Title: Logged spam getting to mailbox
Hi Matt,
 
I'm not using any MS gateway on this. The mail comes into IMail/Declude and uses IMail as the email server. I opened the message with Notepad and didn't locate any misplaced headers. I would like to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on the site. Can you tell me where to find them? I logged in and found the 3.x downloads.
 
Thanks for all of your help.   This is sure a head scratcher for me.
 
Cheers
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 4:59 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

Corby,

I also received a bunch of these, and one copy that I came up with in a hold box showed that the headers were in fact broken.  My MS SMTP gateway shows the From, Bcc, and locally inserted MS SMTP headers at the very bottom of this message.  That's how MS SMTP deals with it, but Declude might deal with it differently, or it might even have broken your older version of Declude.  You should at least upgrade to 2.0.6.16 which is available from their site.  Upgrading to 3.x would be something that you should plan more carefully though as it is a major change.

I suspect that you are looking at the rendered view of the E-mail, and since this is a multipart message with both text and HTML segments, it is not rendering the broken headers in the normal view, but they might be there if you were to look at the original text source.  If the headers are in the body and your rule in your client is looking for headers where they belong, that would explain why your filter isn't working.

Matt



Agid, Corby wrote:
Well I'm somewhat more confused as I don't really know what "bad folding" means.  However, I don't see any of the X-headers in the message body.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 2:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

Andrew probably nailed this.  In at least some versions of Declude, the headers that it inserts could land in the body of the message due to bad folding techniques that the spammer uses (sometimes also legitimate mailers will produce this flaw).  Your client rule is probably searching for headers and doesn't recognize the header that was inserted into what became the body due to bad folding.  An upgrade may or may not fix the issue, though there was talk about this issue several months ago in relation to 3.x and I believe some work was done to take care of some of it.

Matt



Agid, Corby wrote:
Actually, I'm still running 2.0.5.   I suppose that I should probably upgrade, eh?  
 
 I don't actually delete mail at any score.  I use the header information in my email client to sort the incoming messages.    Other than this particular bugger, it's worked well for me.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

Odd - just because it's always the same email. What number do you delete on? Although the logs will balloon in size, running Declude in DEBUG may shed some light. I presume this is Declude 3x ver?

-Nick

Agid, Corby wrote:

Hello,

I'm having trouble with a particular spam message getting to my mailbox each day. The Declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned, i.e. there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-RBL headers to verify they were scanned.

Can you help me understand why the final message doesn't show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different.


Below are the log snips and message headers.

=======================================
Dec0123.log
01/23/2006 15:45:52 Q6aae01510000a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 .  Total weight = 44.

01/23/2006 15:45:52 Q6aae01510000a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52 Q6aae01510000a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52 Q6aae01510000a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action="">
01/23/2006 15:45:52 Q6aae01510000a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action="">

01/23/2006 15:45:52 Q6aae01510000a967 Msg failed CATCHALLMAILS (). Action="">
01/23/2006 15:45:52 Q6aae01510000a967 L1 Message OK
01/23/2006 15:45:52 Q6aae01510000a967 Subject: Viagra Professional as low as $3.84
01/23/2006 15:45:52 Q6aae01510000a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 68.41.152.175 ID:
01/23/2006 15:45:52 Q6aae01510000a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN

01/23/2006 15:45:52 Q6aae01510000a967 Last action = "">


Sys0123.log
01:23 15:45 SMTPD(6aae01510000a967) [216.101.5.133] connect 68.41.152.175 port 4251
01:23 15:45 SMTPD(6aae01510000a967) [68.41.152.175] HELO localhost
01:23 15:45 SMTPD(6aae01510000a967) [68.41.152.175] Mail From: <[EMAIL PROTECTED]>
01:23 15:45 SMTPD(6aae01510000a967) [68.41.152.175] Rcpt To: <[EMAIL PROTECTED]>
01:23 15:45 SMTPD(6aae01510000a967) [68.41.152.175] C:\IMail\spool\D6aae01510000a967.SMD 4723
01:23 15:45 SMTPD(6aae01510000a967) performing antispam checks
01:23 15:45 SMTP-(6aae01510000a967) processing C:\IMail\spool\Q6aae01510000a967.SMD
01:23 15:45 SMTP-(6aae01510000a967) ldeliver mail.agid.com corby-main (1) [EMAIL PROTECTED] 5361
01:23 15:45 SMTP-(6aae01510000a967) finished C:\IMail\spool\Q6aae01510000a967.SMD status=1


Email Headers:
Received: from localhost [68.41.152.175] by mail.agid.com
  (SMTPD-8.21) id AAAE0130; Mon, 23 Jan 2006 15:45:50 -0800
Date: Mon, 23 Jan 2006 18:45:52 +0100
Return-path: <[EMAIL PROTECTED]>
From: "Adler"<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Viagra Professional as low as $3.84
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0003_01C618B6.107D4F00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

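Added example (not part of the original thread and not Declude's code): a check over a message's raw source for the situation Matt describes, where a line folded without leading whitespace ends the header block early, so later header lines, including filter-inserted X- headers, become body text. The sample message, the `scan_source` name and the watched header names are constructed assumptions.

```python
import re

# RFC 5322 field name: printable ASCII except ':', followed by a colon.
FIELD = re.compile(r"^([!-9;-~]+):")
# Assumption: header names worth flagging when found below the header block.
WATCHED = {"from", "bcc", "received"}

def scan_source(raw):
    """Return (boundary_line, reason, stray_headers) for raw message source."""
    lines = raw.replace("\r\n", "\n").split("\n")
    boundary, reason = len(lines) + 1, "no body"
    for no, line in enumerate(lines, 1):
        if line == "":
            boundary, reason = no, "blank line"   # normal separator
            break
        if line[0] in " \t" or FIELD.match(line):
            continue                              # continuation or field
        boundary, reason = no, "unfolded line"    # header block ends early
        break
    stray = []
    for no, line in enumerate(lines[boundary:], boundary + 1):
        m = FIELD.match(line)
        if m:
            name = m.group(1)
            # Heuristic: MIME part headers in the body are not flagged.
            if name.lower() in WATCHED or name.lower().startswith("x-"):
                stray.append((no, name))
    return boundary, reason, stray

# Constructed sample: line 4 continues the Subject without leading whitespace.
BROKEN = "\n".join([
    "Received: from localhost [192.0.2.10] by mail.example.com",
    "  (SMTPD) id SAMPLE01; Mon, 23 Jan 2006 15:45:50 -0800",
    "Subject: Constructed subject that was folded",
    "without leading whitespace",
    "Content-Type: text/plain",
    'X-RBL-Warning: SAMPLETEST: "constructed value"',
    'From: "Sender" <sender@example.com>',
    "",
    "Body text.",
])
GOOD = BROKEN.replace("\nwithout", "\n without")  # same message, folded correctly

if __name__ == "__main__":
    for label, msg in (("broken", BROKEN), ("good", GOOD)):
        print(label, scan_source(msg))
```

Run it against the original text source of the delivered message, not the client's rendered view; a reason of "unfolded line" together with stray X- headers matches the behaviour discussed in the thread.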