Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread SM Admin
Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network
traffic, but we can live without.  However, I need one server to be both
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can
set up to directly use the Comcast DNS servers (small network so I don't
need internal DNS).  But the mail server presents us the same kind of
problem.

The perfect solution would be a setting that tells the MS DNS server to
accept recursive requests only from specified client IPs, but I don't see
any way to do that.  Any ideas?

Thanks,

Ben

-Original Message-
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
Queries for any other records returns no results.  Used when server is
authoritative for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files,
and 2 recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recurion is on.
If Forwarder is set and DNS server does not know the answer to a query,
the DNS server will ask the Forwarder DNS server for the answer.
If no Forwarder is set and the DNS server does not know the answer to a
query the DNS server will contact the Root servers and find the answer
itself.

My experience with  MS DNS is that forwarders are setup at installation
because the installer assumes a blank forwarder means the DNS server will be
unable to lookup addresses.  Because DNS works with a forwarder the setting
gets left on.  About the only time I recommend forwarders is if the site
uses something like OpenDNS for Content Filtering, in which case all queries
should go tot he OpenDNS servers.



-Original Message-
From: Sanford Whiteman sa...@cypressintegrated.com
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding. For MS DNS  servers,
 forwarding and recursion are tied together; turn off one  and you lose
 both. Incorrect. Turning off recursion turns off forwarders, but not vice
 versa. You can have a perfectly operating recursive MS DNS server that
 does not delegate recursion to any other server (forwarding amounts to
 delegating recursion, but the server as a whole is still recursive, thus
 the unidirectional relationship between the two settings). You only MUST
 use forwarders if you are not allowed to pass DNS requests out past your
 ISP's border (similar to when you have to use the ISP's outbound SMTP
 gateway).  So if I turn off recursion and forwarding, then all my DNS
 requests  will have to go to the root servers for resolution. No, if you
 turn off recursion completely, you can't get responses for domains that
 aren't on your box. No one is going to do it for you -- the root servers
 sure won't.  I do understand the dangers of being an open resolver You're
 mixing up a lot of terms here. An open resolver is one that will perform
 recursive lookups for any address on the open internet.  but I am also
 under the impression that resolving only through root  servers is bad.
 It's not bad, it doesn't exist.  Since MS seems to recommend forwarding
 I doubt that...  With a stub zone, queries to URIBL.com are resolved
 directly through  the URIBL Name servers... ... and there is no reason to
 go down this road. If you can get DNS requests past your ISP, there's no
 reason to have forwarders. -- S. --- This E-mail came from the
 Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to
 imail...@declude.com, and type unsubscribe Declude.JunkMail. The
 archives can be found at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread SM Admin
Ahhh, yes, but that’s the answer I don't want.  Right now, I could take our
existing old authoritative DNS server and make it non-recursive, then put a
recursive name server on the mail server itself, but listening only to the
internal IP and that would seem to follow your suggestion.  Although, when I
look at the Interface tab in Properties, I don't see a local or 127.0.0.1
IP.  Maybe it's that funny IPv6 string I see?

The problem is that we're downsizing and consolidating this stuff, so we'd
like to move all the DNS functions over to just the mail server and retire
the old DNS server.  In that case, of course, we only have one DNS server.

I've been looking online to see how others might handle this.  It seems that
BIND can do this one way or another.  You might be able to tell it to listen
for recursive requests only on certain IPs or you can disable all recursion
for the server but then override it for each of your authoritative zones.
Unfortunately, I have yet to find either of those features as part of MS DNS
and I'm not about to launch into the world of BIND.

The second idea was to consolidate the DNS server onto the mail server,
enable recursion, but then block recursive requests from the outside world.
For example, use a firewall to block recursive requests (but only those that
are recursive) from the outside.  I found some online discussion of people
trying to do this, possibly using port 53, but no indications that anyone
actually succeeded.

So for now, I'm still stuck.

-Original Message-
From: Darin Cox
Sent: Friday, March 15, 2013 11:11 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Ben,

You'll want to set up at least two DNS servers for that.  One recursive for
mail server lookups, most likely on the mail server.  The DNS service on the
mail server should not be publicly accessible.  The other non-recursive DNS
server can be used as your nameserver and, of course, publicly accessible.
Since you need multiple nameservers anyway, this is not likely an issue.
And you'll want them on separate subnets, network connections, etc... as
much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services
is that if you host any websites that process credit cards, PCI-DSS
compliance requires any publicly accessible DNS services on the web or email
server to have recursion turned off.

Hope this helps,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy.  Of course, if I had understood everything perfectly (or even
reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could
actually toggle Forwarding and Recursion separately.  However, under Windows
2008 server this isn't the case.  You are correct that it's not symmetric as
I claimed, although I really did no better.  Turning off recursion from the
Advanced properties tab turns off forwarding.  Turning off forwarding I
assume is done by just not having any forwarders listed.  So what I said
previously was wrong, although I don't see where it really changes what I
was thinking about.

The challenge here is that our DNS server has two purposes: it is the
authoritative name server for a bunch of zone and it is also the primary
name server used by our mail server.

For purposes of being authoritative for our hosted zones we don't need
either recursion or forwarding.  Requests come to us, get what they need,
and then go away.  For purposes of our mail server we need our DNS server to
be recursive, at the least.

We set up forwarding to the Comcast name servers to offload server and
network traffic.  They can do all the recursion and then pass back the
results to our DNS server, which passes the results back to our mail server.
So I gather the recommendation here is to skip the forwarding and do all the
work ourselves.

I don't understand your remark about open resolver because you don't explain
where I'm wrong in my understanding.  What I understand is that if you have
a DNS server that does recursion on a public IP, then it is an open resolver
and could be attacked. Is that wrong? And if we turn off forwarding but
leave on recursion, then won't our name server still be an open resolver? It
needs to be that way so that the mail server can resolve its requests
against it.

In theory, I only need our name server to be recursive on requests from our
mail server and to be non-recursive for everyone else.  However, I haven't
seen any way to configure that.

Thanks,

Ben

-Original Message-
From: Sanford Whiteman
Sent: Friday, March 15, 2013 6:08 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding

Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Darin Cox
Ben,

You may be able to run multiple instances of BIND on different IPs on the
same server, or a combination of MS DNS and BIND on different IPs on the
same server, but you _really_ don't want to.  Downsizing redundancy in your
nameserver DNS is just plain the wrong thing to do.

The reason you're not finding the answers you want is that you're asking the
wrong question.

Sorry,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 2:51 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Ahhh, yes, but that’s the answer I don't want.  Right now, I could take our
existing old authoritative DNS server and make it non-recursive, then put a
recursive name server on the mail server itself, but listening only to the
internal IP and that would seem to follow your suggestion.  Although, when I
look at the Interface tab in Properties, I don't see a local or 127.0.0.1
IP.  Maybe it's that funny IPv6 string I see?

The problem is that we're downsizing and consolidating this stuff, so we'd
like to move all the DNS functions over to just the mail server and retire
the old DNS server.  In that case, of course, we only have one DNS server.

I've been looking online to see how others might handle this.  It seems that
BIND can do this one way or another.  You might be able to tell it to listen
for recursive requests only on certain IPs or you can disable all recursion
for the server but then override it for each of your authoritative zones.
Unfortunately, I have yet to find either of those features as part of MS DNS
and I'm not about to launch into the world of BIND.

The second idea was to consolidate the DNS server onto the mail server,
enable recursion, but then block recursive requests from the outside world.
For example, use a firewall to block recursive requests (but only those that
are recursive) from the outside.  I found some online discussion of people
trying to do this, possibly using port 53, but no indications that anyone
actually succeeded.

So for now, I'm still stuck.

-Original Message-
From: Darin Cox
Sent: Friday, March 15, 2013 11:11 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Ben,

You'll want to set up at least two DNS servers for that.  One recursive for
mail server lookups, most likely on the mail server.  The DNS service on the
mail server should not be publicly accessible.  The other non-recursive DNS
server can be used as your nameserver and, of course, publicly accessible.
Since you need multiple nameservers anyway, this is not likely an issue.
And you'll want them on separate subnets, network connections, etc... as
much separation as you can get to avoid common points of failure.

Another reason to separate the nameservers from your web and email services
is that if you host any websites that process credit cards, PCI-DSS
compliance requires any publicly accessible DNS services on the web or email
server to have recursion turned off.

Hope this helps,

Darin.

-Original Message-
From: SM Admin
Sent: Saturday, March 16, 2013 1:55 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks, Sandy.  Of course, if I had understood everything perfectly (or even
reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could
actually toggle Forwarding and Recursion separately.  However, under Windows
2008 server this isn't the case.  You are correct that it's not symmetric as
I claimed, although I really did no better.  Turning off recursion from the
Advanced properties tab turns off forwarding.  Turning off forwarding I
assume is done by just not having any forwarders listed.  So what I said
previously was wrong, although I don't see where it really changes what I
was thinking about.

The challenge here is that our DNS server has two purposes: it is the
authoritative name server for a bunch of zone and it is also the primary
name server used by our mail server.

For purposes of being authoritative for our hosted zones we don't need
either recursion or forwarding.  Requests come to us, get what they need,
and then go away.  For purposes of our mail server we need our DNS server to
be recursive, at the least.

We set up forwarding to the Comcast name servers to offload server and
network traffic.  They can do all the recursion and then pass back the
results to our DNS server, which passes the results back to our mail server.
So I gather the recommendation here is to skip the forwarding and do all the
work ourselves.

I don't understand your remark about open resolver because you don't explain
where I'm wrong in my understanding.  What I understand is that if you have
a DNS server that does recursion on a public IP, then it is an open resolver
and could be attacked. Is that wrong? And if we turn off forwarding but
leave on recursion

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Andy Schmidt
If you're that small - how many PUBLIC domains do you have to be authoritative 
for? What is the change frequency in a year, that you need this to be on your 
local DNS.

For redundancy and availability purposes, why not host your public DNS at your 
registry, block incoming DNS queries at your border router/firewall - and set 
up your strinctly IN-HOUSE DNS server recursive?

-Original Message-
From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Saturday, March 16, 2013 2:04 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Very succinct. But I need further explanation...

Forget forwarding. We'd like to keep it to off-load the server and network 
traffic, but we can live without.  However, I need one server to be both 
recursive for our mail server and non-recursive for our authoritative zones.
We don't have to worry about our internal workstations because those I can set 
up to directly use the Comcast DNS servers (small network so I don't need 
internal DNS).  But the mail server presents us the same kind of problem.

The perfect solution would be a setting that tells the MS DNS server to accept 
recursive requests only from specified client IPs, but I don't see any way to 
do that.  Any ideas?

Thanks,

Ben

-Original Message-
From: Scott Fosseen
Sent: Friday, March 15, 2013 10:33 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.
Queries for any other records returns no results.  Used when server is 
authoritative for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the 
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files, and 2 
recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recurion is on.
If Forwarder is set and DNS server does not know the answer to a query, the 
DNS server will ask the Forwarder DNS server for the answer.
If no Forwarder is set and the DNS server does not know the answer to a 
query the DNS server will contact the Root servers and find the answer itself.

My experience with  MS DNS is that forwarders are setup at installation because 
the installer assumes a blank forwarder means the DNS server will be unable to 
lookup addresses.  Because DNS works with a forwarder the setting gets left on. 
 About the only time I recommend forwarders is if the site uses something like 
OpenDNS for Content Filtering, in which case all queries should go tot he 
OpenDNS servers.



-Original Message-
From: Sanford Whiteman sa...@cypressintegrated.com Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding. For MS DNS  servers,
 forwarding and recursion are tied together; turn off one  and you
 lose both. Incorrect. Turning off recursion turns off forwarders, but
 not vice versa. You can have a perfectly operating recursive MS DNS
 server that does not delegate recursion to any other server
 (forwarding amounts to delegating recursion, but the server as a whole
 is still recursive, thus the unidirectional relationship between the
 two settings). You only MUST use forwarders if you are not allowed to
 pass DNS requests out past your ISP's border (similar to when you have
 to use the ISP's outbound SMTP gateway).  So if I turn off recursion
 and forwarding, then all my DNS requests  will have to go to the root
 servers for resolution. No, if you turn off recursion completely, you
 can't get responses for domains that aren't on your box. No one is going to 
 do it for you -- the root servers
 sure won't.  I do understand the dangers of being an open resolver
 You're mixing up a lot of terms here. An open resolver is one that
 will perform recursive lookups for any address on the open internet. 
 but I am also under the impression that resolving only through root  servers 
 is bad.
 It's not bad, it doesn't exist.  Since MS seems to recommend
 forwarding I doubt that...  With a stub zone, queries to URIBL.com
 are resolved directly through  the URIBL Name servers... ... and
 there is no reason to go down this road. If you can get DNS requests
 past your ISP, there's no reason to have forwarders. -- S. --- This
 E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
 just send an E-mail to imail...@declude.com, and type unsubscribe
 Declude.JunkMail. The archives can be found at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe, just 
send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail.  The archives can be found at http://www.mail-archive.com.




---
This E-mail came from

Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-16 Thread Sanford Whiteman
Ben, you'd find Simple DNS Plus an easy cross-grade. We have used it
exclusively for all user-facing DNS for many years. We only use MS DNS
as a stealth primary.

Also, as Andy said, it's hard to believe your authoritiative domains
require more than a few dollars a month worth of DNS hosting -- some
hosts even have a free plan you might fall under.

-- S.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-15 Thread Sanford Whiteman
 The challenge for me is in not using forwarding.  For MS DNS
 servers,  forwarding and recursion are tied together; turn off one
 and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice
versa.

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

 So if I turn off recursion and forwarding, then all my DNS requests
 will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the root servers sure won't.

 I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

 but I am also under the impression that resolving only through root
 servers is bad.

It's not bad, it doesn't exist.

 Since MS seems to recommend forwarding

I doubt that...

 With a stub zone, queries to URIBL.com are resolved directly through
 the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-15 Thread Scott Fosseen
Another way to look at it.

Recursion:
  Off: DNS server can only answer queries from its local zone files.  Queries 
for any other records returns no results.  Used when server is authoritative 
for Public domains (declude.com, nasa.gov)
  On:  DNS server will try to answer all Queries.  If it does not know the 
answer it will call out to other DNS servers to get the answer.
( I run both.  I have 4 non-recursive DNS servers for hosting zone files, and 2 
recursive DNS servers for workstations to point to.  )

Forwarders:  Valid only if Recurion is on.
If Forwarder is set and DNS server does not know the answer to a query, the 
DNS server will ask the Forwarder DNS server for the answer.
If no Forwarder is set and the DNS server does not know the answer to a 
query the DNS server will contact the Root servers and find the answer itself.

My experience with  MS DNS is that forwarders are setup at installation because 
the installer assumes a blank forwarder means the DNS server will be unable to 
lookup addresses.  Because DNS works with a forwarder the setting gets left on. 
 About the only time I recommend forwarders is if the site uses something like 
OpenDNS for Content Filtering, in which case all queries should go tot he 
OpenDNS servers.



-Original Message-
From: Sanford Whiteman sa...@cypressintegrated.com
Sent 3/15/2013 8:08:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding. For MS DNS  servers, 
 forwarding and recursion are tied together; turn off one  and you lose both. 
 Incorrect. Turning off recursion turns off forwarders, but not vice versa. 
 You can have a perfectly operating recursive MS DNS server that does not 
 delegate recursion to any other server (forwarding amounts to delegating 
 recursion, but the server as a whole is still recursive, thus the 
 unidirectional relationship between the two settings). You only MUST use 
 forwarders if you are not allowed to pass DNS requests out past your ISP's 
 border (similar to when you have to use the ISP's outbound SMTP gateway).  
 So if I turn off recursion and forwarding, then all my DNS requests  will 
 have to go to the root servers for resolution. No, if you turn off recursion 
 completely, you can't get responses for domains that aren't on your box. No 
 one is going to do it for you -- the root servers sure won't.  I do 
 understand the dangers of being an open resolver You're mixing up a lot of 
 terms here. An open resolver is one that will perform recursive lookups for 
 any address on the open internet.  but I am also under the impression that 
 resolving only through root  servers is bad. It's not bad, it doesn't 
 exist.  Since MS seems to recommend forwarding I doubt that...  With a stub 
 zone, queries to URIBL.com are resolved directly through  the URIBL Name 
 servers... ... and there is no reason to go down this road. If you can get 
 DNS requests past your ISP, there's no reason to have forwarders. -- S. --- 
 This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just 
 send an E-mail to imail...@declude.com, and type unsubscribe 
 Declude.JunkMail. The archives can be found at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-15 Thread Sanford Whiteman
 My experience with  MS DNS is that forwarders are setup at
 installation because the installer assumes a blank forwarder means
 the DNS server will be unable to lookup addresses.

Well put. That must explain the feeling that forwarders are
recommended -- they've been turned on for so long that they're thought
to be the necessary.

-- S.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-15 Thread SM Admin
Thanks, Sandy.  Of course, if I had understood everything perfectly (or even
reasonably), I wouldn't have had to post my questions here.

On our old DNS server that ran under Windows 2000 Advanced Server, you could
actually toggle Forwarding and Recursion separately.  However, under Windows
2008 server this isn't the case.  You are correct that it's not symmetric as
I claimed, although I really did no better.  Turning off recursion from the
Advanced properties tab turns off forwarding.  Turning off forwarding I
assume is done by just not having any forwarders listed.  So what I said
previously was wrong, although I don't see where it really changes what I
was thinking about.

The challenge here is that our DNS server has two purposes: it is the
authoritative name server for a bunch of zone and it is also the primary
name server used by our mail server.

For purposes of being authoritative for our hosted zones we don't need
either recursion or forwarding.  Requests come to us, get what they need,
and then go away.  For purposes of our mail server we need our DNS server to
be recursive, at the least.

We set up forwarding to the Comcast name servers to offload server and
network traffic.  They can do all the recursion and then pass back the
results to our DNS server, which passes the results back to our mail server.
So I gather the recommendation here is to skip the forwarding and do all the
work ourselves.

I don't understand your remark about open resolver because you don't explain
where I'm wrong in my understanding.  What I understand is that if you have
a DNS server that does recursion on a public IP, then it is an open resolver
and could be attacked. Is that wrong? And if we turn off forwarding but
leave on recursion, then won't our name server still be an open resolver? It
needs to be that way so that the mail server can resolve its requests
against it.

In theory, I only need our name server to be recursive on requests from our
mail server and to be non-recursive for everyone else.  However, I haven't
seen any way to configure that.

Thanks,

Ben

-Original Message-
From: Sanford Whiteman
Sent: Friday, March 15, 2013 6:08 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

 The challenge for me is in not using forwarding.  For MS DNS
 servers,  forwarding and recursion are tied together; turn off one
 and you lose  both.

Incorrect. Turning off recursion turns off forwarders, but not vice
versa.

You can have a perfectly operating recursive MS DNS server that does
not delegate recursion to any other server (forwarding amounts to
delegating recursion, but the server as a whole is still recursive,
thus the unidirectional relationship between the two settings).

You only MUST use forwarders if you are not allowed to pass DNS
requests out past your ISP's border (similar to when you have to use
the ISP's outbound SMTP gateway).

 So if I turn off recursion and forwarding, then all my DNS requests
 will have to go to the root servers for resolution.

No, if you turn off recursion completely, you can't get responses for
domains that aren't on your box. No one is going to do it for you --
the root servers sure won't.

 I do understand the dangers of being an open resolver

You're mixing up a lot of terms here. An open resolver is one that
will perform recursive lookups for any address on the open internet.

 but I am also under the impression that resolving only through root
 servers is bad.

It's not bad, it doesn't exist.

 Since MS seems to recommend forwarding

I doubt that...

 With a stub zone, queries to URIBL.com are resolved directly through
 the URIBL Name servers...

... and there is no reason to go down this road. If you can get DNS
requests past your ISP, there's no reason to have forwarders.

-- S.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-12 Thread Nick Hayer
Thank you Andrew.

Every time you write something its an education.  Much appreciated.

-Nick

MadRiverAccess.com|Skywaves.net Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
http://www.skywaves.net/content/secure/support_ticket.htm


 From: Colbeck, Andrew acolb...@bentallkennedy.com
Sent: Monday, March 11, 2013 9:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

 Per point 3. Once URIBL starts rejected the requests then every 
request gets scored as bad   Read the URIBL.com site News, and Implementation 
sections. This is because a rejection isn't quiet, it returns the value 
127.0.0.1, so I'll assume that SM is triggering on a result of * instead of 
127.0.0.2 and you'll want to go back to SmarterMail to figure out how to be 
specific about that acceptable response. Perhaps you'll want to use specific 
tests like the Black test or the Red test instead of the Multi test.   Per 
point 5. I'm not really sure how URIBL even knows which DNS server I use 
...last year, I had my SM server configured to use the Comcast national DNS 
servers   Well, that's pretty clear, a lot of people use ComCast, so ComCast 
has been flagged as a heavy hitter and queries through their servers to URIBL 
will cause URIBL to respond to Comcast with the 127.0.0.1 value. URIBL 
doesn't care about your-server-asking-via-Comcast, they care about which server 
asked URIBL, which was ComCast.   Per point 6. I was told that I need to turn 
off recursion on the DNS server to be considered acceptable to URIBL. Again, I 
don't know why.   Ok, it's plausible that URIBL tests your DNS server to see 
if it can be abused by bad guys, but I actually doubt that they do this, and 
it's a red herring. You know that your mail volume is small enough to not be a 
heavy hitter but you are diagnosed as a heavy hitter anyway. Therefore, someone 
gave you this advice while trying to diagnose why you are getting heavy hitter 
results, i.e. that your DNS server is being abused.   The big idea here is that 
your mail server needs to ask a DNS server to resolve stuff for it, including 
URIBL. However, random people on the Internet should not be able to use your 
DNS server, because they will certainly abuse it to throw bandwidth at someone 
they don't like. That's called an open resolver, see here for why that's bad 
http://dns.measurement-factory.com/surveys/openresolvers.html   It's extremely 
common to use a DNS server right on your email server, and point your antispam 
queries at that DNS server. Some DNS servers allow you to specify the IP/subnet 
of allowed clients; Windows 2008 does not, it happily resolves for anyone. So 
instead of using client ACLs on the DNS server, make sure you're not telling 
your firewall to allow inbound DNS as a service on that particular IP address; 
because of course have a wonderful stateful firewall, it will happily allow 
outbound DNS and the corresponding inbound replies.   For your email server to 
resolve DNS, you don't want to use forwarders, and you do want to use 
recursion.   Per point 7. I tried writing to the URIBL abuse administrator but 
got no response   Your case is pretty straightforward; perhaps they think you 
want too much help while they've provided what's necessary on their website 
already. Perhaps they're busy working on their golf swing and not reading 
email.   If you can't reach them from your own domain, write to them from a 
freemail account instead of the domain that is in trouble, and cite your 
IP/domain. Be concise. Be polite. Don't use HTML formatting if you can help it. 
And don't use a legal disclaimer in your footer, because antispam/security 
admins are notoriously allergic to what they interpret as your attempt to 
legally bind their communication, and as a result they simply ignore such 
email. Andrew.   From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, March 07, 2013 4:32 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?  Hi Andrew and 
thanks!   The problem isn't Declude but it is spam related so I'd be 
interested to see if anyone else has ideas.  I spent some time on the 
SmarterMail forums and this is what it looks like:   1. SM uses a series of 
built-in tests as well as external tests such as Declude.  Among these are a 
pair of URIBL tests that are based on links embedded in the messages.   2. SM 
scores a hit for each bad link reported by URIBL and applies the weight score 
to each hit.  With the default weight of 4, a message with five links rejected 
by URIBL would give a total score of 4 x 5 = 20.   3. Starting some time late 
2012, URIBL started rejected some requests based on high volume of calls from a 
particular server.  Various people have experienced this problem at various

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-11 Thread Colbeck, Andrew
Per point 3. “Once URIBL starts rejected the requests then every request gets 
scored as bad”



Read the URIBL.com site News, and Implementation sections. This is because a 
rejection isn’t quiet, it returns the value 127.0.0.1, so I’ll assume that SM 
is triggering on a result of “*” instead of “127.0.0.2” and you’ll want to go 
back to SmarterMail to figure out how to be specific about that acceptable 
response. Perhaps you’ll want to use specific tests like the Black test or the 
Red test instead of the Multi test.



Per point 5. “I'm not really sure how URIBL even knows which DNS server I use 
...last year, I had my SM server configured to use the Comcast national DNS 
servers”



Well, that’s pretty clear, a lot of people use ComCast, so ComCast has been 
flagged as a “heavy hitter” and queries through their servers to URIBL will 
cause URIBL to respond to Comcast with the “127.0.0.1” value. URIBL doesn’t 
care about your-server-asking-via-Comcast, they care about which server asked 
URIBL, which was ComCast.



Per point 6. “I was told that I need to turn off recursion on the DNS server to 
be considered acceptable to URIBL. Again, I don't know why.“



Ok, it’s plausible that URIBL tests your DNS server to see if it can be abused 
by bad guys, but I actually doubt that they do this, and it’s a red herring. 
You know that your mail volume is small enough to not be a heavy hitter but you 
are diagnosed as a heavy hitter anyway. Therefore, someone gave you this advice 
while trying to diagnose why you are getting heavy hitter results, i.e. that 
your DNS server is being abused.



The big idea here is that your mail server needs to ask a DNS server to resolve 
stuff for it, including URIBL. However, random people on the Internet should 
not be able to use your DNS server, because they will certainly abuse it to 
throw bandwidth at someone they don’t like. That’s called an open resolver, see 
here for why that’s bad 
http://dns.measurement-factory.com/surveys/openresolvers.html



It’s extremely common to use a DNS server right on your email server, and point 
your antispam queries at that DNS server. Some DNS servers allow you to specify 
the IP/subnet of allowed clients; Windows 2008 does not, it happily resolves 
for anyone. So instead of using client ACLs on the DNS server, make sure you’re 
not telling your firewall to allow inbound DNS as a service on that particular 
IP address; because of course have a wonderful stateful firewall, it will 
happily allow outbound DNS and the corresponding inbound replies.



For your email server to resolve DNS, you don’t want to use forwarders, and you 
do want to use recursion.



Per point 7. I tried writing to the URIBL abuse administrator but got no 
response



Your case is pretty straightforward; perhaps they think you want too much help 
while they’ve provided what’s necessary on their website already. Perhaps 
they’re busy working on their golf swing and not reading email.



If you can’t reach them from your own domain, write to them from a freemail 
account instead of the domain that is in trouble, and cite your IP/domain. Be 
concise. Be polite. Don’t use HTML formatting if you can help it. And don’t use 
a legal disclaimer in your footer, because antispam/security admins are 
notoriously allergic to what they interpret as your attempt to legally bind 
their communication, and as a result they simply ignore such email.





Andrew.







From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, March 07, 2013 4:32 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?



Hi Andrew and thanks!



The problem isn't Declude but it is spam related so I'd be interested to see if 
anyone else has ideas.  I spent some time on the SmarterMail forums and this is 
what it looks like:



1. SM uses a series of built-in tests as well as external tests such as 
Declude.  Among these are a pair of URIBL tests that are based on links 
embedded in the messages.

2. SM scores a hit for each bad link reported by URIBL and applies the weight 
score to each hit.  With the default weight of 4, a message with five links 
rejected by URIBL would give a total score of 4 x 5 = 20.

3. Starting some time late 2012, URIBL started rejected some requests based on 
high volume of calls from a particular server.  Various people have experienced 
this problem at various times over the last three months. Once URIBL starts 
rejected the requests then every request gets scored as bad.  So, for example, 
every message with five embedded links gets a weight of 20, regardless of the 
legitimacy of those links.  This results in a sudden inflation of spam scores.

4. I don't understand how our mail server would be subject to this. Our volume 
of mail isn't just small, one might almost call it tiny.  The number of calls 
we make to URIBL are correspondingly very small.

5. The claim made by Those Who Know on the SM forum is that the URIBL

Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-07 Thread SM Admin
Hi Andrew and thanks!

The problem isn't Declude but it is spam related so I'd be interested to see if 
anyone else has ideas.  I spent some time on the SmarterMail forums and this is 
what it looks like:

1. SM uses a series of built-in tests as well as external tests such as 
Declude.  Among these are a pair of URIBL tests that are based on links 
embedded in the messages.
2. SM scores a hit for each bad link reported by URIBL and applies the weight 
score to each hit.  With the default weight of 4, a message with five links 
rejected by URIBL would give a total score of 4 x 5 = 20.
3. Starting some time late 2012, URIBL started rejected some requests based on 
high volume of calls from a particular server.  Various people have experienced 
this problem at various times over the last three months. Once URIBL starts 
rejected the requests then every request gets scored as bad.  So, for example, 
every message with five embedded links gets a weight of 20, regardless of the 
legitimacy of those links.  This results in a sudden inflation of spam scores.
4. I don't understand how our mail server would be subject to this. Our volume 
of mail isn't just small, one might almost call it tiny.  The number of calls 
we make to URIBL are correspondingly very small.
5. The claim made by Those Who Know on the SM forum is that the URIBL rejection 
is really directed at those who use high volume public DNS servers. I'm not 
really sure how URIBL even knows which DNS server I use, but that's the claim.  
Since last year, I have had my SM server configured to use the Comcast national 
DNS servers (Comcast being my upstream provider). Since that's supposed to be 
the problem, I switched to our in-house public DNS server, but that didn't help 
either.  Then I tried setting up a private DNS server on the mail server itself 
and still couldn't get it to work.
6. Then I was told that I need to turn off recursion on the DNS server to be 
considered acceptable to URIBL. Again, I don't know why.  The problem is that I 
use the MS DNS server (Win 2008) and when you turn off recursion, it forced off 
forwarding as well.  There are many good reasons for not wanting to turn off 
forwarding (in fact, MS doesn't recommend it). So now I'm stuck between a rock 
and a hard place.
7. I tried writing to the URIBL abuse administrator but got no response and 
couldn't find any other contact information.

Anyone able to correct or illuminate me?

Thanks,

Ben
  - Original Message -
  From: Colbeck, Andrew
  To: Declude.JunkMail@declude.com
  Sent: Wednesday, March 06, 2013 3:27 PM
  Subject: RE: [Declude.JunkMail] why have spam scores jumped?


  Ben, check the archive website here 
http://www.mail-archive.com/declude.junkmail@declude.com/ for the mail you’ve 
missed.





  Andrew.





  From: SM Admin [mailto:imailad...@bcwebhost.net]
  Sent: Tuesday, March 05, 2013 10:10 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] why have spam scores jumped?



  Thanks for the heads-up, but I didn’t and still don’t see either my original 
email or the responses.  I just took a look at it via the web interface because 
sometime Microsoft Live Mail (like Outlook Express before it) will not show 
some messages where it doesn’t like the header, but I just don’t see either my 
message or the responses. I’m assuming what happened was exactly what I was 
asking about – those messages were given him spam scores and deleted.



  I don’t suppose you could resend those replies to the list?



  Thanks,



  Ben



  From: Randy Armbrecht

  Sent: Tuesday, March 05, 2013 11:12 AM

  To: Declude.JunkMail@declude.com

  Subject: RE: [Declude.JunkMail] why have spam scores jumped?



  Your Friday post did show up and already has 2 or 3 responses to it







  Sincerely,



  Randy Armbrecht

  Global Web Solutions, Inc.

  Office: 804.442.5300 x112

  Toll Free: 877.800.4562



  24 /7 Tech Support!

  Your Internet Source.Since 1996!



  NEW GlobalSync Remote-BackUp Solutions!



  Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services

  Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's

  PC Support - Networking - Virus/MalWare Removal



  25% discount on most services for Non-Profits!  Call us today!



  From: SM Admin [mailto:imailad...@bcwebhost.net]
  Sent: Tuesday, March 05, 2013 1:52 PM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] why have spam scores jumped?



  (I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



  Hi,



  I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



  We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-06 Thread Colbeck, Andrew
Ben, check the archive website here 
http://www.mail-archive.com/declude.junkmail@declude.com/ for the mail you’ve 
missed.





Andrew.





From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 10:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?



Thanks for the heads-up, but I didn’t and still don’t see either my original 
email or the responses.  I just took a look at it via the web interface because 
sometime Microsoft Live Mail (like Outlook Express before it) will not show 
some messages where it doesn’t like the header, but I just don’t see either my 
message or the responses. I’m assuming what happened was exactly what I was 
asking about – those messages were given him spam scores and deleted.



I don’t suppose you could resend those replies to the list?



Thanks,



Ben



From: Randy Armbrecht mailto:ra...@globalweb.us

Sent: Tuesday, March 05, 2013 11:12 AM

To: Declude.JunkMail@declude.com

Subject: RE: [Declude.JunkMail] why have spam scores jumped?



Your Friday post did show up and already has 2 or 3 responses to it







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562



24 /7 Tech Support!

Your Internet Source.Since 1996!



NEW GlobalSync Remote-BackUp Solutions!



Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services

Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's

PC Support - Networking - Virus/MalWare Removal



25% discount on most services for Non-Profits!  Call us today!



From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com

[Declude.JunkMail] why have spam scores jumped?

2013-03-05 Thread SM Admin
(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)

Hi,

I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.

We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?

Thanks,

Ben

***
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15
*
-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28
**
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41
**
Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-05 Thread Randy Armbrecht
Your Friday post did show up and already has 2 or 3 responses to it







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562



24 /7 Tech Support!

Your Internet Source.Since 1996!



NEW GlobalSync Remote-BackUp Solutions!



Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services

Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's

PC Support - Networking - Virus/MalWare Removal



25% discount on most services for Non-Profits!  Call us today!



From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5








--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] why have spam scores jumped?

2013-03-05 Thread SM Admin
Thanks for the heads-up, but I didn’t and still don’t see either my original 
email or the responses.  I just took a look at it via the web interface because 
sometime Microsoft Live Mail (like Outlook Express before it) will not show 
some messages where it doesn’t like the header, but I just don’t see either my 
message or the responses. I’m assuming what happened was exactly what I was 
asking about – those messages were given him spam scores and deleted.

I don’t suppose you could resend those replies to the list?

Thanks,

Ben

From: Randy Armbrecht
Sent: Tuesday, March 05, 2013 11:12 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Your Friday post did show up and already has 2 or 3 responses to it







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562



24 /7 Tech Support!

Your Internet Source.Since 1996!



NEW GlobalSync Remote-BackUp Solutions!



Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services

Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's

PC Support - Networking - Virus/MalWare Removal



25% discount on most services for Non-Profits!  Call us today!



From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



(I sent this message on Friday but it never showed up, so I thought I’d try 
again.)



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73

RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-02 Thread Randy Armbrecht
This doesn’t look like Declude is the culprit in your scoring, but rather your 
SmarterMail Spam scoring is the culprit.  Have you changed anything recently in 
the Spam settings of SmarterMail?







Sincerely,



Randy Armbrecht

Global Web Solutions, Inc.

Office: 804.442.5300 x112

Toll Free: 877.800.4562



24 /7 Tech Support!

Your Internet Source.Since 1996!



NEW GlobalSync Remote-BackUp Solutions!



Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services

Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's

PC Support - Networking - Virus/MalWare Removal



25% discount on most services for Non-Profits!  Call us today!



From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Friday, March 01, 2013 8:54 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15

*

-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28

**

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41

**

Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):



X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5








--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] why have spam scores jumped?

2013-03-02 Thread Michael Graveen
A discussion on the subject that may be of interest in the SmarterMail forum.

http://forums.smartertools.com/showthread.php/38483-jump-in-spam-scores


Mike


Michael Graveen

m...@anim8.net



Return-Path: declude.junkmail-f83d868d348149c9928eaad64e22d...@declude.com

Received: from smtp.declude.com (smtp.declude.com [216.144.195.81]) by 
ns.pixel8.com with SMTP;

Sat, 2 Mar 2013 10:23:43 -0600

Received: from smail.globalweb.net (smail.globalweb.net [208.74.80.105]) by 
smtp.declude.com with SMTP;

Sat, 2 Mar 2013 11:22:35 -0500

Received: from HRADT (173-163-199-121-richmond.hfc.comcastbusiness.net 
[173.163.199.121]) by smail.globalweb.net with SMTP;

Sat, 2 Mar 2013 11:22:22 -0500

From: Randy Armbrecht ra...@globalweb.us

To: Declude.JunkMail@declude.com

References: 
1044585735_52516...@declude.com1056213922_52517...@declude.com1070057329_52517...@declude.com1226673407_52521...@declude.com1245946641_52522...@declude.com
 1249494625_52522...@declude.com 1251923344_52522...@declude.com 
-1916622906_42591...@declude.com

In-Reply-To: -1916622906_42591...@declude.com

Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Date: Sat, 2 Mar 2013 11:22:04 -0500

Message-ID: -1864395546_42592...@declude.com

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary==_NextPart_000_053A_01CE1738.2B571DA0

X-Mailer: Microsoft Outlook 14.0

X-Vipre-Scanned: 0AC03A97003DC80AC03BE4

Thread-Index: 
AQGfnOsLrnxuRjEYIyUIZ/qhpeQALAIkewrQA4Zvh3wCcEpK0AG5X5wcAlfJDG0BMAgZkQGdxfpImHe4hjA=

Content-Language: en-us

X-GBUdb-Analysis: 0, 208.74.80.105, Ugly c=0 p=0 Source New

X-MessageSniffer-Scan-Result: 0

X-MessageSniffer-SNF-Group: OK

X-Declude-Sender: ra...@globalweb.us [208.74.80.105]

X-Declude-Spoolname: 42592729.eml

X-Declude-RefID: str=0001.0A020208.51322762.00AC,ss=1,fgs=0

X-DECLUDE: 
--

X-Declude-Note: Scanned by Declude 4.12.01 http://www.declude.com/x-note.htm;

X-Declude-Scan: Incoming Score [-3] at 11:23:01 on 02 Mar 2013 by

X-Declude-Tests: TOKENS [-5], MAILSPIKE-L2 [6], SPFPASS [-1], CT-UNKNOWN [-1], 
FILTER-SUBJECT [2], FILTER-SPAM [5], HAM-INDICATOR [-5], X1234X [0], 
UNSUBSCRIBE [-100], SUBJECT-FWD [-100]

X-Country-Chain: UNITED STATES-destination

X-Declude-Code: e

X-Declude-Recipcount: 1

X-Recipients: declude.junkmail@declude.com

X-HELO: smail.globalweb.net

X-Identity: 208.74.80.105 | smail.globalweb.net | globalweb.us

X-DECLUDE: 
--

List-Id: listid.Declude.JunkMail.42592764.declude.com

X-Mailing-List: Declude.JunkMail@declude.com

Reply-to: Declude.JunkMail@declude.com

Precedence: list

Sender: Randy Armbrecht ra...@globalweb.us

X-Rcpt-To: m...@anim8.net

X-SmarterMail-Spam: SPF_Pass, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
Custom Rules [], URIBL:11

X-SmarterMail-TotalSpamWeight: 0 (Trusted Sender)

This doesn't look like Declude is the culprit in your scoring, but rather your 
SmarterMail Spam scoring is the culprit.  Have you changed anything recently in 
the Spam settings of SmarterMail?




Sincerely,

Randy Armbrecht
Global Web Solutions, Inc.
Office: 804.442.5300 x112
Toll Free: 877.800.4562

24 /7 Tech Support!
Your Internet Source.Since 1996!

NEW GlobalSync Remote-BackUp Solutions!

Web Hosting  -  E-Mail  -  Spam/Virus Gateway Services
Hi-Speed DSL, Ethernet and Wireless Internet -  T-1/T-3's
PC Support - Networking - Virus/MalWare Removal

25% discount on most services for Non-Profits!  Call us today!



From: SM Admin [mailto:imailad...@bcwebhost.net]

Sent: Friday, March 01, 2013 8:54 PM

To: Declude.JunkMail@declude.com

Subject: [Declude.JunkMail] why have spam scores jumped?



Hi,



I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.



We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?



Thanks,



Ben



***

X-MessageSniffer-Scan-Result: 0

X-MessageSniffer-Rules: 0-0-0-2998-c

X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]

X-Declude-Spoolname: 195938010.eml

X-Declude-RefID:

X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;

X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013

X-Declude-Tests: SPFUNKNOWN [1]

X-Country-Chain: UNITED STATES-destination

X-Declude-Code: e

X-HELO: mail.garrettlaw.com

X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com

X-SmarterMail-Spam

[Declude.JunkMail] why have spam scores jumped?

2013-03-01 Thread SM Admin
Hi,

I don't know if anyone is still here but I'd like some insights into some 
strange anti-spam behavior.

We have latest SmarterMail and Declude, as well as Sniffer. Over the last few 
days I noticed a significant drop in email messages.  Upon further 
investigation, I found that messages were being givn much higher spam scores 
than in the past, with the result that they get classified as spam or just 
outright deleted.  Checking the headers, however, I don't see why the scores 
are coming in so high.  Below are a few examples.  Does anyone see why the spam 
scores come out so high?

Thanks,

Ben

***
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15
*
-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28
**
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41
**
Just for comparison, here is an email from the same source from Tuesday (and 
very typical of past headers):

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES-destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.