Exactly what field(s) does WHITELIST FROM work on?
The header (at the bottom) is an example of an email that I want to
whitelist.
These are the whitelist commands I've got in my GLOBAL.CFG:
WHITELIST FROM @bbc.reply.tm0.com
WHITELIST FROM @bbs.co.uk
WHITELIST FROM @bbcdailyemail.reply.tm0.com
Scott, I've seen some FP's (or possibly rather just simply legit mail)
tagged for BASE64 coming from AOL 8 (maybe others) when there is an
attachment and no text in the body of the message. I'm wondering if this
is possibly a bug in the BASE64 test, and if so, could/should it be fixed?
It is
Scott, anyone... HELP!
We upgraded to imail 8.03 yesterday, all was well. I come in this morning,
and try running Delog to scan yesterday's logfile. It can't open. Weird, so I
try to open it in notepad, get "Too large for notepad". The file is 4 GB in
size! What happened? Normally 20MB or so, but
WHITELIST FROM @bbc.reply.tm0.com
WHITELIST FROM @bbs.co.uk
WHITELIST FROM @bbcdailyemail.reply.tm0.com
WHITELIST FROM @bounce.lodo.exactis.com
yet it still tagged it as spam.
X-Declude-Sender: [EMAIL PROTECTED]
[64.210.92.56]
The WHITELIST FROM @bounce.lodo.exactis.com
I meant to add I did run DECLUDE.EXE after the install, and stop/start the
smtp service. When I left yesterday, I had checked the log to see that it
was functioning properly, and it was logging just fine. Logging is set to
LOW.
Sorry for the lack of info there, I don't like surprises first thing
Running 1.75. Yeah, I did this first, but added the others when this one
didn't work. It doesn't seem to be working on this particular email.
Do you have over 200 whitelist entries in the global.cfg file? There is a
limit of 200, after which some of the earlier ones will be overwritten.
Color me stupid
I deleted the log file for today, and let Declude recreate it. After 5
minutes the file was up to 112K! So, I opened notepad, and waited...
finally opened, and I saw a bunch of lines:
Unknown test type in enter goof here
ARGH! When I edited out entries in our killfile
Do you have over 200 whitelist entries in the global.cfg file? There is a
limit of 200, after which some of the earlier ones will be overwritten.
aah, yeah. Many more than 200. Possibly 1500. What is the length limit on
a filter.txt file? Perhaps I can do the dirty work there instead of
My server is blocked by five-ten because the author doesn't like Broadwing? I am
immediately going to quit using the five-ten lists because I don't know who else this
gentleman doesn't like.
The response is:
IP address 67.99.44.6 is listed here as broadwing.net spam-support. Please note that
There's the root of the problem: spamming works. If they didn't make money
from spam, they wouldn't do it. Apparently the 1% that are still ignorant
about spam make it worthwhile to anger the 99%. (I wonder what the real
ratio is?)
I tend to forget that to me it's an annoyance and that to
One of our upstream providers is Qwest, and we have the same problem.
However, everyone seems to be aware of the SPAM-SUPPORT flaw because it has
never prevented us from getting mail to anyone.
Especially if the mail server is behind any decent firewall.
The problem here is that E-mail will almost never come from those
IPs. Spoofing a TCP/IP is extremely difficult to do, and
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came
Reply to: Keith Anderson
Re: [SPAM-BADHEADERS][Declude.JunkMail] Five Ten List on Thursday 9:14:19 AM
We used to be on Qwest and had the same problem. Outgoing was not a
problem, but incoming was. The worst we saw of an RBL blocking whole
providers was BLARS which appears to block whole
Yeah, we're aware of that one also. And other than one glitch in receiving
mail, we haven't experienced any problems receiving mail (with one exception
below). Of course, you never know when you don't receive something unless
it was sent by someone important.
The only company that we're aware
There's the root of the problem: spamming works.
Well, for me it looks like spam defense also works :)
We've processed 37347 incoming messages in the last 14 days. 17878 of
them were held as spam.
Our operators manually check for false positives and have requeued 15
messages in 14 days.
I
| There's the root of the problem: spamming works.
|
|
|Well, for me it looks like spam defense also works :)
|Calculate it how you want: Spam defense works!
|The question is how well it works without publicly available
|spam blacklists.
I think pretty well... (I'm biased).
Scott publishes
It appears the Sobig.F remailer capabilities are being used. I have
received 4 complaints in the last 2 days about spamming from my dial
pool with headers like these:
Return-Path: [EMAIL PROTECTED]
Delivered-To: x
Received: (qmail 14974 invoked by uid 88); 24 Sep 2003 03:39:33 -
Received:
So, to review, the filter should look like this, correct:
FORGEDHELO-FILTER filter M:\IMail\Declude\ForgedHelo-Filter.txt x 0 0
# To deduct weight for the Netscape issue
HEADERS -7 CONTAINS mozilla
# In case you have mail gateways, deduct equal weight for these hosts
HELO -7 ENDSWITH
On that same subject, I wonder if the same computers affected with Sobig are
the ones sending out Swen?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Actually, you want to apply the weight in the Global.cfg, 7 in this
case, and then all of your positives should be listed as 0 in the filter
file and the Mozilla exception should be scored as a -7. The way it is
now, it will credit 7 points to any message claiming to be Mozilla
generated, and
It might also be a good idea to remove my domains from your files :) I
thought my mail client would use the version saved at the time attached
instead of grabbing them when I sent the E-mail...
Matt
With the loss in the last month of several spam lists, I am reviewing what I
have been using.
This is the current list. Any recommendations on additions?
DSBL ip4r list.dsbl.org * 6 0
ORDB ip4r relays.ordb.org *
despite the lack of scoring. I'm using some other tweaks such as doing
an IS instead of CONTAINS for the FQDN, and listing the addresses with
and without the mail. in front of my domains since my MX records use the
mail. subdomain.
Actually, would it not be better to use ENDSWITH rather than
It's a limitation in the filtering capabilities. I certainly don't
want to do that, but there is no way around it. You just have to keep
that in mind when scanning the headers after seeing this test tripped.
The way you had it written, it would be tripped just as often, but it
would have
Hello All.
Below are the headers from a message that was held by Declude.
This comes from an in-house system that generates email message
confirmations for job applicants. The system runs on a Web server that
generates the message and sends the message. The job applicant system
uses an
John,
I assume that if someone is going to spoof part of my domain, they
won't add fake stuff to the front of it. If they started, I would
change my methods to yours possibly, but I would then need to provide
exceptions for where my domains are validly used on other servers, such
as my MS
Below are the headers from one of the blocked messages. Why is it
blocking it?
X-Spam-Tests-Failed: IPNOTINMX, REVDNS, SPAMHEADERS [7]
Because it failed the IPNOTINMX, REVDNS, and SPAMHEADERS test -- and you
have one of those set to use the HOLD action.
The IPNOTINMX isn't important -- lots
Can't the HELO contain both a FQDN and IP address?
I am not blocking any of those...that is what is sooo strange.
I didn't think you were holding on any of those. :)
Here is my .cfg file to prove. So if not holding, then why did it
block?
Where did you find the E-mail?
-Scott
Hi Scott.
I am not blocking any of those...that is what is sooo strange.
Here is my .cfg file to prove. So if not holding, then why did it
block?
Thanks.
Sam
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:32 PM
To: [EMAIL
Can't the HELO contain both a FQDN and IP address?
No. The HELO/EHLO data can contain either a FQDN or a domain literal
(such as a properly formatted IP), but not both. So HELO example.com,
EHLO mail.example.com, HELO [192.0.2.25] are all OK, but HELO
192.0.2.25 is not (not properly
Matt, what the spammers do is use the names that
are listed as your MX records as their HELO name, so if your domain is abc.com,
but you have your MX records set up as mx1.abc.com and mx2.abc.com, then you will
either want to use:
HELO 0 IS mx1.abc.com
HELO 0 IS mx2.abc.com
or
HELO
In this filter test, will using HELO be the same if sending server uses
EHLO, or would we need a line EHLO also?
But then that would cause a problem, as I
believe Karen had pointed out, when you have a backup MX that sends to the
primary.
Then again, 7 is only about 1/3 of my
hold weight.
In this filter test, will using HELO be the same if sending server uses
EHLO, or would we need a line EHLO also?
Declude treats both HELO and EHLO SMTP commands exactly the same. So HELO
0 CONTAINS .example.com will catch E-mail from both HELO
mail.example.com and EHLO mail.example.com. It's
Bill,
The first example is what I did. BTW, I have found from monitoring
that most (all so far) spammers just simply use what appears after the
@ symbol instead of having something lookup the MX every time.
Matt
Bill Landry wrote:
Matt, what the spammers do is use
the names
I am blocking weight 10. I think that is what did it.
Thanks for your help.
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Header Questions - Job Applicant System
John,
I think you might be confusing what HELO really is, and what the HELO
filter searches. The HELO filter only searches the hostname that is
sending and not the IP address that it is sending from unless it is
configured to use the IP as the hostname (which is rare and will trigger
other
You should exclude your backup MX servers. This follows along the
lines of using IS instead of CONTAINS or ENDSWITH. It's better IMO to
have the test not score known exclusions along with spoofers of those
known exclusions rather than just applying a score to anything. I'm
scoring at 70% of my
I am getting TONS of this crap on my server. All kinds of
different messages, all with the little MPCM blurb at the
top. I set up two filters in my Wordfilter test to catch it:
BODY 10 CONTAINS mpcmffa.com
BODY 10 CONTAINS MPCM
However, it is not catching it - in fact, the only wordfilter entry I
John, you should whitelist the IP addresses of your
gateways and backup mail exchangers, since you control those systems and because
it is very difficult to spoof IP addresses. That way you will not run into
problems with blocking mail from your own systems.
The other thing to consider is that
Maybe so, but why exclude yourself from flagging
other forged combinations of your hostname/domain name? I would still
suggest using either CONTAINS or ENDSWITH so that you can catch all of the
various combinations that spammers might use.
Bill
Not necessarily. The [xxx.xxx.xxx.xxx] format is a valid and legit hostname
syntax.
Bill
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 12:24 PM
Subject: Re: [Declude.JunkMail] Another very effective filter test
Are there any spaces/tabs after MPCM on that line? Does the line
I think I referenced that :)
At 04:03 PM 9/25/2003, R. Scott Perry wrote:
Are there any spaces/tabs after MPCM on that line? Does the line end
properly (if it is the last line in the file, and you use Notepad, can
the cursor go to the line below it)?
The lines are fine - no spaces/tabs, and they are in the middle of the
If you view the source of the E-mail,
Just an idea. In addition to negative scoring in NOLEGITCONTENT and
IPNOTINMX not failing (and crediting points in many configurations),
could it be possible that you have some negative weight tests in your
WORDFILTER file? Declude will only mark one instance of a filter line
in the logs even
Scott MacLean wrote:
*sigh* you're right again, Scott. Still doesn't
explain why it's not
catching my previous wordfilter lines. I'm going to watch this one some
more.
Keep checking your math for the other message :)
NOLEGITCONTENT nolegitcontent x x 0 -5
Subtract that from 9 and it falls
Which is why you subtract points for the true IPs of your own servers (to
compensate for the other lines catching the domain name)!
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, September 25, 2003 3:21 PM
To: [EMAIL
At 05:10 PM 09/25/2003, Matthew Bramble wrote:
Scott MacLean wrote:
*sigh* you're right again, Scott.
Still doesn't explain why it's not catching my previous wordfilter lines.
I'm going to watch this one some more.
Keep checking your math for the other message :)
NOLEGITCONTENT nolegitcontent x
Do you have any lines in wordfilter that use negative weight? Only the last
one that failed is usually show in the header (could be more that failed).
Karen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Scott MacLean
Sent: Thursday, September 25, 2003
conversely, I have lots of legit mail that fails it.
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
Sent: Thursday, September 25, 2003 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MPCM?
It appears there is a division: those that feel CONTAINS or ENDSWITH should
be used, and those that feel IS should be used.
I am going to try using ENDSWITH while subtracting weight for my backup MX.
I do not whitelist that IP, as Scott has before recommended not doing that,
and I agree. Rather, I
If you use IPBYPASS and HOP settings, then why do you need to use a negative
weight for your own IP addresses? They should never be seen by the test.
Or am I missing something??
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
The IPBYPASS and HOP settings are for the DNS based tests, not for filters.
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent:
John,
Just to clarify, the division is related to circumstance and experiences
rather than what is best globally. There is no global answer that is
the best answer in every circumstance. I use IS because it is more
conservative and I have already seen about 4 such violators in the last
year
If I have a REVDNS, HELO line in a filter, does it honor the HOP and IPBYPASS
settings? If it does not, then that would be confusing for setting up filters
because they would be using different information than the DNS based tests.
The REVDNS and HELO filter types look at just the reverse DNS entry
John:
You actually are using some I was not so thanks for posting that. About the
only one that I am using that you are not is NJABL (see entry below). It
does not catch very many per day - about the same amount as ORDB.
NJABL ip4r dnsbl.njabl.org 127.0.0.2 5
Everybody's experiences with spam tests, including DNS based tests, are going
to be different. Why be so hesitant to try a test to see how it works for
you? Simply set up the test in your global.cfg and set the action to IGNORE
or LOG; that way you can evaluate the test results without impacting
Sawmill seems enthusiastic to make custom changes to their Imail log module, based on
customers' needs. They have indicated this on both the Declude and Imail log modules.
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003
Dave Marchette wrote:
Sawmill seems enthusiastic snip
I use Sawmill to analyze both Imail and Declude logs. The author, Greg Ferrar, is
very responsive to adding log formats. I'm not sure how he is about custom test
types, though. Can't hurt to ask. Especially if a lot of us are users and
I've been filtering on supposed HTTP links that start with something like
this:
HTTP://%W%/
But I understand now that there is some encoding going on, but I don't know
why anyone would use such a URL, so I block it.
However, I notice companies like PayPal and eBay have links like this in the
Ok. This spam is scary. It has my actual home address and phone number. I'm guessing they cropped it from WHOIS maybe... but that wouldn't make sense since many WHOIS contacts are technical people that wouldn't fall for this. Anyone else get this variation of the typical financial fraud with your
John,
DLAnalyzer has the capabilities you are looking for in the enterprise
version and much more. With the advanced reporting capabilities it can get
even more granular than what you are requesting..
Check it out at http://www.dlanalyzer.com and make sure you request the
unrestricted
They did get it from WHOIS -- the 123 123 1234 gives it away. It
Mike,
That issue with PayPal is a scripting error on their part, and it is an
invalid link in HTML. I have only seen one semi-legit outfit using
obfuscation in URL's, but this was a contest opt-in site that would then
turn around and sell your address (that was their business) so I don't