by this filter alone, which shouldn't be too terribly much. Removing the comment blocks would probably have a bigger effect :) Changing to the new version of the filter should definitely help, though this isn't by far my most weighty filter.

Here's something that I'm very curious about though...the Y!DIRECTED filter contains a bunch of BODY searches for obfuscated strings, something that is almost totally redundant with the OBFUSCATION filter. I would be very curious to see how often those lines are hit because they could be dumped for a measurable performance increase. Any chance you want to take a crack at that? I wouldn't be surprised to see them never hit.

Matt

George Kulman wrote:

Matt,

I use LOGLEVEL HIGH for my data collection and analysis stuff and, as Bill pointed out, all hits are reflected. I've started to use SKIPIFWEIGHT. The result of course is that filters are bypassed and the statistics are skewed. For example on Friday 12/19, 15291 emails were processed by Declude on my system. Only 4604 were processed by the GIBBERISH filter. Of these 1328 had a total of 3854 hits.

My quandary now is to decide whether to use the new control functions of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to collect a full set of evaluation data by letting everything run. It's truly a catch-22 situation. If I collect all of the data, then I gain no benefit, since all of the processing takes place. If I take advantage of the analysis data, I reduce my processing workload but effectively destroy the validity of the statistical data which is now skewed by my filtering control.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, December 22, 2003 3:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality.

George,

That's good data to have. I would have to assume that something tagged as gibberish in the main test would be random, and that's fairly well indicated by the somewhat tight range of the two character strings. Unless you are using a logging feature that I'm not aware of, you are only showing the last hit that the filter produces, and that explains why the Z strings are mostly bunched at the top. I've got these ordered alphabetically and will probably leave them there for management purposes.

The counterbalances though are definitely something that I will use your information for reordering them. I believe I made an attempt to order these in the 2.0 filter version according to what I thought would be more common as well as what would be a faster search (BODY searches are slower than other things and will go lower in general, though a BODY search for base64 goes at the top because it is fairly common). Because of this and along with the above mentioned issue, the hit stats therefore aren't a perfect indication of what would save the most processing power, but it definitely helps if you just make some assumptions.

I hadn't gathered any stats myself on the Auto-generated Codes that I added in about a month or so ago, and it's nice to see that they're getting hit since I was really just brainstorming about what types of things might be seen. I might remove some entries though if they aren't showing being hit since they are BODY searches
RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality.
Matt,

I have no desire to get into an argument or flaming contest with you.

We agree that standard filters have a valuable place in this environment and we both use standard filters. We agree that neither of us have the desire to spend countless hours tweaking filters and that automated solutions are the way to simplify this effort. We have each taken different approaches using different methodologies and tools to do this, based on our own skill sets, backgrounds, need perceptions and other factors.

We are both appreciative of the effort that many people have put into developing and maintaining these products and freely sharing them with us, and I'm sure that we're both willing to contribute in any way we can to assist in these efforts.

We happen to disagree regarding the extent that these standard filters can be applied to our own specific environments. So be it. We also disagree on the value of analysis. So be it.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Robertson
Sent: Monday, December 22, 2003 10:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality.

I understand all that stuff, George, but I disagree completely that you can't apply global, updated rules to some aspects of the problem. As such a global filter repository can make a huge dent in virtually everyone's workload. Do we really all need to create our own filters to remove p.en1s pi11z from our inbox? Is having the ability to more quickly react to new spam bad?

Think of this as a virus definition list, except given Declude's modularity individuals can decide which virii they will allow themselves to be infected with.

Nothing in this world is going to be perfect, and certainly you can write your own filters until you're blue in the face. I've been tinkering constantly with Declude for something like two years, and I expect to continue. But I also expect to automate as much of this -- or any other job -- as possible. I have more profitable and less aggravating things to do than this. I'm sure you do too.

The community can benefit from some standardization and shared effort. Some here have already gone miles toward this goal, as many on this list know. I'm saying a Next Step should be taken, and anyone who wants to ignore the initiative is welcome to do so.

--Matt--
RE: [Declude.JunkMail] Order of processing various filter types.
Matt, On Dec 11th, Scott replied to John Tolmachoff: --- A while back, I had asked about the comparison in performance of a fromfile and a filter using MAILFROM ENDSWITH. But wouldn't Declude stop processing a fromfile as soon as a match is found, where in a filter it goes through the whole file? That will happen. :) In the current version, it will go through all entries. However, as you pointed out, there is no benefit in continuing processing with a fromfile after the first match is reached -- so the logic will be changed for the next release (and therefore giving the fromfile a slight performance advantage over filters -- but it would only be noticeable if there were a lot, perhaps 1000s, of entries). -Scott - This would indicate that using a MAILFROM filter rather than a fromfile and utilizing SKIPIFWEIGHT and END would provide the functional control without any performance loss. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, December 23, 2003 8:30 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Order of processing various filter types. Could you give me an idea about the order of processing for the following, or indicate which ones might be run according to where they lie in the Global.cfg? This will of course make a difference in performance, and I would like to provide good guidance myself as I comment up my filters for sharing with others. The types that I can come up with off the top of my head are as follows - ipblacklist - fromblacklist - ipfile - fromfile - spamdomains - filter The very general order is that IP-based spam tests come first, and everything else is done later. You could try looking through debug log file entries to try to get a better understanding of the order the tests are run in. That is something that we do not keep track of, as the tests are not all run at the same time (meaning that other code runs between tests as needed).
Also, if it's not that big of a deal in modifying the programming, would it be possible to add SKIPIFWEIGHT functionality to the non-filter types? That would start to get tricky. It works for the filters because each filter has many lines determining what should get caught. Some other tests do this (such as the sender blacklists), but other tests do not. Those that do would require a change in the way the files work (the sender blacklist just lists E-mail addresses or domains, and doesn't contain any commands). It's possible that we may work on this, but it would take a while (as we would have to add code for each test). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.
Matt, I thought you might be interested in the attached data which analyzes the GIBBERISH and ANTI-GIBBERISH filters by number of hits on my system from 11/15 through yesterday. If you're looking for effectiveness you should set the entries in descending order of probability. I use a variation which looks at date of most recent hit as well as hit count, although that's more important with filters that are being modified on a continual rather than a fairly static filter such as these two. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 9:52 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. I've made some huge leaps forward recently in terms of the processing power required to run Declude with the custom filters that I have installed. This was done by way of the SKIPIFWEIGHT functionality introduced in the latest beta, but also by way of re-ordering my filters in the Global.cfg file so that the easiest to process custom filters are run first in the hopes of avoiding the need to run more costly ones. This new version of GIBBERISH makes use of functionality introduced in the 1.77 beta, however the most recent interim release, 1.77i7, should be used in order to guarantee proper operation (initial versions would always end processing, and effectively disabled the filters). The END functionality removes the need to have ANTI filters since the filter can be stopped before it gets to the main filter matches, and it also presents another opportunity to save on the processing power required to run such things. This also makes use of the MAXWEIGHT functionality to limit the max score as well as end processing once a single hit has been scored. Note that the filter will only log (at the LOW setting) and show WARN actions when the filter is tripped and an END was not hit...which is great!
No more looking at non-scoring custom filters due to counterbalances :D Please read through the file and follow these instructions if you already have GIBBERISH installed: 1) Comment out the ANTI-GIBBERISH custom filter in your Global.cfg 2) Change the score of the GIBBERISH filter to 0 in your Global.cfg. 3) Change the scoring of the filter to match your system (it is scored by default for base 10 systems). This can be done by changing the MAXWEIGHT and Main Filter lines to reflect the multiple of 10 that your system is based on. 4) Change the SKIPIFWEIGHT score to reflect your delete weight, or whatever weight you would like for the filter to be skipped if the system has already reached it before processing the filter. The file can be downloaded from the following location: http://www.mailpure.com/software/decludefilters/gibberish/Gibberish_v2-0-1.zip Please report any issues with the new filter format. As soon as bugs stop being reported, I will move to convert the other dual file filters into single file alternatives which make use of the END functionality. Until the functionality goes into a full release, I'm going to continue to primarily provide the old style filters on my site. Matt gibberishdata.zip Description: Zip compressed data
RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.
Matt, I use LOGLEVEL HIGH for my data collection and analysis stuff and, as Bill pointed out, all hits are reflected. I've started to use SKIPIFWEIGHT. The result of course is that filters are bypassed and the statistics are skewed. For example on Friday 12/19, 15291 emails were processed by Declude on my system. Only 4604 were processed by the GIBBERISH filter. Of these 1328 had a total of 3854 hits. My quandary now is to decide whether to use the new control functions of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to collect a full set of evaluation data by letting everything run. It's truly a catch-22 situation. If I collect all of the data, then I gain no benefit, since all of the processing takes place. If I take advantage of the analysis data, I reduce my processing workload but effectively destroy the validity of the statistical data which is now skewed by my filtering control. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 3:17 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. George, That's good data to have. I would have to assume that something tagged as gibberish in the main test would be random, and that's fairly well indicated by the somewhat tight range of the two character strings. Unless you are using a logging feature that I'm not aware of, you are only showing the last hit that the filter produces, and that explains why the Z strings are mostly bunched at the top. I've got these ordered alphabetically and will probably leave them there for management purposes. The counterbalances though are definitely something that I will use your information for reordering them.
I believe I made an attempt to order these in the 2.0 filter version according to what I thought would be more common as well as what would be a faster search (BODY searches are slower than other things and will go lower in general, though a BODY search for base64 goes at the top because it is fairly common). Because of this and along with the above mentioned issue, the hit stats therefore aren't a perfect indication of what would save the most processing power, but it definitely helps if you just make some assumptions. I hadn't gathered any stats myself on the Auto-generated Codes that I added in about a month or so ago, and it's nice to see that they're getting hit since I was really just brainstorming about what types of things might be seen. I might remove some entries though if they aren't showing being hit since they are BODY searches and expensive. I'll probably still leave that list of Auto-generated Codes in alphabetical order though for management purposes. This shouldn't make a big difference considering that the most common one only gets hit about 1-3% of the time (don't know how common the filter fails a later line which ends up getting logged instead). If Declude did log every line that hits in a filter, you would see things like GIBBERISH hitting some attachments thousands of times per message, and I don't think that's worth the trouble. Data like this will make a much bigger impact on performance if you run it against filters where hits can only occur once in a file due to unique data or exact matching. Kami has a bunch of those. Thanks, Matt George Kulman wrote: Matt, I thought you might be interested in the attached data which analyzes the GIBBERISH and ANTI-GIBBERISH filters by number of hits on my system from 11/15 through yesterday. If you're looking for effectiveness you should set the entries in descending order of probability. 
I use a variation which looks at date of most recent hit as well as hit count, although that's more important with filters that are being modified on a continual rather than a fairly static filter such as these two. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 9:52 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. I've made some huge leaps forward recently in terms of the processing power required to run Declude with the custom filters that I have installed. This was done by way of the SKIPIFWEIGHT functionality introduced in the latest beta, but also by way of re-ordering my filters in the Global.cfg file so that the easiest to process custom filters are run first in the hopes of avoiding the need to run more costly ones. This new version of GIBBERISH makes use of functionality introduced in the 1.77 beta, however the most recent interim release, 1.77i7, should be used in order to guarantee proper
RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.
Matt, I do only use filters that work. There are a number of situations however that I believe make it impossible to effectively use only off the shelf filters. There are also valid reasons to perform my own analysis of filter effectiveness: First, everyone's spam mix is different, just as their e-mail mix is different. That's the first thing that Scott and others try to make clear to a newbie who's looking for a canned solution. Second, not everyone classes the same things as spam. I have clients who use dating services and others who don't want that type of e-mail. What kind of complaints would you get if you implemented Ipswitch's URL list as is? I know that I'd have an FP rate that would hurt my effectiveness. I also provide secondary MX services for a number of clients and see a lot of spam attempting to back-door their mail servers. Third, I use many BODY and HEADER filters which range from a few lines to a few thousand lines. These consume a tremendous amount of processing overhead as Scott has pointed out, but I have found them to be the most effective at killing spam. They can be a pain to maintain without a database, ease of updating and dupe checking, automated filter file generation and analysis of effectiveness. Regarding analysis and sequencing of these filters and the use of SKIPIFWEIGHT and END in particular; if I can get 80% of the hits in the first 20% of the entries and eliminate the rest of the unneeded processing, I'd be pretty stupid not to. I was just bemoaning that I'd be giving up some data collection that's been a big help. Thanks to changes that Scott has made lately, at least at a LOGLEVEL HIGH, the ability to effectively use individual log lines for data collection have simplified and enhanced that process. Fourth, I like and use many single function filters, particularly Matt Bramble's and I thank him again for the time he has put into them and his generosity for sharing them freely.
Every one of my clients has different needs and defines spam differently and the definitions, filters and actions have to reflect this. I, for one, will definitely pass on a central repository. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Robertson Sent: Monday, December 22, 2003 6:13 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. My quandary now is to decide whether to use the new control functions of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to collect a full set of evaluation data by letting everything run. It's truly a catch-22 situation. I came into this thread late, so my comments may not be strictly on point, but it seems to me the solution to this is to only use filters that work. Duh, right? In other words let the community validate and update Filter X and you simply plug in what you please. That means a centralized filter storage, update and distribution site. We actually aren't so far off that mark now. Look at Kami Razvan's ftp site and you'll find a treasure trove of filters there. A centralized filter repository would turn analysis of filter results into an academic exercise to satisfy curiosity, rather than the general necessity it is today. I implemented most of Kami's stuff last week (supplementing most of the filters already installed that came from Matt Bramble) and the result is a massive surge in my attach-to-kill ratio (on the kill side). There are so many I had to aggressively reorganize my global.cfg, but the results have been splendid, with the most processor-intensive filters not kicking in unless needed. I wrote a ColdFusion routine that downloads my selected filters, alters them to suit my skip and max weights, and uploads them to my mail server (the filters are regularly updated). Anyone who wants a copy let me know. -- --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc.
http://mysecretbase.com
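The two ordering ideas in this thread (entries in descending order of hit probability, and cheap searches ahead of expensive BODY searches) combine into one rule when a filter stops at its first hit: sort entries by hit rate divided by cost. The following is an added example, not code from the thread or from Declude; the entry names, hit rates, relative costs and hit counts are constructed, and entries are assumed to hit independently.

```python
"""Ordering filter entries when a filter stops at its first hit.

Simplified model, not Declude's own logic. Assumptions: every entry has a
measured hit rate and a relative cost, and entries hit independently.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Entry:
    name: str
    hit_rate: float  # hits / messages the entry was actually evaluated on
    cost: float      # relative cost; body searches are dearer than header ones


# Constructed sample data (hypothetical entry names, rates and costs).
SAMPLE_ENTRIES = [
    Entry("header-A", 0.10, 1.0),
    Entry("body-B", 0.30, 10.0),
    Entry("body-C", 0.02, 10.0),
    Entry("header-D", 0.05, 1.0),
]

# Constructed per-entry hit counts for a ten-entry filter.
SAMPLE_HIT_COUNTS = [520, 300, 90, 40, 25, 12, 6, 4, 2, 1]


def expected_cost(order):
    """Expected cost per message when evaluation stops at the first hit."""
    total, p_reach = 0.0, 1.0
    for entry in order:
        total += p_reach * entry.cost     # paid only if nothing hit earlier
        p_reach *= 1.0 - entry.hit_rate   # chance of continuing past entry
    return total


def by_hit_rate(entries):
    """Descending hit probability, ignoring cost."""
    return sorted(entries, key=lambda e: e.hit_rate, reverse=True)


def by_rate_per_cost(entries):
    """Descending hit rate per unit cost.

    Swapping two neighbours i, j changes the expected cost by a multiple of
    (p_j * c_i - p_i * c_j), so this order cannot be improved by any swap.
    """
    return sorted(entries, key=lambda e: e.hit_rate / e.cost, reverse=True)


def brute_force_best(entries):
    """Check the rule by trying every order (only feasible for short lists)."""
    return min(permutations(entries), key=expected_cost)


def entries_for_share(hit_counts, share):
    """How many of the most-hit entries account for `share` of all hits."""
    target = share * sum(hit_counts)
    running = 0
    for n, count in enumerate(sorted(hit_counts, reverse=True), start=1):
        running += count
        if running >= target:
            return n
    return len(hit_counts)


if __name__ == "__main__":
    for label, order in (("by hit rate", by_hit_rate(SAMPLE_ENTRIES)),
                         ("by rate/cost", by_rate_per_cost(SAMPLE_ENTRIES))):
        names = ", ".join(e.name for e in order)
        print(f"{label:13s} {names}  cost={expected_cost(order):.3f}")
    n = entries_for_share(SAMPLE_HIT_COUNTS, 0.8)
    print(f"{n} of {len(SAMPLE_HIT_COUNTS)} entries cover 80% of hits")
```

Hit rates fed into this should be measured over the messages an entry was actually run on, since a skip threshold removes messages from the sample before the filter sees them.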
[Declude.JunkMail] END Status
Scott, Has the END problem been fixed and released yet? Thanks, George
[Declude.JunkMail] Log enhancement request
Scott, Would it be possible to add the filter name to the log entry indicating the SKIPIFWEIGHT action (samples below).
12/09/2003 00:01:14 Q5703017b01e6dac7 Filter: Not skipping E-mail due to current weight of 36.
12/09/2003 00:01:14 Q5703017b01e6dac7 FILTER: Skipping E-mail with a current weight of 61 (=60)
Thanks, George
[Declude.JunkMail] WHITELISTFILE format question
In using the WHITELISTFILE option can the subdomain be example.com or must it be .example.com? In other words, if I want to whitelist mail from a domain that also has subdomains can I just use the entry of example.com or am I required to have the multiple entries of @example.com and .example.com? TIA, George
RE: [Declude.JunkMail] END statement in filters
Bill, Daniel, I'm running the 1.77 Beta with 8.04 and have the same problem. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, December 08, 2003 8:52 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] END statement in filters I reported experiencing the same thing last week with using the END flag, but that was while using the final interim release (I have not tested with the v1.77 beta yet). I found that even if none of the END lines matched, but other lines in the file did match, END causes Declude to skip the entire file without any further processing, which made the flag unusable. Daniel, what version of Declude are you running? If the v1.77 beta, then I won't bother testing it again. Bill - Original Message - From: Daniel Grotjan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, December 08, 2003 5:15 PM Subject: [Declude.JunkMail] END statement in filters Is anyone using the END statement in filters successfully? I am finding on my server that if I have an END anywhere in a filter it always ends, whether it matches that statement or not. I have tried this on several filters just to test and get the same results on all of them. I tried in the following format... BODYEND CONTAINS whatever text here Is this the correct format or am I doing something wrong? Also, not related, but I have setup a filter that many people have reported working successfully with the following... BODY 0 STARTSWITHg This doesn't ever fail on the spam that everyone is getting with the fake html tags. At first I thought it was the CR at the beginning of the email, but I remember Scott saying that declude was fixed so it overlooked it. All of these email have a random gkrsjflksh type tag as the first text in them, but they never fail. Is there something I am missing? -Daniel
RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me
IPBYPASS is great except for the 20 entry limitation. ATT, where many of my clients and myself have mailboxes that forward to my IMail server has 23 mail forwarders. Then add in the secondary MX's, etc. and I have to use multiple hops. BTW, how do you intend to do selective use of multiple hop scanning? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, December 05, 2003 11:34 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me That's why you should name it BONDEDSENDER-DYNA and why it doesn't matter on my system. The trick here is that Declude will skip over the DNS-based tests on anything beyond the first hop if the name has DUL or DYNA in it. Someone else is using CBL-DYNA in order to keep that test from throwing FP's when the originating computer's IP address is on the list, but used a legit mail server to send the E-mail (instead of direct delivery which is the real issue). Scanning multiple hops seems to be mostly useful in places where E-mail is being forwarded, which only exposes the legit forwarding machine. It would be great if there was some other way to identify when a message has been forwarded at the server level, and skip the last hop when that happens. I kind of doubt that this would be possible. In the mean-time, I am going to try IPBYPASSing the mail servers that are known to be forwarding to my server which should have the same effect as a selective use of multiple hop scanning. Matt George Kulman wrote: Matt, I do scan multiple hops. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, December 05, 2003 7:14 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me George, The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would definitely prevent it from scanning prior hops.
I find this test to be useful as it is IP based and helps some very important E-mail that tends to have issues with several major RBL's. I haven't started to scan on multiple hops yet, so this doesn't come into play. Matt George Kulman wrote: Rob, Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Friday, December 05, 2003 6:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)? Rob
RE: [Declude.JunkMail] Hijack Question
John, This is probably more than you wanted but I didn't want to post Scott's explanation out of context. I had a HiJack / Junkmail situation in August. This related to mail where I am the secondary MX. HiJack was doing a very effective job of trapping volume SPAM but I noticed that SPAM was slipping through after being released from HOLD1 and even in the process of being transferred to HOLD2. I had an off-line exchange with Scott and according to him, under these circumstances, the mail released from HOLD1 will NOT be processed by JunkMail. Here's Scott's explanation: Declude Hijack is involved with these E-mails because IMail reports them as external addresses, so Declude Hijack sees E-mails to these domains as being outgoing mail (when in reality they are incoming mail). As a result, if someone sends too much E-mail from one IP to these domain(s), it will be held. That's an interesting side-effect that we had not anticipated. We did decide to have Declude Hijack take priority over Declude JunkMail, because it would save a lot of CPU time during attacks, and the thought was that outgoing E-mail would not need to be scanned by Declude JunkMail. Scott, in response to a follow up message stated that the email would be Virus scanned. Unfortunately, this caused me to discontinue using HiJack since the spam handling was more important than the CPU cycles saved by having HiJack trap the spam up front. Really too bad, it was catching a lot of spam. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Saturday, December 06, 2003 2:02 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Hijack Question When Hijack releases a message from HOLD1, does it go right back to spool, or does it then get scanned for Virus and JunkMail? 
John Tolmachoff Engineer/Consultant/Owner eServices For You
RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me
My understanding is that CIDR ranges are not supported by IPBYPASS and I wouldn't want the whole Class C, just the part I need. I'm going to start a new thread on the IPBYPASS situation. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ISPHuset Nordic Sent: Saturday, December 06, 2003 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me Is it possible to set an iprange in IFBYPASS ? So that all 128 ips are set there ? Instead of using all the entries for this ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Kulman Sent: 6. desember 2003 09:49 To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me IPBYPASS is great except for the 20 entry limitation. ATT, where many of my clients and myself have mailboxes that forward to my IMail server has 23 mail forwarders. Then add in the secondary MX's, etc. and I have to use multiple hops. BTW, how do you intend to do selective use of multiple hop scanning? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, December 05, 2003 11:34 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me That's why you should name it BONDEDSENDER-DYNA and why it doesn't matter on my system. The trick here is that Declude will skip over the DNS-based tests on anything beyond the first hop if the name has DUL or DYNA in it. Someone else is using CBL-DYNA in order to keep that test from throwing FP's when the originating computer's IP address is on the list, but used a legit mail server to send the E-mail (instead of direct delivery which is the real issue). Scanning multiple hops seems to be mostly useful in places where E-mail is being forwarded, which only exposes the legit forwarding machine.
It would be great if there was some other way to identify when a message has been forwarded at the server level, and skip the last hop when that happens. I kind of doubt that this would be possible. In the mean-time, I am going to try IPBYPASSing the mail servers that are known to be forwarding to my server which should have the same effect as a selective use of multiple hop scanning. Matt George Kulman wrote: Matt, I do scan multiple hops. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, December 05, 2003 7:14 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me George, The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would definitely prevent it from scanning prior hops. I find this test to be useful as it is IP based and helps some very important E-mail that tends to have issues with several major RBL's. I haven't started to scan on multiple hops yet, so this doesn't come into play. Matt George Kulman wrote: Rob, Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Friday, December 05, 2003 6:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)? Rob
[Declude.JunkMail]
Scott, There was a thread started the other day regarding the limitation of 20 IPBYPASS entries. I mentioned in a separate thread that I require 23 for ATT forwarders plus my secondary MX's and a couple of other forwarders used by my clients. Can you increase the number of entries to a more realistic value of at least 50 - 100 or provide some other method as you did with the WHITELIST FILE? Thanks, George
RE: [Declude.JunkMail] Declude not taking action
Keith, Thanks. I hadn't seen it but I'll be on the lookout now. George -Original Message- From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Saturday, December 06, 2003 2:10 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Declude not taking action Although this is not the same issue as Declude not getting called, I did want to bring it to everyone's attention. For those of you that Store and Forward to other email servers, Imail 8.04 is having issues with removing body text from emails on the smtp rdeliver action to a remote server. I have tested it numerous times and have been able to reproduce it. Ipswitch is aware of it and acknowledges an issue and their dev. team is working to fix it. Keith attachment: winmail.dat
RE: [Declude.JunkMail] High % of spam from this IP range:
Marc Don't forget 64.119.208.0/24 George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Saturday, December 06, 2003 2:42 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] High % of spam from this IP range: 64.119.209.70 64.119.210.70 64.119.222.157 64.119.194.100 64.119.210.70 64.119.217.134 64.119.222.156 64.119.222.157 Out of about 40 held messages this morning these IP's were in about 10 of them. I'm going to add the following to a weighted (10) IP file so it will pass my delete weight if it fails just about any other test. A 64.119.209.0/24 64.119.210.0/24 64.119.222.0/24 64.119.194.0/24 64.119.217.0/24 After closer inspection, some of these ranges are already in one file, sigh... I hate spam... Maybe it's the blizzard, but I just felt like sharing this with all of you. Those of you on the east with me, stay safe and warm. Marc
RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me
Rob, Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Friday, December 05, 2003 6:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)? Rob
RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me
Matt, I do scan multiple hops. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, December 05, 2003 7:14 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me George, The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would definitely prevent it from scanning prior hops. I find this test to be useful as it is IP based and helps some very important E-mail that tends to have issues with several major RBL's. I haven't started to scan on multiple hops yet, so this doesn't come into play. Matt George Kulman wrote: Rob, Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Friday, December 05, 2003 6:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)? Rob
RE: [Declude.JunkMail] OT: FireWall VPN Opinion
Kevin, I'm not familiar with the Watchguard so I'll just comment on the Sonicwall where I support over 20 of them (various models). The SOHO3 will do what you've defined, VPN between them and remote VPN from client machines at the same time. Your choice whether to allow a VPN session on one Sonicwall to also VPN to the other Sonicwall. I use the Sonicwall client for the remote clients rather than the M$ IPSec. A couple of more bucks but more flexibility. We also use TELE3 TZ's at workers' homes to isolate their home business PC's. For interbranch communication one will require a static IP. For remote client VPN a static IP will also be needed on the second. An experienced user can set each one up from scratch (out of the box) in 15 min including VPN. Feel free to contact me OL or by phone (6 AM - 11 PM) EST. George Kulman Partner Ridge Systems, L.L.C. Cell - 201-647-3250 or 631-252-9026 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Sunday, November 16, 2003 3:49 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] OT: FireWall VPN Opinion I need to setup a VPN between two offices with under 25 computers one location and 5 at the other end. Both offices also need client remote VPN from windows XP What are your opinions on the SONICWALL and WATCHGUARD products Sonicwall SOHO 3 or Watchguard SOHO 6tc Kevin Bilbee
RE: [Declude.JunkMail] Request for additional filtering functionality
THANK YOU Scott! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Friday, November 14, 2003 9:44 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Request for additional filtering functionality As I continue to look for new potential in filtering, I have repeatedly come across some limitations which restrict what can be done effectively, difficulty in figuring the scoring of some variable filters, and challenges from the additional processing power required to counterbalance some filters, so I just wanted to request three different things which appear like they might be somewhat reasonable extensions to the current environment. I'm putting these all together in one message because, at least from my perspective, they are all related, and I didn't want to bother you repeatedly with such requests. Those requests are as follows: Thanks for the suggestions. Given the number of people that are now using filters in Declude JunkMail, and the size of them, it's about time for us to expand them a bit. LOG: 11/13/2003 20:43:02 Q331903a90080bcc8 Msg failed IPLINKED ([Score: 7] Message failed IPLINKED test (189)). Action=WARN. WARN: X-RBL-Warning: IPLINKED: [Score: 7] Message failed IPLINKED test (226) These two will be changed to use Message failed IPLINKED test (line 189, weight 7). TESTSFAILED: X-Weight: 16 (REVDNS [0], IPNOTINMX [0], IPLINKED [7], SPAMCOP [9]) This can be done in the next release with a new %TESTSFAILEDWITHWEIGHTS% variable. 2) Provide a method of defeating a custom filter (zero points) based on failing a specially marked test. This will be in the next release. END instead of the weight will force the test to end. 3) Provide a method of defining a maximum and/or minimum number of points that a particular custom filter can score. A MAXWEIGHT option will be in the next release, that will allow you to define the maximum weight that the test can add. If the maximum weight is reached, processing will stop (so any negative weights would need to go at the beginning of the test), and the maximum weight will be used instead of the actual weight (IE if you have MAXWEIGHT 60, and the filter is at 55 points with a line that would add 10 points, processing would stop with a weight of 60, not 65). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
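The MAXWEIGHT behaviour described in the reply above, modelled as an added example (not Declude's code and not part of the original thread). The (weight, matched) tuples, the function names and the sample weights are assumptions for illustration; the real filter-file syntax is not reproduced. It shows the 55 + 10 = 60 case and why counterbalancing negative weights have to come first.

```python
from typing import List, Optional, Sequence, Tuple

# One filter line: (weight added when the line matches, did it match this message)
Line = Tuple[int, bool]


def score_filter(lines: Sequence[Line], maxweight: Optional[int] = None) -> Tuple[int, int]:
    """Score one message; return (final weight, number of lines evaluated)."""
    total = 0
    for evaluated, (weight, matched) in enumerate(lines, start=1):
        if matched:
            total += weight
        # Cap reached: processing stops and the cap is reported,
        # not the running total (60, not 65, in the reply's example).
        if maxweight is not None and total >= maxweight:
            return maxweight, evaluated
    return total, len(lines)


def late_negative_lines(lines: Sequence[Line]) -> List[int]:
    """1-based positions of negative-weight lines placed after a positive one.

    With a cap in force these lines may never be evaluated, so a filter
    author would want them listed before the file goes live.
    """
    seen_positive = False
    late: List[int] = []
    for position, (weight, _matched) in enumerate(lines, start=1):
        if weight > 0:
            seen_positive = True
        elif weight < 0 and seen_positive:
            late.append(position)
    return late


# Constructed filter: three spam indicators and one counterbalance line
# (for example a line that recognises a known-good sender). Every line
# matches the sample message.
NEGATIVE_LAST: List[Line] = [(30, True), (25, True), (10, True), (-40, True)]
NEGATIVE_FIRST: List[Line] = [(-40, True), (30, True), (25, True), (10, True)]


if __name__ == "__main__":
    print("no cap, negative last :", score_filter(NEGATIVE_LAST))
    print("cap 60, negative last :", score_filter(NEGATIVE_LAST, maxweight=60))
    print("cap 60, negative first:", score_filter(NEGATIVE_FIRST, maxweight=60))
    print("late negative lines   :", late_negative_lines(NEGATIVE_LAST))
```

With the counterbalance line last, the cap is hit on the third line and the message scores 60; with it first, the same message scores 25.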
[Declude.JunkMail] URL Redirectors
Hi all, I have an IMail client who doesn't have budget funds available for Declude where these are easily filterable. A fair amount of their spam contains a URL redirection such as: http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id= leneyeiID=40gi=hallmark 1. Is anyone aware of a dnsbl that deals with spamming URL redirectors? 2. Is anyone aware of legitimate email using this type of URL? 3. Is the drs.yahoo.com ever used for legitimate email. TIA, George
RE: [Declude.JunkMail] URL Redirectors
Matt, Thanks for the info. It's still difficult for me to imagine a legitimate user having a redirected web site being pointed to as their web site in an email. More research I guess. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, November 12, 2003 2:37 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] URL Redirectors George, Spammers will use a variety of Yahoo sub-domains, most of which are valid. I'm not familiar with that one in particular, but it might help to search Google for examples of that showing up (that's how I do some of my research). http://www.google.com/search?hl=enlr=ie=UTF-8client=googletq=%22drs.yaho o.%2Bcom%22 Blocking that one address though would only be a fraction of the spam that actually uses Yahoo's redirection though. Yahoo does use it themselves of course, and they also have it configured for links in messages sent by third parties, such as Classmates for instance. Matt George Kulman wrote: Hi all, I have an IMail client who doesn't have budget funds available for Declude where these are easily filterable. A fair amount of their spam contains a URL redirection such as: http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id = leneyeiID=40gi=hallmark 1. Is anyone aware of a dnsbl that deals with spamming URL redirectors? 2. Is anyone aware of legitimate email using this type of URL? 3. Is the drs.yahoo.com ever used for legitimate email. TIA, George
RE: [Declude.JunkMail] URL Redirectors
Matt, I'm familiar with the Y!DIRECTED and other tests that you've so kindly made available. In this case I'm trying to find a way to identify these and block them with the basic IMail tests. If I can't, then I'll have to route all of their mail through my Declude Pro environment. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, November 12, 2003 5:16 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] URL Redirectors George, I did build a test for this exact thing and shared it on my site (called Y!DIRECTED), but I thought that you might have been more interested in that URL in particular and replied accordingly. My Y!DIRECTED filter will stop most of this stuff and it allows for places like Yahoo and Yahoo's ads (and counterbalances for the chance that a link might be forwarded or replied to and sent to a local user). It only works with Declude Pro (like all other custom filters). MailPure :: Filter Software :: Declude Filters http://www.mailpure.com/software/decludefilters/ Matt George Kulman wrote: Matt, Thanks for the info. It's still difficult for me to imagine a "legitimate" user having a redirected web site being pointed to as "their web site" in an email. More research I guess. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble Sent: Wednesday, November 12, 2003 2:37 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] URL Redirectors George, Spammers will use a variety of Yahoo sub-domains, most of which are valid. I'm not familiar with that one in particular, but it might help to search Google for examples of that showing up (that's how I do some of my research). http://www.google.com/search?hl=enlr=ie=UTF-8client=googletq=%22drs.yaho o.%2Bcom%22 Blocking that one address though would only be a fraction of the spam that actually uses Yahoo's redirection though. Yahoo does use it themselves of course, and they also have it configured for links in messages sent by third parties, such as Classmates for instance. Matt George Kulman wrote: Hi all, I have an IMail client who doesn't have budget funds available for Declude where these are easily filterable. A fair amount of their spam contains a URL redirection such as: http://drs.yahoo.com/effloresce/*http://click.com-click.com.ph/click.php?id = leneyeiID=40gi=hallmark 1. Is anyone aware of a dnsbl that deals with spamming URL redirectors? 2. Is anyone aware of legitimate email using this type of URL? 3. Is the drs.yahoo.com ever used for legitimate email. TIA, George
RE: [Declude.JunkMail] ldeliver interpretation
Katie, If you want the fully loaded mail / recipient count on the incomings try find "RCPT TO:" sys.txt /C /I George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, November 12, 2003 6:39 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] ldeliver interpretation Okay, so is there a way I can get a count before scanning by Declude? One option would be to count HELO and EHLO's, such as: find "HELO" sys.txt /c find "EHLO" sys.txt /c and add them. The drawback to this is that it will also include non-delivered E-mail (for example, someone doing a dictionary attack), and groups incoming/outgoing together. Alternatively, you could add the number of ldeliver/rdelivers to the number of E-mails held/deleted. -Scott
RE: [Declude.JunkMail] Delete based on word filter!
Dan, First, use phrases where possible instead of single words to minimize substring issues such as the end of e_s_s_e_x and many others like that. Second, after you have developed your list of words or phrases, run it by management for their analysis of any entries which could be part of legitimate mail. Third, in the beginning, use a COPYTO yourself or a special mailbox so that you can screen what's being deleted and easily recover a copy if needed. George Kulman Partner Ridge Systems, L.L.C. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne Sent: Wednesday, October 15, 2003 11:23 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Delete based on word filter! My superiors have asked me to start deleting email based on a word filter. The issue arose when the receptionist, who is our designated Spam Reviewer, complained that she saw the same words over and over and couldn't we just delete those spams before they got to her? Because as soon as she sees those words, she hits delete, so why can't Declude? We all know what types of words these are... I won't even attempt to get them past your own filters. Well, my answer was that Declude can, but the risks of accidentally deleting good mail outweighed the convenience of not having to hit delete. She went over my head and got the bosses on her side. Now I've gotta have a meeting with them and come up with a solution. Any suggestions? Prior to this, we haven't deleted anything outright until reviewed by the receptionist. Every time I hear them utter the word delete, my skin crawls. So my request from the list: Can you either give me some ammo to back up my side, or provide me with a solution that keeps her from having to see the nastygrams while still minimizing false-positives? Regards, Dan Horne, CCNA Web Services Administrator TAIS Web Wilcox World Travel Tours [EMAIL PROTECTED]
RE: [Declude.JunkMail] scrambled url in source of e-mail
Harry, A filter line of: BODY CONTAINS 0 %3982%30%37.biz will handle it just fine. I usually leave the www out of the filter to make it a shorter comparison. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand Sent: Thursday, September 04, 2003 9:33 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] scrambled url in source of e-mail How does one deal with scrambled source in the e-mail. For example I find the following address: www.%3982%30%37.biz I like to use the address in my filter file but am not sure if the scrambled form will work as I assume there must be a translation going on when this code gets processed thanks Harry Vanderzand inTown Internet Computer Services 11 Belmont Ave. W. Kitchener, ON N2M 1L2 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith Sent: Thursday, September 04, 2003 8:43 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Placing Weight in Header Duuuh.. Why didn't I think of that. FWIW, if you just put Weight: %WEIGHT% in the header then you might be breaking RFC's. There should be an X- before your "Weight" line which will denote a comment line. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GlobalWeb.net Webmaster Sent: Thursday, September 04, 2003 8:25 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Placing Weight in Header we use , in our global.cfg file, XINHEADER Weight: %WEIGHT% so you could put in yours: XINHEADER X-DECLDUE-WEIGHT: %WEIGHT% Sincerely, Randy Armbrecht Global Web Solutions, Inc. 804-346-5300 ext. 1877-800-GLOBAL (4562) ext. 1 http://globalweb.net -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith Sent: Thursday, September 04, 2003 7:39 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Placing Weight in Header Is there any way to place the total weight in the SMTP header? Something like: X-DECLUDE-WEIGHT: yyy
RE: [Declude.JunkMail] Need aid on Declude Header rule
Scott, Could this be done with some form of DNS based test where the test result(s) are only used in the $default$.junkmail for the specific domain? George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, September 03, 2003 7:55 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Need aid on Declude Header rule Since we house multiple domains (using spam filtering) and this filter test is used in the Global file it seems it would fail every other domain email (i.e. 1000 weight) that we house on the same box?! Is there a way to only define it for use in the default config file for that domain (we have the pro version), thus not be used for other domains? Thanks again for the aid. Unfortunately, there isn't any way to have different weights applied to different domains. -Scott
RE: [Declude.JunkMail] More and more email getting past Declude
The following ipblacklist entry with a high enough weight to reject will kill their stuff: 64.119.218.192/27 advertisingbymail.com George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Foulks Sent: Tuesday, September 02, 2003 10:16 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] More and more email getting past Declude Scott, I doubt it's a setup issue because I'm using the same setup that I've used for a year now. Also I am not the only one receiving more spam.. All of my users are as well... Anyway here is a piece of spam recently received (I've already blacklisted the sender) but it seems as soon as I blacklist a sender a new one is created. Received: from p.advertisingbymail.com [64.119.218.212] by mail.nfti.com (SMTPD32-6.06) id A91816D01A4; Tue, 02 Sep 2003 08:12:08 -0400 To: [EMAIL PROTECTED] Date: Tue, 2 Sep 2003 04:20:23 -0800 Message-ID: [EMAIL PROTECTED] From: Weight Solution [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Subject: Lose 10lbs in 1 Week X-MimeOLE: Prodigy Compatibility V 4.5c810f26 or later Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Declude-Sender: [EMAIL PROTECTED] [64.119.218.212] X-Declude-Spoolname: D89181a4.SMD X-Note: This E-mail was scanned by NFTISERV's Declude JunkMail for spam. X-Spam-Tests-Failed: None X-Weight: 0 X-Note: This E-mail was sent from p.advertisingbymail.com ([64.119.218.212]). X-RCPT-TO: [EMAIL PROTECTED] X-UIDL: 359866453 Status: U Greg -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry Sent: Tuesday, September 02, 2003 9:53 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] More and more email getting past Declude Is it just me or have spammers found other ways to get past scanners? I've been getting slammed lately with more and more spam that is getting past declude without a single hit. The two most common reasons for this are [1] A setup issue (a gateway/backup that Declude doesn't know about, bad DNS server, etc.), or [2] quasi-legitimate E-mail (for example, E-mail that you get after giving your E-mail address to a company but forgetting to uncheck the box that says It's OK to give my E-mail address to your affiliates or whatever). If you can post the full headers (including Received: headers; no need for the message body), I can probably provide some pointers for how to improve spam detection. -Scott
RE: [Declude.JunkMail] More and more email getting past Declude
Greg, After checking my ipblacklist, I have the entire Class C blocked due to multiple spammers. The entry is: 64.119.218.0/24 Assorted SPAM George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Foulks Sent: Tuesday, September 02, 2003 10:16 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] More and more email getting past Declude Scott, I doubt it's a setup issue because I'm using the same setup that I've used for a year now. Also I am not the only one receiving more spam.. All of my users are as well... Anyway here is a piece of spam recently received (I've already blacklisted the sender) but it seems as soon as I blacklist a sender a new one is created. Received: from p.advertisingbymail.com [64.119.218.212] by mail.nfti.com (SMTPD32-6.06) id A91816D01A4; Tue, 02 Sep 2003 08:12:08 -0400 To: [EMAIL PROTECTED] Date: Tue, 2 Sep 2003 04:20:23 -0800 Message-ID: [EMAIL PROTECTED] From: Weight Solution [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Subject: Lose 10lbs in 1 Week X-MimeOLE: Prodigy Compatibility V 4.5c810f26 or later Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Declude-Sender: [EMAIL PROTECTED] [64.119.218.212] X-Declude-Spoolname: D89181a4.SMD X-Note: This E-mail was scanned by NFTISERV's Declude JunkMail for spam. X-Spam-Tests-Failed: None X-Weight: 0 X-Note: This E-mail was sent from p.advertisingbymail.com ([64.119.218.212]). X-RCPT-TO: [EMAIL PROTECTED] X-UIDL: 359866453 Status: U Greg -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry Sent: Tuesday, September 02, 2003 9:53 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] More and more email getting past Declude Is it just me or have spammers found other ways to get past scanners? I've been getting slammed lately with more and more spam that is getting past declude without a single hit. The two most common reasons for this are [1] A setup issue (a gateway/backup that Declude doesn't know about, bad DNS server, etc.), or [2] quasi-legitimate E-mail (for example, E-mail that you get after giving your E-mail address to a company but forgetting to uncheck the box that says It's OK to give my E-mail address to your affiliates or whatever). If you can post the full headers (including Received: headers; no need for the message body), I can probably provide some pointers for how to improve spam detection. -Scott
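A way to check observed sender addresses against existing CIDR blacklist entries before adding new ranges, covering the overlap between the /27 and /24 entries above and the "already in one file" duplication mentioned in the earlier IP-range thread. This is an added example, not Declude's code or anything posted to the list; the one-entry-per-line "CIDR comment" layout and the function names are assumptions, and the addresses are the ones quoted in these threads.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# The two entries quoted in the replies above (file layout is an assumption).
BLACKLIST_TEXT = """\
64.119.218.192/27 advertisingbymail.com
64.119.218.0/24 Assorted SPAM
"""

# Sender addresses quoted in the threads (duplicates kept as posted).
OBSERVED = [
    "64.119.218.212",
    "64.119.209.70", "64.119.210.70", "64.119.222.157", "64.119.194.100",
    "64.119.210.70", "64.119.217.134", "64.119.222.156", "64.119.222.157",
]

Entry = Tuple[ipaddress.IPv4Network, str]


def parse_blacklist(text: str) -> List[Entry]:
    """Parse 'CIDR comment' lines; a malformed CIDR raises ValueError."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cidr, _, comment = line.partition(" ")
        entries.append((ipaddress.ip_network(cidr, strict=True), comment.strip()))
    return entries


def redundant_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(narrow, broad) pairs where the narrow entry is inside the broad one."""
    nets = [net for net, _ in entries]
    return [(str(a), str(b)) for a in nets for b in nets
            if a != b and a.subnet_of(b)]


def triage(observed: List[str], entries: List[Entry],
           prefix: int = 24) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Split observed IPs into already-covered and candidate new ranges.

    Returns (covered, candidates): covered maps each IP to the most specific
    existing entry containing it; candidates maps each proposed /prefix
    network to the distinct observed IPs that fall inside it.
    """
    covered: Dict[str, str] = {}
    candidates: Dict[str, set] = defaultdict(set)
    for text in observed:
        ip = ipaddress.ip_address(text)
        hits = [net for net, _ in entries if ip in net]
        if hits:
            covered[text] = str(max(hits, key=lambda net: net.prefixlen))
        else:
            proposed = ipaddress.ip_network(f"{text}/{prefix}", strict=False)
            candidates[str(proposed)].add(text)
    return covered, {net: sorted(ips) for net, ips in candidates.items()}


if __name__ == "__main__":
    entries = parse_blacklist(BLACKLIST_TEXT)
    covered, candidates = triage(OBSERVED, entries)
    print("redundant:", redundant_entries(entries))
    print("covered  :", covered)
    for net in sorted(candidates):
        print("candidate:", net, candidates[net])
```

The count of distinct addresses per candidate range is the evidence for choosing between a weighted entry and an outright block for that range.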
RE: [Declude.JunkMail] Daily humor.../ obfuscation techniques
Rusty, Since they're all trying to get your money, they always have a URL or phone number, possibly obfuscated, which you can block with a filter if you have the PRO Version. I think that this is my fastest growing filter file. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rusty Sent: Thursday, August 21, 2003 7:29 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Daily humor.../ obfuscation techniques How about this: W<!--9355qlucdaaj1r-->e ca<!--f82i0s3gi8-->n he<!--bq9mouyeg00-->lp! W<!--xw2caw20blq-->e c<!--ayad78v6wy622-->an conso<!--n9yzt03rfbczu-->lidate The entire message was coded like this as HTML, so when the user received it, all the comment tags were not shown. rusty -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Thursday, August 21, 2003 11:46 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Daily humor... Check-out this obfuscation technique: ;-) -E---y---P---G -n---o---e---u -l---u---n---a -a---r---i---r -r---s---a -g---n -e---t -e -e -d Bill
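An added example, not part of the original messages: a Python sketch of normalizing an HTML body to the text a mail client would display before applying phrase filters, so that words split by HTML comments (the trick Rusty quotes) still match. The sample body, the phone number, the URL and the phrase list are constructed for illustration, and the handling of inline tags and character entities goes beyond the single case quoted in the thread.

```python
import html
import re

# An unterminated comment hides the rest of the body, so match up to "-->" or end.
COMMENT_RE = re.compile(r"<!--.*?(?:-->|\Z)", re.S)
# Block-level tags separate words when rendered; inline tags do not.
BLOCK_TAG_RE = re.compile(r"</?(?:p|br|div|tr|td|li|h[1-6])\b[^>]*>", re.I)
ANY_TAG_RE = re.compile(r"<[^>]*>")
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample modelled on the quoted message: random-looking HTML
# comments are dropped into the middle of words and of a phone number.
SAMPLE_HTML = (
    "<html><body><p>W<!--9355qlucdaaj1r-->e ca<!--f82i0s3gi8-->n "
    "he<!--bq9mouyeg00-->lp!</p>"
    "<p>W<!--xw2caw20blq-->e c<!--ayad78v6wy622-->an "
    "conso<!--n9yzt03rfbczu-->lidate</p>"
    "<p>Call 5<!--a1-->55-01<!--b2-->00 or visit "
    '<a href="http://offers.example/x">our site</a></p></body></html>'
)

# Hypothetical filter phrases (a keyword, a phone number, a URL host).
PHRASES = ["consolidate", "555-0100", "offers.example"]


def visible_text(body):
    """Return roughly what the recipient sees: no comments, no tags."""
    text = COMMENT_RE.sub("", body)      # comments render as nothing
    text = BLOCK_TAG_RE.sub(" ", text)   # paragraph breaks become spaces
    text = ANY_TAG_RE.sub("", text)      # inline tags vanish, joining the word
    text = html.unescape(text)           # "&#115;" becomes "s"
    return " ".join(text.split())


def link_targets(body):
    """Return href values, which never appear in the visible text."""
    cleaned = COMMENT_RE.sub("", body)
    return [html.unescape(url) for url in HREF_RE.findall(cleaned)]


def filter_hits(body, phrases, normalize=True):
    """Case-insensitive phrase match on the raw or the normalized body."""
    if normalize:
        haystack = " ".join([visible_text(body)] + link_targets(body))
    else:
        haystack = body
    haystack = haystack.lower()
    return [p for p in phrases if p.lower() in haystack]


if __name__ == "__main__":
    print("rendered  :", visible_text(SAMPLE_HTML))
    print("raw hits  :", filter_hits(SAMPLE_HTML, PHRASES, normalize=False))
    print("clean hits:", filter_hits(SAMPLE_HTML, PHRASES, normalize=True))
```

Matching on the raw source finds only the URL host, while matching on the normalized text also finds the keyword and the phone number.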
RE: [Declude.JunkMail] Picking up just User Name in email?
Kami, Why not MAILFROM0STARTSWITH*@ George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Tuesday, August 19, 2003 7:34 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Picking up just User Name in email? Hi: Is there a filter that can only pickup the UserID rather than the entire Mailfrom? [EMAIL PROTECTED] [EMAIL PROTECTED] we are seeing a lot of spam from [EMAIL PROTECTED] and it would be good to be able to have a filter like: USERIDIS * Regards, Kami
RE: [Declude.JunkMail] dashes in domains
Kami, Please whitelist my Almost-On-Line.com domain which I use for AOL convertees and also use as a honey pot. George Kulman Partner Ridge Systems, L.L.C. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Thursday, July 24, 2003 9:15 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] dashes in domains Hi; It seems like with all the spammish domains being taken now more and more we see domains with lots of dashes.. Double dashes! - @ADULT---WEB-CAM.COM - @CHINA--V.COM - @girls--panties.com Single dashes! - @home-loan-quotes-direct.com - @horny-wild-girls.us - @u-need-1nk-we-th1nk.com - .2-buy-drugs-online4sale.com - .best-adult-mail.com - .best-offers-found-here.com - .cheat-on-my-husband.com - .come-n-get-me.com - .cut-to-the-chase.com - .daily-specials-daily1.com - .daily-specials-now.com - .debt-consolidation-direct-online.com - .direct-online-sales.com - .dont-miss-this-deal.com - .drug-store-4-now.com - .fast-quotes-direct.com - .fix-the-computer.com - .for-your-credit.com this is just a simple query of our database many more as I am sure you agree... What if? a test that we can give weight on number of dashes in a domain? I am yet to see companies with more than one dash.. I can even go as far as two dashes but any company with more than 2 dashes in their domain is somehow looking at a marketing issue since giving that address to anyone is just too difficult. I am sure in this group of all admins we can do a good review of domains and see if this observation makes any sense. Thoughts? Regards, Kami
RE: [Declude.JunkMail] Tuning Declude
Dan, I feel that this is as much art as science and that there's no simple 'one size fits all' solution. I haven't done any hard statistical testing but here's my setup. I use the JunkMail default weightings and find that a WEIGHT of 16 gives very few false positives, probably less than 1 in a thousand, so I class of that all as SPAM and HOLD IT. I do a cursory manual review once a day before deleting them. I COPYTO an analysis address (similar to your jmillionaire) all with a WEIGHT of 10 to 15 for evaluation. I have an IPBLACKLIST file with approx 330 addresses and ranges that I've developed from the evaluation process. I use the reverse DNS lookup at www.samspade.org as a helpful tool for this. I also have a number of filters for domains and countries (over 600 entries), mailservers, and content. I treat all of these as SPAM when matched. I have found that each of the domains I process for has a different group of spammers. It all depends on what their business is, where they go on the web, etc. I'd strongly recommend that you not rely on your single domain for evaluation but that you use a COPYTO for various tests in all of the domains you process to get a more accurate feel for what's being processed. Even if you add a few at a time so that you're not buried in the deluge. It took me about a month to get to where I was happy with the result and now takes about an hour a day to review stay on top of it. My volume is a paltry 10K e-mails a day with about 60% SPAM. There are many tools available as well as filter lists that you can use as a starting point - check the Declude web site for Tools. George Kulman Partner Ridge Systems, L.L.C. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Geiser Sent: Thursday, February 13, 2003 12:27 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Tuning Declude Hello, All, I've been running Declude.JunkMail for a few days now. We have about 90 domains on our IMail v6.06 Server. 
I have setup Declude.JunkMail to ignore all of the domains except for one, our in-house domain NEXUSTECHGROUP.COM. My $default$.junkmail for NEXUSTECHGROUP.COM still has all of the default tests enabled. I have setup a bogus e-mail address, [EMAIL PROTECTED], and for each test my action is COPYTO [EMAIL PROTECTED] so I can see all of the e-mails that Declude.JunkMail sees as possible spam. On my e-mail client I have setup a folder to drop all of the jmillionaire mail into. As messages are filtered into this folder I divide them into 2 categories, False Positives and True Positives. For each message I am tracking which Declude.JunkMail tests those messages are failing which has given me a sheet full of data which looks something like this... False Positives === BADHEADERS II BASE64 I DSBL I HELOBOGUS III IPNOTINMX III MAILFROM I MONKEYPROXIES I NOABUSE NOPOSTMASTER II OSSRC REVDNS I ROUTING III SPAMCOP I SPAMHEADERS WEIGHT10 I WEIGHT20 I WIREHUB-DNSBL II True Positives == BADHEADERS I DSBL I HELOBOGUS III IPNOTINMX III MONKEYPROXIES I NOPOSTMASTER I OSPROXY I REVDNS SPAMCOP I WEIGHT10 III WEIGHT20 I WIREHUB-DNSBL I This data sheet allows me to see which tests are catching a lot of False Positives. (Note: From reading the Manual I'm aware that IPNOTINMX will catch a lot of false positives but that it can be used when weighting comes into play) Has anyone else done it this way? So in the above example I can see that IPNOTINMX is catching a heck of a lot of FALSE POSITIVES. If I was trying to minimize the amount of FALSE POSITIVES I could switch that to IGNORE and then I could start tracking message again and see if my True Positive numbers stay up while my False Positive number go down. Anyway, just using the tests themselves without any sort of weighting seems to be a heavy-handed way of doing things so obviously I would like to bring weighting into the picture but I am at sort of an impasse in my knowledge so I'm reaching out to the group. 
Quandry #1) How to use Declude.JunkMail to weight messages from a technical standpoint I understand the concept of weighting the e-mails from an abstract level but it's not clear to me from a technical level how Declude implements it. There are big holes in my understanding of the purpose of the global.cfg vs. the $default$.junkmail files. Is there a step-by-step breakdown of each line of global.cfg somewhere that I can read? I've been reading the JunkMail Manual and it makes mention of different entries as needed but there doesn't seem to be a comprehensive explanation of the cfg as a whole. Once I understand what each line in the cfg does I would then like to read a how-to concerning how one goes about implementing weighting
[Declude.JunkMail] IPBlacklist CIDR Question
Scott, When JunkMail does a CIDR calculation from an entry in ipblacklist.txt file does it use the actual value of the IP address that is listed or does it calculate what it believes to be the correct range of addresses? For example, how would the following entry be interpreted? 216.162.101.110/27 A. from 216.162.101.110 to 216.162.101.141 or B. from 216.192.101.96 to 216.162.101.127 TIA, George Kulman Partner Ridge Systems, L.L.C.
[Declude.JunkMail] HiJack Enhancement
Scott, I find that HiJack catches a meaningful amount of SPAM for the store and forward domains and probably also helps out on Dictionary Attacks as well. It seems like some spammers deliberately target secondary MX's with the thought that they can sneak stuff through more easily. It appears that HiJack keeps it records in memory and, if there's a restart on Declude.exe the statistics are reset. If this is a correct interpretation, would it be possible to maintain this data in a editable file which would be loaded by HiJack on a restart? Also to add a persistence parameter that would enable us to set a time period for retention of entries in the file, 10 days for example. That would keep the list from growing infinitely. George Kulman Partner Ridge Systems, L.L.C.
RE: [Declude.JunkMail] IPBlacklist CIDR Question
Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Sunday, February 02, 2003 9:12 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] IPBlacklist CIDR Question When JunkMail does a CIDR calculation from an entry in ipblacklist.txt file does it use the actual value of the IP address that is listed or does it calculate what it believes to be the correct range of addresses? It calculates the full range of addresses. So: For example, how would the following entry be interpreted? 216.162.101.110/27 A. from 216.162.101.110 to 216.162.101.141 or B. from 216.192.101.96 to 216.162.101.127 This would be treated as B. That way, if you have an IP, you can enter it and the CIDR range without having to make sure that it is set up properly (so you can enter 192.0.2.25/24 and get the whole 192.0.2.0-192.0.2.255 range without having to change it to 192.0.2.0/24). -Scott
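An added example, not part of the original messages and not Declude's own code: a Python sketch of the two readings of a blacklist entry whose address has host bits set, using the entries from this exchange. The file layout assumed here (one address or address/prefix per line followed by a free-text comment) follows the single entry quoted earlier on the page; the sample file itself is constructed.

```python
import ipaddress

# Constructed sample in the assumed "<ip>[/<prefix>] <comment>" layout.
SAMPLE_BLACKLIST = """\
64.119.218.0/24 Assorted SPAM
216.162.101.110/27 entry from the question
192.0.2.25/24 entry from the answer
192.0.2.77 single host already inside the /24 above
not-an-ip broken line
"""


def range_b(entry):
    """Reading B: mask off the host bits and cover the enclosing block."""
    net = ipaddress.IPv4Interface(entry).network
    return str(net.network_address), str(net.broadcast_address)


def range_a(entry):
    """Reading A: start at the listed address and count one block's worth."""
    iface = ipaddress.IPv4Interface(entry)
    size = iface.network.num_addresses
    last = min(int(iface.ip) + size - 1, 2**32 - 1)  # stay inside IPv4 space
    return str(iface.ip), str(ipaddress.IPv4Address(last))


def load_blacklist(text):
    """Parse entries under reading B.

    Returns (networks, rejected_lines). Entries already covered by a wider
    entry are dropped, so the list is the minimal set of blocks to test.
    """
    nets, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        token = line.split()[0]
        try:
            nets.append(ipaddress.IPv4Interface(token).network)
        except ValueError:  # malformed address or prefix length
            rejected.append(line)
    return list(ipaddress.collapse_addresses(nets)), rejected


def is_listed(ip, nets):
    """True when the connecting IP falls inside any blacklisted block."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    entry = "216.162.101.110/27"
    print("A:", range_a(entry))
    print("B:", range_b(entry))
    nets, bad = load_blacklist(SAMPLE_BLACKLIST)
    print("blocks  :", [str(n) for n in nets])
    print("rejected:", bad)
    for ip in ("64.119.218.212", "216.162.101.100", "216.162.101.141"):
        print(ip, "listed" if is_listed(ip, nets) else "not listed")
```

Under reading B the block reaches down to .96, so an address such as 216.162.101.100 is blocked even though it is below the one typed in, while .141 is not.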
RE: [Declude.JunkMail] HiJack Enhancement
Thanks again Scott. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Sunday, February 02, 2003 9:28 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] HiJack Enhancement I find that HiJack catches a meaningful amount of SPAM for the store and forward domains and probably also helps out on Dictionary Attacks as well. It seems like some spammers deliberately target secondary MX's with the thought that they can sneak stuff through more easily. Yes, many spammers have caught on that sending to secondary MX's makes it more likely that the E-mail will not get caught. It appears that HiJack keeps it records in memory and, if there's a restart on Declude.exe the statistics are reset. Correct. If this is a correct interpretation, would it be possible to maintain this data in a editable file which would be loaded by HiJack on a restart? Also to add a persistence parameter that would enable us to set a time period for retention of entries in the file, 10 days for example. That would keep the list from growing infinitely. That's a very good idea -- I'll see if we can incorporate that into Declude Hijack. -Scott
[Declude.JunkMail] Filter Question
Hi Scott, Nothing like a quiet Sunday morning to get the questions going. I have a filter question and will use the following header to explain. The e-mail is being handled correctly by JunkMail according to the GLOBAL.CFG settings I would like to be able to filter on the domain names of mailservers in the chain. In this case I would like to have an entry such as WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter screening criteria for the mailservers in the chain). I know I can use HEADER for this but is there a parameter I've missed that would let me have these checked as JunkMail is parsing to do its thing on each of the hops. I have HOPHIGH 6 in my GLOBAL.CFG. I realize that this particular piece of SPAM has been identified as such by many other tests, but that's not the question here. As always, thanks for the time. George Kulman Partner Ridge Systems, L.L.C. Example Header follows: *** Received: from mtiwmhc14.worldnet.att.net [204.127.131.114] by mail.ridge-systems.com with ESMTP (SMTPD32-7.13) id A1E0250252; Sun, 02 Feb 2003 09:57:36 -0500 Received: from mtiwmhc14.worldnet.att.net ([127.0.0.1]) by mtiwmhc14.worldnet.att.net (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with ESMTP id [EMAIL PROTECTED] net for [EMAIL PROTECTED]; Sun, 2 Feb 2003 14:56:07 + Received: from data.aebolts.com ([216.171.211.31]) by mtiwmhc14.worldnet.att.net (mtiwmhc14) with ESMTP id 2003020214560611400kmvlje; Sun, 2 Feb 2003 14:56:06 + Received: from data.aebolts.com (data.aebolts.com [216.171.211.31] (may be forged)) by data.aebolts.com (8.12.6/8.12.6) with ESMTP id h12FSook018111 for [EMAIL PROTECTED]; Sun, 2 Feb 2003 07:28:50 -0800 Received: (from root@localhost) by data.aebolts.com (8.12.6/8.12.6/Submit) id h12FSo64018109; Sun, 2 Feb 2003 07:28:50 -0800 Message-Id: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] From: Rick Wagner [EMAIL PROTECTED] Subject: Date: Sun Feb 2 01:05:00 PST 2003 MIME-Version: 1.0 Content-Type: text/html; 
Content-Transfer-Encoding: 7bit X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?216.171.211.31 X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [801e]. X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1] X-Declude-Spoolname: D31e0002502523542.SMD X-Spam-Tests-Failed: 15 SPAMCOP, BADHEADERS, IPNOTINMX, WEIGHT10 X-Note: This E-mail was sent from (Private IP) ([127.0.0.1]). X-Country-Chain: UNITED STATES-destination X-ALLRECIPS: [EMAIL PROTECTED] X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 341851603
RE: [Declude.JunkMail] Filter Question
Scott, OK. I'll leave you alone for the rest of today G. BTW, HiJack has trapped over 500 pieces of SPAM this weekend for 2 domains whose Primary MX's have been up and running the entire time. JunkMail got another 400+ for 1 of those domains. Just shows how the spammers are going after the secondary MX's. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Sunday, February 02, 2003 11:59 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Filter Question I would like to be able to filter on the domain names of mailservers in the chain. In this case I would like to have an entry such as WHATEVER CONTAINS .aebolts.com (Where WHATEVER is a valid filter screening criteria for the mailservers in the chain). I know I can use HEADER for this but is there a parameter I've missed that would let me have these checked as JunkMail is parsing to do its thing on each of the hops. I have HOPHIGH 6 in my GLOBAL.CFG. No, there isn't any other parameter aside from HEADERS that you could filter on in this case. Although Declude JunkMail does look at the server names, the only one it cares about is one corresponding to the remote mailserver (the HELO parameter in filtering). In this case, I would recommend using something like: HEADERS 5 CONTAINS .aebolts.com ( Adding the ( there should prevent virtually all other headers from triggering the filter (for example, you could have Subject: We have to do something about these .aebolts.com E-mails! that wouldn't get caught). It's not quite as accurate as it would be if there was a parameter that just searched the server names, but it's pretty close. -Scott
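An added example, not part of the original messages and not Declude's own logic: a Python comparison of three ways to catch a relay domain in the header chain, namely a plain substring, the substring with the trailing " (" suggested above, and matching on host names parsed out of the Received: lines. The HEADERS CONTAINS test is modelled here as a case-insensitive substring search over the unfolded headers, which is an assumption; the three header blocks are constructed, using the Received: layouts and the Subject line quoted in the thread.

```python
import re

# Constructed header blocks. RELAYED: the host handed mail to another relay,
# which logged it as "from host ([ip])". DIRECT: the host connected straight
# to the local server, which logs "from host [ip]" (the SMTPD32 layout seen
# on this page). UNRELATED: only the Subject mentions the domain.
RELAYED = """\
Received: from relay.example.net [192.0.2.10] by mail.example.org
    with ESMTP (SMTPD32-7.13) id A1E0250252; Sun, 02 Feb 2003 09:57:36 -0500
Received: from data.aebolts.com ([216.171.211.31])
    by relay.example.net (relay) with ESMTP id 0001; Sun, 2 Feb 2003 14:56:06 +0000
Subject: hello
"""
DIRECT = """\
Received: from data.aebolts.com [216.171.211.31] by mail.example.org
    with ESMTP (SMTPD32-7.13) id A1E0250253; Sun, 02 Feb 2003 10:01:00 -0500
Subject: hello
"""
UNRELATED = """\
Received: from relay.example.net [192.0.2.10] by mail.example.org
    with ESMTP (SMTPD32-7.13) id A1E0250254; Sun, 02 Feb 2003 10:05:00 -0500
Subject: We have to do something about these .aebolts.com E-mails!
"""

# A host name after "from" or "by"; at least one dot, so "root" is skipped.
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.I)


def unfold_headers(raw):
    """Join folded continuation lines; return [(lowercased name, value)]."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def headers_contain(raw, needle):
    """Substring test over every unfolded header line."""
    text = "\n".join(f"{n}: {v}" for n, v in unfold_headers(raw)).lower()
    return needle.lower() in text


def received_hosts(raw):
    """Host names recorded in Received: lines, newest hop first.

    Only the hop written by your own server is trustworthy; names in
    earlier hops are whatever the sending side chose to record.
    """
    hosts = []
    for name, value in unfold_headers(raw):
        if name == "received":
            hosts.extend(h.lower() for h in HOST_RE.findall(value))
    return hosts


def host_in_domain(host, domain):
    """Label-aligned suffix match, so lookalike hosts do not count."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def chain_has_domain(raw, domain):
    return any(host_in_domain(h, domain) for h in received_hosts(raw))


if __name__ == "__main__":
    for label, raw in (("relayed", RELAYED), ("direct", DIRECT), ("unrelated", UNRELATED)):
        print(f"{label:9} plain={headers_contain(raw, '.aebolts.com')!s:5} "
              f"paren={headers_contain(raw, '.aebolts.com (')!s:5} "
              f"parsed={chain_has_domain(raw, 'aebolts.com')}")
```

The plain substring fires on the Subject line; the " (" form avoids that but misses the host when your own server logs it in the "from host [ip]" layout, which the parsed match still catches.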
[Declude.JunkMail] Final Action
Scott, I run Junkmail at a log setting of HIGH. After switching to 166i11 I have noticed that the last log entry for every e-mail reads Final Action = IGNORE. This is the case even though various tests may show Actions of WARN, COPYTO, or ROUTETO. What's the story? Thanks, George Kulman Partner Ridge Systems, L.L.C.
RE: [Declude.JunkMail] OT: Pots Kettles in the Clair de Lune
They belong on the same list as Citicorp its subsidiaries. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sanford Whiteman Sent: Thursday, January 09, 2003 2:54 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] OT: Pots Kettles in the Clair de Lune All, A noteworthy encounter with the officious admin of a combination draconian/broken server. I think my state of mind will be picked up pretty quickly from the following snippet. IPs and hosts changed to protect the not-so-innocent--including us, since I did screw up, too, but STILL... ...our firewall does a reverse lookup. mail.clientco.com resolves as 1.1.1.1...Since these two IP addresses do not match, our firewall rejects the connection... This strict constraint is certainly not evident from the 421 message returned by your server. Moreover, your own mail servers do not meet this requirement! Your mail server at 2.2.2.2 uses EHLO text-- EHLO [3.3.3.3] --a violation of your own requirement, since the PTR, ptr.draco.com, does not even have an A record at all. If ClientCo employed your policy, *they* would reject *your* mail! This EHLO is also a violation of RFC 2821, which states that an address literal is only allowed if a host has no name (3.3.3.3 does have a PTR record, and therefore does have a name), and a violation of the common test to see if EHLO and PTR match (since a PTR cannot, by definition, resolve to an address literal). Though I appreciate the anti-spam utility of deeply verifying EHLO arguments, returning a 4xx code rather than a 5xx undermines any educational utility, wasting everybody's bandwidth and delaying issue resolution. And if you should have occasion to review this policy in the future, I do hope you consider that your own systems violate it. :) Sincerely yours, Sandy -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. 
e-mail: [EMAIL PROTECTED]
RE: [Declude.JunkMail] Unable to get filter to work
David, You'll also have to put a line in your $default$.junkmail (and GLOBAL.CFG for outgoing) if you want to see the test result in the headers. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Lewis-Waller Sent: Thursday, November 28, 2002 8:42 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Unable to get filter to work Any help appreciated... I have in my global.cfg file the line MYFILTER filter c:\imail\declude\myfilter.txt x 0 0 myfilter.txt has the following lines MAILFROM -10 CONTAINS @talk21.com MAILFROM -10 CONTAINS @passport.com MAILFROM -10 CONTAINS @economist.com MAILFROM -10 CONTAINS .ft.com MAILFROM -10 CONTAINS .bbc.co.uk I hold email on a weight of 30. I have a test account with talk21.com which normally fails a number of tests resulting in a total weight of 33. I would have expected the weight to drop to 23 because of myfilter.txt but it doesn't. I tried silly numbers as well e.g. -60 but still end up with a total weight o 33. I'm obviously missing something fundamental. Sent email headers: Received: from wmpmta04-app.mail-store.com [194.73.242.6] by mail.nthost.co.uk with ESMTP (SMTPD32-7.13) id ACAC128E00CC; Thu, 28 Nov 2002 13:39:56 + Received: from wmpmtavirtual ([10.216.84.18]) by wmpmta04-app.mail-store.com with SMTP id 20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual for [EMAIL PROTECTED]; Thu, 28 Nov 2002 13:39:55 + Received: from 62.189.235.109 by t21web08-lrs ([10.216.84.18]); Thu, 28 Nov 02 13:30:20 GMT+00:00 X-Mailer: talk21 v1.26 - http://talk21.btopenworld.com From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] X-Talk21Ref: none Date: Thu, 28 Nov 2002 13:30:20 GMT+00:00 Subject: SPAM: (No Subject) Message-Id: 20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual X-RBL-Warning: NOPOSTMASTER: Not supporting postmaster@domain X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [804f]. 
X-RBL-Warning: REVDNS: This E-mail was sent from a mail server 194.73.242.6 with no reverse DNS entry. X-RBL-Warning: SNIFFER: Message failed SNIFFER: 4. X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [194.73.242.6] X-Note: This E-mail was scanned by Declude JunkMail for evidence of spam. X-Note: This E-mail was sent from [No Reverse DNS] ([194.73.242.6]). Thanks in advance. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Patnode Sent: 28 November 2002 08:57 To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] BASE64 usage I have John. While Base64 is a great test, a number of newsletters and normal emails have come across using it. I have weakened my system to let these types of messages through and pull my hair out every time a spam gets through because of it. Dan On Wednesday, November 27, 2002 8:02, John Tolmachoff [EMAIL PROTECTED] wrote: Even thought it has been determined that there is no legit REASON to use BASE64 encoding in the body, I am finding and increasing use of it. Most of these are junk, but it has caught a number of legit messages. Therefore, I have downgraded BASE64 from 15 to 12. Any one experiencing similar? John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com
RE: [Declude.JunkMail] Unable to get filter to work
David, It would have been nice if I mentioned that the line to be added is: MYFILTERWARN George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Lewis-Waller Sent: Thursday, November 28, 2002 8:42 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Unable to get filter to work Any help appreciated... I have in my global.cfg file the line MYFILTER filter c:\imail\declude\myfilter.txt x 0 0 myfilter.txt has the following lines MAILFROM -10 CONTAINS @talk21.com MAILFROM -10 CONTAINS @passport.com MAILFROM -10 CONTAINS @economist.com MAILFROM -10 CONTAINS .ft.com MAILFROM -10 CONTAINS .bbc.co.uk I hold email on a weight of 30. I have a test account with talk21.com which normally fails a number of tests resulting in a total weight of 33. I would have expected the weight to drop to 23 because of myfilter.txt but it doesn't. I tried silly numbers as well e.g. -60 but still end up with a total weight o 33. I'm obviously missing something fundamental. Sent email headers: Received: from wmpmta04-app.mail-store.com [194.73.242.6] by mail.nthost.co.uk with ESMTP (SMTPD32-7.13) id ACAC128E00CC; Thu, 28 Nov 2002 13:39:56 + Received: from wmpmtavirtual ([10.216.84.18]) by wmpmta04-app.mail-store.com with SMTP id 20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual for [EMAIL PROTECTED]; Thu, 28 Nov 2002 13:39:55 + Received: from 62.189.235.109 by t21web08-lrs ([10.216.84.18]); Thu, 28 Nov 02 13:30:20 GMT+00:00 X-Mailer: talk21 v1.26 - http://talk21.btopenworld.com From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] X-Talk21Ref: none Date: Thu, 28 Nov 2002 13:30:20 GMT+00:00 Subject: SPAM: (No Subject) Message-Id: 20021128133955.RBKO6682.wmpmta04-app.mail-store.com@wmpmtavirtual X-RBL-Warning: NOPOSTMASTER: Not supporting postmaster@domain X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [804f]. X-RBL-Warning: REVDNS: This E-mail was sent from a mail server 194.73.242.6 with no reverse DNS entry. 
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 4. X-RBL-Warning: WEIGHT10: Weight of 33 reaches or exceeds the limit of 10. X-Declude-Sender: [EMAIL PROTECTED] [194.73.242.6] X-Note: This E-mail was scanned by Declude JunkMail for evidence of spam. X-Note: This E-mail was sent from [No Reverse DNS] ([194.73.242.6]). Thanks in advance. David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Patnode Sent: 28 November 2002 08:57 To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] BASE64 usage I have John. While Base64 is a great test, a number of newsletters and normal emails have come across using it. I have weakened my system to let these types of messages through and pull my hair out every time a spam gets through because of it. Dan On Wednesday, November 27, 2002 8:02, John Tolmachoff [EMAIL PROTECTED] wrote: Even thought it has been determined that there is no legit REASON to use BASE64 encoding in the body, I am finding and increasing use of it. Most of these are junk, but it has caught a number of legit messages. Therefore, I have downgraded BASE64 from 15 to 12. Any one experiencing similar? John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com
[Declude.JunkMail] Hop High Testing
I may be missing something regarding this testing but it doesn't seem to be working as I understand the manual. I'm running 1.62 Junkmail Pro. The applicable settings in my GLOBAL.CFG are:

HOP 0
HOPHIGH 6

I would expect to see much more reporting if I look at the headers in an email such as the example below if every hop were processed. I realize that this example is still being identified as spam but there are others that have slipped through in the past. This is just meant to examine the multi hop question.

Thanks,
George Kulman
Partner
Ridge Systems, L.L.C.

Other germane GLOBAL.CFG Settings are:

IPBYPASS 204.127.131.123

Header follows:

Received: from mtiwgwc13.worldnet.att.net [204.127.131.123] by mail.ridge-systems.com with ESMTP (SMTPD32-7.13) id A20336700EE; Sat, 23 Nov 2002 11:51:15 -0500
Received: from [200.204.145.51] ([203.91.134.163]) by mtiwgwc13.worldnet.att.net (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP id 20021123165055.KOTW432.mtiwgwc13.worldnet.att.net@[200.204.145.51] for [EMAIL PROTECTED]; Sat, 23 Nov 2002 16:50:55 +
Received: from 155.89.28.179 ([155.89.28.179]) by rly-xw05.mx.aol.com with smtp; Nov, 23 2002 8:28:06 AM -0800
Received: from 30.215.79.204 ([30.215.79.204]) by m10.grp.snv.yahoo.com with SMTP; Nov, 23 2002 7:50:07 AM +1200
Received: from 34.57.158.148 ([34.57.158.148]) by rly-xr02.mx.aol.com with local; Nov, 23 2002 6:27:17 AM +0600
Received: from 82.49.149.76 ([82.49.149.76]) by hd.regsoft.net with asmtp; Nov, 23 2002 5:49:16 AM +1100
From: qhxvissi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc:
Subject: We got a a little dirty but it was all worth rvx
Sender: qhxvissi [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 23 Nov 2002 08:52:30 -0800
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Message-Id: 20021123165055.KOTW432.mtiwgwc13.worldnet.att.net@[200.204.145.51]
X-RBL-Warning: BHOLE-BRAZIL: Brazil blocked by brazil.blackholes.us
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [210f].
X-RBL-Warning: WEIGHT10: Weight of 34 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [200.204.145.51]
X-Declude-Spoolname: Db203036700eee698.SMD
X-Spam-Tests-Failed: BLACKLIST, BHOLE-BRAZIL, IPNOTINMX, ROUTING, WEIGHT10, WEIGHT16
X-Note: This E-mail was sent from 200-204-145-51.terra.com.br ([200.204.145.51]).
X-Country-Chain: [IANA Reserved]-UNITED STATES-[Unknown]-URUGUAY-UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 337918260

The declude log entries for this e-mail follow: (LOGLEVEL HIGH)

11/23/2002 11:52:15 Qb203036700eee698 Triggered filter on uy [weight-20].
11/23/2002 11:52:15 Qb203036700eee698 BLACKLIST:25 BHOLE-BRAZIL:5 ROUTING:4 . Total weight = 34
11/23/2002 11:52:15 Qb203036700eee698 Using [incoming] CFG file D:\IMail\Declude\$default$.junkmail.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed BLACKLIST (Message failed BLACKLIST test (23)). Action=ROUTETO.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed BHOLE-BRAZIL (Brazil blocked by brazil.blackholes.us). Action=WARN.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed ROUTING (This E-mail was routed in a poor manner consistent with spam [210f].). Action=WARN.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed WEIGHT10 (Weight of 34 reaches or exceeds the limit of 10.). Action=WARN.
11/23/2002 11:52:15 Qb203036700eee698 Msg failed WEIGHT16 (Weight of 34 reaches or exceeds the limit of 16.). Action=ROUTETO.
11/23/2002 11:52:15 Qb203036700eee698 Subject: We got a a little dirty but it was all worth rvx
11/23/2002 11:52:15 Qb203036700eee698 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude Console Wish List Request
Scott,

Could you activate horizontal scroll capability for the window? Even at full screen there's information that's not visible on the right hand side and no scroll capability exists.

Thanks,
George Kulman
Partner
Ridge Systems, L.L.C.
Cell - 201-647-3250 or 516-582-0019
Office - 201-291-0600
Fax - 201-291-8887
RE: [Declude.JunkMail] h:routeto
Roland,

TESTNAME ROUTETO [EMAIL PROTECTED]

Example

BLACKLIST ROUTETO [EMAIL PROTECTED]

George Kulman
Partner
Ridge Systems, L.L.C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roland Braun
Sent: Wednesday, October 02, 2002 2:17 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] h:routeto

Hi,

what's the correct syntax for the ROUTETO action in JunkMail Pro?

Thanks in advance,
Roland

---
Dr. Roland Braun
Max-Planck-Institut fuer auslaendisches oeffentliches Recht und Voelkerrecht
Im Neuenheimer Feld 535 ; D-69120 Heidelberg
Phone: ++49-(0)6221-482608; Fax: ++49-(0)6221-482278
RE: [Declude.JunkMail] MAILTO Filter Request
Scott,

Thanks very much.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Sunday, September 29, 2002 9:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILTO Filter Request

There was a question last month (8/28 by Marv Gordon) regarding the availability of a MAILTO filter which you said wasn't an option right now.

It will be available in the next beta. :)

-Scott
RE: [Declude.JunkMail] STOP testing if Blacklist
Scott,

When you do get to consider this please think about something like STOP to stop testing further in the individual filter or test, and STOPALL to stop all further testing.

Thanks,
George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, September 30, 2002 8:51 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] STOP testing if Blacklist

It would also be great if you could consider adding a stop test consideration.

This (and stopping when a certain weight is reached) are in the suggestion database. Given that performance is rarely an issue with Declude JunkMail, it isn't a high priority right now, but it is something that we will definitely be considering for future releases (we don't like the idea of wasting resources if it can be avoided).

-Scott
RE: [Declude.JunkMail] IP Blocking Question? for a NewB
Steve,

From the Junkmail Manual:

To blacklist a range of IPs, you can use CIDR style IP ranges. For example, 127.0.0.0/8 would blacklist all addresses from 127.0.0.0 through 127.255.255.255. 127.0.0.0/24 would blacklist the Class C range from 127.0.0.0 through 127.0.0.255.

George Kulman
Partner
Ridge Systems, L.L.C.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven Cmajdalka
Sent: Sunday, September 29, 2002 8:31 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] IP Blocking Question? for a NewB

Hello.

How do I filter a range of IP addresses? Example, this one:

64.49.243.63 mail46.thesuperspecialsales.com
64.49.243.115 mail110.thesuperspecialsales.com

I block one then they start using 115, do I have to make an entry for each IP?

Thanks
Steve.
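An added example, not part of the original posts and not Declude code: Python's standard ipaddress module expands the two CIDR ranges quoted from the manual and finds the smallest single range that covers both addresses Steve lists. The function names are made up for this illustration, and the count of unobserved addresses shows how much else a range entry would also match.

```python
import ipaddress

def cidr_bounds(cidr):
    """Return (first address, last address, address count) for a CIDR range."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects stray host bits
    return str(net[0]), str(net[-1]), net.num_addresses

def smallest_covering_cidr(addresses):
    """Smallest single IPv4 CIDR range that contains every address given."""
    ips = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(ips), max(ips)
    # Bits above the highest differing bit are shared by lo, hi and all between.
    prefix = 32 - (lo ^ hi).bit_length()
    base = ipaddress.IPv4Address(lo)
    return str(ipaddress.ip_network(f"{base}/{prefix}", strict=False))

def is_listed(ip, cidrs):
    """True if ip falls inside any of the listed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def unobserved_in_range(cidr, observed):
    """Addresses the range covers that were never seen sending mail."""
    return ipaddress.ip_network(cidr).num_addresses - len(set(observed))

# The two sending addresses quoted in the question above.
OBSERVED = ["64.49.243.63", "64.49.243.115"]

if __name__ == "__main__":
    for example in ("127.0.0.0/8", "127.0.0.0/24"):  # the manual's examples
        print(example, cidr_bounds(example))
    cover = smallest_covering_cidr(OBSERVED)
    print("covering range:", cover, cidr_bounds(cover))
    print("unobserved addresses also matched:",
          unobserved_in_range(cover, OBSERVED))
```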
[Declude.JunkMail] New Definition of Spam Cop
I really couldn't help laughing at discovering spam this morning through an open relay at:

mail.kcpd.org
Kansas City, MO Police Department

Where's SPAMCOP when you need them?

George Kulman
Partner
Ridge Systems, L.L.C.
RE: [Declude.JunkMail] spam rec'd using internal return address
Analytically correct

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharyn Schmidt
Sent: Tuesday, September 24, 2002 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] spam rec'd using internal return address

question on this filtering..

If I add the following line in myfilter.txt..

Body 0 Contains anal

This will cause any email with the word analysis in it to receive whatever action I've given the test. Correct?

Sharyn

We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged Best in the World at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) http://www.cruzanrums.com
RE: [Declude.JunkMail] Filter Processing
Scott,

For the wish list please - An additional filter type (or flag) that would exit after the first match. I've been pretty successful with filtering MAILFROM and, to speed up processing it would be beneficial if the filter processing could end after a match. The same would apply to an IP that I'm blocking. There's no need to do further processing in this filter since the match has been made and I'm going to treat the item as SPAM. This would also enable me to sequence the list with the most expected matches at the top.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, September 17, 2002 10:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Filter Processing

I have two questions regarding filter processing. 1. If there are multiple filters listed in the global.cfg are they processed in the order they're listed?

Yes.

2. If there is a match on an item in a filter list does processing continue against that list?

Yes, so if the weight of each entry in the filter is 1, an E-mail could still end up with a weight higher than 1.

-Scott
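An added example, not Declude's code: a simplified Python model of the filter behaviour discussed in the two threads above, using the line shape from Sharyn's question (field, weight, CONTAINS, text). It shows a substring entry hitting the word "analysis", weights adding up because processing continues after a match, and the exit-after-first-match behaviour George asks for. The filter entries, messages and function names are constructed, and case-insensitive matching is an assumption.

```python
# Simplified model of a text filter file; not Declude's implementation.
# Assumption: CONTAINS is a case-insensitive substring match.

def parse_filter(text):
    """Parse lines shaped like 'BODY 0 CONTAINS anal' into rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, weight, op, needle = line.split(None, 3)
        if op.upper() != "CONTAINS":
            raise ValueError("only CONTAINS is modelled: " + line)
        rules.append((field.upper(), int(weight), needle.lower()))
    return rules

def score(rules, message, stop_on_first=False):
    """Return (total weight, matched entries) for a message given as a dict."""
    total, hits = 0, []
    for field, weight, needle in rules:
        if needle in message.get(field, "").lower():
            total += weight
            hits.append(needle)
            if stop_on_first:  # the wished-for exit after the first match
                break
    return total, hits

# Constructed filter entries and messages.
RULES = parse_filter("""
BODY 1 CONTAINS anal
BODY 1 CONTAINS click here
MAILFROM 1 CONTAINS @bulk-mailer.example
""")
SPAM = {"MAILFROM": "offers@bulk-mailer.example",
        "BODY": "Free analysis of your site. Click here now."}
LEGIT = {"MAILFROM": "cfo@customer.example",
         "BODY": "The quarterly analysis is attached."}

if __name__ == "__main__":
    print("all entries checked:", score(RULES, SPAM))
    print("exit on first match:", score(RULES, SPAM, stop_on_first=True))
    print("legitimate message: ", score(RULES, LEGIT))
```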