RE: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate
John, Can you list multiple REVDNS on a single line when using spamdomains? For example @bellsouth.net .bellsouth. isp.att. Thanks, Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists) Sent: Monday, August 20, 2007 10:55 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate Does anyone have an updated listed for SPAMDOMAINS test for the AT T conglomerate? I know there is .att. and bellsouth.com and sbc.com but what else is there that could originate from an att.com REVDNS? John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate
You can but I think the limit is three. Don't forget ATT/SBC is in bed with Yahoo so their email can come through Yahoo too. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Friday, October 26, 2007 11:24 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate John, Can you list multiple REVDNS on a single line when using spamdomains? For example @bellsouth.net .bellsouth. isp.att. Thanks, Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists) Sent: Monday, August 20, 2007 10:55 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate Does anyone have an updated listed for SPAMDOMAINS test for the AT T conglomerate? I know there is .att. and bellsouth.com and sbc.com but what else is there that could originate from an att.com REVDNS? John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate
The ATT/Yahoo/BellSouth/Ameritech/SBS conglomerate is about to force me to remove all of the entries from the spamdomains file entirely. (Did I leave any one out?) John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Friday, October 26, 2007 10:46 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate You can but I think the limit is three. Don't forget ATT/SBC is in bed with Yahoo so their email can come through Yahoo too. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Friday, October 26, 2007 11:24 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate John, Can you list multiple REVDNS on a single line when using spamdomains? For example @bellsouth.net.bellsouth. isp.att. Thanks, Keith -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (lists) Sent: Monday, August 20, 2007 10:55 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate Does anyone have an updated listed for SPAMDOMAINS test for the AT T conglomerate? I know there is .att. and bellsouth.com and sbc.com but what else is there that could originate from an att.com REVDNS? John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
re: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate
I'm interested in finding this out too - we had a few legit emails get caught the last 2 days primarily due to the SPAMDOMAINS test coming from a bellsouth.net address that went thru an ATT server Randy A. From: John T \(lists\) [EMAIL PROTECTED] Sent: Monday, August 20, 2007 11:06 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] SPAMDOMAINS update for the att conglomerate Does anyone have an updated listed for SPAMDOMAINS test for the AT T conglomerate? I know there is .att. and bellsouth.com and sbc.com but what else is there that could originate from an att.com REVDNS? John T --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains test
Stu, The spamdomains test uses the mailfrom address. Declude derives all its sender and recipient information from the envelope, not the message headers. David Franco-Rocha Declude Technical / Engineering - Original Message - From: [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Friday, January 06, 2006 10:50 AM Subject: [Declude.JunkMail] Spamdomains test Does the Spamdomains tests use the mailfrom or the From: address to compare to the revdns. I'm betting it is the mailfrom address. Thanks Stu --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS and No Reverse DNS
I have a couple of SPAMDOMAINS where I would like to have No Reverse DNS be a viable alternative to the domain but still block on everything else. Can I just put that string No Reverse DNS in second column to pass through domains which only match domain.com and No Reverse DNS? Unfortunately, that will not work -- the SPAMDOMAINS tests will not work with IPs that have no reverse DNS entry. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS and No Reverse DNS
Would this alternative filter work? TESTSFAILED END NOTCONTAINS REVDNS MAILFROM 1 ENDSWITH.msn.com # ok it is from msn and there is no revdns Ah, good thinking -- that should work. You might also want to add a line: REVDNS END CONTAINS.msn.com to make sure that the test is not triggered if .msn.com appears in the reverse DNS entry. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains
It sounds like the problem is that Declude JunkMail is scanning the first hop (the forwarding server), which it should not be doing. If that is the case, you should be using the IPBYPASS option to let Declude JunkMail know that the forwarding server is not the true source of the E-mail. David Franco-Rocha Declude Technical Support - Original Message - From: John Olden [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 10, 2004 11:13 AM Subject: [Declude.JunkMail] Spamdomains Is there a way to change the Spamdomains test to test the first rather than last? Our main e-mail address is hosted by another company and automatically forwarded to me and the Spamdomains test is showing the forwarded location. John Olden - Systems Administrator Champaign Park District --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains
I do already have IPBYPASS set for this first hop. I don't have a current example message in the hold folder so I'll have to double check it as another one gets caught to make sure the IP address hasn't changed. John Olden - Systems Administrator Champaign Park District - Original Message - From: David Franco-Rocha [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 10, 2004 11:15 AM Subject: Re: [Declude.JunkMail] Spamdomains It sounds like the problem is that Declude JunkMail is scanning the first hop (the forwarding server), which it should not be doing. If that is the case, you should be using the IPBYPASS option to let Declude JunkMail know that the forwarding server is not the true source of the E-mail. David Franco-Rocha Declude Technical Support - Original Message - From: John Olden [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 10, 2004 11:13 AM Subject: [Declude.JunkMail] Spamdomains Is there a way to change the Spamdomains test to test the first rather than last? Our main e-mail address is hosted by another company and automatically forwarded to me and the Spamdomains test is showing the forwarded location. John Olden - Systems Administrator Champaign Park District --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [MSGID=Df63b0156003cd9c0.SMD] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains prodigy.net.mx
I had a legit email fail Spamdomains for prodigy.net. X-RBL-Warning: SPAMDOMAINS: Spamdomain 'prodigy.net' found: Address of [EMAIL PROTECTED] sent from invalid . The problem here is that there appears to be no reverse DNS entry for the IP that Declude JunkMail used. What IP did Declude JunkMail use (I'm guessing 148.235.52.27?)? You should have an X-Declude-Sender: header with the IP in it. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains prodigy.net.mx
Scott, AX-Declude-Sender: [EMAIL PROTECTED] [148.235.52.27] Todd - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, July 02, 2004 11:11 AM Subject: Re: [Declude.JunkMail] Spamdomains prodigy.net.mx I had a legit email fail Spamdomains for prodigy.net. X-RBL-Warning: SPAMDOMAINS: Spamdomain 'prodigy.net' found: Address of [EMAIL PROTECTED] sent from invalid . The problem here is that there appears to be no reverse DNS entry for the IP that Declude JunkMail used. What IP did Declude JunkMail use (I'm guessing 148.235.52.27?)? You should have an X-Declude-Sender: header with the IP in it. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains prodigy.net.mx
AX-Declude-Sender: [EMAIL PROTECTED] [148.235.52.27] That's strange -- that IP does have a reverse DNS entry, and it is set up properly. My guess is that they were having DNS problems where their DNS servers were sending invalid data, which would account for the blank reverse DNS entry that Declude JunkMail saw. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains test
Thanks Bill. I checked the archives and found one from Nov.28,2003 ... just got it setup. thanks again, Larry Craddock - Original Message - From: Bill Landry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 28, 2004 12:34 AM Subject: Re: [Declude.JunkMail] Spamdomains test - Original Message - From: Larry Craddock [EMAIL PROTECTED] Thanks everyone. Now that I understand how to use the test, does anyone have a spamdomains.txt file that includes the entries for the domains most commonly used that they could share? Check the archives, Larry. I have posted mine to the list several times. If you cannot locate it, send me a e-mail off-list and I will send it to you. Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains test
But I'm sure I've seen discussion someplace with reference to lines containing more than just a domain name in the spamdomains.txt file ... or is that all that's needed besides enabling the test? That's a new feature, that allows you to have an alias (for lack of a better word) that can be used in conjunction with the domain name. So a line example.com would require that any E-mail address from @example.com must have a reverse DNS entry containing example.com. However, if legitimate @example.com E-mail can also be sent from @example.net, then you could have a line example.com example.net. With that line, an E-mail from @example.com could have a reverse DNS entry containing example.com or example.net (but it would not apply to users with an @example.net return address). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains test
Using the dnsbl type of test and a custom zone, you could extend this through DNS. For instance: MPBL-SPAMDOMAINS dnsbl %REVDNS%.%RHSBL%.spamdomains.example.com 127.0.0.2 4 0 In your custom zone, you could construct records like so: *.aol.com.aol.comA 127.0.0.1 TXT ( "Good Entry" ) *.aol.comA 127.0.0.2 TXT ( "Bad Entry" ) I haven't yet tested this, but I believe that the wildcarding will work to give you the proper result. Essentially you define a single bad entry, and then one good entry for every set of reverse DNS with Mail >From domain. Unlike SPAMDOMAINS, this could accomodate more than two different reverse DNS domains. The downside is that I don't know what it will do if Declude can't resolve a reverse DNS entry, or more accurately, what value will Declude use in place of the reverse DNS entry (this might be something to provide as an exception for each entry). Alternatively, you could also use the %HELO% in combination with %RHSBL% since those don't need to do lookups. Same thing goes for %IP4R% as well if you wish to do it in a fashion similar to SPF. Matt Sanford Whiteman wrote: So a line "example.com" would require that any E-mail address from @example.com must have a reverse DNS entry containing "example.com". However, if legitimate @example.com E-mail can also be sent from @example.net, then you could have a line "example.com example.net". Scott, any thoughts on my suggestion of an extended SPFDOMAINS test type with which you could manually maintain SPF-formatted policies for given domains, running the data through the existing SPF parser? --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] Spamdomains test
I've been planing on trying this for about a week now, and I'm still not convinced that it will work. From my standpoint though, this represents a good way to remove a tad bit more processing and maintain a system to be shared on multiple servers without having to update text files. This idea originally came from my desire to qualify two pieces of information when whitelisting. Using this technique, you could effectively whitelist without fear of forging, though of course the possibility would still exist. You could credit messages that pass such a test such as from amazon.com, coming from an amazon.com reverse DNS entry, and that would be much stronger than systems like BondedSener which relies only on the IP, where servers can still be hijacked or infected. This is also a much more efficient way to credit messages than to maintain long lists of whitelist address and as above, it's a good format for a distributed system with multiple scanning servers that can be updated in real-time. My biggest wish though is that both the To: address and the Reply-To: address were exposed through variables and filters, because that would allow me to apply credit to things that use VERP and also put it in DNS instead of using body or header filters to do the dirty work. Matt Sanford Whiteman wrote: Using the dnsbl type of test and a custom zone, you could extend this through DNS. For instance: MPBL-SPAMDOMAINS dnsbl%REVDNS%.%RHSBL%.spamdomains.example.com 127.0.0.240 Interesting idea, Matt. Still way too much management compared to SPF-compatibleformatting,though. The ability to append ._spf.example.com to SPF queries, or use the SPFDOMAINS text list, would be a lot easier. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange Addresses into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] Spamdomains test
Thanks everyone. Now that I understand how to use the test, does anyone have a spamdomains.txt file that includes the entries for the domains most commonly used that they could share? Larry Craddock
Re: [Declude.JunkMail] Spamdomains test
- Original Message - From: Larry Craddock [EMAIL PROTECTED] Thanks everyone. Now that I understand how to use the test, does anyone have a spamdomains.txt file that includes the entries for the domains most commonly used that they could share? Check the archives, Larry. I have posted mine to the list several times. If you cannot locate it, send me a e-mail off-list and I will send it to you. Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Thank you so much, Kami! I can definitely understand your concise explanation and it sounds like a great way to handle what I am trying to do or at least add another trick in the bag. I'll have to see how I can incorporate this into my current setup. Thanks, Again! Dan - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 14, 2004 4:32 PM Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? I don't even know how to mentally parse the below code that you've listed. REVDNS END ENDSWITH .hotmail.com MAILFROM 3 ENDSWITH @hotmail.com HELO 5 ENDSWITH .hotmail.com Hi Dan: This is what the above means. REVDNS END ENDSWITH .hotmail.com -- if reverse dns ends with Hotmail.com end the filter and do not process the rest of the filter. This way it won't even trigger the test as being run. What that means is the reverse DNS is hotmail.com MAILFROM 3 ENDSWITH @hotmail.com -- naturally if line 2 is executed it means that reverse DNS is NOT hotmail.com and if the mailfrom endswith hotmail.com then add 3 to the weight. As stated this is one of the many filters we have on Good ISP filters. This filter penalizes an email if the sender's email is hotmail but the reverse dns and helo are not. Similarly on line 3- HELO 5 ENDSWITH .hotmail.com Add 5 points if HELO ends with hotmail.com So if someone's email is [EMAIL PROTECTED] and the reverse dns is not hotmail.com the email gets 3 and if HELO is hotmail.com then it gets 8 points. Hope that explains it.. Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Scott, I know it's been awhile since you posted the answer to my original question but I would _love_ to have a test which functions exactly the same as spamdomains but instead of searching the reverse DNS in a CONTAINS type manner it searched it an ENDSWITH type manner. That would allow me to create a file like the below (that would be used with the ENDSWITH-typespamdomains test)... - a.edu b.edu c.edu d.edu . . . w.edu x.edu y.edu z.edu - which I would use to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD. With edu especially a large majority of the time it does match so points for not matching would be great. And that's just one example of how that would be very useful to me. .Just another request to give consideration for the future. Thanks, Dan Geiser [EMAIL PROTECTED] - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 02, 2004 7:11 PM Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? If I have a SPAMDOMAINS type test in my GLOBAL.CFG... SD-TLD spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt x 5 0 ...and I have some entries in the corresponding flat text file like below... .mil will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner or an ENDSWITH type manner? It will work like CONTAINS, so: For example would the host name .milton-bradley.com in the below... - X-Note: Sent with HELO [mail] from Reverse DNS [mail.milton-bradley.com] - get flagged as passing or failing the SPAMDOMAINS test? That one would get caught, if the reverse DNS entry did not contain .mil in it. So if the E-mail was from [EMAIL PROTECTED], and the reverse DNS entry was mail.milton-bradley.com, the E-mail would not fail the test (but if the reverse DNS was mail.someone_else.com, it would fail the test). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Dan.. Can you not use a filter file for this? Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, May 14, 2004 9:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Scott, I know it's been awhile since you posted the answer to my original question but I would _love_ to have a test which functions exactly the same as spamdomains but instead of searching the reverse DNS in a CONTAINS type manner it searched it an ENDSWITH type manner. That would allow me to create a file like the below (that would be used with the ENDSWITH-typespamdomains test)... - a.edu b.edu c.edu d.edu . . . w.edu x.edu y.edu z.edu - which I would use to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD. With edu especially a large majority of the time it does match so points for not matching would be great. And that's just one example of how that would be very useful to me. .Just another request to give consideration for the future. Thanks, Dan Geiser [EMAIL PROTECTED] - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 02, 2004 7:11 PM Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? If I have a SPAMDOMAINS type test in my GLOBAL.CFG... SD-TLD spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt x 5 0 ...and I have some entries in the corresponding flat text file like below... .mil will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner or an ENDSWITH type manner? It will work like CONTAINS, so: For example would the host name .milton-bradley.com in the below... - X-Note: Sent with HELO [mail] from Reverse DNS [mail.milton-bradley.com] - get flagged as passing or failing the SPAMDOMAINS test? That one would get caught, if the reverse DNS entry did not contain .mil in it. So if the E-mail was from [EMAIL PROTECTED], and the reverse DNS entry was mail.milton-bradley.com, the E-mail would not fail the test (but if the reverse DNS was mail.someone_else.com, it would fail the test). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Kami, How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD.? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great. Thanks, Dan Geiser [EMAIL PROTECTED] - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 14, 2004 9:22 AM Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Dan.. Can you not use a filter file for this? Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, May 14, 2004 9:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Scott, I know it's been awhile since you posted the answer to my original question but I would _love_ to have a test which functions exactly the same as spamdomains but instead of searching the reverse DNS in a CONTAINS type manner it searched it an ENDSWITH type manner. That would allow me to create a file like the below (that would be used with the ENDSWITH-typespamdomains test)... - a.edu b.edu c.edu d.edu . . . w.edu x.edu y.edu z.edu - which I would use to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD. With edu especially a large majority of the time it does match so points for not matching would be great. And that's just one example of how that would be very useful to me. .Just another request to give consideration for the future. Thanks, Dan Geiser [EMAIL PROTECTED] - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 02, 2004 7:11 PM Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? If I have a SPAMDOMAINS type test in my GLOBAL.CFG... SD-TLD spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt x 5 0 ...and I have some entries in the corresponding flat text file like below... .mil will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner or an ENDSWITH type manner? It will work like CONTAINS, so: For example would the host name .milton-bradley.com in the below... - X-Note: Sent with HELO [mail] from Reverse DNS [mail.milton-bradley.com] - get flagged as passing or failing the SPAMDOMAINS test? That one would get caught, if the reverse DNS entry did not contain .mil in it. So if the E-mail was from [EMAIL PROTECTED], and the reverse DNS entry was mail.milton-bradley.com, the E-mail would not fail the test (but if the reverse DNS was mail.someone_else.com, it would fail the test). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing
RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Dan.. May be I am not understanding the question. But I basically have a couple of combination tests that are like the following: REVDNS END ENDSWITH.hotmail.com MAILFROM3 ENDSWITH@hotmail.com HELO5 ENDSWITH.hotmail.com So with this logic you can add weight if someone is using Hotmail as return address but is not using hotmail to send mail. We have this for a lot of ISP's. Is this what you are trying to do? Regards, -Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, May 14, 2004 9:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Kami, How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD.? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great. Thanks, Dan Geiser [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
Hi, Kami, I don't even know how to mentally parse the below code that you've listed. Would this go inside a filter file? What does each line signify? For example, REVDNS END ENDSWITH .hotmail.com. I've not seen that syntax before. Is END a valid value in that column? What does it do? When was the END value introduced? I am currently running v1.75 and I know there's been a lot of stuff introduced since our Service Agreement expired. Thanks for your feedback. Dan - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 14, 2004 9:40 AM Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Dan.. May be I am not understanding the question. But I basically have a couple of combination tests that are like the following: REVDNS END ENDSWITH .hotmail.com MAILFROM 3 ENDSWITH @hotmail.com HELO 5 ENDSWITH .hotmail.com So with this logic you can add weight if someone is using Hotmail as return address but is not using hotmail to send mail. We have this for a lot of ISP's. Is this what you are trying to do? Regards, -Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, May 14, 2004 9:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Kami, How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD.? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great. Thanks, Dan Geiser [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
The END in the weight column is valid starting somewhere in the 1.77s. It causes the filter to immediately end with the current score. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 05/14/04 03:01PM Hi, Kami, I don't even know how to mentally parse the below code that you've listed. Would this go inside a filter file? What does each line signify? For example, REVDNS END ENDSWITH .hotmail.com. I've not seen that syntax before. Is END a valid value in that column? What does it do? When was the END value introduced? I am currently running v1.75 and I know there's been a lot of stuff introduced since our Service Agreement expired. Thanks for your feedback. Dan - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 14, 2004 9:40 AM Subject: RE: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Dan.. May be I am not understanding the question. But I basically have a couple of combination tests that are like the following: REVDNS END ENDSWITH .hotmail.com MAILFROM 3 ENDSWITH @hotmail.com HELO 5 ENDSWITH .hotmail.com So with this logic you can add weight if someone is using Hotmail as return address but is not using hotmail to send mail. We have this for a lot of ISP's. Is this what you are trying to do? Regards, -Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Friday, May 14, 2004 9:31 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS? Kami, How do you see me using a filter file to add a small amount of points for the end of every SENDER that doesn't match the end of every REVDNS in the edu TLD.? I don't know how to use a filter file to compare a string in one field to a string in another. If it can be done that would be great. Thanks, Dan Geiser [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains question
I just had an email fail spamdomains for [EMAIL PROTECTED] X-RBL-Warning: SPAMDOMAINS: Spamdomain 'swbell.net' found: Address of [EMAIL PROTECTED] sent from invalid mta7.pltn13.pbi.net. pbi.net is registered to SBC and is valid (pacific bell internet) In my spam domains file I have this: swbell.net .prodigy.net would I just add another line like this? swbell.net .pbi.net No. With both those lines, E-mail from @swbell.net will fail the test unless the reverse DNS contains swbell.net in it. For example, an E-mail from @swbell.net with a reverse DNS entry of mail.prodigy.net would pass the first line, but fail the second line, causing the test to fail. or can they be placed on the same line like this? swbell.net .prodigy.net .pbi.net This is something that we hope to add later. Question 2: Is there a way to turn the headers off in the mail archive so everyones declude header messages arent the bulk of the search results? Unfortunately, I'm not aware of any way to do that. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains question
I believe you are only allowed two columns in the spam domain line. Scott Fisher Director of IT Farm Progress Companies [EMAIL PROTECTED] 05/11/04 03:40PM I just had an email fail spamdomains for [EMAIL PROTECTED] X-RBL-Warning: SPAMDOMAINS: Spamdomain 'swbell.net' found: Address of [EMAIL PROTECTED] sent from invalid mta7.pltn13.pbi.net. pbi.net is registered to SBC and is valid (pacific bell internet) In my spam domains file I have this: swbell.net .prodigy.net would I just add another line like this? swbell.net .pbi.net or can they be placed on the same line like this? swbell.net .prodigy.net .pbi.net Question 2: Is there a way to turn the headers off in the mail archive so everyones declude header messages arent the bulk of the search results? Rick Davidson National Systems Manager North American Title Group - --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS Failure
I'd be leary of a spamdomain att.net .airdata.com If you received e-mail from catt.net, it would fail the above line. I made up catt.net, but valid non-ATT domains ending in att.net may exist. perhaps mobile.att.net .airdata.com @att.net .att.net or .att.net.airdata.com @att.net .att.net [EMAIL PROTECTED] 4/28 7:22p Hello, Had a client forward me an e-mail that failed the SPAMDOMAIN test (along with a couple others). Below are the internet headers of the SPAMDOMAINs failure (I can post the full inet headers if desired): X-RBL-Warning: SPAMDOMAINS: Spamdomain 'att.net' found: Address of [EMAIL PROTECTED] sent from invalid emhmta02.cdpd.airdata.com. X-Declude-Sender: [EMAIL PROTECTED] [199.88.234.47] I have an entry of: att.net in our spamdomains.txt file. Now to add this entry to the spamdomains.txt file, I would make the following entry, correct? att.net .airdata.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS - Netscape.com
Ok.. Makes sense.. Thanks.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Monday, April 19, 2004 2:29 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Jeff, the main problem with figuring out spamdomains entries is that you really have to receive valid mail from the domain to really know. If they have an SPF record, that's the easiest way to research them, but you can also try the website at http://www.SenderBase.org to see what they've noticed. They've noticed one more host: dust.netscape.com The problem with checking the MX record is that it is only for recording inbound mail to Netscape.com, it doesn't necessarily say anything about outbound mail from them, which is what you're after. I suspect that your suggestion will work fine, as I think that they keep their corporate domain for netscape.com separate from the customer business as netscape.net ... Andrew 8) -Original Message- From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED] Sent: Monday, April 19, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Hello, I got a message that was from [EMAIL PROTECTED] but came from RoadRunners networks. There isn't a netscape entry in my SPAMDOMAINS.TXT file. I was just wondering what I would enter to make it so. I did a NSLOOKUP on netscape.com and the MX record points to mail.nescape.everyone.net. So the entry I would enter would be: netscape.comnetscape.everyone.net Is this correct? Just want to make sure if there are more later. I want to understand this so I don't keep asking. Thanks.. -Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS - Netscape.com
Andrew and Jeff, Unfortunately Netscape.net is actually handled by aol.com when it is outgoing (which is what matters in this case). I sometimes search my known good E-mail for outgoing servers, or Google for it by looking for header code along with the address and keeping in mind that a lot of that stuff is forged especially in newsgroups. Here are the headers from a test of my own account: Received: from imo-d01.mx.aol.com [205.188.157.33] by mx1.mailpure.com with ESMTP (SMTPD32-8.05) id AE31AB9B0140; Mon, 19 Apr 2004 14:45:05 -0400 Received: from [EMAIL PROTECTED] by imo-d01.mx.aol.com (mail_out_v37_r1.2.) id j.1b5.a579353 (16239) for [EMAIL PROTECTED]; Mon, 19 Apr 2004 14:45:00 -0400 (EDT) Received: from netscape.net (mow-d23.webmail.aol.com [205.188.139.164]) by air-in03.mx.aol.com (v98.19) with ESMTP id MAILININ33-3f6f40841e2c327; Mon, 19 Apr 2004 14:45:00 -0500 Date: Mon, 19 Apr 2004 14:45:00 -0400 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: test MIME-Version: 1.0 Message-ID: [EMAIL PROTECTED] X-Mailer: Atlas Mailer 2.0 X-AOL-IP: 24.195.119.188 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MailPure: X-MailPure: RFC-NOABUSE: Failed, listed in abuse.rfc-ignorant.org (weight 1). X-MailPure: RFC-NOPOSTMASTER: Failed, listed in postmaster.rfc-ignorant.org (weight 1). X-MailPure: X-MailPure: Spam Score: 2 X-MailPure: Scan Time: 14:45:12 on 04/19/2004 X-MailPure: Spool File: D1e31ab9b01404b3e.SMD X-MailPure: Server Name: imo-d01.mx.aol.com X-MailPure: SMTP Sender: [EMAIL PROTECTED] X-MailPure: Received From: imo-d01.mx.aol.com [205.188.157.33] X-MailPure: Country Chain: UNITED STATES-destination X-MailPure: X-MailPure: Spam and virus blocking services provided by MailPure.com X-MailPure: Colbeck, Andrew wrote: Jeff, the main problem with figuring out spamdomains entries is that you really have to receive valid mail from the domain to really know. If they have an SPF record, that's the easiest way to research them, but you can also try the website at http://www.SenderBase.org to see what they've noticed. They've noticed one more host: dust.netscape.com The problem with checking the MX record is that it is only for recording inbound mail to Netscape.com, it doesn't necessarily say anything about outbound mail from them, which is what you're after. I suspect that your suggestion will work fine, as I think that they keep their corporate domain for netscape.com separate from the customer business as netscape.net ... Andrew 8) -Original Message- From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED] Sent: Monday, April 19, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Hello, I got a message that was from [EMAIL PROTECTED] but came from RoadRunners networks. There isn't a netscape entry in my SPAMDOMAINS.TXT file. I was just wondering what I would enter to make it so. I did a NSLOOKUP on netscape.com and the MX record points to mail.nescape.everyone.net. So the entry I would enter would be: netscape.com netscape.everyone.net Is this correct? Just want to make sure if there are more later. I want to understand this so I don't keep asking. Thanks.. -Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS - Netscape.com
Well, Matt, that's a great example for Netscape.net, but Jeff was asking about Netscape.com So I guess to round out the conversation, here's the two entries in spamdomains that everybody seems to have, to cover Netscape.net: aol.com netscape.net netscape.netaol.com I'm pretty sure that we have Bill Landry to thank for the seminal work on sd.txt from which everyone has benefitted (hey, credit where credit is due!) Andrew 8) -Original Message- From: Matt [mailto:[EMAIL PROTECTED] Sent: Monday, April 19, 2004 11:52 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Andrew and Jeff, Unfortunately Netscape.net is actually handled by aol.com when it is outgoing (which is what matters in this case). I sometimes search my known good E-mail for outgoing servers, or Google for it by looking for header code along with the address and keeping in mind that a lot of that stuff is forged especially in newsgroups. Here are the headers from a test of my own account: Received: from imo-d01.mx.aol.com [205.188.157.33] by mx1.mailpure.com with ESMTP (SMTPD32-8.05) id AE31AB9B0140; Mon, 19 Apr 2004 14:45:05 -0400 Received: from [EMAIL PROTECTED] by imo-d01.mx.aol.com (mail_out_v37_r1.2.) id j.1b5.a579353 (16239) for [EMAIL PROTECTED]; Mon, 19 Apr 2004 14:45:00 -0400 (EDT) Received: from netscape.net (mow-d23.webmail.aol.com [205.188.139.164]) by air-in03.mx.aol.com (v98.19) with ESMTP id MAILININ33-3f6f40841e2c327; Mon, 19 Apr 2004 14:45:00 -0500 Date: Mon, 19 Apr 2004 14:45:00 -0400 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: test MIME-Version: 1.0 Message-ID: [EMAIL PROTECTED] X-Mailer: Atlas Mailer 2.0 X-AOL-IP: 24.195.119.188 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MailPure: X-MailPure: RFC-NOABUSE: Failed, listed in abuse.rfc-ignorant.org (weight 1). X-MailPure: RFC-NOPOSTMASTER: Failed, listed in postmaster.rfc-ignorant.org (weight 1). X-MailPure: X-MailPure: Spam Score: 2 X-MailPure: Scan Time: 14:45:12 on 04/19/2004 X-MailPure: Spool File: D1e31ab9b01404b3e.SMD X-MailPure: Server Name: imo-d01.mx.aol.com X-MailPure: SMTP Sender: [EMAIL PROTECTED] X-MailPure: Received From: imo-d01.mx.aol.com [205.188.157.33] X-MailPure: Country Chain: UNITED STATES-destination X-MailPure: X-MailPure: Spam and virus blocking services provided by MailPure.com X-MailPure: Colbeck, Andrew wrote: Jeff, the main problem with figuring out spamdomains entries is that you really have to receive valid mail from the domain to really know. If they have an SPF record, that's the easiest way to research them, but you can also try the website at http://www.SenderBase.org to see what they've noticed. They've noticed one more host: dust.netscape.com The problem with checking the MX record is that it is only for recording inbound mail to Netscape.com, it doesn't necessarily say anything about outbound mail from them, which is what you're after. I suspect that your suggestion will work fine, as I think that they keep their corporate domain for netscape.com separate from the customer business as netscape.net ... Andrew 8) -Original Message- From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED] Sent: Monday, April 19, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Hello, I got a message that was from [EMAIL PROTECTED] but came from RoadRunners networks. There isn't a netscape entry in my SPAMDOMAINS.TXT file. I was just wondering what I would enter to make it so. I did a NSLOOKUP on netscape.com and the MX record points to mail.nescape.everyone.net. So the entry I would enter would be: netscape.com netscape.everyone.net Is this correct? Just want to make sure if there are more later. I want to understand this so I don't keep asking. Thanks.. -Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software
Re: [Declude.JunkMail] SPAMDOMAINS - Netscape.com
Oops, sorry. I'm not sure about netscape.com, but E-mail from that domain has been quite rare in the past since they don't have hardly any employees, and even if you had their primary reverse DNS entries, it's quite possible that they send out as netscape.com from third-parties just like symantec.com does (which is quite boneheaded for an AV/Anti-Spam provider). This is what I'm using for netscape.com: @netscape.com .aol. This might be a good example of a domain though that really needs benefit of two columns, i.e.: netscape.com .aol. I have no idea what they are doing for their new ISP service as far as E-mail goes, but I would expect for them to channel everything through aol.com just as they have with netscape.net. I don't see why they would seek to establish a new network exclusively for this new service. FYI, I never found a reason for the following entry: aol.com netscape.net Omitting it hasn't caused any problems that I am aware of. I did of course though use Bill's original list as the starting point for mine and for the most part it remains intact except that I got anal about the @ thing :) Matt Colbeck, Andrew wrote: Well, Matt, that's a great example for Netscape.net, but Jeff was asking about Netscape.com So I guess to round out the conversation, here's the two entries in spamdomains that everybody seems to have, to cover Netscape.net: aol.com netscape.net netscape.netaol.com I'm pretty sure that we have Bill Landry to thank for the seminal work on sd.txt from which everyone has benefitted (hey, credit where credit is due!) Andrew 8) -Original Message- From: Matt [mailto:[EMAIL PROTECTED]] Sent: Monday, April 19, 2004 11:52 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Andrew and Jeff, Unfortunately Netscape.net is actually handled by aol.com when it is outgoing (which is what matters in this case). I sometimes search my known good E-mail for outgoing servers, or Google for it by looking for header code along with the address and keeping in mind that a lot of that stuff is forged especially in newsgroups. Here are the headers from a test of my own account: Received: from imo-d01.mx.aol.com [205.188.157.33] by mx1.mailpure.com with ESMTP (SMTPD32-8.05) id AE31AB9B0140; Mon, 19 Apr 2004 14:45:05 -0400 Received: from [EMAIL PROTECTED] by imo-d01.mx.aol.com (mail_out_v37_r1.2.) id j.1b5.a579353 (16239) for [EMAIL PROTECTED]; Mon, 19 Apr 2004 14:45:00 -0400 (EDT) Received: from netscape.net (mow-d23.webmail.aol.com [205.188.139.164]) by air-in03.mx.aol.com (v98.19) with ESMTP id MAILININ33-3f6f40841e2c327; Mon, 19 Apr 2004 14:45:00 -0500 Date: Mon, 19 Apr 2004 14:45:00 -0400 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: test MIME-Version: 1.0 Message-ID: [EMAIL PROTECTED] X-Mailer: Atlas Mailer 2.0 X-AOL-IP: 24.195.119.188 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MailPure: X-MailPure: RFC-NOABUSE: Failed, listed in abuse.rfc-ignorant.org (weight 1). X-MailPure: RFC-NOPOSTMASTER: Failed, listed in postmaster.rfc-ignorant.org (weight 1). X-MailPure: X-MailPure: Spam Score: 2 X-MailPure: Scan Time: 14:45:12 on 04/19/2004 X-MailPure: Spool File: D1e31ab9b01404b3e.SMD X-MailPure: Server Name: imo-d01.mx.aol.com X-MailPure: SMTP Sender: [EMAIL PROTECTED] X-MailPure: Received From: imo-d01.mx.aol.com [205.188.157.33] X-MailPure: Country Chain: UNITED STATES-destination X-MailPure: X-MailPure: Spam and virus blocking services provided by MailPure.com X-MailPure: Colbeck, Andrew wrote: Jeff, the main problem with figuring out spamdomains entries is that you really have to receive valid mail from the domain to really know. If they have an SPF record, that's the easiest way to research them, but you can also try the website at http://www.SenderBase.org to see what they've noticed. They've noticed one more host: dust.netscape.com The problem with checking the MX record is that it is only for recording inbound mail to Netscape.com, it doesn't necessarily say anything about outbound mail from them, which is what you're after. I suspect that your suggestion will work fine, as I think that they keep their corporate domain for netscape.com separate from the customer business as netscape.net ... Andrew 8) -Original Message- From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED]] Sent: Monday, April 19, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Hello, I got a message that was "from" [EMAIL PROTECTED] but came from RoadRunners networks. There isn't a netscape entry in my SPAMDOMAINS.TX
RE: [Declude.JunkMail] SPAMDOMAINS - Netscape.com
Title: Message astonishmentWhat, Matt, you get anal about your work!?/astonishment Don't worry, I won't make you the butt of any jokes. Andrew 8) -Original Message-From: Matt [mailto:[EMAIL PROTECTED] Sent: Monday, April 19, 2004 1:47 PMTo: [EMAIL PROTECTED]Subject: Re: [Declude.JunkMail] SPAMDOMAINS - Netscape.comOops, sorry. I'm not sure about netscape.com, but E-mail from that domain has been quite rare in the past since they don't have hardly any employees, and even if you had their primary reverse DNS entries, it's quite possible that they send out as netscape.com from third-parties just like symantec.com does (which is quite boneheaded for an AV/Anti-Spam provider). This is what I'm using for netscape.com:@netscape.com .aol.This might be a good example of a domain though that really needs benefit of two columns, i.e.:netscape.com .aol.I have no idea what they are doing for their new ISP service as far as E-mail goes, but I would expect for them to channel everything through aol.com just as they have with netscape.net. I don't see why they would seek to establish a new network exclusively for this new service.FYI, I never found a reason for the following entry:aol.com netscape.netOmitting it hasn't caused any problems that I am aware of. I did of course though use Bill's original list as the starting point for mine and for the most part it remains intact except that I got anal about the @ thing :)MattColbeck, Andrew wrote: Well, Matt, that's a great example for Netscape.net, but Jeff was asking about Netscape.com So I guess to round out the conversation, here's the two entries in spamdomains that everybody seems to have, to cover Netscape.net: aol.com netscape.net netscape.netaol.com I'm pretty sure that we have Bill Landry to thank for the seminal work on sd.txt from which everyone has benefitted (hey, credit where credit is due!) Andrew 8) -Original Message- From: Matt [mailto:[EMAIL PROTECTED]] Sent: Monday, April 19, 2004 11:52 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMDOMAINS - Netscape.com Andrew and Jeff, Unfortunately Netscape.net is actually handled by aol.com when it is outgoing (which is what matters in this case). I sometimes search my known good E-mail for outgoing servers, or Google for it by looking for header code along with the address and keeping in mind that a lot of that stuff is forged especially in newsgroups. Here are the headers from a test of my own account: Received: from imo-d01.mx.aol.com [205.188.157.33] by mx1.mailpure.com with ESMTP (SMTPD32-8.05) id AE31AB9B0140; Mon, 19 Apr 2004 14:45:05 -0400 Received: from [EMAIL PROTECTED] by imo-d01.mx.aol.com (mail_out_v37_r1.2.) id j.1b5.a579353 (16239) for [EMAIL PROTECTED]; Mon, 19 Apr 2004 14:45:00 -0400 (EDT) Received: from netscape.net (mow-d23.webmail.aol.com [205.188.139.164]) by air-in03.mx.aol.com (v98.19) with ESMTP id MAILININ33-3f6f40841e2c327; Mon, 19 Apr 2004 14:45:00 -0500 Date: Mon, 19 Apr 2004 14:45:00 -0400 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: test MIME-Version: 1.0 Message-ID: [EMAIL PROTECTED] X-Mailer: Atlas Mailer 2.0 X-AOL-IP: 24.195.119.188 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MailPure: X-MailPure: RFC-NOABUSE: Failed, listed in abuse.rfc-ignorant.org (weight 1). X-MailPure: RFC-NOPOSTMASTER: Failed, listed in postmaster.rfc-ignorant.org (weight 1). X-MailPure: X-MailPure: Spam Score: 2 X-MailPure: Scan Time: 14:45:12 on 04/19/2004 X-MailPure: Spool File: D1e31ab9b01404b3e.SMD X-MailPure: Server Name: imo-d01.mx.aol.com X-MailPure: SMTP Sender: [EMAIL PROTECTED] X-MailPure: Received From: imo-d01.mx.aol.com [205.188.157.33] X-MailPure: Country Chain: UNITED STATES-destination X-MailPure: X-MailPure: Spam and virus blocking services provided by MailPure.com X-MailPure: Colbeck, Andrew wrote: Jeff, the main problem with figuring out spamdomains entries is that you really have to receive valid mail from the domain to really know. If they have an SPF record, that's the easiest way to research them, but you can also try the website at http://www.SenderBase.org to see what they've noticed. They've noticed one more host: dust.netscape.com The problem with checking the MX record is that it is only for recording inbound mail to Netscape.com, it doesn't necessarily say anything about outbound mail from them, which is what you're after. I suspect that your suggestion will work fine, as I think that they keep their corporate domain for netscape.com separate from the customer business as netscape.net ... Andrew 8
Re: [Declude.JunkMail] SPAMDOMAINS works as ENDSWITH or CONTAINS?
If I have a SPAMDOMAINS type test in my GLOBAL.CFG... SD-TLD spamdomains D:\iMail\declude\JunkMail.SpamDomains.TLD.txt x 5 0 ...and I have some entries in the corresponding flat text file like below... .mil will SPAMDOMAINS search the reverse DNS entry in a CONTAINS type manner or an ENDSWITH type manner? It will work like CONTAINS, so: For example would the host name .milton-bradley.com in the below... - X-Note: Sent with HELO [mail] from Reverse DNS [mail.milton-bradley.com] - get flagged as passing or failing the SPAMDOMAINS test? That one would get caught, if the reverse DNS entry did not contain .mil in it. So if the E-mail was from [EMAIL PROTECTED], and the reverse DNS entry was mail.milton-bradley.com, the E-mail would not fail the test (but if the reverse DNS was mail.someone_else.com, it would fail the test). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains test not working consistently
Scott, I am noticing SpamDomains test is not working consistently. Lots of messages are being properly flagged, but many that should be flagged but are not. I can provide samples, if you would like. Yes, samples would be very helpful. Also, what version are you running? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains test not working consistently
- Original Message - From: R. Scott Perry [EMAIL PROTECTED] Scott, I am noticing SpamDomains test is not working consistently. Lots of messages are being properly flagged, but many that should be flagged but are not. I can provide samples, if you would like. Yes, samples would be very helpful. Also, what version are you running? Never mind, I see what's happening. My name server is not responding to queries for about 3 minutes right after midnight while some reports are being generated. Sorry for the false alarm. Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS and REVDNS
John, nothing should be listed in spamdomains unless it has a valid PTR , that's the very nature of the test - to test the mailfrom domain of a message that has a matching domain listed in spamdomains (again, which should already be confirmed to have valid PTR records), and reject those that either have no PTR or have an invalid PTR. Bill - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, December 13, 2003 12:52 AM Subject: [Declude.JunkMail] SPAMDOMAINS and REVDNS When a message comes from an IP that has no PTR record, and the sender domain is in the SPAMDOMAINS list, it is getting double penalized for the same violation. That is not the desired effect. Is there a way that SPAMDOMAINS can be configured not to fail if there is no PTR record, based on the assumption that most of us use the REVDNS test? John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. e.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS and REVDNS
John, nothing should be listed in spamdomains unless it has a valid PTR , that's the very nature of the test - to test the mailfrom domain of a message that has a matching domain listed in spamdomains (again, which should already be confirmed to have valid PTR records), and reject those that either have no PTR or have an invalid PTR. Ah, I guess that is what I get for being busy and not fully paying attention to how the test works. Thanks. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Well, then the best of both worlds is to change the spamdomains test to an ENDSWITH qualifier and it will support your needs and mine. The current CONTAINS qualifier only effectively supports your needs, and does so, at that, with limited capabilities. Bill - Original Message - From: Matthew Bramble [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 8:23 PM Subject: Re: [Declude.JunkMail] SpamDomains Bill Landry wrote: If you use the @ symbol in the first column, then you have severely limited yourself to supporting only one RDNS per domain. I don't feel limited, in fact, I have a lot more confidence in this test not FP'ing on VERP stuff which may be forwarded to an account hosted on my machine, i.e. to [EMAIL PROTECTED] forwarded to [EMAIL PROTECTED] This is especially important if you build a spamdomains file for local domains. If you need to support delivery of e-mail from [EMAIL PROTECTED] and sometime it comes from a mail server with RDNS of xxx.mindspring.com and sometimes it comes from xxx.earthlink.com, how would you venture to support this in your scenario by starting every domain in the first column with the @ sign? If it really mattered to you, you could leave it off for some domains where this is an issue. I've gone through some of the entries that have been shared on this list in the past and found that a lot of these matches don't exist, it seems that someone just guessed that there might be such a possibility, and other things such as your buy.com example where they use a third-party trusted bulk mailer is taken care of with a separate 'white' file on my system. It's much easier to credit points to DartMail across the board rather than keep track of which companies are using them and might be also in a spamdomains file. I've tried it both ways, and I like the idea of separate files with the addition of a white file and using @ symbols. I think that it's critical for instance to have a FRAUDDOMAINS file with listings for Ebay, PayPal, Microsoft, Symantec and McAfee for instance, and a white file for reverse DNS lookups for places like americangreetings.com and ebay.com. Don't knock it until you try it :) Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file? X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com. That's because the SPAMDOMAINS test looks for the domain within the E-mail address, even if it appears in the username. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
John, If you include an @ symbol before the domain name, it will stop it from tagging this VERP stuff. @domain.moc domain.moc @aol.com .aol.com @yahoo. .yahoo. etc... The only drawback here is that you can only have one match (the second column) because the first column will never produce a match on REVDNS this way. Matt John Tolmachoff (Lists) wrote: Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file? X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains
That's because the SPAMDOMAINS test looks for the domain within the E-mail address, even if it appears in the username. But wouldn't that create a lot of false positives in such things like newsletters that have the receipients address embedded in the from address as part of the user part? John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains
Question.. SPAMDOMAIN will test the REVDNS only for the domains included in the spamdomains.txt file ?? Any domain not included will not be tested ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, December 03, 2003 2:42 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains John, If you include an @ symbol before the domain name, it will stop it from tagging this VERP stuff. @domain.moc domain.moc @aol.com .aol.com @yahoo. .yahoo. etc... The only drawback here is that you can only have one match (the second column) because the first column will never produce a match on REVDNS this way. Matt John Tolmachoff (Lists) wrote: Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file? X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
That's why making the SPAMDOMAINS test an ENDSWITH instead of CONTAINS type of test would resolve lots of these kinds of questions and headaches. Bill - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 1:29 PM Subject: Re: [Declude.JunkMail] SpamDomains Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file? X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com. That's because the SPAMDOMAINS test looks for the domain within the E-mail address, even if it appears in the username. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Bill Landry wrote: That's why making the SPAMDOMAINS test an ENDSWITH instead of CONTAINS type of test would resolve lots of these kinds of questions and headaches. ...and create some others at the same time. No one option is perfect, so if Scott decides to change the functionality of this test, I would prefer a more open format allowing choice, and even other options possibly. something like: ENDSWITH aol.com ENDSWITH aol.com CONTAINS@yahoo. CONTAINS .yahoo. ENDSWITH @mailpure.com ISmail.mailpure.com Opening it up further might look like two separate filter tests that both need to match, i.e. If x and If y Then True, or If x and Not If y Then False. I see no reason to change the SPAMDOMAINS functionality when working around VERP issues is done quite simply with an @ symbol, and I haven't yet found any examples where a domain that I would include in this test could have two REVDNS domains instead of just one which could benefit from matches on both columns. Fixing it to ENDSWITH would make it more difficult to track multi-TLD domains like Yahoo, while making it easier to track multi-sub domains like rr.com, and in the end, it would seem to be a draw. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt Alejandro Valenzuela wrote: Question.. SPAMDOMAIN will test the REVDNS only for the domains included in the spamdomains.txt file ?? Any domain not included will not be tested ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, December 03, 2003 2:42 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains John, If you include an @ symbol before the domain name, it will stop it from tagging this VERP stuff. @domain.moc domain.moc @aol.com .aol.com @yahoo. .yahoo. etc... The only drawback here is that you can only have one match (the second column) because the first column will never produce a match on REVDNS this way. Matt John Tolmachoff (Lists) wrote: Why would this be caught with SPAMDOMAINS when closeout-sale.com is not in the spamdomains.txt file? X-RBL-Warning: SPAMDOMAINS: Spamdomain 'domain.moc' found: Address of [EMAIL PROTECTED] sent from invalid mail.closeout-sale.com. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Everything is already excluded from the spamdomains test except that which you specifically included. So I'm not sure I understand what you're asking for here? Bill - Original Message - From: Jason Newland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:29 PM Subject: Re: [Declude.JunkMail] SpamDomains I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
- Original Message - From: Matthew Bramble [EMAIL PROTECTED] That's why making the SPAMDOMAINS test an ENDSWITH instead of CONTAINS type of test would resolve lots of these kinds of questions and headaches. ...and create some others at the same time. No one option is perfect, so if Scott decides to change the functionality of this test, I would prefer a more open format allowing choice, and even other options possibly. something like: ENDSWITH aol.com ENDSWITH aol.com CONTAINS@yahoo. CONTAINS .yahoo. ENDSWITH @mailpure.com ISmail.mailpure.com Opening it up further might look like two separate filter tests that both need to match, i.e. If x and If y Then True, or If x and Not If y Then False. I see no reason to change the SPAMDOMAINS functionality when working around VERP issues is done quite simply with an @ symbol, and I haven't yet found any examples where a domain that I would include in this test could have two REVDNS domains instead of just one which could benefit from matches on both columns. Fixing it to ENDSWITH would make it more difficult to track multi-TLD domains like Yahoo, while making it easier to track multi-sub domains like rr.com, and in the end, it would seem to be a draw. Having the ability to define the test type (*WITH) per line would be nice. However, short of that, how many people would wonder why: sale.com in the spamdomains.txt file would cause this to fail: [EMAIL PROTECTED] versus this in the spamdomains.txt file: domains.com which caused this to fail: [EMAIL PROTECTED] At least ENDSWITH gives you much greater control and understanding of why messages trigger the test. Granted, it may cause you to have to add a few extra rows of domains in your spamdomains.txt file, but I feel that the greater simplicity and greater control it would provide would outweighs the minimal extra effort. Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains
Say for example I have 10,000 people using MSN.com addresses to spam me with. I add the spamdomains test and enter in @msn.com into it. Now it does well to stop the spammers, but now I am falsely tagging mail from ebay.com [EMAIL PROTECTED] making a bid inquiry. If we could have a spamdomains RDNS whitelist, then anything with a .ebay.com address is whitelisted, or whatever we put in the list. I know we can whitelist in the main .cfg file, but I'm not sure I would want to whitelist ebay from every test, just whitelist from the spamdomains test. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Wednesday, December 03, 2003 8:20 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains Everything is already excluded from the spamdomains test except that which you specifically included. So I'm not sure I understand what you're asking for here? Bill - Original Message - From: Jason Newland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:29 PM Subject: Re: [Declude.JunkMail] SpamDomains I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Yes, it would be nice if you could add more that just one alternate domain per line in the spamdomains.txt file, like: @msn.com.msn.com .hotmail.com .ebay.com Maybe in a future release (hint, hint)... ;-) Bill - Original Message - From: Jason [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 6:44 PM Subject: RE: [Declude.JunkMail] SpamDomains Say for example I have 10,000 people using MSN.com addresses to spam me with. I add the spamdomains test and enter in @msn.com into it. Now it does well to stop the spammers, but now I am falsely tagging mail from ebay.com [EMAIL PROTECTED] making a bid inquiry. If we could have a spamdomains RDNS whitelist, then anything with a .ebay.com address is whitelisted, or whatever we put in the list. I know we can whitelist in the main .cfg file, but I'm not sure I would want to whitelist ebay from every test, just whitelist from the spamdomains test. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Wednesday, December 03, 2003 8:20 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains Everything is already excluded from the spamdomains test except that which you specifically included. So I'm not sure I understand what you're asking for here? Bill - Original Message - From: Jason Newland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:29 PM Subject: Re: [Declude.JunkMail] SpamDomains I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http
Re: [Declude.JunkMail] SpamDomains
Jason, I have a separate 'white' filter for that sort of thing :) Matt Jason Newland wrote: I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Bill Landry wrote: Having the ability to define the test type (*WITH) per line would be nice. However, short of that, how many people would wonder why: sale.com in the spamdomains.txt file would cause this to fail: [EMAIL PROTECTED] versus this in the spamdomains.txt file: domains.com which caused this to fail: [EMAIL PROTECTED] At least ENDSWITH gives you much greater control... Well, IMO, they would be using the test in the wrong way if they were build the file that way :) Always use the @ symbol in the first column, that basically makes the filter act like an ENDSWITH filter since there can only be one @ symbol in an E-mail address. The extra flexibility of a CONTAINS filter on the second column causes no real harm. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains
You CAN create your own RDNS whitelist. You can even use your DNS server to maintain it. Not sure if that's what your trying to do? Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
. @presidency.com.outblaze. @priest.com.outblaze. @programmer.net.outblaze. @publicist.com.outblaze. @realtyagent.com.outblaze. @registerednurses.com.outblaze. @repairman.com.outblaze. @representative.com.outblaze. @rescueteam.com.outblaze. @rome.com.outblaze. @saintly.com.outblaze. @samerica.com.outblaze. @sanfranmail.com.outblaze. @scientist.com.outblaze. @seductive.com.outblaze. @singapore.com.outblaze. @sociologist.com.outblaze. @soon.com.outblaze. @teacher.com.outblaze. @techie.com.outblaze. @techie.com.outblaze. @technologist.com.outblaze. @tokyo.com.outblaze. @umpire.com.outblaze. @usa.com.outblaze. @usa.com.outblaze. @whoever.com.outblaze. @winning.com.outblaze. @witty.com.outblaze. @writeme.com.outblaze. @yours.com.outblaze. Jason wrote: Say for example I have 10,000 people using MSN.com addresses to spam me with. I add the spamdomains test and enter in @msn.com into it. Now it does well to stop the spammers, but now I am falsely tagging mail from ebay.com [EMAIL PROTECTED] making a bid inquiry. If we could have a spamdomains RDNS whitelist, then anything with a .ebay.com address is whitelisted, or whatever we put in the list. I know we can whitelist in the main .cfg file, but I'm not sure I would want to whitelist ebay from every test, just whitelist from the spamdomains test. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Wednesday, December 03, 2003 8:20 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains Everything is already excluded from the spamdomains test except that which you specifically included. So I'm not sure I understand what you're asking for here? Bill - Original Message - From: Jason Newland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 5:29 PM Subject: Re: [Declude.JunkMail] SpamDomains I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
RE: [Declude.JunkMail] SpamDomains
Ahh, but us poor folks that have the standard version are out of luck :-( Guess I have a good reason to upgrade now. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, December 03, 2003 9:17 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains Jason, I have a separate 'white' filter for that sort of thing :) Matt Jason Newland wrote: I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
- Original Message - From: Matthew Bramble [EMAIL PROTECTED] Having the ability to define the test type (*WITH) per line would be nice. However, short of that, how many people would wonder why: sale.com in the spamdomains.txt file would cause this to fail: [EMAIL PROTECTED] versus this in the spamdomains.txt file: domains.com which caused this to fail: [EMAIL PROTECTED] At least ENDSWITH gives you much greater control... Well, IMO, they would be using the test in the wrong way if they were build the file that way :) Always use the @ symbol in the first column, that basically makes the filter act like an ENDSWITH filter since there can only be one @ symbol in an E-mail address. The extra flexibility of a CONTAINS filter on the second column causes no real harm. If you use the @ symbol in the first column, then you have severely limited yourself to supporting only one RDNS per domain. I use @ whenever I can, however, I cannot do that and support all of the domains that I list that use multiple delivery domains. For example: altavista. .av.com amazon.com .forevermail.com ameritech.net .sbc.com attbi.com .comcast. bellatlantic.net .verizon.net buy.com .dartmail.com compuserve.com .aol.com concentric.com .cnchost.com concentric.net .cnc.net earthlink. .mindspring. ebay.com .emailebay.com excite.com .excitenetwork.com gateway.com .dartmail.net geocities.com .yahoo.com hp.com .compaq.com juno.com .untd.com mindspring. .earthlink. msn.com .hotmail.com netscape. .aol.com netzero. .untd.com prodigy.net .yahoo. psi. .cogentco.com qwest. .uswest. sprint. .sprintlink.net swbell.net .prodigy.net uswest. .qwest. verio. .veriomail.com verizon.com .gte.com verizon.net .bellatlantic. If you need to support delivery of e-mail from [EMAIL PROTECTED] and sometime it comes from a mail server with RDNS of xxx.mindspring.com and sometimes it comes from xxx.earthlink.com, how would you venture to support this in your scenario by starting every domain in the first column with the @ sign? Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Well that and at least 10 other filters that have been shared on this list or available at my site. It really depends on how tight you want your system of course and how much processing power you can throw at things. The recent beta functionality to limit the processing of filters helps a bunch though. Filters helped me to get my system to over 98% blocking while lowering my FP rate, and of course I'm deleting much more E-mail now that comes in well above my delete weight. I fail at 10, currently delete at 30, but 80% to 90% of the spam is scoring higher than that. Again though, you can do up to maybe 95% with the standard version if you tweak it carefully, which is just fine for many companies. It would be nice if Scott would add REVDNS pseudo-whitelisting by points to the standard version, that's kind of basic IMO. Matt Jason wrote: Ahh, but us poor folks that have the standard version are out of luck :-( Guess I have a good reason to upgrade now. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, December 03, 2003 9:17 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SpamDomains Jason, I have a separate 'white' filter for that sort of thing :) Matt Jason Newland wrote: I don't know how hard it would be, but what about just adding in a pre filter in the spamdomains test that will bypass the test. Like: Spamdomains.txt: [RDNS excluded from check] ebay.com greetingcardvendor.com [includes] .yahoo.com @msn.com etc, etc This would also allow us to build our list of acceptable excluded addresses together, further improving the tests accuracy. Jason -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:38:18 -0500 Alejandro, From the Declude JunkMail manual page: This test will catch E-mail that is not coming from a mailserver that it should be coming from. This test will only work if you set up a file listing domains that you wish to be included in this test. Specifically, it will check the return address of the E-mail, and then check to see if the reverse DNS entry of the IP that the E-mail was sent from contains the domain name. If not, the E-mail fails the test. For example, if hotmail.com is listed in the \IMail\Declude\spamdomains.txt file, then an E-mail coming from law2.hotmail.com would not fail the test, but an E-mail from mail.example.ru would fail the test. You can search the archives for some discussions of this. It's hardly foolproof, things like greeting cards and send-a-link sites will often fail the test because they send E-mail with a MAILFROM address of the person sending the note and not the service sending the note. I suggest that you always use the @ symbol in the first column, and you should set up two different files and score them differently. One should be for ISP's and E-mail providers such as AOL, HotMail, Yahoo, etc., and the other should be for businesses that are often spoofed such as Microsoft, PayPal, Symantec/Norton, McAfee. Be careful not to include companies that may use thrid-party mass mailers for newsletters. The second type of test can be scored higher because you are less likely to be getting greeting cards from people with real addresses at these companies than you are from places like AOL. You might also be thinking of including your own domains in this test, but that again should be in a totally different file, and scored very low because even if you are using WHITELIST AUTH functionality, you will most definitely get users sending E-mail with your hosted addresses configured in their E-mail program but are using someone else's mail server, or without WHITELIST AUTH, they will fail when using your own mail server. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Bill Landry wrote: If you use the @ symbol in the first column, then you have severely limited yourself to supporting only one RDNS per domain. I don't feel limited, in fact, I have a lot more confidence in this test not FP'ing on VERP stuff which may be forwarded to an account hosted on my machine, i.e. to [EMAIL PROTECTED] forwarded to [EMAIL PROTECTED] This is especially important if you build a spamdomains file for local domains. If you need to support delivery of e-mail from [EMAIL PROTECTED] and sometime it comes from a mail server with RDNS of xxx.mindspring.com and sometimes it comes from xxx.earthlink.com, how would you venture to support this in your scenario by starting every domain in the first column with the @ sign? If it really mattered to you, you could leave it off for some domains where this is an issue. I've gone through some of the entries that have been shared on this list in the past and found that a lot of these matches don't exist, it seems that someone just guessed that there might be such a possibility, and other things such as your buy.com example where they use a third-party trusted bulk mailer is taken care of with a separate 'white' file on my system. It's much easier to credit points to DartMail across the board rather than keep track of which companies are using them and might be also in a spamdomains file. I've tried it both ways, and I like the idea of separate files with the addition of a white file and using @ symbols. I think that it's critical for instance to have a FRAUDDOMAINS file with listings for Ebay, PayPal, Microsoft, Symantec and McAfee for instance, and a white file for reverse DNS lookups for places like americangreetings.com and ebay.com. Don't knock it until you try it :) Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains
Bill, it has been a lonnngg week. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamDomains
Looks like it did fail the spamdomains test: X-RBL-Warning: TESTS FAILED: SORBS-DUL, NOABUSE, NOPOSTMASTER, BADHEADERS, WHITEFILTER1, SPAMCHECK, SPAMDOMAINS Why do you ask, don't the log entries for this message support this? Bill - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 28, 2003 5:24 PM Subject: [Declude.JunkMail] SpamDomains Why didn't this message fail spamdomains? Received: from bzq-218-101-218.red.bezeqint.net [81.218.101.218] by mail.localdomain.moc (SMTPD32-8.04) id A88A13960090; Fri, 28 Nov 2003 14:56:58 -0500 Received: from [51.180.2.49] by bzq-218-101-218.red.bezeqint.net id 5JCQ8r8Lw22M; Fri, 28 Nov 2003 23:57:03 +0400 Message-ID: [EMAIL PROTECTED] From: Alden Parham [EMAIL PROTECTED] Reply-To: Alden Parham [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: 20 Free amateur Pics - Hot xgnvnb Date: Fri, 28 Nov 03 23:57:03 GMT X-Mailer: Microsoft Outlook, Build 10.0.2616 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=EF.F4.__.45 X-Priority: 3 X-MSMail-Priority: Normal X-RBL-Warning: SORBS-DUL: Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=81.218.101.218 X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED] X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED] X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8014000f]. X-RBL-Warning: WHITEFILTER1: Message failed WHITEFILTER1 test (line 67, weight -5) X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 4. X-Declude-Sender: [EMAIL PROTECTED] [81.218.101.218] X-Declude-Spoolname: Da88a13960090f6a9.SMD X-RBL-Warning: Total weight: 30 X-RBL-Warning: TESTS FAILED: SORBS-DUL, NOABUSE, NOPOSTMASTER, BADHEADERS, WHITEFILTER1, SPAMCHECK, SPAMDOMAINS X-Note: This E-mail was sent from bzq-218-101-218.red.bezeqint.net ([81.218.101.218]). From the spamdomains.txt file: amazon.com ameritech.net yahoo.com aol.com netscape.net @att. .att. attbi.com bellatlantic.net verizon.net bellsouth.net charter.net china.com comcast.net compuserve. .aol.com concentric. .cnchost.com cox.net @cs.com .aol.com earthlink. email.it webmessenger.it excite.com excitenetwork.com geocities.com .yahoo. @go.com .go.com gte.net verizon.net hotmail.com msn.com juno.com untd.com lycos.com lycos.at spray.net mac.com apple.com mailcity.com lycos.com mindspring. earthlink. msn.com hotmail.com netscape.net aol.com netzero.com untd.com prodigy.net qwest. .uswest. rocketmail.com yahoo. .rr.com sbc.com sympatico.ca bellnexxia.net t-online.de t-online.com usa.net mx.net verizon.net .bellatlantic. wanadoo.fr @yahoo. .yahoo. zzn.com mailcentro.com @aol.ca @2die4.com outblaze.com @accountant.com outblaze.com @adexec.com outblaze.com @africamail.com outblaze.com @allergist.com outblaze.com @alumnidirector.com outblaze.com @archaeologist.com outblaze.com @arcticmail.com outblaze.com @artlover.com outblaze.com @asia.com outblaze.com @australiamail.com outblaze.com @berlin.com outblaze.com @bikerider.com outblaze.com @catlover.com outblaze.com @cheerful.com outblaze.com @chemist.com outblaze.com @clerk.com outblaze.com @cliffhanger.com outblaze.com @columnist.com outblaze.com @comic.com outblaze.com @consultant.com outblaze.com @counsellor.com outblaze.com @cutey.com outblaze.com @deliveryman.com outblaze.com @diplomats.com outblaze.com @doctor.com outblaze.com @doglover.com outblaze.com @dr.com outblaze.com @dublin.com outblaze.com @earthling.net outblaze.com @email.com outblaze.com @engineer.com outblaze.com @europe.com outblaze.com @execs.com outblaze.com @financier.com outblaze.com @gardener.com outblaze.com @geologist.com outblaze.com @graphic-designer.com outblaze.com @hairdresser.net outblaze.com @hot-shot.com outblaze.com @iname.com outblaze.com @inorbit.com outblaze.com @insurer.com outblaze.com @japan.com outblaze.com @journalist.com outblaze.com @lawyer.com outblaze.com @legislator.com outblaze.com @lobbyist.com outblaze.com @london.com outblaze.com @loveable.com outblaze.com @mad.scientist.com outblaze.com @madrid.com outblaze.com @mail.com outblaze.com @mindless.com outblaze.com @minister.com outblaze.com @moscowmail.com outblaze.com @munich.com outblaze.com @musician.org outblaze.com @myself.com outblaze.com @nycmail.com outblaze.com @optician.com outblaze.com @paris.com outblaze.com @pediatrician.com outblaze.com @playful.com outblaze.com @poetic.com outblaze.com @popstar.com outblaze.com @post.com outblaze.com @presidency.com outblaze.com @priest.com outblaze.com @programmer.net outblaze.com @publicist.com outblaze.com @realtyagent.com outblaze.com @registerednurses.com outblaze.com @repairman.com outblaze.com @representative.com outblaze.com @rescueteam.com outblaze.com @rome.com outblaze.com @saintly.com outblaze.com @samerica.com outblaze.com @sanfranmail.com
Re: [Declude.JunkMail] Spamdomains
Can anybody give me a clue as to why my spamdomains test doesn't work? I have this in global.cfg SPAMDOMAINSspamdomains x x 15 0 and this in $default$.junkmail : SPAMDOMAINS WARN and a text file named spamdomains.txt in /imail/declude The line in the global.cfg file should be: SPAMDOMAINSspamdomains C:\IMail\Declude\spamdomains.txt x 15 0 Otherwise, Declude JunkMail won't know where to find the list of spamdomains. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains
What do you have in your spamdomains.txt file? Bill - Original Message - From: David Daniels [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 1:46 PM Subject: [Declude.JunkMail] Spamdomains Can anybody give me a clue as to why my spamdomains test doesn't work? I have this in global.cfg SPAMDOMAINSspamdomains x x 15 0 and this in $default$.junkmail : SPAMDOMAINS WARN and a text file named spamdomains.txt in /imail/declude David Daniels Administrator Starfish Internet Service [EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spamdomains
because you didn't tell declude the name of the file: SPAMDOMAINS spamdomains C:\IMail\Declude\spamdomains.txtx 6 0 -Original Message- From:David Daniels Can anybody give me a clue as to why my spamdomains test doesn't work? I have this in global.cfg SPAMDOMAINSspamdomains x x 15 0 and this in $default$.junkmail : SPAMDOMAINS WARN and a text file named spamdomains.txt in /imail/declude --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains
Oh, and you need to include the file path in you global.cfg entry, something like: SPAM-DOMAINS spamdomains C:\IMail\Declude\spamdomains.txt x 15 0 Bill - Original Message - From: David Daniels [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 1:46 PM Subject: [Declude.JunkMail] Spamdomains Can anybody give me a clue as to why my spamdomains test doesn't work? I have this in global.cfg SPAMDOMAINSspamdomains x x 15 0 and this in $default$.junkmail : SPAMDOMAINS WARN and a text file named spamdomains.txt in /imail/declude David Daniels Administrator Starfish Internet Service [EMAIL PROTECTED] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS redux
Both might be failing because of the way you have it set up. I just started to configure this on my server, and the way I am doing it is as follows: @ebay.com .ebay. @hotmail.com .hotmail. @verizon.net .verizon. @yahoo. .yahoo. When you include the @, it will prevent the test from picking up the VERP stuff, which can be problematic, especially when you have E-mail forwarded by a place like Yahoo to a local account and something with VERP comes in. An example of VERP might look like the following: X-Declude-Sender: [EMAIL PROTECTED] X-Note: This E-mail was sent from mx.verizon.net ([216.40.33.45]). (note: this is fake info) If you excluded the @ and just had yahoo.com in the first column, it would produce a false positive on this message because the search works as a MAILFROM CONTAINS and then REVERSE DNS CONTAINS. When you include the @ symbol, you limit the potential of a false positive with this test, in this case, only @verizon.net would hit, and that would match .verizon. If you have your own domains listed in SPAMDOMAINS, you will see a lot of this VERP stuff failing SPAMDOMAINS unless you include the @. In the REVDNS column, I listed the domain without the TLD just in case they ever make a change to their SMTP domain, even if it is all from yahoo.com currently. Setting the test up this way also will require you to have two columns for each entry no matter what because the default SPAMDOMAINS functionality will try a match for REVDNS on both columns and you can't have an @ symbol in a domain. Another note about how I have things set up. If you notice, I listed @yahoo. without the domain extension. I did this because Yahoo has many domains for ccTLD's, so that broadens the test a bit and I'm pretty confident that they all use the same reverse DNS domain architecture. For the most part, it's probably safer to limit things in the first column as much as possible, and make the second column as broad as possible because false positives are very unfortunate. I've been testing SPAMDOMAINS in this manner for about 3 days now with absolutely no false positives on 1,305 catches so far. Almost all of those hits have been on just a few lines. I plan on adding all of the ISP's that are suitable and over 500,000 customers or so, as well as the popular and reverse DNS verifiable free E-mail providers. Unfortunately, because I spent so much time writing filters of other types, SPAMDOMAINS only resulted in failing 18 out of those 1,305 that would have otherwise passed, or as a percentage 1.4% of hits. I've been scoring at 60% of fail weight, and every hit on this test ended up failing, and only two scored at 120% of my fail weight or below. So if you have a lot of other filters going, you might want to weaken SPAMDOMAINS a little just in case you continue to see some false positives. Here's the brunt of my list. When I'm further down the line, and have done more testing, I will share the complete file. @yahoo..yahoo. @yahoo-inc.com.yahoo. @hotmail.com.hotmail. @msn.com.hotmail. @aol.com.aol. @earthlink.com.earthlink. @microsoft.com.microsoft. @cox.net.cox. @t-online..t-online. @t-dialin.net.t-online. @wanadoo.fr.wanadoo. @netscape.net.aol. @netscape.com.aol. @amazon.com.amazon. @apple.com.apple. @att.net.att. @att.com.att. @attbi.com.attbi. @bellsouth.net.bellsouth. @charter.net.charter. @juno.com.untd. @verizon.net.verizon. @verizon.com.verizon. @cgocable.ca.cgocable. Matt Sheldon Koehler wrote: Ebay and greeting card companies fail the SPAMDOMAINS test on a regular basis. Since they also fail the nopostmaster and noabuse and a few other small ones, this adds up to a reject. Any suggestions on keeping these false positives from happening? Christmas is coming and the E-cards are going to get real busy again... As Matt has demonstrated with his wonderful filters, is there a good way to set up and AntiSpamdomains test? Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains and ebay
I'm pretty sure that you can have multiple listings for either column also, so the filter looks for either no failures or no passes when considering whether or not the test was failed as a whole (Scott, please correct me if I'm wrong). No. Each line is treated separately If you have a line example.com example.net, that says that if the return address contains example.com, then the reverse DNS entry must contain example.com or example.net. If you have a second line example.com example.us, it says that if the return address contains example.com, then the reverse DNS entry must contain example.com or example.us. With both those lines, an E-mail with a reverse DNS entry that does not contain example.com would fail at least one of those two lines, causing the test to fail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains and ebay
Shoot. Thanks for the clarification. Instead of making another feature suggestion, could you maybe give us a little insight into what you have planned if anything for filtering in general. No need to go too far out and nothing at all in the short-term would be fully understood. Thanks, Matt R. Scott Perry wrote: I'm pretty sure that you can have multiple listings for either column also, so the filter looks for either no failures or no passes when considering whether or not the test was failed as a whole (Scott, please correct me if I'm wrong). No. Each line is treated separately If you have a line example.com example.net, that says that if the return address contains example.com, then the reverse DNS entry must contain example.com or example.net. If you have a second line example.com example.us, it says that if the return address contains example.com, then the reverse DNS entry must contain example.com or example.us. With both those lines, an E-mail with a reverse DNS entry that does not contain example.com would fail at least one of those two lines, causing the test to fail. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains and ebay
Instead of making another feature suggestion, could you maybe give us a little insight into what you have planned if anything for filtering in general. No need to go too far out and nothing at all in the short-term would be fully understood. Most of what appears in the suggestion database right now about filters are minor things (such as a filter that checks both the subject and the body, which is just a timesaver, as the functionality can already be accomplished). So there are no major changes to filtering in the works. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS question
This may have been asked already, but I could not find it in the archives... in the spamdomains.txt file, can I use an entry like: .br to block all mail from Brazil or is that going to be too broad? That would work (blocking any E-mail with a return address with .br in it, which came from a reverse DNS entry without .br in it). The one catch is that it would apply to any E-mail with .br in the return address, including @mail.brook.com. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS
I would like to see an updated list also. Todd - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, September 13, 2003 3:56 PM Subject: [Declude.JunkMail] SPAMDOMAINS Any one have an updated list to share? John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] spamdomains
A few days ago I mentioned that I've had to reduce the weight I give to the spamdomains test drastically due to false positives. Here is an example of the type of thing I am running into: ... Again, this isn't a criticism. I just wanted to show what is happening in the real world. Just a few notes here: [1] The SPAMDOMAINS test should not be set up so that failing the SPAMDOMAINS test alone will block an E-mail (for exactly the reason you describe -- there are some services that send out E-mail on behalf of others that may be using a Hotmail or similar E-mail address). [2] If an E-mail is caught and your SPAMDOMAINS test isn't weighted heavily enough to block the E-mail on its own, then the problem often lies with the sender. If someone is going to be sending out E-mail on behalf of their customers (such as Kodak and eBay), they need to make sure that their mailserver is set up perfectly. While it may be acceptable for a small company to have some problems with their mailserver (such as no reverse DNS entry), it isn't acceptable for a company the size of Kodak or eBay. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spamdomains com.
Title: Message I think that while the spamdomains test is wonderful, many people are trying to overuse it as a test. IMO it is there to protect against forgeries of the major e-mailservices, and it does that task great. It's usefullness declines when it is used in a greater fashion. For example, we stop a couple hundred e-mails that use aol, msn, hotmail, yahoo, etc, but we stop only 1-3 on smaller domains. Using this test for the smaller domains isn't worth the false positives that it produces. But again in the defense of spamdomains, this isn't "his" fault. It just wasn't mean for that... Jason -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd - Smart MailSent: Friday, August 01, 2003 6:45 PMTo: [EMAIL PROTECTED]Subject: [Declude.JunkMail] Spamdomains com. FYI Spamdomians failed this. Which it should have based on my SP entry ofcom.although it was a valid email. Its an invoice sent by someone to my client though intuits online invoicing system. What is everyone using for "com." Received: from mail2.smart-mail.net [65.16.167.134] by net.smart-mail.net (SMTPD32-7.07) id AC92AD90152; Fri, 01 Aug 2003 16:33:06 -0500Received: from sdm3.quickbooks.net ([208.240.241.110])by mail2.smart-mail.net (SAVSMTP 3.0.1.45) with SMTP id M2003080116330213145for [EMAIL PROTECTED]; Fri, 01 Aug 2003 16:33:02 -0500Received: from ipp3.qbn.ie.intuit.com (ipp3.qbn.ie.intuit.com [10.9.2.76])by sdm3.quickbooks.net (8.11.6/8.11.6) with SMTP id h71LX2V27979for [EMAIL PROTECTED]; Fri, 1 Aug 2003 14:33:02 -0700 (PDT)Message-ID: [EMAIL PROTECTED]Date: Fri, 1 Aug 2003 14:33:02 -0700 (PDT)From: [EMAIL PROTECTED] X-RBL-Warning: SPAMDOMAINS: Spamdomain 'com.' found: Address of [EMAIL PROTECTED] sent from invalid sdm3.quickbooks.net. Thanks, Todd
Re: [Declude.JunkMail] Spamdomains question
Title: Re: [Declude.JunkMail] dashes in domains Joshua, What about... netscape. .aol ? Dan - Original Message - From: Joshua Levitsky To: [EMAIL PROTECTED] Sent: Thursday, July 24, 2003 6:26 PM Subject: [Declude.JunkMail] Spamdomains question Question on SpamDomains... X-RBL-Warning: SPAMDOMAINS: Spamdomain 'netscape.' found: Address of [EMAIL PROTECTED] sent from invalid r2d2.aoltw.net The above header was in an email to me from a netscape employee I work with. (changed it to snoopy so she doesn't get spam) Mail from Netscape comes from aoltw.net as that is one of our internal domains at AOL Time Warner. In Spamdomains I have netscape. aol. Should I make it looser with netscape. aol removing the period on the end of "aol" ? I know this opens it up to matching many more hosts, but it still will fail many spammers. Is there a better solution? -Josh
Re: [Declude.JunkMail] Spamdomains question
Title: Re: [Declude.JunkMail] dashes in domains Oh that is smart... cool... I think that will do it for me. -Josh - Original Message - From: Dan Geiser To: [EMAIL PROTECTED] Sent: Thursday, July 24, 2003 6:42 PM Subject: Re: [Declude.JunkMail] Spamdomains question Joshua, What about... netscape. .aol ? Dan - Original Message - From: Joshua Levitsky To: [EMAIL PROTECTED] Sent: Thursday, July 24, 2003 6:26 PM Subject: [Declude.JunkMail] Spamdomains question Question on SpamDomains... X-RBL-Warning: SPAMDOMAINS: Spamdomain 'netscape.' found: Address of [EMAIL PROTECTED] sent from invalid r2d2.aoltw.net The above header was in an email to me from a netscape employee I work with. (changed it to snoopy so she doesn't get spam) Mail from Netscape comes from aoltw.net as that is one of our internal domains at AOL Time Warner. In Spamdomains I have netscape. aol. Should I make it looser with netscape. aol removing the period on the end of "aol" ? I know this opens it up to matching many more hosts, but it still will fail many spammers. Is there a better solution? -Josh
Re: [Declude.JunkMail] SPAMDOMAINS and Aliasing on LegitE-Mail Systems That Have More Than 2 Legit Domains
Since the SPAMDOMAINS test only has 2 possible columns one for the domain name and one for a possible alias... When using the SPAMDOMAINS test, if you have a legit sender that has three interchangeable domains in use on their mail servers, e.g. HOTMAIL.COM, MICROSOFT.COM and MSN.COM (this is just an example I know these aren't necessarily interchangeable), will entries in SD.TXT like... HOTMAIL.COM MSN.COM HOTMAIL.COM MICROSOFT.COM keep an e-mail message from [EMAIL PROTECTED] that originates from a server with a Reverse DNS of MICROSOFT.COM server from failing the SPAMDOMAINS test? No. The problem is that an E-mail that comes from [EMAIL PROTECTED] with a reverse DNS that includes microsoft.com will fail the test on the first line. We are looking into a way to allow for more than one alias. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS: No Reverse DNS or ReverseDNS Lookup Times Out
If I am using the SPAMDOMAINS test what happens when it does a reverse DNS lookup and it times out? Does the e-mail message pass or fail the SPAMDOMAINS test? It will automatically pass the SPAMDOMAINS test. Also, what happens when it does a reverse DNS lookup and there is no reverse DNS entry? Is that even possible for it to not have a reverse DNS entry? (I believe the answer is yes.) If it is possible and it doesn't have one, does the e-mail message pass or fail the SPAMDOMAINS test? If it has no reverse DNS entry (which is possible, and fairly common -- the REVDNS test checks for that), it should fail the SPAMDOMAINS test (assuming the return address uses a domain that is listed in the spamdomains file). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS?
I had this mail fail both SPAMDOMAINS and HELOBOGUS. The message is an OK message the syslog shows the message actually arriving from a hotmail server. Should this not have been OK or do I have something wrong? The problem here is with your HOP/IPBYPASS settings: Received: from hotmail.com [65.54.169.8] by mx2.netraprise.com with ESMTP (SMTPD32-7.15) id A9BB58029C; Wed, 16 Jul 2003 11:13:47 -0500 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 16 Jul 2003 09:13:46 -0700 Received: from 204.220.153.70 by by3fd.bay3.hotmail.msn.com with HTTP; Wed, 16 Jul 2003 16:13:46 GMT Here, we see that your mailserver received the E-mail from 65.54.169.8 -- and that's the IP that you want Declude JunkMail to scan, since that isn't a trusted mailserver (one under your control). However: Msg failed HELOBOGUS (Domain 204.220.153.70 has no MX or A records.). Action=WARN. Msg failed SPAMDOMAINS (Spamdomain 'msn.com' found: Address of [EMAIL PROTECTED] sent from invalid 70.reverse.microgistix.com.). Here, Declude JunkMail is looking at the 3rd Received: header for the IP (and HELO/EHLO), which is why it is getting a domain named 204.220.153.70 and a reverse IP of 70.reverse.microgistix.com. In this case, you should use HOP 0 -- I'm guessing you are using HOP 2, which you should not be using (HOP 2 should be used if there are two mailservers of yours in front of your IMail server). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS?
Yes indeed. Just changed it. All fixed. The problem here is with your HOP/IPBYPASS settings: Thanks David Stavert --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS
Any chance that SPAMDOMAINS can have three entries. MSN uses Qwest DSL in my neighbourhood. Is there another way to handle this? That's something that we are looking into. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDomains- Prodigy?
Title: Message This looks to be most likely a dynamic DSL customer of Unity Telephone: dig -x 200.67.73.3 ;; ANSWER SECTION:3.73.67.200.in-addr.arpa. 3380 IN PTR dsl-200-67-73-3.prodigy.net.mx. ;; AUTHORITY SECTION:73.67.200.in-addr.arpa. 3380 IN NS nsgdl2.uninet.net.mx.73.67.200.in-addr.arpa. 3380 IN NS nsmex2.uninet.net.mx.73.67.200.in-addr.arpa. 3380 IN NS nsmex4.uninet.net.mx.73.67.200.in-addr.arpa. 3380 IN NS nsmty2.uninet.net.mx.73.67.200.in-addr.arpa. 3380 IN NS dnsadm-interno.uninet.net.mx. ;; ADDITIONAL SECTION:nsgdl2.uninet.net.mx. 680 IN A 200.23.242.201nsmex2.uninet.net.mx. 680 IN A 200.33.146.201nsmex4.uninet.net.mx. 680 IN A 200.33.146.217nsmty2.uninet.net.mx. 680 IN A 200.33.148.201dnsadm-interno.uninet.net.mx. 680 IN A 200.33.150.193= whois -h whois.networksolutions.com uninet.net Registrant:Unity Telephone (UNINET2-DOM) 25 Main St Unity, ME 04988 US Domain Name: UNINET.NET Administrative Contact, Technical Contact: Unitel, Inc. (NA4701-ORG) [EMAIL PROTECTED] 25 Main St Unity, ME 04988 US 207-948-3900 Record expires on 03-Dec-2008. Record created on 04-May-2002. Database last updated on 26-Jun-2003 19:25:32 EDT. Domain servers in listed order: NS1.MEGALINK.NET 205.243.60.3 NS2.MEGALINK.NET 63.164.60.7 AUTH50.NS.UU.NET 198.6.1.161 This one most certainly should have failed the spamdomains test, and would have if setup correctly. Bill - Original Message - From: Kami Razvan To: [EMAIL PROTECTED] Sent: Thursday, June 26, 2003 3:02 PM Subject: [Declude.JunkMail] SPAMDomains- Prodigy? Hi; Does anyone know of the Spamdomain entries for Prodigy? This is what I saw in a spam.. X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT, BASE64, FILTER-SUBJECT, FILTER-HEADER-XMAIL, COUNTRY, WEIGHT20s, WEIGHT20r, FREEEMAILSX-Weight: 49X-Mailfrom: ggreggoryspre.prodigy.netX-Note: Sent from: [EMAIL PROTECTED]X-Note: Sent from Reverse DNS: dsl-200-67-73-3.prodigy.net.mx ([200.67.73.3]). Is this the correct revdns for this? Regards, Kami
Re: [Declude.JunkMail] SPAMDomains- Prodigy?
Title: Message Scott, after thinking some more about Kami's situation, would this scenario pass or fail the spamdomains test?: == SpamDomain.txt file entry: prodigy.net Message from (X-Declude Sender): [EMAIL PROTECTED] Connecting mail server (or one tested based on HOP and IPBYPASS settings) IP Address: 1.2.3.4 RDNS for 1.2.3.4: abc.prodigy.net.biz == If the spamdomains test is setup as "CONTAINS", then I suspect it would pass the test. However, I don't think that is what we want, asin Kami's real-life example. This would most likely be a messages you would want to fail the spamdomains test. Several people, including myself, have asked for a way to define an exact match, or a way to define a delimiter in the config file so that we could define, for example, the spamdomains tests like: global.cfg: DELIMITER ~ prodigy.net~ ~mx1.abc.net~ ~mx2.xyz. ~mx5.cbs.com~ .nbc.net~.msnbc.com~ This could apply to the filter tests, as well. This would certainly remove a lot of the ambiguity and uncertainty surrounding these tests. Bill - Original Message - From: Bill Landry To: [EMAIL PROTECTED] Sent: Thursday, June 26, 2003 4:32 PM Subject: Re: [Declude.JunkMail] SPAMDomains- Prodigy? This looks to be most likely a dynamic DSL customer of Unity Telephone:
Re: [Declude.JunkMail] SPAMDomains- Prodigy?
Scott, after thinking some more about Kami's situation, would this scenario pass or fail the spamdomains test?: == SpamDomain.txt file entry: prodigy.net Message from (X-Declude Sender): mailto:[EMAIL PROTECTED][EMAIL PROTECTED] Connecting mail server (or one tested based on HOP and IPBYPASS settings) IP Address: 1.2.3.4 RDNS for 1.2.3.4: abc.prodigy.net.biz == Yes, it would. Several people, including myself, have asked for a way to define an exact match, or a way to define a delimiter in the config file so that we could define, for example, the spamdomains tests like: The real question is whether or not this will really happen -- I'm not sure that spammers will go to the trouble (and legal risk!) of doing something like that. If they have enough control over an IP that they can change the reverse DNS entry, they are very likely trackable, and if they use a Prodigy return address *and* use a reverse DNS entry with prodigy in it, they could very likely get sued for anything that they may have made from the spamming. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS
Yesterday I posted that ameritech.net was coming from a yahoo mail server. Today this one os coming from adelphia.net... as a result I have removed amertiech.net from the sd.txt file. Is this not only because there is some user with an ameritech.net address using the adelphia smtp-server? Yesterday I've divided my sd file in two files and defined 2 tests: SPAMDOMAINS_HIGH and SPAMDOMAINS_LOW From now on I move all domains that has had false positives on HIGH to the LOW file. I give 70% of our hold value to the high test and 35% of our hold value to the low test. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler Sent: Wednesday, June 25, 2003 8:46 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A6C982F01F6; Wed, 25 Jun 2003 11:15:37 -0700 Received: from mta8.adelphia.net (mta8.adelphia.net [64.8.50.196]) by Hyperion.tenforward.com (Postfix) with ESMTP id 02D803ADD5 for [EMAIL PROTECTED]; Wed, 25 Jun 2003 11:15:35 -0700 (PDT) Received: from nick0hp8iie4j8 ([68.70.184.73]) by mta8.adelphia.net (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Wed, 25 Jun 2003 14:15:33 -0400 From: PCP Unlimited Sales Team [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: Undeliverable Mail Date: Wed, 25 Jun 2003 14:14:59 -0400 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600. Importance: Normal In-Reply-To: [EMAIL PROTECTED] X-Declude-Sender: [EMAIL PROTECTED] [64.8.50.196] X-Note: This E-mail was scanned for spam. X-Spam-Tests-Failed: Whitelisted X-Note: This E-mail was scanned for Viruses and found clean. X-Note: This E-mail was sent from mta8.adelphia.net ([64.8.50.196]). X-Spam-Prob: 0.05 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 319669515 Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS
Would you mind sharing your two lists? I would like to be more aggressive with SPAMDOMAINS, but I know the FP potential. Thanks, Chuck Frolick ArgoNet, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Wednesday, June 25, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] SPAMDOMAINS Yesterday I posted that ameritech.net was coming from a yahoo mail server. Today this one os coming from adelphia.net... as a result I have removed amertiech.net from the sd.txt file. Is this not only because there is some user with an ameritech.net address using the adelphia smtp-server? Yesterday I've divided my sd file in two files and defined 2 tests: SPAMDOMAINS_HIGH and SPAMDOMAINS_LOW From now on I move all domains that has had false positives on HIGH to the LOW file. I give 70% of our hold value to the high test and 35% of our hold value to the low test. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler Sent: Wednesday, June 25, 2003 8:46 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A6C982F01F6; Wed, 25 Jun 2003 11:15:37 -0700 Received: from mta8.adelphia.net (mta8.adelphia.net [64.8.50.196]) by Hyperion.tenforward.com (Postfix) with ESMTP id 02D803ADD5 for [EMAIL PROTECTED]; Wed, 25 Jun 2003 11:15:35 -0700 (PDT) Received: from nick0hp8iie4j8 ([68.70.184.73]) by mta8.adelphia.net (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Wed, 25 Jun 2003 14:15:33 -0400 From: PCP Unlimited Sales Team [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: Undeliverable Mail Date: Wed, 25 Jun 2003 14:14:59 -0400 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600. Importance: Normal In-Reply-To: [EMAIL PROTECTED] X-Declude-Sender: [EMAIL PROTECTED] [64.8.50.196] X-Note: This E-mail was scanned for spam. X-Spam-Tests-Failed: Whitelisted X-Note: This E-mail was scanned for Viruses and found clean. X-Note: This E-mail was sent from mta8.adelphia.net ([64.8.50.196]). X-Spam-Prob: 0.05 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 319669515 Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS
At the moment I haven't moved any domain from Bill's list to the low file. I've also some .it-domains in the spamdomains file because we've a lot of italian traffic here. In the last days we've had a lot of fp's with some of this it-domains and some spam getting trough because the weight for spamdomains was too low. So I've decided to divide the file and give a different weight. Probably someone who has a lot of legit spamdomain-traffic on his server can share his results. I'm also interested on this information. Thanks Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Frolick Sent: Wednesday, June 25, 2003 11:52 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] SPAMDOMAINS Would you mind sharing your two lists? I would like to be more aggressive with SPAMDOMAINS, but I know the FP potential. Thanks, Chuck Frolick ArgoNet, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Wednesday, June 25, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] SPAMDOMAINS Yesterday I posted that ameritech.net was coming from a yahoo mail server. Today this one os coming from adelphia.net... as a result I have removed amertiech.net from the sd.txt file. Is this not only because there is some user with an ameritech.net address using the adelphia smtp-server? Yesterday I've divided my sd file in two files and defined 2 tests: SPAMDOMAINS_HIGH and SPAMDOMAINS_LOW From now on I move all domains that has had false positives on HIGH to the LOW file. I give 70% of our hold value to the high test and 35% of our hold value to the low test. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler Sent: Wednesday, June 25, 2003 8:46 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A6C982F01F6; Wed, 25 Jun 2003 11:15:37 -0700 Received: from mta8.adelphia.net (mta8.adelphia.net [64.8.50.196]) by Hyperion.tenforward.com (Postfix) with ESMTP id 02D803ADD5 for [EMAIL PROTECTED]; Wed, 25 Jun 2003 11:15:35 -0700 (PDT) Received: from nick0hp8iie4j8 ([68.70.184.73]) by mta8.adelphia.net (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Wed, 25 Jun 2003 14:15:33 -0400 From: PCP Unlimited Sales Team [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: Undeliverable Mail Date: Wed, 25 Jun 2003 14:14:59 -0400 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600. Importance: Normal In-Reply-To: [EMAIL PROTECTED] X-Declude-Sender: [EMAIL PROTECTED] [64.8.50.196] X-Note: This E-mail was scanned for spam. X-Spam-Tests-Failed: Whitelisted X-Note: This E-mail was scanned for Viruses and found clean. X-Note: This E-mail was sent from mta8.adelphia.net ([64.8.50.196]). X-Spam-Prob: 0.05 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 319669515 Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS strangeness
Make the spamdomains entry for yahoo: yahoo. instead of: @yahoo. .yahoo. There is no need to have it setup with these extra parameters. Let us know if that resolves your problem. I made the change yesterday, but have not heard from anyone yet. Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMDOMAINS sprintpcs.com
Hi, Actually, your sprintPCS email did NOT have ANY valid Reverse DNS according to the header you included: X-Note: This E-mail was sent from [No Reverse DNS] ([63.167.114.16]). Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sheldon Koehler Sent: Tuesday, June 24, 2003 11:54 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SPAMDOMAINS sprintpcs.com I have two today that I question. First it seems sprintpcs.com is coming from not only sprint.com but sprintip.com: Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A859C0A90086; Mon, 23 Jun 2003 18:24:41 -0700 Received: from dedicated59-bos.wh.sprintip.net (unknown [63.167.114.16]) by Hyperion.tenforward.com (Postfix) with ESMTP id A42663AE0B for [EMAIL PROTECTED]; Mon, 23 Jun 2003 18:24:38 -0700 (PDT) Received: from TRAVELERS (000-116-823.area7.spcsdns.net [68.25.203.238]) by dedicated59-bos.wh.sprintip.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTPA id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 24 Jun 2003 01:24:38 + (GMT) Date: Mon, 23 Jun 2003 18:24:29 -0700 From: traveler [EMAIL PROTECTED] Subject: delivery problem please help To: [EMAIL PROTECTED] Message-id: [EMAIL PROTECTED] MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600. X-Mailer: Microsoft Outlook Express 6.00.2600. Content-type: multipart/mixed; boundary=Boundary_(ID_CWjq/YnYkzKdW4cfcZlOYw) X-Priority: 3 X-MSMail-priority: Normal X-Declude-Sender: [EMAIL PROTECTED] [63.167.114.16] X-Note: This E-mail was scanned for spam. X-Spam-Tests-Failed: Whitelisted X-Note: This E-mail was scanned for Viruses and found clean. X-Note: This E-mail was sent from [No Reverse DNS] ([63.167.114.16]). X-Spam-Prob: 0.000430 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 319667998 Would the SD.TXT file work with: sprintpcs.comsprint No punctuation or anything? How about: sprintsprint And then Prodigy strikes again with: Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A57C14C20150; Tue, 24 Jun 2003 05:35:08 -0700 Received: from pimout6-ext.prodigy.net (pimout6-ext.prodigy.net [207.115.63.78]) by Hyperion.tenforward.com (Postfix) with ESMTP id 5094D3ACEB for [EMAIL PROTECTED]; Tue, 24 Jun 2003 05:35:06 -0700 (PDT) Received: from compaq (adsl-65-43-166-101.dsl.bcvloh.ameritech.net [65.43.166.101]) by pimout6-ext.prodigy.net (8.12.9/8.12.9) with SMTP id h5OCZ46r029590 for [EMAIL PROTECTED]; Tue, 24 Jun 2003 08:35:04 -0400 Message-ID: [EMAIL PROTECTED] From: Joan Gibbs [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Fw: Undeliverable Mail Date: Tue, 24 Jun 2003 08:35:27 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.1 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 X-Declude-Sender: [EMAIL PROTECTED] [207.115.63.78] X-Note: This E-mail was scanned for spam. X-Spam-Tests-Failed: Whitelisted X-Note: This E-mail was scanned for Viruses and found clean. X-Note: This E-mail was sent from pimout6-ext.prodigy.net ([207.115.63.78]). X-Spam-Prob: 0.000430 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 319668419 Is Ameritech part of Prodigy/Yahoo? What a mess... Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS strangeness
Some yahoogroups.com email is bouncing and some is not... Below is a header. Right now my sd.txt file has: @yahoo. .yahoo. That line means that any E-mail with a return address including @yahoo must have a reverse DNS entry with .yahoo. in it (or @yahoo., but that won't appear in a reverse DNS entry). X-Declude-Sender: [EMAIL PROTECTED] m [66.218.66.99] X-Spam-Tests-Failed: Whitelisted X-Note: This E-mail was sent from n31.grp.scd.yahoo.com ([66.218.66.99]). This E-mail should not have failed the SPAMDOMAINS test, but it was whitelisted, so it is not possible to tell whether or not it failed the SPAMDOMAINS test without looking at the log file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS strangeness
This E-mail should not have failed the SPAMDOMAINS test, but it was whitelisted, so it is not possible to tell whether or not it failed the SPAMDOMAINS test without looking at the log file. This was the last email she received from the list. She is now getting messages saying her email is being rejected for this group but her other group is fine. And my HAM radio IRLP group is working... The fact that most yahoogroup email is getting through is what has me stumped. I am going through log files, but DANG! A lot of our users are on yahoogroups... and my dec log files are about 20mb per day... Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS strangeness
Make the spamdomains entry for yahoo: yahoo. instead of: @yahoo. .yahoo. There is no need to have it setup with these extra parameters. Let us know if that resolves your problem. Bill - Original Message - From: Sheldon Koehler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 23, 2003 8:42 AM Subject: [Declude.JunkMail] SPAMDOMAINS strangeness Some yahoogroups.com email is bouncing and some is not... Below is a header. Right now my sd.txt file has: @yahoo. .yahoo. Any suggestions? Received: from Hyperion.tenforward.com [65.161.10.61] by tenforward.com with ESMTP (SMTPD32-7.15) id A4CA78D0088; Mon, 16 Jun 2003 15:29:30 -0700 Received: from n31.grp.scd.yahoo.com (n31.grp.scd.yahoo.com [66.218.66.99]) by Hyperion.tenforward.com (Postfix) with SMTP id 2752B3AD68 for [EMAIL PROTECTED]; Mon, 16 Jun 2003 15:29:29 -0700 (PDT) X-eGroups-Return: [EMAIL PROTECTED] m Received: from [66.218.67.200] by n31.grp.scd.yahoo.com with NNFMP; 16 Jun 2003 22:27:02 - X-Sender: [EMAIL PROTECTED] X-Apparently-To: [EMAIL PROTECTED] Received: (qmail 23134 invoked from network); 16 Jun 2003 22:27:01 - Received: from unknown (66.218.66.218) by m8.grp.scd.yahoo.com with QMQP; 16 Jun 2003 22:27:01 - Received: from unknown (HELO web10602.mail.yahoo.com) (216.136.130.166) by mta3.grp.scd.yahoo.com with SMTP; 16 Jun 2003 22:27:01 - Message-ID: [EMAIL PROTECTED] Received: from [64.118.100.102] by web10602.mail.yahoo.com via HTTP; Mon, 16 Jun 2003 15:27:01 PDT To: [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] From: Christine Toll [EMAIL PROTECTED] X-Yahoo-Profile: silksbychristine MIME-Version: 1.0 Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED] Delivered-To: mailing list [EMAIL PROTECTED] Precedence: bulk List-Unsubscribe: mailto:[EMAIL PROTECTED] Date: Mon, 16 Jun 2003 15:27:01 -0700 (PDT) Subject: Re: [silkpainters] Brownie's field trip Reply-To: [EMAIL PROTECTED] Content-Type: multipart/alternative; boundary=0-569215176-1055802421=:3627 X-Declude-Sender: [EMAIL PROTECTED] m [66.218.66.99] X-Note: This E-mail was scanned for spam. X-Spam-Tests-Failed: Whitelisted X-Note: This E-mail was scanned for Viruses and found clean. X-Note: This E-mail was sent from n31.grp.scd.yahoo.com ([66.218.66.99]). X-Spam-Prob: 0.78 X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 326342966 Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPAMDOMAINS prodigy.net
Follow-up... I guess I must have missed the news last year that Yahoo purchased Prodigy. Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain - Original Message - From: Sheldon Koehler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 17, 2003 9:10 AM Subject: [Declude.JunkMail] SPAMDOMAINS prodigy.net I am having a lot of people using prodigy complain about being rejected. With the headers that have been sent, they are ALL being sent through yahoo.com. Is yahoo and prodigy in cahoots for email or something? I have temporarily added: prodigy.netyahoo.com to the sd.txt file. So far this seems to work. Sheldon Sheldon Koehler, Owner/Partnerhttp://www.tenforward.com Ten Forward Communications 360-457-9023 Nationwide access, neighborhood support! Whenever you find yourself on the side of the majority, it's time to pause and reflect. Mark Twain --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains Weight
We have monitored the results for this test for a long time. We have not seen a single FP. We now hold on that test. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Sent: Sunday, June 15, 2003 8:51 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SpamDomains Weight Whats the average weight on the Spamdomains test that people are using. I'm getting good results with Bills list and thinking about increasing the weight to 10 or so... -- Rich Griebel [EMAIL PROTECTED] http://www.kendra.com Scanned for Viruses using Declude and F-Prot --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains Weight
We give for this test a weight of 55 points and hold on 100. FP's occur if a client uses a sender-domain listed in the spamdomains-file but uses another smtp-server (from his ISP) to send out legit messages. Another case: A message send from a web form with the sender-adress inserted by the visitor. For example booking-, information- or contact-requests. This is very common because the recipient can simply reply to the request. Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spamdomains: Which IP ?
Note, that for internal email, the IP address used in SPAMDOMAINS is the email address of the sender. So, for us, that gets translated to our ISP's name, as only the mail server has rDNS set up (we trap on our own mail server address in spamdomains, as that was being faked by quite a bit of email and slipping thru (we used to whitelist our own server)). So, this am, all email sent inhouse started getting held (I was updating weights) until I added an alternative domain name to the list. I assume that outside mail would have used the IP of the transmitting mail server, not that of the sender (unless they were the same). Karen -Original Message- From: R. Scott Perry The RDNS test is run against the IP address of the original sending mail server, not the IP of the client machine that drafted the message. I don't believe that intermediate hops are considered in this test, just the RDNS of the originating mail server. Scott, can confirm this. Declude JunkMail uses the same IP that it uses for getting the reverse DNS entry, and that is used for IP-based spam tests. By default, this is the IP address that connected to IMail. However, depending on the IPBYPASS and HOP settings, it may be different (for example, the IP address that connected to a backup or gateway mailserver). --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spamdomains: Which IP ?
Note, that for internal email, the IP address used in SPAMDOMAINS is the email address of the sender. So, for us, that gets translated to our ISP's name, as only the mail server has rDNS set up (we trap on our own mail server address in spamdomains, as that was being faked by quite a bit of email and slipping thru (we used to whitelist our own server)). So, this am, all email sent inhouse started getting held (I was updating weights) until I added an alternative domain name to the list. I assume that outside mail would have used the IP of the transmitting mail server, not that of the sender (unless they were the same). In the case of E-mail from your users, the IP of their computer would be used. But, if you only list domains in the spamdomains file that your users should not be sending from, you will be fine (IE if your users are not allowed to send out E-mail with an @earthlink.com address, you could have that listed in the spamdomains file). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spamdomains lookup timeout
Ok, I understand. Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Sunday, June 15, 2003 3:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Spamdomains lookup timeout Markus, The idea is, that we don't want to block VALID email. So, if a reverse lookup times out, there is no way to determine if there is no valid match and we can't just assume that it is SPAM. Time-outs could be temporary problems with a particular DNS server, it could be a routing problem on the Internet - any number of reasons. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Saturday, June 14, 2003 09:22 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Spamdomains lookup timeout Hi all, I'm not sure about this, but I've seen some spam messages coming from domains contained in our sd-file. (hotmail.com) However the messages hasn't failed the SPAMDOMAINS test. For example from the Sender-IP: 218.25.255.18 Can it be, because it's not possible to finish the REVDNS-query? http://www.dnsstuff.com/tools/ptr.ch?ip=218.25.255.18 Question? If it's so, that a timeout in a REVDNS-query doesn't trigger the test, can we change this, so that a timeout triggers the test? What if a query for a legit sender-IP times out? Why a REVDNS-query can time out? Isn't so, that any reachable IP is assigned to someone? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains: Which IP ?
The RDNS test is run against the IP address of the original sending mail server, not the IP of the client machine that drafted the message. I don't believe that intermediate hops are considered in this test, just the RDNS of the originating mail server. Scott, can confirm this. The theory is that most of the large mail host providers, and frequently forged domain hosts (like aol.com, yahoo.com, hotmail.com, etc.), have their DNS configured correctly so that if queried for the PTR record of the originating mail server's IP address (RDNS), it will respond with the domain listed in the from address somewhere in the response, or that of another domain defined in the SpamDomains file (a good match). If it does not contain the from domain, or an alternate predefined domain, somewhere in the response, then it probably was not sent from a designated mail server for that domain and is most likely spam. HTH to clarify. Bill - Original Message - From: Serge [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, June 15, 2003 8:41 AM Subject: [Declude.JunkMail] Spamdomains: Which IP ? After reading 100+ archive message about spamdomain, I was thinking that the ip used for the RDNS query is the one of the original remote smtp server but after playing arround with a dummy domain i set up, i have now some doubts that the test is using the IP of the ip of the original client that sent the message, and not the remote smtp server so which is it, and why ? and if it is the smtp server and there are several intermediary gateways, will the ip be that of the original server, or the final one ? TIA --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains: Which IP ?
The RDNS test is run against the IP address of the original sending mail server, not the IP of the client machine that drafted the message. I don't believe that intermediate hops are considered in this test, just the RDNS of the originating mail server. Scott, can confirm this. Declude JunkMail uses the same IP that it uses for getting the reverse DNS entry, and that is used for IP-based spam tests. By default, this is the IP address that connected to IMail. However, depending on the IPBYPASS and HOP settings, it may be different (for example, the IP address that connected to a backup or gateway mailserver). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamdomains: Which IP ?
Okay, thanks for the clarification Scott. Bill - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, June 15, 2003 10:32 AM Subject: Re: [Declude.JunkMail] Spamdomains: Which IP ? The RDNS test is run against the IP address of the original sending mail server, not the IP of the client machine that drafted the message. I don't believe that intermediate hops are considered in this test, just the RDNS of the originating mail server. Scott, can confirm this. Declude JunkMail uses the same IP that it uses for getting the reverse DNS entry, and that is used for IP-based spam tests. By default, this is the IP address that connected to IMail. However, depending on the IPBYPASS and HOP settings, it may be different (for example, the IP address that connected to a backup or gateway mailserver). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
