[Declude.JunkMail] Badheaders, Eudora and Incredimail

2002-09-03 Thread Lachezar Karadjov

Hi there,

I'm new to this list and to Declude for that matter. I can say however that
it does a terrific job.

I need your advice on the following:

A lot of legitimate e-mail is getting caught because of badheaders.

Although we have set revdns, noabuse, nopostmaster and routing to ignore
it appears that they add weight when combined.

We've also discovered that the way Eudora and Incredimail write header
information makes most if not all mail originating from these mail clients
be caught as spam because of badheaders.

Is there any workaround?

Best regards
Lachezar

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] Badheaders, Eudora and Incredimail

2002-09-03 Thread Lachezar Karadjov

Thanks for the prompt reply,

This is the header from one of the incredimail messages:

Received: from Tyrone Sons [196.31.58.242] by tibiyo.com
  (SMTPD32-7.04) id A7DA483E01C8; Tue, 03 Sep 2002 09:42:18 +0200
MIME-Version: 1.0
Message-Id: 3D74673B.1E.19449@Tyrone Sons.realnet.co.sz
Date: Tue, 3 Sep 2002 09:39:39 +0200 (South Africa Standard Time)
Content-Type: Multipart/related;
  type=multipart/alternative;
  boundary=Boundary-00=_3MQUP4J1VA40
X-Mailer: IncrediMail 2001 (1750690)
From: Tyrone Sons [EMAIL PROTECTED]
X-FID: FEFCEF83-591F-11D4-AF87-0050DAC67E11
X-FVER: 2.0
X-FIT: Letter
X-FCOL: Old Papers
X-FCAT: Stationery
X-FDIS: Celtic Myth
X-Extensions:
SU1CTDEsNDEsgUmBSTgsODQsOMGVTY3FhThNhYUoiU0kOMGdTYGBjYEoJDSZnSyFhUksSU1CTDIs
MCwsSU1CTDMsMCws
X-BG: AAE092E1-BF0E-11D6-8F75-00C0CA1101D1
X-BGT: repeat
X-BGC: #ddbb99
X-BGPX: left
X-BGPY: 0px
X-ASN: EE860250-5330-11D4-BA52-0050DAC68030
X-ASNF: 0
X-ASH: EE860250-5330-11D4-BA52-0050DAC68030
X-ASHF: 1
X-AN: A5BE2A00-37CC-11D4-BA36-0050DAC68030
X-ANF: 0
X-AP: A5BE2A00-37CC-11D4-BA36-0050DAC68030
X-APF: 1
X-AD: 7E485C40-4138-11D4-BA3D-0050DAC68030
X-ADF: 0
X-AUTO: X-ASN,X-ASH,X-AN,X-AP,X-AD
X-CNT: ;
X-Priority: 3
To: [EMAIL PROTECTED]
Subject: Not sending mail
Reply-To: Tyrone Sons [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [196.31.58.242]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: BADHEADERS
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 323286068

The following is the header from a Eudora mail client:

Received: from johnresting [196.31.58.24] by realnet.co.sz
  (SMTPD32-7.06) id A891E79A011E; Tue, 03 Sep 2002 17:43:13 +0200
X-Sender: [EMAIL PROTECTED]
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Tue, 03 Sep 2002 17:45:53 +0200
To: [EMAIL PROTECTED]
From: John Resting [EMAIL PROTECTED]
Subject:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: 200209031743796.SM00321@johnresting
X-Declude-Sender: [EMAIL PROTECTED] [196.31.58.24]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: None
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 912182731

I guess that the reason for the spam test being none is that I whitelisted
the [EMAIL PROTECTED] e-mail address, and yes your note on the IP
address is correct as there is an IP address instead of the server name.

Best regards
Lachezar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Tuesday, September 03, 2002 4:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Badheaders, Eudora and Incredimail



> A lot of legitimate e-mail is getting caught because of badheaders.

That is very bad.

Note that any E-mail failing the BADHEADERS test is likely to get caught on
other servers, as well.

> Although we have set revdns, noabuse, nopostmaster and routing to ignore
> it appears that they add weight when combined.

That is correct, unless you disable those tests, or set the weight to
0.  The IGNORE action only affects the test that it is used with, and does
not take away the weight for that test.

> We've also discovered that the way Eudora and Incredimail write header
> information makes most if not all mail originating from these mail clients
> be caught as spam because of badheaders.
>
> Is there any workaround?

I often get mail from people using Eudora and Incredimail, and they do not
fail the BADHEADERS test.  So it is likely a problem with the specific
version(s) that you are running, or a setup error.

There is a bug in some versions of Eudora that can cause the BADHEADERS
test to fail if an IP address is entered as the name of the server.  Eudora
will accept this, but assume that it is a host name (not an IP), so when it
generates the Message-ID: header, it uses the format for a hostname rather
than an IP, which breaks the header.

If you post the full headers of one of the E-mails that was caught
(actually, one for Eudora and one for Incredimail would be best), I can
take a look to see what is wrong.
-Scott




RE: [Declude.JunkMail] Badheaders, Eudora and Incredimail

2002-09-03 Thread R. Scott Perry


> This is the header from one of the incredimail messages:
>
> Message-Id: 3D74673B.1E.19449@Tyrone Sons.realnet.co.sz

This one looks like Incredimail doesn't do an incredible job checking host 
names -- the last I checked, host names could not include a space in them.  :)

> The following is the header from a Eudora mail client:

...

> I guess that the reason for the spam test being none is that I whitelisted
> the [EMAIL PROTECTED] e-mail address, and yes your note on the IP
> address is correct as there is an IP address instead of the server name.

Actually, the IP address isn't the issue here (although the X-Sender: 
[EMAIL PROTECTED] should be X-Sender: johnrest@[192.168.0.1], the 
RFCs allow anything in the X- headers, so it is technically valid).

This E-mail didn't fail the BADHEADERS test here, just the SPAMHEADERS test 
(because it was sent without a Message-ID: header).  I'm guessing the 
version of Eudora they are running is a beta version, as I haven't heard of 
any legitimate mail clients that don't add the Message-ID: header (usually 
it's poorly designed web apps that have that problem).

-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com
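
An added example, not part of the thread and not Declude's BADHEADERS or SPAMHEADERS logic: a small Python checker for the three Message-ID conditions discussed above (a space in the host part, a missing header, and an IP address written in host name format). The function name, the finding strings and the sample headers are assumptions; the samples are constructed from the values in the thread with angle brackets added.

```python
import re
from email import message_from_string

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one host name label
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ID_LEFT = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")  # dot-atom characters

def check_message_id(raw_headers):
    """Return a list of findings for the Message-ID header; empty means clean."""
    value = message_from_string(raw_headers)["Message-ID"]  # case-insensitive lookup
    if value is None:
        return ["missing Message-ID header"]
    value = value.strip()
    if not (value.startswith("<") and value.endswith(">")):
        return ["Message-ID not enclosed in angle brackets"]
    left, sep, right = value[1:-1].rpartition("@")
    if not (sep and left and right):
        return ["Message-ID is not of the form <id-left@id-right>"]
    findings = []
    if not ID_LEFT.match(left):
        findings.append("id-left contains characters outside dot-atom text")
    if right.startswith("[") and right.endswith("]"):
        if not IPV4.match(right[1:-1]):
            findings.append("domain literal is not an IPv4 address")
    elif IPV4.match(right):
        # Assumption: a bare dotted quad is the "hostname format for an IP" case.
        findings.append("bare IP address used as host name; expected [a.b.c.d]")
    else:
        for label in right.split("."):
            if not LABEL.match(label):  # catches spaces, empty labels, odd characters
                findings.append(f"invalid host name label {label!r}")
    return findings

# Constructed samples; angle brackets added around the values.
INCREDIMAIL = ("X-Mailer: IncrediMail 2001 (1750690)\n"
               "Message-Id: <3D74673B.1E.19449@Tyrone Sons.realnet.co.sz>\n")
NO_MESSAGE_ID = ("X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1\n"
                 "Date: Tue, 03 Sep 2002 17:45:53 +0200\n")
BARE_IP = "Message-Id: <200209031743.AA0001@192.168.0.1>\n"
BRACKETED_IP = "Message-Id: <200209031743.AA0001@[192.168.0.1]>\n"

if __name__ == "__main__":
    for name in ("INCREDIMAIL", "NO_MESSAGE_ID", "BARE_IP", "BRACKETED_IP"):
        print(name, check_message_id(globals()[name]))
```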
