Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread SM Admin
Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network
traffic, but we can live without.  However, I need one server to be both
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can
set up to directly use the Comcast DNS servers (small network so I don't
need internal DNS).  But the mail server presents us the same kind of
problem.

The perfect solution would be a setting that tells the MS DNS server to
accept recursive requests only from specified client IPs, but I don't see
any way to do that.  Any ideas?

Thanks,

Ben

-Original Message-
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
Queries for any other records returns no results.  Used when server is
authoritative for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files,
and 2 recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recursion is on.
If Forwarder is set and DNS server does not know the answer to a query,
the DNS server will ask the Forwarder DNS server for the answer.
If no Forwarder is set and the DNS server does not know the answer to a
query the DNS server will contact the Root servers and find the answer
itself.

My experience with MS DNS is that forwarders are set up at installation
because the installer assumes a blank forwarder means the DNS server will be
unable to lookup addresses.  Because DNS works with a forwarder the setting
gets left on.  About the only time I recommend forwarders is if the site
uses something like OpenDNS for Content Filtering, in which case all queries
should go to the OpenDNS servers.



-Original Message-
From: Sanford Whiteman sa...@cypressintegrated.com
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding.  For MS DNS
 servers,  forwarding and recursion are tied together; turn off one
 and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice
versa.

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

 So if I turn off recursion and forwarding, then all my DNS requests
 will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the root servers sure won't.

 I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

 but I am also under the impression that resolving only through root
 servers is bad.

It's not bad, it doesn't exist.

 Since MS seems to recommend forwarding

I doubt that...

 With a stub zone, queries to URIBL.com are resolved directly through
 the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.





Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread SM Admin
Ahhh, yes, but that’s the answer I don't want.  Right now, I could take our
existing old authoritative DNS server and make it non-recursive, then put a
recursive name server on the mail server itself, but listening only to the
internal IP and that would seem to follow your suggestion.  Although, when I
look at the Interface tab in Properties, I don't see a local or 127.0.0.1
IP.  Maybe it's that funny IPv6 string I see?

The problem is that we're downsizing and consolidating this stuff, so we'd
like to move all the DNS functions over to just the mail server and retire
the old DNS server.  In that case, of course, we only have one DNS server.

I've been looking online to see how others might handle this.  It seems that
BIND can do this one way or another.  You might be able to tell it to listen
for recursive requests only on certain IPs or you can disable all recursion
for the server but then override it for each of your authoritative zones.
Unfortunately, I have yet to find either of those features as part of MS DNS
and I'm not about to launch into the world of BIND.

The second idea was to consolidate the DNS server onto the mail server,
enable recursion, but then block recursive requests from the outside world.
For example, use a firewall to block recursive requests (but only those that
are recursive) from the outside.  I found some online discussion of people
trying to do this, possibly using port 53, but no indications that anyone
actually succeeded.

So for now, I'm still stuck.

-Original Message-
From: Darin Cox
Sent: Friday, March 15, 2013 11:11 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Ben,

You'll want to set up at least two DNS servers for that.  One recursive for
mail server lookups, most likely on the mail server.  The DNS service on the
mail server should not be publicly accessible.  The other non-recursive DNS
server can be used as your nameserver and, of course, publicly accessible.
Since you need multiple nameservers anyway, this is not likely an issue.
And you'll want them on separate subnets, network connections, etc... as
much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services
is that if you host any websites that process credit cards, PCI-DSS
compliance requires any publicly accessible DNS services on the web or email
server to have recursion turned off.

Hope this helps,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy.  Of course, if I had understood everything perfectly (or even
reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could
actually toggle Forwarding and Recursion separately.  However, under Windows
2008 server this isn't the case.  You are correct that it's not symmetric as
I claimed, although I really did no better.  Turning off recursion from the
Advanced properties tab turns off forwarding.  Turning off forwarding I
assume is done by just not having any forwarders listed.  So what I said
previously was wrong, although I don't see where it really changes what I
was thinking about.

The challenge here is that our DNS server has two purposes: it is the
authoritative name server for a bunch of zones and it is also the primary
name server used by our mail server.

For purposes of being authoritative for our hosted zones we don't need
either recursion or forwarding.  Requests come to us, get what they need,
and then go away.  For purposes of our mail server we need our DNS server to
be recursive, at the least.

We set up forwarding to the Comcast name servers to offload server and
network traffic.  They can do all the recursion and then pass back the
results to our DNS server, which passes the results back to our mail server.
So I gather the recommendation here is to skip the forwarding and do all the
work ourselves.

I don't understand your remark about open resolver because you don't explain
where I'm wrong in my understanding.  What I understand is that if you have
a DNS server that does recursion on a public IP, then it is an open resolver
and could be attacked. Is that wrong? And if we turn off forwarding but
leave on recursion, then won't our name server still be an open resolver? It
needs to be that way so that the mail server can resolve its requests
against it.

In theory, I only need our name server to be recursive on requests from our
mail server and to be non-recursive for everyone else.  However, I haven't
seen any way to configure that.

Thanks,

Ben

-Original Message-
From: Sanford Whiteman
Sent: Friday, March 15, 2013 6:08 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding

Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Darin Cox
Ben,

You may be able to run multiple instances of BIND on different IPs on the
same server, or a combination of MS DNS and BIND on different IPs on the
same server, but you _really_ don't want to.  Downsizing redundancy in your
nameserver DNS is just plain the wrong thing to do.

The reason you're not finding the answers you want is that you're asking the
wrong question.

Sorry,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 2:51 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Ahhh, yes, but that’s the answer I don't want.  Right now, I could take our
existing old authoritative DNS server and make it non-recursive, then put a
recursive name server on the mail server itself, but listening only to the
internal IP and that would seem to follow your suggestion.  Although, when I
look at the Interface tab in Properties, I don't see a local or 127.0.0.1
IP.  Maybe it's that funny IPv6 string I see?

The problem is that we're downsizing and consolidating this stuff, so we'd
like to move all the DNS functions over to just the mail server and retire
the old DNS server.  In that case, of course, we only have one DNS server.

I've been looking online to see how others might handle this.  It seems that
BIND can do this one way or another.  You might be able to tell it to listen
for recursive requests only on certain IPs or you can disable all recursion
for the server but then override it for each of your authoritative zones.
Unfortunately, I have yet to find either of those features as part of MS DNS
and I'm not about to launch into the world of BIND.

The second idea was to consolidate the DNS server onto the mail server,
enable recursion, but then block recursive requests from the outside world.
For example, use a firewall to block recursive requests (but only those that
are recursive) from the outside.  I found some online discussion of people
trying to do this, possibly using port 53, but no indications that anyone
actually succeeded.

So for now, I'm still stuck.

-Original Message-
From: Darin Cox
Sent: Friday, March 15, 2013 11:11 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Ben,

You'll want to set up at least two DNS servers for that.  One recursive for
mail server lookups, most likely on the mail server.  The DNS service on the
mail server should not be publicly accessible.  The other non-recursive DNS
server can be used as your nameserver and, of course, publicly accessible.
Since you need multiple nameservers anyway, this is not likely an issue.
And you'll want them on separate subnets, network connections, etc... as
much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services
is that if you host any websites that process credit cards, PCI-DSS
compliance requires any publicly accessible DNS services on the web or email
server to have recursion turned off.

Hope this helps,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy.  Of course, if I had understood everything perfectly (or even
reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could
actually toggle Forwarding and Recursion separately.  However, under Windows
2008 server this isn't the case.  You are correct that it's not symmetric as
I claimed, although I really did no better.  Turning off recursion from the
Advanced properties tab turns off forwarding.  Turning off forwarding I
assume is done by just not having any forwarders listed.  So what I said
previously was wrong, although I don't see where it really changes what I
was thinking about.

The challenge here is that our DNS server has two purposes: it is the
authoritative name server for a bunch of zones and it is also the primary
name server used by our mail server.

For purposes of being authoritative for our hosted zones we don't need
either recursion or forwarding.  Requests come to us, get what they need,
and then go away.  For purposes of our mail server we need our DNS server to
be recursive, at the least.

We set up forwarding to the Comcast name servers to offload server and
network traffic.  They can do all the recursion and then pass back the
results to our DNS server, which passes the results back to our mail server.
So I gather the recommendation here is to skip the forwarding and do all the
work ourselves.

I don't understand your remark about open resolver because you don't explain
where I'm wrong in my understanding.  What I understand is that if you have
a DNS server that does recursion on a public IP, then it is an open resolver
and could be attacked. Is that wrong? And if we turn off forwarding but
leave on recursion

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Andy Schmidt
If you're that small - how many PUBLIC domains do you have to be authoritative 
for? What is the change frequency in a year, that you need this to be on your 
local DNS.

For redundancy and availability purposes, why not host your public DNS at your
registry, block incoming DNS queries at your border router/firewall - and set
up your strictly IN-HOUSE DNS server recursive?

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Saturday, March 16, 2013 2:04 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network 
traffic, but we can live without.  However, I need one server to be both 
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can set 
up to directly use the Comcast DNS servers (small network so I don't need 
internal DNS).  But the mail server presents us the same kind of problem.

The perfect solution would be a setting that tells the MS DNS server to accept 
recursive requests only from specified client IPs, but I don't see any way to 
do that.  Any ideas?

Thanks,

Ben

-Original Message-
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
Queries for any other records returns no results.  Used when server is 
authoritative for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the 
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files, and 2 
recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recursion is on.
If Forwarder is set and DNS server does not know the answer to a query, the 
DNS server will ask the Forwarder DNS server for the answer.
If no Forwarder is set and the DNS server does not know the answer to a 
query the DNS server will contact the Root servers and find the answer itself.

My experience with MS DNS is that forwarders are set up at installation because
the installer assumes a blank forwarder means the DNS server will be unable to
lookup addresses.  Because DNS works with a forwarder the setting gets left on.
About the only time I recommend forwarders is if the site uses something like
OpenDNS for Content Filtering, in which case all queries should go to the
OpenDNS servers.



-Original Message-
From: Sanford Whiteman sa...@cypressintegrated.com
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding.  For MS DNS
 servers,  forwarding and recursion are tied together; turn off one
 and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice
versa.

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

 So if I turn off recursion and forwarding, then all my DNS requests
 will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the root servers sure won't.

 I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

 but I am also under the impression that resolving only through root
 servers is bad.

It's not bad, it doesn't exist.

 Since MS seems to recommend forwarding

I doubt that...

 With a stub zone, queries to URIBL.com are resolved directly through
 the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.



Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Sanford Whiteman
Ben, you'd find Simple DNS Plus an easy cross-grade. We have used it
exclusively for all user-facing DNS for many years. We only use MS DNS
as a stealth primary.

Also, as Andy said, it's hard to believe your authoritative domains
require more than a few dollars a month worth of DNS hosting -- some
hosts even have a free plan you might fall under.

-- S.






Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-15 Thread Sanford Whiteman
 The challenge for me is in not using forwarding.  For MS DNS
 servers,  forwarding and recursion are tied together; turn off one
 and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice
versa.

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

 So if I turn off recursion and forwarding, then all my DNS requests
 will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the root servers sure won't.

 I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

 but I am also under the impression that resolving only through root
 servers is bad.

It's not bad, it doesn't exist.

 Since MS seems to recommend forwarding

I doubt that...

 With a stub zone, queries to URIBL.com are resolved directly through
 the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.
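
The definition above (a server that performs recursive lookups for anyone on the open internet) can be checked against your own server from an outside network: send a query with the RD bit set for a name the server does not host, then read the RA bit and RCODE in the reply. This is an added example, not part of the original post; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

# DNS header flag bits (RFC 1035)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
REFUSED = 5


def build_query(name, txid=0x1234, qtype=1):
    """Build an A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!6H", txid, RD, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)


def assess(query, reply):
    """Classify how the server treated a recursive query for a foreign name."""
    if len(reply) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if flags & AA and ancount:
        return "authoritative"   # name is hosted locally; pick another test name
    if flags & RA and rcode != REFUSED:
        return "recursive"       # the server offered recursion to this client
    if rcode == REFUSED:
        return "refused"
    return "no-recursion"        # e.g. a referral or empty reply with RA clear


def probe(server, name, timeout=3.0):
    """Send one UDP query to your own server and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"  # consistent with a firewall dropping inbound DNS
    return assess(query, reply)


def sample_reply(query, flags, answers=0):
    """Constructed reply for offline use: echoes the question, adds A records."""
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    header = query[:2] + struct.pack("!5H", flags, 1, answers, 0, 0)
    return header + query[12:] + rr * answers


if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed replies: open resolver, recursion refused, locally hosted zone.
    for label, flags, n in (("open", 0x8180, 1), ("closed", 0x8105, 0),
                            ("hosted", 0x8500, 1)):
        print(label, "->", assess(q, sample_reply(q, flags, n)))
```

Run `probe()` from a host outside the network: "recursive" from there means the server is answering as an open resolver, while the same call from the mail server itself should still return "recursive".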






Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-15 Thread SM Admin
Thanks, Sandy.  Of course, if I had understood everything perfectly (or even
reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could
actually toggle Forwarding and Recursion separately.  However, under Windows
2008 server this isn't the case.  You are correct that it's not symmetric as
I claimed, although I really did no better.  Turning off recursion from the
Advanced properties tab turns off forwarding.  Turning off forwarding I
assume is done by just not having any forwarders listed.  So what I said
previously was wrong, although I don't see where it really changes what I
was thinking about.

The challenge here is that our DNS server has two purposes: it is the
authoritative name server for a bunch of zones and it is also the primary
name server used by our mail server.

For purposes of being authoritative for our hosted zones we don't need
either recursion or forwarding.  Requests come to us, get what they need,
and then go away.  For purposes of our mail server we need our DNS server to
be recursive, at the least.

We set up forwarding to the Comcast name servers to offload server and
network traffic.  They can do all the recursion and then pass back the
results to our DNS server, which passes the results back to our mail server.
So I gather the recommendation here is to skip the forwarding and do all the
work ourselves.

I don't understand your remark about open resolver because you don't explain
where I'm wrong in my understanding.  What I understand is that if you have
a DNS server that does recursion on a public IP, then it is an open resolver
and could be attacked. Is that wrong? And if we turn off forwarding but
leave on recursion, then won't our name server still be an open resolver? It
needs to be that way so that the mail server can resolve its requests
against it.

In theory, I only need our name server to be recursive on requests from our
mail server and to be non-recursive for everyone else.  However, I haven't
seen any way to configure that.

Thanks,

Ben

-Original Message-
From: Sanford Whiteman
Sent: Friday, March 15, 2013 6:08 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding.  For MS DNS
 servers,  forwarding and recursion are tied together; turn off one
 and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice
versa.

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

 So if I turn off recursion and forwarding, then all my DNS requests
 will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the root servers sure won't.

 I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

 but I am also under the impression that resolving only through root
 servers is bad.

It's not bad, it doesn't exist.

 Since MS seems to recommend forwarding

I doubt that...

 With a stub zone, queries to URIBL.com are resolved directly through
 the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.






RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-12 Thread Nick Hayer
Thank you Andrew.

Every time you write something it's an education.  Much appreciated.

-Nick

MadRiverAccess.com|Skywaves.net Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
http://www.skywaves.net/content/secure/support_ticket.htm


 From: Colbeck, Andrew acolb...@bentallkennedy.com
Sent: Monday, March 11, 2013 9:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Per point 3. "Once URIBL starts rejecting the requests then every request
gets scored as bad"

Read the URIBL.com site News, and Implementation sections. This is because a
rejection isn't quiet, it returns the value 127.0.0.1, so I'll assume that SM
is triggering on a result of "*" instead of "127.0.0.2" and you'll want to go
back to SmarterMail to figure out how to be specific about that acceptable
response. Perhaps you'll want to use specific tests like the Black test or the
Red test instead of the Multi test.

Per point 5. "I'm not really sure how URIBL even knows which DNS server I use
...last year, I had my SM server configured to use the Comcast national DNS
servers"

Well, that's pretty clear, a lot of people use ComCast, so ComCast has been
flagged as a "heavy hitter" and queries through their servers to URIBL will
cause URIBL to respond to Comcast with the "127.0.0.1" value. URIBL doesn't
care about your-server-asking-via-Comcast, they care about which server asked
URIBL, which was ComCast.

Per point 6. "I was told that I need to turn off recursion on the DNS server
to be considered acceptable to URIBL. Again, I don't know why."

Ok, it's plausible that URIBL tests your DNS server to see if it can be abused
by bad guys, but I actually doubt that they do this, and it's a red herring.
You know that your mail volume is small enough to not be a heavy hitter but you
are diagnosed as a heavy hitter anyway. Therefore, someone gave you this advice
while trying to diagnose why you are getting heavy hitter results, i.e. that
your DNS server is being abused.

The big idea here is that your mail server needs to ask a DNS server to resolve
stuff for it, including URIBL. However, random people on the Internet should
not be able to use your DNS server, because they will certainly abuse it to
throw bandwidth at someone they don't like. That's called an open resolver, see
here for why that's bad
http://dns.measurement-factory.com/surveys/openresolvers.html

It's extremely common to use a DNS server right on your email server, and point
your antispam queries at that DNS server. Some DNS servers allow you to specify
the IP/subnet of allowed clients; Windows 2008 does not, it happily resolves
for anyone. So instead of using client ACLs on the DNS server, make sure you're
not telling your firewall to allow inbound DNS as a service on that particular
IP address; because of course you have a wonderful stateful firewall, it will
happily allow outbound DNS and the corresponding inbound replies.

For your email server to resolve DNS, you don't want to use forwarders, and you
do want to use recursion.

Per point 7. "I tried writing to the URIBL abuse administrator but got no
response"

Your case is pretty straightforward; perhaps they think you want too much help
while they've provided what's necessary on their website already. Perhaps
they're busy working on their golf swing and not reading email.

If you can't reach them from your own domain, write to them from a freemail
account instead of the domain that is in trouble, and cite your IP/domain. Be
concise. Be polite. Don't use HTML formatting if you can help it. And don't use
a legal disclaimer in your footer, because antispam/security admins are
notoriously allergic to what they interpret as your attempt to legally bind
their communication, and as a result they simply ignore such email.

Andrew.

From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, March 07, 2013 4:32 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Andrew and thanks!

The problem isn't Declude but it is spam related so I'd be interested to see if
anyone else has ideas.  I spent some time on the SmarterMail forums and this is
what it looks like:

1. SM uses a series of built-in tests as well as external tests such as
Declude.  Among these are a pair of URIBL tests that are based on links
embedded in the messages.

2. SM scores a hit for each bad link reported by URIBL and applies the weight
score to each hit.  With the default weight of 4, a message with five links
rejected by URIBL would give a total score of 4 x 5 = 20.

3. Starting some time late 2012, URIBL started rejecting some requests based on
high volume of calls from a particular server.  Various people have experienced
this problem at various
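
The difference the reply above draws between a 127.0.0.1 refusal and a 127.0.0.2 listing, worked through for the five-link message scored at weight 4, as an added example that is not part of the original posts. The grey (4) and red (8) bit values come from URIBL's published return codes rather than this thread; the function names and sample answers are constructed for illustration.

```python
import ipaddress

WEIGHT = 4            # default per-link weight quoted in the thread
BLOCKED = 0x01        # 127.0.0.1: query refused, not a listing
LIST_BITS = {"black": 0x02, "grey": 0x04, "red": 0x08}  # URIBL's published codes
URIBL_NET = ipaddress.ip_network("127.0.0.0/24")


def classify(answer):
    """Classify one lookup result: an A-record string, or None for NXDOMAIN."""
    if answer is None:
        return "clean", frozenset()
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return "unexpected", frozenset()
    if addr.version != 4 or addr not in URIBL_NET:
        # e.g. an upstream resolver that rewrites NXDOMAIN to a landing page
        return "unexpected", frozenset()
    code = int(addr) & 0xFF
    if code & BLOCKED:
        return "blocked", frozenset()
    lists = frozenset(name for name, bit in LIST_BITS.items() if code & bit)
    return ("listed", lists) if lists else ("unexpected", frozenset())


def wildcard_score(answers, weight=WEIGHT):
    """Score as a '*' match would: every answer that resolves counts as a hit."""
    return weight * sum(1 for a in answers if a is not None)


def strict_score(answers, wanted=("black",), weight=WEIGHT):
    """Score only real listings on the wanted lists; count refusals separately."""
    hits = blocked = 0
    for answer in answers:
        status, lists = classify(answer)
        if status == "blocked":
            blocked += 1
        elif status == "listed" and lists & frozenset(wanted):
            hits += 1
    return weight * hits, blocked


# Constructed sample data: answers for the five links of one message.
REFUSED_RUN = ["127.0.0.1"] * 5
MIXED_RUN = ["127.0.0.2", None, "127.0.0.1", "127.0.0.14", "127.0.0.4"]

if __name__ == "__main__":
    for label, run in (("refused", REFUSED_RUN), ("mixed", MIXED_RUN)):
        score, blocked = strict_score(run)
        print(label, "wildcard:", wildcard_score(run),
              "strict:", score, "refused lookups:", blocked)
```

A non-zero refusal count is the signal to look at which resolver is sending the queries, rather than a reason to add spam weight.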

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-11 Thread Colbeck, Andrew
Per point 3. “Once URIBL starts rejecting the requests then every request gets
scored as bad”



Read the URIBL.com site News, and Implementation sections. This is because a 
rejection isn’t quiet, it returns the value 127.0.0.1, so I’ll assume that SM 
is triggering on a result of “*” instead of “127.0.0.2” and you’ll want to go 
back to SmarterMail to figure out how to be specific about that acceptable 
response. Perhaps you’ll want to use specific tests like the Black test or the 
Red test instead of the Multi test.



Per point 5. “I'm not really sure how URIBL even knows which DNS server I use 
...last year, I had my SM server configured to use the Comcast national DNS 
servers”



Well, that’s pretty clear, a lot of people use ComCast, so ComCast has been 
flagged as a “heavy hitter” and queries through their servers to URIBL will 
cause URIBL to respond to Comcast with the “127.0.0.1” value. URIBL doesn’t 
care about your-server-asking-via-Comcast, they care about which server asked 
URIBL, which was ComCast.



Per point 6. “I was told that I need to turn off recursion on the DNS server to 
be considered acceptable to URIBL. Again, I don't know why.“



Ok, it’s plausible that URIBL tests your DNS server to see if it can be abused 
by bad guys, but I actually doubt that they do this, and it’s a red herring. 
You know that your mail volume is small enough to not be a heavy hitter but you 
are diagnosed as a heavy hitter anyway. Therefore, someone gave you this advice 
while trying to diagnose why you are getting heavy hitter results, i.e. that 
your DNS server is being abused.



The big idea here is that your mail server needs to ask a DNS server to resolve 
stuff for it, including URIBL. However, random people on the Internet should 
not be able to use your DNS server, because they will certainly abuse it to 
throw bandwidth at someone they don’t like. That’s called an open resolver, see 
here for why that’s bad 
http://dns.measurement-factory.com/surveys/openresolvers.html



It’s extremely common to use a DNS server right on your email server, and point 
your antispam queries at that DNS server. Some DNS servers allow you to specify 
the IP/subnet of allowed clients; Windows 2008 does not, it happily resolves 
for anyone. So instead of using client ACLs on the DNS server, make sure you’re 
not telling your firewall to allow inbound DNS as a service on that particular 
IP address; because of course have a wonderful stateful firewall, it will 
happily allow outbound DNS and the corresponding inbound replies.



For your email server to resolve DNS, you don’t want to use forwarders, and you 
do want to use recursion.



Per point 7. I tried writing to the URIBL abuse administrator but got no 
response



Your case is pretty straightforward; perhaps they think you want too much help 
while they’ve provided what’s necessary on their website already. Perhaps 
they’re busy working on their golf swing and not reading email.



If you can’t reach them from your own domain, write to them from a freemail 
account instead of the domain that is in trouble, and cite your IP/domain. Be 
concise. Be polite. Don’t use HTML formatting if you can help it. And don’t use 
a legal disclaimer in your footer, because antispam/security admins are 
notoriously allergic to what they interpret as your attempt to legally bind 
their communication, and as a result they simply ignore such email.





Andrew.







From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, March 07, 2013 4:32 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?



Hi Andrew and thanks!

The problem isn't Declude but it is spam related so I'd be interested to see if
anyone else has ideas.  I spent some time on the SmarterMail forums and this is
what it looks like:

1. SM uses a series of built-in tests as well as external tests such as
Declude.  Among these are a pair of URIBL tests that are based on links
embedded in the messages.

2. SM scores a hit for each bad link reported by URIBL and applies the weight
score to each hit.  With the default weight of 4, a message with five links
rejected by URIBL would give a total score of 4 x 5 = 20.

3. Starting some time late 2012, URIBL started rejecting some requests based on
high volume of calls from a particular server.  Various people have experienced
this problem at various times over the last three months. Once URIBL starts
rejecting the requests then every request gets scored as bad.  So, for example,
every message with five embedded links gets a weight of 20, regardless of the
legitimacy of those links.  This results in a sudden inflation of spam scores.

4. I don't understand how our mail server would be subject to this. Our volume
of mail isn't just small, one might almost call it tiny.  The number of calls
we make to URIBL is correspondingly very small.

5. The claim made by Those Who Know on the SM forum is that the URIBL
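
The failure mode described in the reply above, as an added example (not SmarterMail, Declude or URIBL code, and not written by anyone in this thread): a rule that treats any answer as a listing scores URIBL's 127.0.0.1 refusal as a hit on every link, while a rule that accepts only 127.0.0.2 does not. The function names, the example.com sample answers, and the reading of `URIBL:N` in the header as a hit count multiplied by the weight of 4 are assumptions; the header strings are the ones posted in the thread.

```python
import ipaddress
import re

URIBL_WEIGHT = 4        # SmarterMail's default weight per hit, as quoted in the thread
REFUSED = "127.0.0.1"   # what URIBL answers when it rejects the querying resolver
LISTED = "127.0.0.2"    # the listing answer named in Andrew's reply


def classify(answer, accepted=frozenset({LISTED})):
    """Classify one A-record answer for a '<domain>.<list zone>' lookup.

    answer is None for NXDOMAIN (domain not listed) or a dotted-quad string.
    """
    if answer is None:
        return "clean"
    try:
        ip = str(ipaddress.IPv4Address(answer))
    except ValueError:
        return "invalid"
    if ip == REFUSED:
        return "refused"
    if ip in accepted:
        return "listed"
    return "other"      # a return code this test was not configured to accept


def score_wildcard(answers, weight=URIBL_WEIGHT):
    """Weak rule (match on '*'): any answer at all counts as a hit."""
    return weight * sum(1 for a in answers.values() if a is not None)


def score_strict(answers, weight=URIBL_WEIGHT, accepted=frozenset({LISTED})):
    """Corrected rule: only accepted listing codes score; refusals are reported."""
    verdicts = {d: classify(a, accepted) for d, a in answers.items()}
    hits = sum(1 for v in verdicts.values() if v == "listed")
    refused = sorted(d for d, v in verdicts.items() if v == "refused")
    return weight * hits, refused


def uribl_share(spam_header, total_weight, weight=URIBL_WEIGHT):
    """Split X-SmarterMail-TotalSpamWeight into URIBL points and everything else.

    Assumes 'URIBL:N' is the number of hits, each worth `weight` points.
    Returns (hits, uribl_points, remaining_points).
    """
    m = re.search(r"\bURIBL:(\d+)", spam_header)
    hits = int(m.group(1)) if m else 0
    return hits, hits * weight, total_weight - hits * weight


# Constructed sample: five links in one message, looked up through a resolver
# that URIBL is refusing, so every lookup comes back with the refusal code.
REFUSED_RESOLVER = {f"link{i}.example.com": REFUSED for i in range(1, 6)}

# Constructed sample: the same five links through a resolver URIBL accepts;
# four are not listed (NXDOMAIN) and one is.
WORKING_RESOLVER = {f"link{i}.example.com": None for i in range(1, 6)}
WORKING_RESOLVER["link3.example.com"] = LISTED

# (X-SmarterMail-Spam, X-SmarterMail-TotalSpamWeight) pairs posted in the thread;
# the last one is the "typical" message from 26 Feb.
THREAD_HEADERS = [
    ("SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, URIBL:3, Declude: 0", 15),
    ("SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, URIBL:7, Declude: -3", 28),
    ("SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, URIBL:10, Declude: -3", 41),
    ("SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, Declude: -3", 5),
]


def report():
    """Return printable lines comparing both rules and breaking down the headers."""
    lines = []
    for name, answers in (("refused resolver", REFUSED_RESOLVER),
                          ("working resolver", WORKING_RESOLVER)):
        points, refused = score_strict(answers)
        lines.append(f"{name}: wildcard={score_wildcard(answers)} "
                     f"strict={points} refused_lookups={len(refused)}")
    for header, total in THREAD_HEADERS:
        hits, points, rest = uribl_share(header, total)
        lines.append(f"total={total}: URIBL hits={hits} -> {points} points, "
                     f"other tests={rest}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

When `score_strict` reports refused lookups, the resolver path is what needs fixing; the message itself has not been judged by the list.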

Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-07 Thread SM Admin
Hi Andrew and thanks!

The problem isn't Declude but it is spam related so I'd be interested to see if 
anyone else has ideas.  I spent some time on the SmarterMail forums and this is 
what it looks like:

1. SM uses a series of built-in tests as well as external tests such as 
Declude.  Among these are a pair of URIBL tests that are based on links 
embedded in the messages.
2. SM scores a hit for each bad link reported by URIBL and applies the weight 
score to each hit.  With the default weight of 4, a message with five links 
rejected by URIBL would give a total score of 4 x 5 = 20.
3. Starting some time late 2012, URIBL started rejecting some requests based on 
high volume of calls from a particular server.  Various people have experienced 
this problem at various times over the last three months. Once URIBL starts 
rejecting the requests then every request gets scored as bad.  So, for example, 
every message with five embedded links gets a weight of 20, regardless of the 
legitimacy of those links.  This results in a sudden inflation of spam scores.
4. I don't understand how our mail server would be subject to this. Our volume 
of mail isn't just small, one might almost call it tiny.  The number of calls 
we make to URIBL is correspondingly very small.
5. The claim made by Those Who Know on the SM forum is that the URIBL rejection 
is really directed at those who use high volume public DNS servers. I'm not 
really sure how URIBL even knows which DNS server I use, but that's the claim.  
Since last year, I have had my SM server configured to use the Comcast national 
DNS servers (Comcast being my upstream provider). Since that's supposed to be 
the problem, I switched to our in-house public DNS server, but that didn't help 
either.  Then I tried setting up a private DNS server on the mail server itself 
and still couldn't get it to work.
6. Then I was told that I need to turn off recursion on the DNS server to be 
considered acceptable to URIBL. Again, I don't know why.  The problem is that I 
use the MS DNS server (Win 2008) and when you turn off recursion, it forced off 
forwarding as well.  There are many good reasons for not wanting to turn off 
forwarding (in fact, MS doesn't recommend it). So now I'm stuck between a rock 
and a hard place.
7. I tried writing to the URIBL abuse administrator but got no response and 
couldn't find any other contact information.

Anyone able to correct or illuminate me?

Thanks,

Ben
  - Original Message -
  From: Colbeck, Andrew
  To: Declude.JunkMail@declude.com
  Sent: Wednesday, March 06, 2013 3:27 PM
  Subject: RE: [Declude.JunkMail] why have spam scores jumped?


  Ben, check the archive website here 
http://www.mail-archive.com/declude.junkmail@declude.com/ for the mail you’ve 
missed.





  Andrew.





  From: SM Admin [mailto:imailad...@bcwebhost.net]
  Sent: Tuesday, March 05, 2013 10:10 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] why have spam scores jumped?



  Thanks for the heads-up, but I didn’t and still don’t see either my original 
email or the responses.  I just took a look at it via the web interface because 
sometimes Microsoft Live Mail (like Outlook Express before it) will not show 
some messages where it doesn’t like the header, but I just don’t see either my 
message or the responses. I’m assuming what happened was exactly what I was 
asking about – those messages were given high spam scores and deleted.



  I don’t suppose you could resend those replies to the list?



  Thanks,



  Ben



  From: Randy Armbrecht

  Sent: Tuesday, March 05, 2013 11:12 AM

  To: Declude.JunkMail@declude.com

  Subject: RE: [Declude.JunkMail] why have spam scores jumped?



  Your Friday post did show up and already has 2 or 3 responses to it







  Sincerely,



  Randy Armbrecht

  Global Web Solutions, Inc.

  Office: 804.442.5300 x112

  Toll Free: 877.800.4562



  24 /7 Tech Support!

  Your Internet Source.Since 1996!



  NEW GlobalSync Remote-BackUp Solutions!



  Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services

  Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's

  PC Support - Networking - Virus/MalWare Removal



  25% discount on most services for Non-Profits!  Call us today!



  From: SM Admin [mailto:imailad...@bcwebhost.net]
  Sent: Tuesday, March 05, 2013 1:52 PM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] why have spam scores jumped?



  (I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



  Hi,



  I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



  We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-06 Thread Colbeck, Andrew
Ben, check the archive website here 
http://www.mail-archive.com/declude.junkmail@declude.com/ for the mail you’ve 
missed.





Andrew.





From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 10:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?



Thanks for the heads-up, but I didn’t and still don’t see either my original 
email or the responses.  I just took a look at it via the web interface because 
sometimes Microsoft Live Mail (like Outlook Express before it) will not show 
some messages where it doesn’t like the header, but I just don’t see either my 
message or the responses. I’m assuming what happened was exactly what I was 
asking about – those messages were given high spam scores and deleted.



I don’t suppose you could resend those replies to the list?



Thanks,



Ben



From: Randy Armbrecht mailto:ra...@globalweb.us

Sent: Tuesday, March 05, 2013 11:12 AM

To: Declude.JunkMail@declude.com

Subject: RE: [Declude.JunkMail] why have spam scores jumped?



Your Friday post did show up and already has 2 or 3 responses to it







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562






From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com

[Declude.JunkMail] why have spam scores jumped?

2013-03-05 Thread SM Admin
(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)

Hi,

I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.

We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?

Thanks,

Ben

***
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15
*
-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28
**
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41
**
Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-05 Thread Randy Armbrecht
Your Friday post did show up and already has 2 or 3 responses to it







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562






From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5










Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-05 Thread SM Admin
Thanks for the heads-up, but I didn’t and still don’t see either my original 
email or the responses.  I just took a look at it via the web interface because 
sometimes Microsoft Live Mail (like Outlook Express before it) will not show 
some messages where it doesn’t like the header, but I just don’t see either my 
message or the responses. I’m assuming what happened was exactly what I was 
asking about – those messages were given high spam scores and deleted.

I don’t suppose you could resend those replies to the list?

Thanks,

Ben

From: Randy Armbrecht
Sent: Tuesday, March 05, 2013 11:12 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Your Friday post did show up and already has 2 or 3 responses to it







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562






From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-02 Thread Randy Armbrecht
This doesn’t look like Declude is the culprit in your scoring, but rather your 
SmarterMail Spam scoring is the culprit.  Have you changed anything recently in 
the Spam settings of SmarterMail?







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562






From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Friday, March 01, 2013 8:54 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5








--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
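
One way to triage the jump described in this thread, added here as an example (not code from the list, Declude or SmarterMail): parse the X-SmarterMail-Spam and X-SmarterMail-TotalSpamWeight headers of a known-good and a suspect message from the same sender, then report which tests are new and how far the total moved. The function names are hypothetical; the header values are copied from the Tuesday message and the third 01 Mar message quoted above.

```python
import re
from email import message_from_string

# Constructed minimal messages: only the two SmarterMail headers are kept,
# with values copied from the headers quoted in this thread.
BASELINE = """\
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None,
 Declude: -3
X-SmarterMail-TotalSpamWeight: 5

"""
JUMPED = """\
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None,
 URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

"""

# Test name, then an optional number after ":" or a space ("URIBL:10", "Declude: -3").
TOKEN = re.compile(r"([A-Za-z_]+(?: [A-Za-z_]+)*)[:\s]*(-?\d+)?")

def parse_scores(raw):
    """Return ({test name: number or None}, total weight) for one message."""
    msg = message_from_string(raw)
    spam = " ".join(msg["X-SmarterMail-Spam"].split())  # unfold the header
    tests = {}
    for token in spam.split(","):
        m = TOKEN.match(token.strip())
        if m:
            tests[m.group(1)] = int(m.group(2)) if m.group(2) else None
    # The total may carry a suffix such as "0 (Trusted Sender)".
    total_hdr = msg["X-SmarterMail-TotalSpamWeight"].strip()
    total = int(re.match(r"-?\d+", total_hdr).group())
    return tests, total

def drift(baseline_raw, suspect_raw):
    """Compare a suspect message against a known-good one from the same sender."""
    base, base_total = parse_scores(baseline_raw)
    sus, sus_total = parse_scores(suspect_raw)
    return {
        "new_tests": sorted(set(sus) - set(base)),
        "changed": {k: (base[k], sus[k])
                    for k in sus if k in base and base[k] != sus[k]},
        "total_delta": sus_total - base_total,
    }

if __name__ == "__main__":
    print(drift(BASELINE, JUMPED))
```

The comparison makes no assumption about SmarterMail's per-test weights; it only shows which test names appear in the higher-scoring message and not in the baseline.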





RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-02 Thread Michael Graveen
A discussion on the subject that may be of interest in the SmarterMail forum.

http://forums.smartertools.com/showthread.php/38483-jump-in-spam-scores


Mike


Michael Graveen

m...@anim8.net



Return-Path: declude.junkmail-f83d868d348149c9928eaad64e22d...@declude.com

Received: from smtp.declude.com (smtp.declude.com [216.144.195.81]) by 
ns.pixel8.com with SMTP;

Sat, 2 Mar 2013 10:23:43 -0600

Received: from smail.globalweb.net (smail.globalweb.net [208.74.80.105]) by 
smtp.declude.com with SMTP;

Sat, 2 Mar 2013 11:22:35 -0500

Received: from HRADT (173-163-199-121-richmond.hfc.comcastbusiness.net 
[173.163.199.121]) by smail.globalweb.net with SMTP;

Sat, 2 Mar 2013 11:22:22 -0500

From: Randy Armbrecht ra...@globalweb.us

To: Declude.JunkMail@declude.com

References: 
1044585735_52516...@declude.com1056213922_52517...@declude.com1070057329_52517...@declude.com1226673407_52521...@declude.com1245946641_52522...@declude.com
 1249494625_52522...@declude.com 1251923344_52522...@declude.com 
-1916622906_42591...@declude.com

In-Reply-To: -1916622906_42591...@declude.com

Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Date: Sat, 2 Mar 2013 11:22:04 -0500

Message-ID: -1864395546_42592...@declude.com

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary==_NextPart_000_053A_01CE1738.2B571DA0

X-Mailer: Microsoft Outlook 14.0

X-Vipre-Scanned: 0AC03A97003DC80AC03BE4

Thread-Index: 
AQGfnOsLrnxuRjEYIyUIZ/qhpeQALAIkewrQA4Zvh3wCcEpK0AG5X5wcAlfJDG0BMAgZkQGdxfpImHe4hjA=

Content-Language: en-us

X-GBUdb-Analysis: 0, 208.74.80.105, Ugly c=0 p=0 Source New

X-MessageSniffer-Scan-Result: 0

X-MessageSniffer-SNF-Group: OK

X-Declude-Sender: ra...@globalweb.us [208.74.80.105]

X-Declude-Spoolname: 42592729.eml

X-Declude-RefID: str=0001.0A020208.51322762.00AC,ss=1,fgs=0

X-DECLUDE: 
--

X-Declude-Note: Scanned by Declude 4.12.01 http://www.declude.com/x-note.htm;

X-Declude-Scan: Incoming Score [-3] at 11:23:01 on 02 Mar 2013 by

X-Declude-Tests: TOKENS [-5], MAILSPIKE-L2 [6], SPFPASS [-1], CT-UNKNOWN [-1], 
FILTER-SUBJECT [2], FILTER-SPAM [5], HAM-INDICATOR [-5], X1234X [0], 
UNSUBSCRIBE [-100], SUBJECT-FWD [-100]

X-Country-Chain: UNITED STATES-destination

X-Declude-Code: e

X-Declude-Recipcount: 1

X-Recipients: declude.junkmail@declude.com

X-HELO: smail.globalweb.net

X-Identity: 208.74.80.105 | smail.globalweb.net | globalweb.us

X-DECLUDE: 
--

List-Id: listid.Declude.JunkMail.42592764.declude.com

X-Mailing-List: Declude.JunkMail@declude.com

Reply-to: Declude.JunkMail@declude.com

Precedence: list

Sender: Randy Armbrecht ra...@globalweb.us

X-Rcpt-To: m...@anim8.net

X-SmarterMail-Spam: SPF_Pass, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
Custom Rules [], URIBL:11

X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender)

This doesn't look like Declude is the culprit in your scoring, but rather your 
SmarterMail Spam scoring is the culprit.  Have you changed anything recently in 
the Spam settings of SmarterMail?




Sincerely,

Randy Armbrecht
Global Web Solutions, Inc.
Office: 804.442.5300 x112
Toll Free: 877.800.4562




From: SM Admin [mailto:imailad...@bcwebhost.net]

Sent: Friday, March 01, 2013 8:54 PM

To: Declude.JunkMail@declude.com

Subject: [Declude.JunkMail] why have spam scores jumped?



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being given much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0

X-MessageSniffer-Rules: 0-0-0-2998-c

X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]

X-Declude-Spoolname: 195938010.eml

X-Declude-RefID:

X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;

X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013

X-Declude-Tests: SPFUNKNOWN [1]

X-Country-Chain: UNITED STATES-destination

X-Declude-Code: e

X-HELO: mail.garrettlaw.com

X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com

X-SmarterMail-Spam