Re: AW: [Declude.JunkMail] No action taken

[Matt]

Markus, Your headers show that it was also a null sender for the messages that bypassed your weights.  Also curiously, you are logging in your headers the inorout variable and it shows the message as being outgoing:     X-Note: Sent from <> - [No Reverse DNS] ([210.212.188.106]) outgoing. It appears that Declude is treating all null senders as outgoing, which would then use actions contained in your Global.cfg instead of a JunkMail file, and I'm guessing that you don't have any actions defined in your Global.cfg?  Maybe that is the source of the bug. I don't recall this ever happening with 2.x and before, so maybe it's a change of behavior in 3+. Declude??? Matt Markus Gufler wrote: (reposting the same message without attachments) Hi After reading this thread and have seen 3 spam messages in my inbox who has final results-lines in the header with more then 200% of my hold weight I've made some research: Exactly the same is happening here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 on. I have the same actions for in- and outgoing messages in my config files. Normaly a message in v3+ is (MID) logged with 6 lines. Each message with the final action "NO ACTIONS WERE TAKEN" has only 2 lines in the logfile 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360. 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN With this final weight the defined action is HOLD. I've noted also that this two lines are looking nearly like a whitelisted message: 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [[EMAIL PROTECTED]] = WHITELISTED [LAST ACTION="" 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN So it seems to me that something is whitelisting this type of message but I don't know what. Following my logfiles arround 400 spam each one with a final result between 200 and 400% of the defined hold weight has passed the filter instead of being HOLD. Markus -----Ursprüngliche Nachricht----- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Im Auftrag von John Shacklett Gesendet: Montag, 5. Juni 2006 13:37 An: Declude.JunkMail@declude.com Betreff: RE: [Declude.JunkMail] No action taken This morning I'm seeing a flood of stock spam with scores that are more than double my delete weight getting through with "no action taken". I'm looking at one right now with a score of 67, and in my scheme we delete at 30. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Sunday, 04 June 2006 8:21 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No action taken I was noticing the other day on some version of 4.x that bounce messages for a domain that should have been using the settings in my $Default$.JunkMail failed to take those actions. Typically I do per-domain configs, but a few I just have using my $Default$.JunkMail. I noticed this as soon as I upgraded to 4.x, and I'm pretty sure it is a bug. I am not sure if it only affects bounce messages or all messages for those domains (note that all of my domains are gatewayed from the Declude box so they may be treated differently from locally hosted E-mail. I believe that putting the actions in your Global.cfg would take action on this stuff. Global.cfg is meant for outgoing E-mail actions. While this was clearly incoming E-mail and not the way things used to work with 2.x and before, I'm pretty sure that this will take care of the issue. When I get some time to look into this further I'll probably report the bug to Declude. I'm pretty sure that I have seen several other such posts that might have been caused by this change in behavior. Matt Heimir Eidskrem wrote: Why would no action been taken on this email. We hold on 100. >From Declude log: 06/04/2006 17:38:44.987 q60eb01820000d92b.smd Triggered COUNTRIES CONTAINS filter COUNTRYFILTER on ES [weight->10]. 06/04/2006 17:38:45.003 q60eb01820000d92b.smd Filter: Set max weight to 60. 06/04/2006 17:38:45.112 q60eb01820000d92b.smd Filter: Set max weight to 70. 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter REVDNSBLACKLIST: Skipping E-mail with a current weight of 245 (>=80) 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter BADWORDFILTER: Skipping E-mail with a current weight of 245 (>=30) 06/04/2006 17:38:45.159 q60eb01820000d92b.smd SPAMCOP:70 FIVETENSRC:30 SORBS-DUL:35 COUNTRYFILTER:10 SNIFFERGETRICH:100 . Total weight = 245. 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN Received: from jose-mih7wjftkx [62.42.134.246] by xxxxxxxxxxx with ESMTP (SMTPD-8.22) id A0EC1404; Sun, 04 Jun 2006 17:38:36 -0500 Date: Sun, 4 Jun 2006 22:38:39 -0060 From: "Rene Benjamin" [EMAIL PROTECTED] X-Mailer: The Bat! (3.69.9) Personal Reply-To: [EMAIL PROTECTED] X-Priority: 3 (Normal) Message-ID: <[EMAIL PROTECTED]> To: xxxxxxxx Subject: Under The Radar Equity Alert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Declude-Sender: <> [62.42.134.246] X-Declude-Spoolname: D60eb01820000d92b.smd X-Spam-Tests-Failed: SPAMCOP, FIVETENSRC, SORBS-DUL, NOLEGITCONTENT, IPNOTINMX, COUNTRYFILTER, SNIFFERGETRICH, WEIGHT75, WEIGHT100, CATCHALLMAILS [245] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 440029386 X-IMail-ThreadID: 60eb01820000d92b --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.