Mornin' Scott,

I have discovered that IMail generated messages (bounce and Webmail)
are being fully scanned with Declude which will fail several technical
tests, but also, Declude will pick the connecting IP out of the headers
that appear in the body (there are no Received headers in the GSE
messages and therefore no IP).

This is very problematic because a good deal of the time the IP will
fail a DUL test since the original message comes from a client computer
in DUL space which was whitelisted due to using authentication. Most
of these bounces from my own users are now being blocked (IMail 8.13
and Declude 1.81 and earlier 1.79i16 as well). This started happening
when I upgraded to IMail 8.13 from 8.05HF3. With prior versions, all
Web mail and system messages would bypass Declude, but now both are
being processed with Declude, both with GSE extensions. I'm guessing
that this might also impact the listserv and messages generated by
calling IMail1.exe directly. Something definitely needs to be done in
order to better handle this condition.

Can I recommend that the condition be looked at where it grabs the
received headers from the body just in case there are other issues with
this code that could appear elsewhere, and apart from that, maybe
whitelist all GSE named files, or give us a way to whitelist all GSE
named files (such as working it into WHITELIST AUTH or another
switch). I do realize that some might want to scan Webmail (virus
scanning for instance), but you could differentiate by the combination
of a null sender plus the GSE extension. You could do a WHITELIST NDR
and a WHITELIST SERVER for all other server generated messages
(non-null senders). These are just some ideas off the top of my head,
not knowing the full extent of the issue and what the scope of the
impact would be.

Here's an example of a message that wasn't blocked, but it clearly
shows what is going on, but also note that I found that with a
different header where the HELO was named as a bracketed IP along with
the actual computer IP (look at the headers from this message and find
my own client), Declude actually uses the first bracketed IP and not
the second and proper one. The example below is in the more standard
format and can only be getting the IP from the body of the message as
there is no trace of it in the headers.

Date: Tue, 12 Oct 2004 16:46:16
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "Postmaster" <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [20] Undeliverable Mail
X-Mailer: <SMTP32 v8.13>
X-MailPure:
================================================================
X-MailPure: NULLSENDER: Message failed NULLSENDER test (line 5, weight
4) (weight capped at 4).
X-MailPure: BADHEADERS: Failed, headers not RFC compliant or malformed
[8040000e] (weight 3).
X-MailPure: LEGITCONTENT: Passed, legitimate content detected (weight
-1).
X-MailPure: DUL-COMBO: Message failed DUL-COMBO test (line 11, weight
8) (weight capped at 8).
X-MailPure: CRUSHER: Message failed CRUSHER test (line 11, weight 5).
X-MailPure: RECIPIENTS: <[EMAIL PROTECTED]>
X-MailPure:
================================================================
X-MailPure: Spam Score: 20
X-MailPure: Scan Time: 10/12/2004 at 16:46:18 -0400
X-MailPure: Spool File: D42980000052c8655.GSE
X-MailPure: Server Name:
X-MailPure: SMTP Sender: <>
X-MailPure: Received From: [69.139.75.201]
X-MailPure: Country Chain:
X-MailPure:
================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
================================================================
Unknown host: [EMAIL PROTECTED]
Original message follows.
Received: from COMPUTER [69.139.75.201] by clientdomain.com with ESMTP
(SMTPD32-8.13) id A2354CC800E6; Tue, 12 Oct 2004 16:44:37 -0400
Reply-To: <[EMAIL PROTECTED]>
From: "Client Name" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Ref # 457-B A Manufacturer of Engineered Precision, Brazed
Components and Assemblies.
Date: Tue, 12 Oct 2004 16:47:28 -0400
Message-ID:
<[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0164_01C4B07B.29055DA0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-MailPure:
================================================================
X-MailPure: Spam Score: 0
X-MailPure: Scan Time: 10/12/2004 at 16:44:44 -0400
X-MailPure: Spool File: D42344cc800e60b24.SMD
X-MailPure: Server Name:
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: [69.139.75.201]
X-MailPure: Country Chain:
X-MailPure:
================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
================================================================
This is a multi-part message in MIME format.
------=_NextPart_000_0164_01C4B07B.29055DA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
............
Thanks,
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
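
The header/body confusion described in the message above, as an added example that is not part of the original post and is not Declude's code. It contrasts a scanner that matches `Received:` anywhere in the message with one that reads only the header block and takes the last bracketed IP before ` by `. The function names, the `ndr`/`server`/`scan` labels, the assumed IMail `Received` layout and the sample messages are all constructed for illustration.

```python
import re
from email.parser import HeaderParser

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip_naive(raw):
    """Flawed: scans every line, so a Received line quoted in the body matches."""
    for line in raw.splitlines():
        if line.lower().startswith("received:"):
            m = BRACKETED_IP.search(line)  # also takes the first bracket (the HELO)
            if m:
                return m.group(1)
    return None

def connecting_ip(raw):
    """Trust only the header block, which ends at the first blank line."""
    received = HeaderParser().parsestr(raw, headersonly=True).get_all("Received") or []
    if not received:
        return None  # server-generated message: there is no connecting IP to test
    # Assumed IMail layout: "from HELO [ip] by host"; the peer IP is the last
    # bracketed address before " by ", even when the HELO is itself a bracketed IP.
    from_clause = re.split(r"\sby\s", received[0], maxsplit=1)[0]
    ips = BRACKETED_IP.findall(from_clause)
    return ips[-1] if ips else None

def classify(spool_file, smtp_sender):
    """Hypothetical policy from the post: .GSE spool name plus null sender = NDR."""
    if not spool_file.upper().endswith(".GSE"):
        return "scan"
    return "ndr" if smtp_sender in ("", "<>") else "server"

# Constructed samples (documentation addresses, not taken from the post).
BOUNCE = """\
From: "Postmaster" <postmaster@example.com>
To: <user@example.com>
Subject: Undeliverable Mail
X-Mailer: <SMTP32 v8.13>

Unknown host: someone@example.net
Original message follows.

Received: from COMPUTER [203.0.113.25] by example.com with ESMTP
From: "Client Name" <user@example.com>
"""
BRACKETED_HELO = ("Received: from [192.168.1.10] [203.0.113.25] by example.com"
                  " with ESMTP\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    print(connecting_ip_naive(BOUNCE), connecting_ip(BOUNCE))
    print(connecting_ip_naive(BRACKETED_HELO), connecting_ip(BRACKETED_HELO))
    print(classify("D0000.GSE", "<>"), classify("D0000.SMD", "a@example.com"))
```

When `connecting_ip` returns `None`, IP-based tests such as DUL lookups have nothing valid to evaluate and should be skipped rather than fed an address recovered from the quoted original.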