[Declude.JunkMail] HELOBOGUS only fails with non-local senders
I was scratching my head real hard on this one, but found the answer in the release notes and I think that given changes over time, our friends at Declude should consider revising how this limiting of the HELOBOGUS test works.

I noted in the release notes for 1.57 [Beta, 30 Jul 2002] that the HELOBOGUS will now only be tested on non-local senders. With the invention of WHITELIST AUTH, this is unnecessary for any server that is configured for this. Zombie spammers and viruses will often enough forge a local sender in the Mail From along with using bogus HELO names, but the HELOBOGUS test won't trigger in that event due to this old fix.

I agree that at the time this was totally necessary just like disabling DUL tests for local senders was, and the only method that could be used was checking the Mail From, but for systems that can whitelist all local users, it would be beneficial to have the added value of these tests under these conditions by way of a switch in the config file. I would imagine that the switch would be in the form of something like LOCALHELOBOGUS ON and LOCALDUL ON.

I believe that the DUL part has been discussed before and possibly agreed to that it was a good idea for a future revision. I would hope that the same consideration could be given to the HELOBOGUS skipping of local senders.

Thanks,

Matt

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HELOBOGUS only fails with non-local senders
Matt, (pause while I put on my iron codpiece) this sounds like a good place for an IMail implementation to use SPF records as self-defense.

It sounds like what you're looking for is a two-fer that maps valid client space with valid domain names to detect spoofing, and HELOBOGUS will only do part of the job.

Or am I just putting words in your mouth?

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 11, 2005 2:54 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] HELOBOGUS only fails with non-local senders
Re: [Declude.JunkMail] HELOBOGUS only fails with non-local senders
Andrew,

I think that you misunderstood. If you have a local domain of example.com and an E-mail comes in with a Mail From of [EMAIL PROTECTED] with a HELO of asdfdfasdfsafdsafd.asddsfadfas.asddfs, then HELOBOGUS will not trigger even though this is a bogus HELO. This isn't a bug, this was by design back in the day before you could whitelist authenticated users so that you didn't tag your own users with such tests when they would likely fail them since home PCs tend to not use Internet resolvable HELO names. Now with WHITELIST AUTH, one can safely use this test on all E-mails that Declude scans, regardless of whether or not the Mail From is a local domain.

I also indicated that in addition to the above, there was the known issue (also by design) where Declude disables any IP4R test (possibly others) that contain the letters DUL, DYNA or DUHL in the name for E-mails that have a Mail From that is local to the server, even when forged. My workaround for this was to stop using that naming convention for DUL tests since it was only benefiting spammers on my system since I started using WHITELIST AUTH. Unlike the DUL trick, the HELOBOGUS thing can't be worked around.

Matt

Colbeck, Andrew wrote:

> Matt, (pause while I put on my iron codpiece) this sounds like a good place for an IMail implementation to use SPF records as self-defense.
>
> It sounds like what you're looking for is a two-fer that maps valid client space with valid domain names to detect spoofing, and HELOBOGUS will only do part of the job.
>
> Or am I just putting words in your mouth?
>
> Andrew 8)
Re: [Declude.JunkMail] HELOBOGUS for Email from Postfix Gateway
> However, I'm having a problem with Declude triggering on reporting emails that are generated directly ON the gateway itself:

That's because the gateway is running an MTA that adds very poor Received: headers.

> - Declude parses IP Address 0.0.0.0
> - Declude parses HELO string of userid
>
> Here are the headers that Postfix generates for email that originates from that machine:
>
> Received: from mail.dollardays.com [67.132.45.18] by mail.webhost.hm-software.com with ESMTP (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500

That one is fine. Since you are IPBYPASSing 67.132.45.18, Declude JunkMail skips over that line.

> Received: by mail.dollardays.com (Postfix) id BD39835A9D2; Sat, 8 Jan 2005 04:16:24 -0500 (EST)

This one is a very poor Received: header. It contains almost no useful information (since it is your server, you already know its name, and the time *could* be useful, but only if the server uses NTP).

> Received: by mail.dollardays.com (Postfix, from userid 0) id A8FC335A9CE; Sat, 8 Jan 2005 04:16:24 -0500 (EST)

This, too, is a very poor Received: header. It, too, contains almost no useful information.

> As you can see, it
> a) has no FROM field in the received header - that's what's causing the 0.0.0.0 being reported as the IP address

Correct.

> b) it is picking up userid from inside an SMTP header comment - the string is included inside parentheses, thus should NOT be interpreted by Declude.

Correct. However, given how many poor (one step above very poor) mailservers there are out there, we have to check inside SMTP comments. There are mailservers out there that include the IP (and probably 'from') in SMTP comments.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
[Declude.JunkMail] HELOBOGUS for Email from Postfix Gateway
Hi Scott,

I'm colocating a Postfix gateway for a client - and "external" mail is being routed fine.

However, I'm having a problem with Declude triggering on reporting emails that are generated directly ON the gateway itself:

- I have IPBYPASS set for 67.132.45.18 (which is how it should be).
- Declude parses IP Address 0.0.0.0
- Declude parses HELO string of "userid"

Here is what Declude parsed from the RECEIVED header (2nd and even 3rd hop):

Mail Server: %REMOTEIP% for %RHSBL% [%SENDERHOST%]
DNS Pointer: %REVDNS%
Host Name: %HELO%

Mail Server: 0.0.0.0 for mail.dollardays.com [mail.dollardays.com]
DNS Pointer: (Private IP)
Host Name: userid

Here are the headers that Postfix generates for email that originates from that machine:

Received: from mail.dollardays.com [67.132.45.18] by mail.webhost.hm-software.com with ESMTP (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500
Received: by mail.dollardays.com (Postfix) id BD39835A9D2; Sat, 8 Jan 2005 04:16:24 -0500 (EST)
Received: by mail.dollardays.com (Postfix, from userid 0) id A8FC335A9CE; Sat, 8 Jan 2005 04:16:24 -0500 (EST)

As you can see, it

a) has no FROM field in the received header - that's what's causing the "0.0.0.0" being reported as the IP address
b) it is picking up "userid" from inside an SMTP header comment - the string is included inside parentheses, thus should NOT be interpreted by Declude.

I think item b) is truly a malfunction by Declude. At "worst" it should detect the HELO string as null.

However, ideally, I wonder whether Declude should only "hop" to the next Receive line, if the receive line actually DOES have a "FROM" field. If there is no other Received/From line, then it should use the information from the LAST VALID Received timestamp (which in this case would be the header inserted by Imail) - which would then yield correct results.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
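The two parsing behaviours argued over in this thread, run side by side on the three Received: values quoted above. This is an added example, not Declude's code and not part of either message; the function names, the fall-back switch and the `ADDRESS_IN_COMMENT` sample are assumptions made for illustration.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)(?:\s+\[(" + IPV4 + r")\])?", re.I)
BRACKETED_IP = re.compile(r"\[(" + IPV4 + r")\]")
NO_IP = "0.0.0.0"  # placeholder used when a hop yields no address

# The three Received: values quoted in the thread, newest first.
RECEIVED = [
    "from mail.dollardays.com [67.132.45.18] by mail.webhost.hm-software.com "
    "with ESMTP (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500",
    "by mail.dollardays.com (Postfix) id BD39835A9D2; "
    "Sat, 8 Jan 2005 04:16:24 -0500 (EST)",
    "by mail.dollardays.com (Postfix, from userid 0) id A8FC335A9CE; "
    "Sat, 8 Jan 2005 04:16:24 -0500 (EST)",
]
IPBYPASS = {"67.132.45.18"}

# Constructed sample (not from the thread): an MTA that records the peer
# address inside a comment, the reason given in the reply for reading comments.
ADDRESS_IN_COMMENT = (
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org "
    "(Postfix) with ESMTP id 0123456789; Sat, 8 Jan 2005 04:16:24 -0500 (EST)"
)


def split_comments(value):
    """Return (text outside comments, [comment bodies]); handles nesting and backslash escapes."""
    text, comments, current, depth, i = [], [], [], 0, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):      # escaped character: copy the pair
            (current if depth else text).append(value[i:i + 2])
            i += 2
            continue
        if ch == "(":
            depth += 1
            if depth == 1:                          # opening paren of a top-level comment
                i += 1
                continue
        elif ch == ")" and depth:
            depth -= 1
            if depth == 0:                          # comment closed: store it
                comments.append("".join(current))
                current = []
                text.append(" ")
                i += 1
                continue
        (current if depth else text).append(ch)
        i += 1
    return "".join(text), comments


def parse_lenient(value):
    """Model of a parser that also reads inside comments: the first 'from' anywhere wins."""
    match = FROM_CLAUSE.search(value)
    if not match:
        return None
    return {"helo": match.group(1), "ip": match.group(2) or NO_IP}


def parse_strict(value):
    """Accept a from clause only at the start of the comment-free text.
    The address may still be taken from the first comment, where some MTAs put it."""
    text, comments = split_comments(value)
    match = FROM_CLAUSE.match(text.strip())
    if not match:
        return None
    ip = match.group(2)
    if ip is None and comments:
        inner = BRACKETED_IP.search(comments[0])
        ip = inner.group(1) if inner else None
    return {"helo": match.group(1), "ip": ip or NO_IP}


def sending_hop(received, ipbypass, parse, fall_back=False):
    """Walk Received: values newest-first and return the hop the HELO tests would see."""
    last_valid = None
    for value in received:
        hop = parse(value)
        if hop is None:
            continue                  # no usable from clause on this line
        if hop["ip"] in ipbypass:
            last_valid = hop          # trusted gateway: keep walking back
            continue
        return hop
    # Nothing beyond the bypassed gateway: optionally report the gateway itself.
    return last_valid if fall_back else None


if __name__ == "__main__":
    print("lenient:", sending_hop(RECEIVED, IPBYPASS, parse_lenient))
    print("strict :", sending_hop(RECEIVED, IPBYPASS, parse_strict, fall_back=True))
    print("comment:", parse_strict(ADDRESS_IN_COMMENT))
```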
RE: [Declude.JunkMail] HELOBOGUS and MAIL GATEWAYS
> I am using IPBYPASS already for the host IP, but I still get a warning about the hostNAME.

That is unusual. I would recommend upgrading to the latest interim (at http://www.declude.com/version/interim ) to see if that fixes the problem. If not, I can let you know how to use the debug mode, which should give us the information necessary to track down the problem.

Note that this problem will (intentionally) occur if the E-mail originates at the gateway server (if there is no IP address of a mailserver connecting to the gateway server). In that case, the only HELO/EHLO that Declude JunkMail will be able to see is the one of the gateway server.

-Scott
Re: [Declude.JunkMail] HELOBOGUS and MAIL GATEWAYS
> We are using a 3rd party (offsite) gateway service for our inbound mail and some of the host servers that we receive mail from fail the HELOBOGUS test (no MX or A record). Is there a way to safely skip the HELOBOGUS test on these known hosts?

Actually, if those are gateways, the best solution is to use an IPBYPASS line for their IP(s). For example, if they send the mail from 192.0.2.25, you can add a line IPBYPASS 192.0.2.25 to the \IMail\Declude\global.cfg file. This lets Declude JunkMail know that 192.0.2.25 isn't the true source of the E-mail, and then Declude JunkMail can scan it appropriately.

-Scott
[Declude.JunkMail] HELOBOGUS and MAIL GATEWAYS
Hello,

We are using a 3rd party (offsite) gateway service for our inbound mail and some of the host servers that we receive mail from fail the HELOBOGUS test (no MX or A record). Is there a way to safely skip the HELOBOGUS test on these known hosts?

Thanks.

-Mike
Re: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions
Goran Jovanovic wrote:

> This is parts of a header I received and I just want to check a few things
>
> So the spammer thought that he would use my IP address in the HELO line 205.150.108.8 to identify his domain, even though his real IP address is 220.185.227.109?
>
> Obviously an IP address is not a valid domain so it fails the HELOBOGUS test?
>
> It failed the HELOISIP test because the domain was an IP address?

Yes. It would be more correct to say that HELOISIP failed because the domain _contained_ an IP address. 205.150.108.8.this.is.a.host.name would also have failed HELOISIP

> It failed the HELOISIPX test ... not sure why since there is no reverse DNS to parse?

It failed HELOISIPX because the host name is a pure IP address. 205.150.108.8.this.is.a.host.name will *not* fail HELOISIPX.

In the next release, both tests will not fail host names in bracketed IP format [205.150.108.8]

--
illigitimi non carborundum

Bud Durland, CNE
Mold-Rite Plastics
Network Administrator
http://www.mrpcap.com
RE: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions
OK I think I was somehow reversed in my thinking

Goran Jovanovic
The LAN Shoppe
Re: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions
I use the forgedhelo filter. It checks that the remote server helo is neither your hostname nor your host IP. You can score this test really high since no server should use the above.

HELO 0 CONTAINS ip1.ip2.ip3.
HELO 0 ENDSWITH cefib.com
HELO 0 ENDSWITH cefib.net

----- Original Message -----
From: Goran Jovanovic [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 21, 2004 2:57 AM
Subject: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions

This is parts of a header I received and I just want to check a few things

So the spammer thought that he would use my IP address in the HELO line 205.150.108.8 to identify his domain, even though his real IP address is 220.185.227.109?

Obviously an IP address is not a valid domain so it fails the HELOBOGUS test?

It failed the HELOISIP test because the domain was an IP address?

It failed the HELOISIPX test ... not sure why since there is no reverse DNS to parse?

This SPAM only scored 19 (my HELOISIP and HELOISIPX are scored at 0 for now). Can anyone see any other obvious test that could be applied to this?

Thanx

Received: from 205.150.108.8 [220.185.227.109] by tlsonline.com (SMTPD32-8.10 ) id A50912CD00DA; Tue, 20 Apr 2004 19:40:57 -0400
Received: from 244.0.228.117 by web229.mail.yahoo.com; Wed, 21 Apr 2004 02:40:39 +0200
Message-ID: [EMAIL PROTECTED]
From: Walker Tyson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: I did it, can you?
Date: Wed, 21 Apr 2004 06:43:39 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--4113080516566895
X-CS-IP: 0.112.4.0

Message-ID: [EMAIL PROTECTED]
From: TLS SPAMService [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ***[SPAM]***[19]***I did it, can you?
Date: Tue, 20 Apr 2004 23:41:04 -
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=SomeRandomStuffGoesHere
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: HELOBOGUS: Domain 205.150.108.8 has no MX or A records [0301].
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 220.185.227.109 with no reverse DNS entry.
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [210f].
X-Declude-Sender: [EMAIL PROTECTED] [220.185.227.109]
X-Declude-Spoolname: Db50712cd00dae725.SMD
X-Note: This E-mail was sent from [No Reverse DNS] ([220.185.227.109]).
X-Spam-Tests-Failed: CMDSPACE, HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, ROUTING, WEIGHT10, HELOISIP, HELOISIPX [19]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Note: Total spam weight of this E-mail is 19.
X-Country-Chain:
Organization: The LAN Shoppe

Goran Jovanovic
The LAN Shoppe
RE: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions
Serge,

> I use the forgedhelo filter
>
> HELO 0 CONTAINS ip1.ip2.ip3.
> HELO 0 ENDSWITH cefib.com
> HELO 0 ENDSWITH cefib.net

I assume that this forgedhelo filter is of your own making?

Since I am scanning mail for many domains I could add all their domains to my list since they are never sending through me. Right?

Goran Jovanovic
The LAN Shoppe
Re: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions
not my own making, someone posted it on this list some time back.

and yes, you should add all your domains, but play it safe and use

HELO 0 ENDSWITH .domain.com

instead of

HELO 0 ENDSWITH domain.com

so it won't cover allotherdomain.com

----- Original Message -----
From: Goran Jovanovic [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 21, 2004 3:41 AM
Subject: RE: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions
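The string-only HELO checks discussed in this thread (HELOISIP, HELOISIPX, the bracketed-literal exemption, and the forgedhelo suffix match), written out so the edge cases can be run. This is an added example, not Declude's code or the posted filter; the function names are assumptions, and `claims_domain` and the digit guard in `contains_own_prefix` go one step beyond what the messages state.

```python
import ipaddress
import re

# Four dotted decimal groups that are not glued to a longer run of digits or dots.
IPV4_RUN = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d)")


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def is_address_literal(helo):
    """Bracketed form such as [205.150.108.8]."""
    return helo.startswith("[") and helo.endswith("]") and _is_ipv4(helo[1:-1])


def heloisipx(helo):
    """Fails only when the HELO is nothing but an IP address."""
    return _is_ipv4(helo)


def heloisip(helo):
    """Fails when the HELO contains an IP address anywhere in the name."""
    if is_address_literal(helo):
        return False  # behaviour the thread describes for "the next release"
    return any(_is_ipv4(run) for run in IPV4_RUN.findall(helo))


def endswith_bare(helo, domain):
    """HELO 0 ENDSWITH domain.com, as first posted."""
    return helo.lower().endswith(domain.lower())


def endswith_dotted(helo, domain):
    """HELO 0 ENDSWITH .domain.com, the form suggested in the reply."""
    return helo.lower().endswith("." + domain.lower())


def claims_domain(helo, domain):
    """Assumption beyond the thread: dotted suffix OR exact match, so a HELO of
    exactly 'domain.com' is caught without also catching 'allotherdomain.com'."""
    name = helo.lower().rstrip(".")
    return name == domain.lower() or name.endswith("." + domain.lower())


def contains_own_prefix(helo, prefix):
    """HELO 0 CONTAINS ip1.ip2.ip3. with a digit guard, so a prefix of
    '5.150.108.' does not match inside '205.150.108.8'."""
    return re.search(r"(?<!\d)" + re.escape(prefix), helo) is not None


def failed_tests(helo, own_domains, own_ip_prefixes):
    """Names of the string-only HELO tests this value would fail."""
    failed = []
    if heloisip(helo):
        failed.append("HELOISIP")
    if heloisipx(helo):
        failed.append("HELOISIPX")
    if (any(claims_domain(helo, d) for d in own_domains)
            or any(contains_own_prefix(helo, p) for p in own_ip_prefixes)):
        failed.append("FORGEDHELO")
    return failed


if __name__ == "__main__":
    # 205.150.108.8 is the receiving server's own address in the quoted headers.
    own_domains, own_prefixes = ["domain.com"], ["205.150.108."]
    for helo in ("205.150.108.8", "205.150.108.8.this.is.a.host.name",
                 "[205.150.108.8]", "allotherdomain.com", "domain.com"):
        print(helo, failed_tests(helo, own_domains, own_prefixes))
```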
Re: [Declude.JunkMail] HELOBOGUS
> Why did this fail HELOBOGUS:
>
> X-RBL-Warning: HELOBOGUS: Domain mail.sbapro.com has no MX or A records [0301].
>
> Query: sbapro.com.
> Query type: Any record

Declude JunkMail looks at the host name (mail.sbapro.com), not the parent (otherwise, it would look for com if the HELO/EHLO was example.com).

Note that mail.sbapro.com does not have an MX record. It does *currently* have an A record, but I'm guessing it did not when you processed the E-mail (its DNS is handled by root-dns.com/temp-url.com, which smells like some sort of dynamic IP service -- but neither web site works).

-Scott
Re: [Declude.JunkMail] HELOBOGUS ?
> Any ideas why this email would fail the HELOBOGUS test?

The problem here is that:

> Received: from declude.com [24.107.232.14] by mail.tmlp.com with ESMTP (SMTPD32-7.07) id A7F878950134; Thu, 26 Feb 2004 20:06:00 -0500
> Received: from panda.declude.com [192.168.0.4] by declude.com with ESMTP (SMTPD32-8.05) id A7CBEC201D4; Thu, 26 Feb 2004 20:05:15 -0500

The E-mail was received from 24.107.232.14, but Declude JunkMail sees:

> X-Declude-Sender: mailto:[EMAIL PROTECTED][EMAIL PROTECTED] [192.168.0.4]

192.168.0.4, which is not the correct IP. So it is also seeing panda.declude.com, which is an internal host name, and should cause the HELOBOGUS test to fail.

The problem is that your HOP/IPBYPASS settings aren't set up properly. Normally, you should use HOP 0 and have an IPBYPASS line for your gateway/backup mailserver(s).

-Scott
[Declude.JunkMail] HELOBOGUS ?
Scott,

Any ideas why this email would fail the HELOBOGUS test?

Received: from declude.com [24.107.232.14] by mail.tmlp.com with ESMTP (SMTPD32-7.07) id A7F878950134; Thu, 26 Feb 2004 20:06:00 -0500
Received: from panda.declude.com [192.168.0.4] by declude.com with ESMTP (SMTPD32-8.05) id A7CBEC201D4; Thu, 26 Feb 2004 20:05:15 -0500
Message-Id: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 26 Feb 2004 20:05:04 -0500
To: [EMAIL PROTECTED]
From: "R. Scott Perry" [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DNS timeout and DNS configuration -does it get logged?
In-Reply-To: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Note: This E-mail was scanned for viruses by Declude Virus (www.declude.com)
X-NRecips: 1
X-Reverse-IP: (Private IP)
X-Weight: 0 (Whitelisted)
X-Country-Chain: .
X-Declude-Sender: [EMAIL PROTECTED] [192.168.0.4]
X-Declude-Spoolname: D97cb0ec201d412fd.SMD
X-Declude-Date: 02/27/2004 01:05:04 [0]
Precedence: bulk
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [24.107.232.14]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: HELOBOGUS
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 372188325

Thanks,

Steve
[Declude.JunkMail] HELOBOGUS - WHY?
I had this piece of mail fail the helobogus test. I am wondering why? Here are the message headers.

Received: from babel.avstarnews.com [12.24.201.132] by mail1.gannett-tv.com with ESMTP (SMTPD32-7.12) id A6A397880132; Wed, 08 Jan 2003 17:30:59 -0500
Received: by BABEL with Internet Mail Service (5.5.2653.19) id CRNNAKGW; Wed, 8 Jan 2003 16:29:30 -0600
Message-ID: 449249DE8813D711907B0090273F213704E08D@BABEL
From: [EMAIL PROTECTED]
To: x [EMAIL PROTECTED]
Subject: Server Remirroring Procedure
Date: Wed, 8 Jan 2003 16:29:26 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)

Darrell LaRock
[Declude.JunkMail] HELOBOGUS MAILFROM warnings on legit server
Hello All,

I've got a problem with Declude catching mail from my web server. The web server is sending mail from web forms that customers fill out to users hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings, stating that the domain server_name does not have any MX/A records.

How can I resolve this? I don't want to whitelist the server name but I've got to be able to send the email forms to the respective users.

I look forward to your help.

Troy
RE: [Declude.JunkMail] HELOBOGUS MAILFROM warnings on legit server
Add the appropriate records in your DNS.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Troy Hilton
Sent: Tuesday, January 07, 2003 6:06 AM
To: Declude Junkmail Forum (E-mail)
Subject: [Declude.JunkMail] HELOBOGUS MAILFROM warnings on legit server
Re: [Declude.JunkMail] HELOBOGUS MAILFROM warnings on legitserver
> I've got a problem with Declude catching mail from my web server. The web server is sending mail from web forms that customers fill out to users hosted on my email server. I'm getting HELOBOGUS and MAILFROM warnings, stating that the domain server_name does not have any MX/A records.
>
> How can I resolve this? I don't want to whitelist the server name but I've got to be able to send the email forms to the respective users.

That's because your web server is claiming to be an Internet host named server_name (which isn't valid -- an Internet host needs to be in the format server_name.example.com), and sending mail from a non-existent domain (probably something like webmaster@server_name).

The best way to deal with this is to fix the problem, and have the web server send out mail properly, by using server_name.example.com as the host name and a return address of [EMAIL PROTECTED] (or [EMAIL PROTECTED]). That way, the E-mail won't be caught as spam on other servers.

The quick fix, though, would be to whitelist the IP address of the web server (WHITELIST IP 192.0.2.25 in the \IMail\Declude\global.cfg file). That will prevent the E-mail from getting caught by Declude JunkMail, but it could still get caught on the receiving server.

-Scott
[Declude.JunkMail] Helobogus error..
Hi All,

I was wondering if someone has experienced an error in helobogus. For some weird reason, I consistently get an error with helobogus like hotmail.com with the msg failed. For some reason cs.com does not resolve either.

11/19/2002 00:05:07 Q0cd19bfb002cf91d HELOBOGUS:8 REVDNS:4 . Total weight = 12
11/19/2002 00:05:07 Q0cd19bfb002cf91d Msg failed HELOBOGUS (Domain [EMAIL PROTECTED] by has no MX/A records.).
11/19/2002 00:05:07 Q0cd19bfb002cf91d Msg failed REVDNS (This E-mail was sent from a MUA/MTA with no reverse DNS entry.).
11/19/2002 00:05:07 Q0cd19bfb002cf91d Msg failed WEIGHT10 (Weight of 12 reaches or exceeds the limit of 10.).
11/19/2002 00:05:07 Q0cd19bfb002cf91d Msg failed WEIGHT12 (Weight of 12 reaches or exceeds the limit of 12.).
11/19/2002 00:05:07 Q0cd19bfb002cf91d Subject: [FWD: Fwd: FW: Fun Stuff]
11/19/2002 00:05:07 Q0cd19bfb002cf91d From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]

Thanks in advance,
eddie :)
Re: [Declude.JunkMail] Helobogus error..
> I was wondering if someone has experienced an error in helobogus. For some weird reason, I consistently get an error with helobogus like hotmail.com with the msg failed. For some reason cs.com does not resolve either.
>
> 11/19/2002 00:05:07 Q0cd19bfb002cf91d Msg failed HELOBOGUS (Domain [EMAIL PROTECTED] by has no MX/A records.).

That isn't cs.com -- that is [EMAIL PROTECTED]. [EMAIL PROTECTED] isn't a hostname, so the HELOBOGUS test fails.

Do you have the Received: headers for some of these E-mails, to make sure that Declude JunkMail is detecting the correct hostname?

-Scott
[Declude.JunkMail] HELOBOGUS not working: follow-up
Recap - In three days, I've only had one message trip the HELOBOGUS test. Here's the recap:

1) I'm catching lots of spam with other tests
2) Scott checked the header of a message (see posting at Thu 10/24/2002 2:17 PM) and didn't note any problems

New information:

1) I'm running Declude 1.60
2) I have my DNS servers properly set up in IMail's SMTP section
3) I don't override those servers in my Declude configuration
4) I'm catching a lot of messages with ORDB, REVDNS, MONKEYFORMMAIL, OSRELAY

What should I check next?

Thanks in advance for any help,
-Bill
Re: [Declude.JunkMail] HELOBOGUS not working: follow-up
> Recap - In three days, I've only had one message trip the HELOBOGUS test. Here's the recap:
>
> 1) I'm catching lots of spam with other tests
> 2) Scott checked the header of a message (see posting at Thu 10/24/2002 2:17 PM) and didn't note any problems
>
> New information:
>
> 1) I'm running Declude 1.60
> 2) I have my DNS servers properly set up in IMail's SMTP section
> 3) I don't override those servers in my Declude configuration
> 4) I'm catching a lot of messages with ORDB, REVDNS, MONKEYFORMMAIL, OSRELAY
>
> What should I check next?

The next step would be the debug mode. You can do this by changing the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, after about 10 or so E-mails have been received, you can then switch back to LOGLEVEL LOW. You can then send me the \IMail\spool\dec.log file (as an attachment), and I should be able to get a better idea of what is going on.

-Scott
RE: [Declude.JunkMail] HELOBOGUS not working: follow-up
Scott,

When I reviewed the debug log, I found that I was actually running v1.53 - I had never copied 1.60 to the \IMail folder (I had just copied it to \Imail\Declude).

I'm going to let it run over the weekend and then if it isn't looking right, I'll capture a debug log and send it to you. If it comes to that, would you prefer the debug log sent somewhere other than this list?

Thanks,
-Bill Naber

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-owner;declude.com]On Behalf Of R. Scott Perry
Sent: Friday, October 25, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HELOBOGUS not working: follow-up

> Recap - In three days, I've only had one message trip the HELOBOGUS test. Here's the recap:
>
> 1) I'm catching lots of spam with other tests
> 2) Scott checked the header of a message (see posting at Thu 10/24/2002 2:17 PM) and didn't note any problems
>
> New information:
>
> 1) I'm running Declude 1.60
> 2) I have my DNS servers properly set up in IMail's SMTP section
> 3) I don't override those servers in my Declude configuration
> 4) I'm catching a lot of messages with ORDB, REVDNS, MONKEYFORMMAIL, OSRELAY
>
> What should I check next?

The next step would be the debug mode. You can do this by changing the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, after about 10 or so E-mails have been received, you can then switch back to LOGLEVEL LOW. You can then send me the \IMail\spool\dec.log file (as an attachment), and I should be able to get a better idea of what is going on.

-Scott
RE: [Declude.JunkMail] HELOBOGUS not working: follow-up
> When I reviewed the debug log, I found that I was actually running v1.53 - I had never copied 1.60 to the \IMail folder (I had just copied it to \Imail\Declude).

I had thought of double-checking that, but since an E-mail had failed the test, I figured you were using 1.60. :)

> I'm going to let it run over the weekend and then if it isn't looking right, I'll capture a debug log and send it to you. If it comes to that, would you prefer the debug log sent somewhere other than this list?

I'm guessing there won't be a problem, but if there is, it is best to send debug logs directly to me (or [EMAIL PROTECTED]). Log file snippets are OK on the list sometimes, if they aren't too long.

-Scott
RE: [Declude.JunkMail] HELOBOGUS Question
I'm running Declude 1.60. I've had exactly one message flagged by HELOBOGUS - I'll take a look at the DNS-based tests and pick this thread up in the morning.

Thanks,
-Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-owner;declude.com]On Behalf Of R. Scott Perry
Sent: Thursday, October 24, 2002 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] HELOBOGUS Question

> The header info you requested is listed below.
>
> Received: from declude.com [66.189.58.123] by mail.jamesoninns.com with ESMTP (SMTPD32-7.13) id A01E19250134; Thu, 24 Oct 2002 13:38:38 -0400
> X-Declude-Sender: [EMAIL PROTECTED] [66.189.58.123]

These two headers show that Declude did use the top Received: header, and should have used declude.com for the HELOBOGUS test (which is correct).

Are other DNS-based spam tests working properly? Are you running a recent version of Declude JunkMail? Has at least one E-mail failed the HELOBOGUS test?

-Scott
Re: [Declude.JunkMail] HELOBOGUS Suddenly kicked in
> I've had declude junkmail pro running well for a few months now...Just bumped up declude.exe to 1.60 last night. Seemed to be receiving things normally and didn't notice an immediate change in filter characteristics. But just this morning, round 11:00, noticed most if not all messages started failing HELOBOGUS. Seems odd. Commented out HELOBOGUS test for now. Any thoughts on what happened??

The HELOBOGUS test was added in 1.54, so if you were running a version before that, the HELOBOGUS test wouldn't have done anything.

I'm guessing that if you look at all those E-mails failing the HELOBOGUS test, you'll see that (guess what?) they are using an invalid domain in their HELO data (which you can see on the top Received: header).

-Scott
Re: [Declude.JunkMail] HELOBOGUS Suddenly kicked in
OK, well, not 'all messages' but many legit messages which had not previously been caught. Perhaps the version I had in place previously didn't support this test? (was using previous release, not beta) I'll dig through the release notes.

Thanks.

-- Original Message --
From: Dan Cummings [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 24 Oct 2002 14:44:41 -0500

Quick question I hope,

I've had declude junkmail pro running well for a few months now...Just bumped up declude.exe to 1.60 last night. Seemed to be receiving things normally and didn't notice an immediate change in filter characteristics. But just this morning, round 11:00, noticed most if not all messages started failing HELOBOGUS. Seems odd. Commented out HELOBOGUS test for now. Any thoughts on what happened??

Thanks!
-Dan

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dan Cummings
Manage.net LLC
[EMAIL PROTECTED]
(612) 821-5000
RE: [Declude.JunkMail] HELOBOGUS Question
> The header info you requested is listed below.
>
> Received: from declude.com [66.189.58.123] by mail.jamesoninns.com with ESMTP (SMTPD32-7.13) id A01E19250134; Thu, 24 Oct 2002 13:38:38 -0400
> X-Declude-Sender: [EMAIL PROTECTED] [66.189.58.123]

These two headers show that Declude did use the top Received: header, and should have used declude.com for the HELOBOGUS test (which is correct).

Are other DNS-based spam tests working properly? Are you running a recent version of Declude JunkMail? Has at least one E-mail failed the HELOBOGUS test?

-Scott
RE: [Declude.JunkMail] HELOBOGUS Question
> We do not have a backup mailserver or gateway - any other ideas?

Could you post the complete headers of this E-mail? That may provide some clues.

-Scott
RE: [Declude.JunkMail] HELOBOGUS Question
We do not have a backup mailserver or gateway - any other ideas?

-Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-owner;declude.com]On Behalf Of R. Scott Perry
Sent: Thursday, October 24, 2002 1:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HELOBOGUS Question

> I've just recently put junkmail into a test phase on my server and have noticed that I am getting almost no hits on the HELOBOGUS test - specifically one hit over a three day/10,000 message period. From what I've been reading on this forum, I'd expect more than that and was wondering what might be inhibiting the HELOBOGUS test.

Do you have a backup mailserver or a gateway mailserver that receives the mail before IMail does?

-Scott
[Declude.JunkMail] HELOBOGUS Question
I've just recently put junkmail into a test phase on my server and have noticed that I am getting almost no hits on the HELOBOGUS test - specifically one hit over a three day/10,000 message period. From what I've been reading on this forum, I'd expect more than that and was wondering what might be inhibiting the HELOBOGUS test.

Thanks,
-Bill Naber
Re: [Declude.JunkMail] HELOBOGUS Question
> I've just recently put junkmail into a test phase on my server and have noticed that I am getting almost no hits on the HELOBOGUS test - specifically one hit over a three day/10,000 message period. From what I've been reading on this forum, I'd expect more than that and was wondering what might be inhibiting the HELOBOGUS test.

Do you have a backup mailserver or a gateway mailserver that receives the mail before IMail does?

-Scott
Re: [Declude.JunkMail] HELOBOGUS Suddenly kicked in
Yup, very typical in MS exchange setups where the Exchange server is running on a Win2K box with some internal naming convention or the like.

Thanks, Declude's working just fine and I actually read the release notes now! ;)

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 24 Oct 2002 15:59:01 -0400

> I've had declude junkmail pro running well for a few months now...Just bumped up declude.exe to 1.60 last night. Seemed to be receiving things normally and didn't notice an immediate change in filter characteristics. But just this morning, round 11:00, noticed most if not all messages started failing HELOBOGUS. Seems odd. Commented out HELOBOGUS test for now. Any thoughts on what happened??

The HELOBOGUS test was added in 1.54, so if you were running a version before that, the HELOBOGUS test wouldn't have done anything.

I'm guessing that if you look at all those E-mails failing the HELOBOGUS test, you'll see that (guess what?) they are using an invalid domain in their HELO data (which you can see on the top Received: header).

-Scott
RE: SPAMCOP:Re: [Declude.JunkMail] HELOBOGUS
It does fail to recognize that ISP's, and especially Hosting Providers, often have people using their email from work or, in the case of personal domains, from another service provider, which means their test messages from [EMAIL PROTECTED] to [EMAIL PROTECTED] would be from a foreign IP. But as a weighted test it would still be very useful since the message shouldn't fail any other tests under normal conditions.

Chuck Frolick
ArgoNet, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Tuesday, September 17, 2002 7:00 PM
To: [EMAIL PROTECTED]
Subject: Re: SPAMCOP:Re: [Declude.JunkMail] HELOBOGUS

>> The problems here are that you have to enter your IP ranges (so the test wouldn't work automatically), and that some people will send mail from the Internet (especially in the case of sending test messages).
>
> If the IP block is set up in the Global.cfg like
> Netblock10.10.2.0/22,192.168.1.0/23
> Then declude would know the local IP address block and this would make it automatic.

Automatic after you enter the IP ranges, and if the IP ranges don't change. :) The non-automatic part is that the test would have to be disabled by default, and people wanting to use it would need to add the list of IPs. However, it could be set up to automatically allow the E-mail if it came from an internal IP address (which would satisfy the needs of a lot of our customers).

> Now for testing from the Internet I would log on to Hotmail and send from me@hotmail to me@myaddress. This e-mail would pass for the return address and the recipient's address do not match.

Good point. :)

This test is something that we are still looking into.

-Scott
[Declude.JunkMail] HELOBOGUS
Should this not have triggered HELOBOGUS as it normally does?

Craig.

Received: from name2.sunbeach.net [205.214.199.131] by sunbeach.net with ESMTP (SMTPD32-6.06) id A2C44EDE0148; Sat, 14 Sep 2002 23:47:16 -0400
Received: from host242-39.pool80205.interbusiness.it (host242-39.pool80205.interbusiness.it [80.205.39.242]) by name2.sunbeach.net (8.9.3/8.9.3) with SMTP id XAA05539 for [EMAIL PROTECTED]; Sat, 14 Sep 2002 23:47:45 -0400
From: [EMAIL PROTECTED]
X-Authentication-Warning: name2.sunbeach.net: host242-39.pool80205.interbusiness.it [80.205.39.242] didn't use HELO protocol
To: [EMAIL PROTECTED]
Received: from sunbeach.net by 0721BV7Y63.sunbeach.net with SMTP for [EMAIL PROTECTED]; Sat, 14 Sep 2002 23:52:09 +0500
Message-Id: [EMAIL PROTECTED]
Date: Sat, 14 Sep 2002 23:52:09 +0500
Subject: This will be the best email you ever read
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Sender: [EMAIL PROTECTED]
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=iso-8859-1
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?80.205.39.242
X-RBL-Warning: HEUR10: Heuristic spam detection level 10 [1.00]
X-RBL-Warning: WEIGHT10: Weight of 11 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [80.205.39.242]
X-Declude-Spoolname: D02c4148.SMD
X-Spam-Tests-Failed: SPAMCOP, HEUR10, WEIGHT10
X-Note: Total spam weight of this E-mail is 11.
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 318915912
Status: U
Re: [Declude.JunkMail] HELOBOGUS
> Should this not have triggered HELOBOGUS as it normally does?
>
> Received: from name2.sunbeach.net [205.214.199.131] by sunbeach.net with ESMTP (SMTPD32-6.06) id A2C44EDE0148; Sat, 14 Sep 2002 23:47:16 -0400

name2.sunbeach.net does have an A record, so it should not trigger the HELOBOGUS test.

> Received: from host242-39.pool80205.interbusiness.it (host242-39.pool80205.interbusiness.it [80.205.39.242]) by name2.sunbeach.net (8.9.3/8.9.3) with SMTP id XAA05539 for [EMAIL PROTECTED]; Sat, 14 Sep 2002 23:47:45 -0400

and host242-39.pool80205.interbusiness.it has an A record, as well.

> X-Spam-Tests-Failed: SPAMCOP, HEUR10, WEIGHT10

So it looks like the test did work properly. The hostname doesn't need to have an MX record, just an A record is fine.

-Scott
RE: [Declude.JunkMail] HELOBOGUS
I spoke in haste, that all makes sense. I am having a tough time with spammers using the mailfrom or return address of the recipient and a wetware problem on the customer end. Is there any way I can stop this? I know, it seems like a catch 22.

Craig.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Tuesday, September 17, 2002 8:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HELOBOGUS

> Should this not have triggered HELOBOGUS as it normally does?
>
> Received: from name2.sunbeach.net [205.214.199.131] by sunbeach.net with ESMTP (SMTPD32-6.06) id A2C44EDE0148; Sat, 14 Sep 2002 23:47:16 -0400

name2.sunbeach.net does have an A record, so it should not trigger the HELOBOGUS test.

> Received: from host242-39.pool80205.interbusiness.it (host242-39.pool80205.interbusiness.it [80.205.39.242]) by name2.sunbeach.net (8.9.3/8.9.3) with SMTP id XAA05539 for [EMAIL PROTECTED]; Sat, 14 Sep 2002 23:47:45 -0400

and host242-39.pool80205.interbusiness.it has an A record, as well.

> X-Spam-Tests-Failed: SPAMCOP, HEUR10, WEIGHT10

So it looks like the test did work properly. The hostname doesn't need to have an MX record, just an A record is fine.

-Scott
RE: [Declude.JunkMail] HELOBOGUS
> I spoke in haste, that all makes sense. I am having a tough time with spammers using the mailfrom or return address of the recipient and a wetware problem on the customer end. Is there any way I can stop this? I know, it seems like a catch 22.

Unfortunately, there isn't any easy way to stop the E-mail that has the same return address as the recipient's address -- the problem is that quite a few people Cc: themselves on all E-mail, as well as send themselves test messages.

-Scott
Re: [Declude.JunkMail] HELOBOGUS
>> I spoke in haste, that all makes sense. I am having a tough time with spammers using the mailfrom or return address of the recipient and a wetware problem on the customer end. Is there any way I can stop this? I know, it seems like a catch 22.
>
> Unfortunately, there isn't any easy way to stop the E-mail that has the same return address as the recipient's address -- the problem is that quite a few people Cc: themselves on all E-mail, as well as send themselves test messages.
> -Scott

Scott,

I would believe that there has to be a way to look at the return address and the recipient's address. If they match then compare the sender's IP address to a list of my net block if it matches then it is assumed to be from a local user therefore it would pass the test and be sent. If it does not match then it is from the internet and therefore Spam and fails the test. Just an idea on how I think it may work.

Lenny Bauman

---
[This E-mail scanned for viruses by LRBCG.COM, Inc.]
Re: [Declude.JunkMail] HELOBOGUS
>> Unfortunately, there isn't any easy way to stop the E-mail that has the same return address as the recipient's address ...
>
> I would believe that there has to be a way to look at the return address and the recipient's address.

Yes, that part is easy. :)

> If they match then compare the sender's IP address to a list of my net block if it matches then it is assumed to be from a local user therefore it would pass the test and be sent. If it does not match then it is from the internet and therefore Spam and fails the test. Just an idea on how I think it may work.

The problems here are that you have to enter your IP ranges (so the test wouldn't work automatically), and that some people will send mail from the Internet (especially in the case of sending test messages).

-Scott
RE: [Declude.JunkMail] HELOBOGUS
It might be a good test to put into the weights. Another one would be a test that looks at the sender's (from their address) and fails if the first MX doesn't match up.

_M

| -----Original Message-----
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
| Sent: Tuesday, September 17, 2002 10:00 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] HELOBOGUS
|
| I spoke in haste, that all makes sense. I am having a tough time with spammers using the mailfrom or return address of the recipient and a wetware problem on the customer end. Is there any way I can stop this? I know, it seems like a catch 22.
|
| Unfortunately, there isn't any easy way to stop the E-mail that has the same return address as the recipient's address -- the problem is that quite a few people Cc: themselves on all E-mail, as well as send themselves test messages.
| -Scott
Re: SPAMCOP:Re: [Declude.JunkMail] HELOBOGUS
>> The problems here are that you have to enter your IP ranges (so the test wouldn't work automatically), and that some people will send mail from the Internet (especially in the case of sending test messages).
>
> If the IP block is set up in the Global.cfg like
> Netblock10.10.2.0/22,192.168.1.0/23
> Then declude would know the local IP address block and this would make it automatic.

Automatic after you enter the IP ranges, and if the IP ranges don't change. :) The non-automatic part is that the test would have to be disabled by default, and people wanting to use it would need to add the list of IPs. However, it could be set up to automatically allow the E-mail if it came from an internal IP address (which would satisfy the needs of a lot of our customers).

> Now for testing from the Internet I would log on to Hotmail and send from me@hotmail to me@myaddress. This e-mail would pass for the return address and the recipient's address do not match.

Good point. :)

This test is something that we are still looking into.

-Scott
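The test discussed in this sub-thread, sketched as an added example (not Declude's code, and not a test the product is stated to have): a message whose return address equals its recipient adds weight unless the connecting IP is inside a configured local netblock. The function names and the weight of 5 are assumptions; the CIDR list is the one quoted above, and the weights 8 and 4 and the limit of 10 are the values from the log excerpt earlier on this page.

```python
import ipaddress


def parse_netblocks(spec):
    """Parse a comma-separated CIDR list.

    strict=False accepts entries whose base address is not on the prefix
    boundary (both entries quoted in the thread are like that) and
    normalizes them instead of raising ValueError.
    """
    nets = []
    for part in spec.split(","):
        part = part.strip()
        if part:
            nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def is_local_ip(client_ip, netblocks):
    """True if the connecting IP falls inside any configured local netblock."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable address is never treated as local
    return any(ip in net for net in netblocks)


def self_addressed_weight(mail_from, rcpt_to, client_ip, netblocks, weight=5):
    """Weight added by the proposed test for one message (0 = not triggered)."""
    if mail_from.strip().lower() != rcpt_to.strip().lower():
        return 0  # return address and recipient differ: test does not apply
    if is_local_ip(client_ip, netblocks):
        return 0  # self-addressed mail sent from inside the local netblocks
    return weight  # self-addressed mail arriving from a foreign IP


def total_weight(other_tests, mail_from, rcpt_to, client_ip, netblocks):
    """Sum the weights of tests already failed plus the self-addressed test."""
    return sum(other_tests.values()) + self_addressed_weight(
        mail_from, rcpt_to, client_ip, netblocks)


def reaches_limit(total, limit=10):
    """Mirror of the log wording: 'reaches or exceeds the limit'."""
    return total >= limit


# CIDR list as written in the thread; addresses below are constructed samples.
NETBLOCKS = parse_netblocks("10.10.2.0/22,192.168.1.0/23")

if __name__ == "__main__":
    print([str(n) for n in NETBLOCKS])
    # A user mailing themselves from outside: weighted, but below the limit alone.
    alone = total_weight({}, "me@example.com", "me@example.com",
                         "80.205.39.242", NETBLOCKS)
    print(alone, reaches_limit(alone))
    # Same message that also failed HELOBOGUS (weight 8 in the page's log).
    combined = total_weight({"HELOBOGUS": 8}, "me@example.com",
                            "me@example.com", "80.205.39.242", NETBLOCKS)
    print(combined, reaches_limit(combined))
```

Used as a weighted test, as suggested in the thread, a self-addressed message from an outside IP is only held once another test also fails.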
Re: [Declude.JunkMail] Helobogus
> I'm getting the HELOBOGUS failure if I send any email to another domain on our server. It's pulling my machine name. Is there any way to fix this or should I not use the helobogus test? It does it with 155i and 156 (I haven't gone back to 155 yet to see if that helps). Here's the warning:
>
> X-RBL-Warning: HELOBOGUS: Domain cpq2715 has no MX/A records

That's a technical violation of the RFCs -- but the next release of Declude JunkMail will only test the HELO/EHLO for non-local senders (since many mail clients send just the machine name, and not the FQDN).

-Scott

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
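The HELO check these threads keep returning to, as an added example (not Declude's code): take the HELO name from the top Received: header, fail it when it is not a fully qualified name or has neither an A nor an MX record, and skip the test when the MAIL FROM domain is local. Function names, the constructed zone table standing in for DNS, and the `skip_local` flag (a hypothetical switch for running the test on local senders too) are assumptions.

```python
import re

# IMail-style top Received: header, as quoted in the threads:
#   Received: from <HELO name> [<client IP>] by <server> with ESMTP ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\[([0-9A-Fa-f.:]+)\]\s+by\s+\S+")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_top_received(headers):
    """Return (helo_name, client_ip) from the first Received: header, else None."""
    for line in headers.splitlines():
        if line.startswith("Received:"):
            m = RECEIVED_RE.match(line)
            return (m.group(1), m.group(2)) if m else None
    return None


def is_fqdn(name):
    """True for a dotted host name with valid labels and a non-numeric last label."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL_RE.match(label) for label in labels)


def helobogus(helo, mail_from, resolve, local_domains=(), skip_local=True):
    """Return (failed, reason) for one message.

    resolve(name) returns the set of DNS record types found for name.
    skip_local=True models the behaviour described on this page: the test
    is not run when the MAIL FROM domain is a local one.
    """
    sender_domain = mail_from.rpartition("@")[2].lower()
    if skip_local and sender_domain in local_domains:
        return (False, "skipped: local sender")
    # Assumption: a name that is not a valid FQDN (bare machine name,
    # underscore, e-mail address) fails without a DNS query.
    if not is_fqdn(helo):
        return (True, f"Domain {helo} has no MX/A records.")
    # An A record alone is enough; an MX record is not required.
    if not ({"A", "MX"} & resolve(helo.lower().rstrip("."))):
        return (True, f"Domain {helo} has no MX/A records.")
    return (False, "ok")


def check_message(headers, mail_from, resolve, local_domains=(), skip_local=True):
    """Parse the top Received: header and run the HELO test on it."""
    parsed = parse_top_received(headers)
    if parsed is None:
        return (False, "no parsable Received: header")
    return helobogus(parsed[0], mail_from, resolve, local_domains, skip_local)


# Constructed zone table standing in for real DNS lookups.
ZONE = {"name2.sunbeach.net": {"A"}, "declude.com": {"A", "MX"}}


def lookup(name):
    return ZONE.get(name, set())


# Constructed sample: first line is the top Received: header quoted on this page.
SAMPLE_HEADERS = (
    "Received: from name2.sunbeach.net [205.214.199.131] by sunbeach.net "
    "with ESMTP (SMTPD32-6.06) id A2C44EDE0148; Sat, 14 Sep 2002 23:47:16 -0400\n"
    "Subject: constructed sample\n"
)
# Constructed sample: a client announcing only its machine name.
BARE_NAME_HEADERS = (
    "Received: from cpq2715 [192.0.2.25] by mail.example.com with ESMTP\n"
)

if __name__ == "__main__":
    local = {"example.com"}
    print(check_message(SAMPLE_HEADERS, "a@example.net", lookup, local))
    print(check_message(BARE_NAME_HEADERS, "a@example.net", lookup, local))
    # A local MAIL FROM skips the test, whoever is actually connecting.
    print(check_message(BARE_NAME_HEADERS, "user@example.com", lookup, local))
    print(check_message(BARE_NAME_HEADERS, "user@example.com", lookup, local,
                        skip_local=False))
```

Because the skip keys on the MAIL FROM domain alone, the third call returns "skipped" for any client that supplies a local return address; the fourth shows the same message failing once the test is also applied to local senders.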