Title: Message
Hi Scott:
 
I know you are busy with viruses - but I can't figure THIS one out.  I have thousands of emails in the log file, where SORBS-DUHL is discovered, logged and treated properly. But at least this ONE got through and I have no explanation.
 
First let's look at a mail 10 minutes later, to the SAME person, that was handled properly. It detected SORBS-DUHL (in addition to SORBS), added it to the log, and then this test name was filtered in "DYNAMIC-IP" and added 6 to the weight:
 
03/19/2004 08:33:59 Qf6be2b780148067f WEIGHTFILTER:2 DYNAMIC-IP:6 OPEN-RELAY:5 .  Total weight = 13.
03/19/2004 08:34:00 Qf6be2b780148067f Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED]
03/19/2004 08:34:00 Qf6be2b780148067f Subject: Hotel and Meal expenses for breakdowns far from home
03/19/2004 08:34:00 Qf6be2b780148067f From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 200.164.142.10 ID:
03/19/2004 08:34:00 Qf6be2b780148067f Tests failed [weight=13]: DSBLSINGLE=WARN NJABL=WARN NJABLDYNA=LOG NJABLPROXIES=DELETE SORBS=WARN SORBS-DUHL=LOG IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE WEIGHTFILTER=WARN DYNAMIC-IP=IGNORE OPEN-RELAY=IGNORE WEIGHT10=BOUNCEONLYIFYOUMUST

The CONFIG files involved define:
 
[global.cfg]
SORBS  ip4r dnsbl.sorbs.net   *
...
SORBS-DUHL ip4r dnsbl.sorbs.net   127.0.0.10 0 0
...
SPAMDOMAINS  spamdomains D:\IMail\Declude\SpamDomains.txt x 4 0
WEIGHTFILTER filter  D:\IMail\Declude\WeightFilter.txt x 0 0
DYNAMIC-IP filter  D:\IMail\Declude\DUHLfilter.txt  x 6 0
OPEN-RELAY filter  D:\IMail\Declude\RELAYSfilter.txt x 6 0
MULTI-RELAY filter  D:\IMail\Declude\MULTIRELAYSfilter.txt x 6 0
FORMMAIL filter  D:\IMail\Declude\WEBfilter.txt  x 8 0

[$default$.junkmail] (global)
SORBS  WARN X-RBL-Warning: Suspected SPAM. %WARNING%
...
SORBS-DUHL LOG
 
[DUHLfilter.txt]

SKIPIFWEIGHT 20
TESTSFAILED 0 CONTAINS NJABLDUL
TESTSFAILED 0 CONTAINS NJABLDYNA
TESTSFAILED 0 CONTAINS AHBLDYNA
TESTSFAILED 0 CONTAINS SORBS-DUHL

Now I try to understand THIS email, only a few minutes earlier.

a) It came from an IP that returns 127.0.0.10 (for DUHL):

nslookup result:
Query:    104.96.47.69.dnsbl.sorbs.net
Address:  127.0.0.10

b) the header clearly shows that Declude did get the proper return code from SORBS (Dynamic IP) text

Received: from COMPAC [69.47.96.104] by hm-software.com
  (SMTPD32-7.07) id A50B5B900020; Fri, 19 Mar 2004 08:26:35 -0500
Received: from COMPAC [192.168.1.101] by maranello.cc with SMTP;
 Fri, 19 Mar 2004 08:26:32 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "Elizabeth Letterman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Lower your  m ortgage today!
Date: Fri, 19 Mar 2004 08:26:32 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: yPHP
Return-Path: [EMAIL PROTECTED]
XML-Context: <aGFyYWxkQG1hcmFuZWxsby5jYw==>
X-RBL-Warning: Suspected SPAM. "Blocked - see http://www.spamcop.net/bl.shtml?69.47.96.104"
X-RBL-Warning: Suspected SPAM. "Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=69.47.96.104"
X-Declude: Version 1.78i27; Df50b5b900020628c.SMD from d47-69-104-96.try.wideopenwest.com [69.47.96.104]
X-Declude: Triggered SPAMCOP [4]
X-Countries: UNITED STATES->destination
Return-Path: <[EMAIL PROTECTED]>
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 378205927

c) Yet - Declude never logs SORBS-DUHL!?

03/19/2004 08:26:38 Qf50b5b900020628c SPAMCOP:7 nNOLEGITCONTENT:-3 .  Total weight = 4.
03/19/2004 08:26:38 Qf50b5b900020628c Subject: Lower your  m ortgage today!
03/19/2004 08:26:38 Qf50b5b900020628c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 69.47.96.104 ID:
03/19/2004 08:26:38 Qf50b5b900020628c Tests failed [weight=4]: SPAMCOP=WARN SORBS=WARN IPNOTINMX=IGNORE

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

http://www.HM-Software.com/
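
An added example, not part of the original message and not Declude's own code: a Python check that compares the tests a DNSBL answer should trigger, per the two ip4r definitions quoted from global.cfg, against the test names on a "Tests failed" log line, so a message like the one above shows up as a gap. The function names are hypothetical, and the DNSBL answer used for the properly handled message is an assumption, since the message shows no lookup for that IP.

```python
import ipaddress
import re

# ip4r test definitions as given in the global.cfg excerpt above:
# test name -> (DNSBL zone, required return code; "*" = any listing)
IP4R_TESTS = {
    "SORBS": ("dnsbl.sorbs.net", "*"),
    "SORBS-DUHL": ("dnsbl.sorbs.net", "127.0.0.10"),
}

# "Tests failed" log lines copied from the message above.
LOG_HANDLED = ("03/19/2004 08:34:00 Qf6be2b780148067f Tests failed [weight=13]: "
               "DSBLSINGLE=WARN NJABL=WARN NJABLDYNA=LOG NJABLPROXIES=DELETE "
               "SORBS=WARN SORBS-DUHL=LOG IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE "
               "WEIGHTFILTER=WARN DYNAMIC-IP=IGNORE OPEN-RELAY=IGNORE "
               "WEIGHT10=BOUNCEONLYIFYOUMUST")
LOG_MISSED = ("03/19/2004 08:26:38 Qf50b5b900020628c Tests failed [weight=4]: "
              "SPAMCOP=WARN SORBS=WARN IPNOTINMX=IGNORE")

def dnsbl_query_name(ip, zone):
    """Reversed-octet name that an ip4r lookup of `ip` queries in `zone`."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def expected_tests(zone, answers):
    """Configured tests that should fail for the A records `zone` returned."""
    if not answers:                      # NXDOMAIN: IP is not listed
        return set()
    return {name for name, (z, code) in IP4R_TESTS.items()
            if z == zone and (code == "*" or code in answers)}

def logged_tests(log_line):
    """Test names recorded on a 'Tests failed [weight=N]:' log line."""
    m = re.search(r"Tests failed \[weight=-?\d+\]:\s*(.*)", log_line)
    return {tok.split("=", 1)[0] for tok in m.group(1).split()} if m else set()

def missing_tests(zone, answers, log_line):
    """Tests the DNSBL answer should have triggered but the log omits."""
    return expected_tests(zone, answers) - logged_tests(log_line)

if __name__ == "__main__":
    print(dnsbl_query_name("69.47.96.104", "dnsbl.sorbs.net"))
    # Answer 127.0.0.10 is the nslookup result quoted in the message.
    print(missing_tests("dnsbl.sorbs.net", {"127.0.0.10"}, LOG_MISSED))
    # Assumed answer for 200.164.142.10; the message shows no lookup for it.
    print(missing_tests("dnsbl.sorbs.net", {"127.0.0.10"}, LOG_HANDLED))
```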

 
