I think that Matt's reply to Markus is right on track. I went back and looked at some headers from my sneaky stock scamspam and it appears that whatever is happening incorrectly is causing these messages to be treated as outgoing and I had a typo in my global.cfg that was preventing my HOLD and DELETE actions from taking place. I haven't seen any slip through since making that repair.
That doesn't answer Heimir's basic question about official response. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem Sent: Monday, 05 June 2006 2:53 PM To: declude.junkmail@declude.com Subject: Re: AW: [Declude.JunkMail] No action taken It seems to be obvious that this is a Declude problem with so many reports. Why no response from Declude yet? H. Matt wrote: > Markus, > > Your headers show that it was also a null sender for the messages that > bypassed your weights. Also curiously, you are logging in your > headers the inorout variable and it shows the message as being outgoing: > > X-Note: Sent from <> - [No Reverse DNS] ([210.212.188.106]) outgoing. > > It appears that Declude is treating all null senders as outgoing, > which would then use actions contained in your Global.cfg instead of a > JunkMail file, and I'm guessing that you don't have any actions > defined in your Global.cfg? Maybe that is the source of the bug. > > I don't recall this ever happening with 2.x and before, so maybe it's > a change of behavior in 3+. > > Declude??? > > Matt > > > > Markus Gufler wrote: >> (reposting the same message without attachments) >> >> Hi >> >> After reading this thread and have seen 3 spam messages in my inbox >> who has final results-lines in the header with more then 200% of my >> hold weight I've made some research: Exactly the same is happening >> here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 >> on. I have the same actions for in- and outgoing messages in my config files. >> >> Normaly a message in v3+ is (MID) logged with 6 lines. >> Each message with the final action "NO ACTIONS WERE TAKEN" has only 2 >> lines in the logfile >> >> 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . >> Total weight = 360. >> 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) >> taken on this email = NO ACTIONS WERE TAKEN >> >> With this final weight the defined action is HOLD. >> >> I've noted also that this two lines are looking nearly like a >> whitelisted >> message: >> >> 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for >> [EMAIL PROTECTED] = WHITELISTED [LAST >> ACTION=WHITELISTED] >> 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) >> taken on this email = NO ACTIONS WERE TAKEN >> >> So it seems to me that something is whitelisting this type of message >> but I don't know what. >> >> Following my logfiles arround 400 spam each one with a final result >> between 200 and 400% of the defined hold weight has passed the filter >> instead of being HOLD. >> >> Markus >> >> >> >> >> >>> -----Ursprüngliche Nachricht----- >>> Von: [EMAIL PROTECTED] >>> [mailto:[EMAIL PROTECTED] Im Auftrag von John >>> Shacklett >>> Gesendet: Montag, 5. Juni 2006 13:37 >>> An: Declude.JunkMail@declude.com >>> Betreff: RE: [Declude.JunkMail] No action taken >>> >>> This morning I'm seeing a flood of stock spam with scores that are >>> more than double my delete weight getting through with "no action >>> taken". I'm looking at one right now with a score of 67, and in my >>> scheme we delete at 30. >>> >>> -----Original Message----- >>> From: [EMAIL PROTECTED] >>> [mailto:[EMAIL PROTECTED] On Behalf Of Matt >>> Sent: Sunday, 04 June 2006 8:21 PM >>> To: Declude.JunkMail@declude.com >>> Subject: Re: [Declude.JunkMail] No action taken >>> >>> I was noticing the other day on some version of 4.x that bounce >>> messages for a domain that should have been using the settings in my >>> $Default$.JunkMail failed to take those actions. Typically I do >>> per-domain configs, but a few I just have using my >>> $Default$.JunkMail. I noticed this as soon as I upgraded to 4.x, and >>> I'm pretty sure it is a bug. I am not sure if it only affects >>> bounce messages or all messages for those domains (note that all of >>> my domains are gatewayed from the Declude box so they may be treated >>> differently from locally hosted E-mail. >>> >>> I believe that putting the actions in your Global.cfg would take >>> action on this stuff. Global.cfg is meant for outgoing E-mail >>> actions. While this was clearly incoming E-mail and not the way >>> things used to work with 2.x and before, I'm pretty sure that this >>> will take care of the issue. >>> >>> When I get some time to look into this further I'll probably report >>> the bug to Declude. I'm pretty sure that I have seen several other >>> such posts that might have been caused by this change in behavior. >>> >>> Matt >>> >>> >>> >>> Heimir Eidskrem wrote: >>> >>> >>>> Why would no action been taken on this email. >>>> We hold on 100. >>>> >>>> >>>> >From Declude log: >>>> >>>> 06/04/2006 17:38:44.987 q60eb01820000d92b.smd Triggered COUNTRIES >>>> CONTAINS filter COUNTRYFILTER on ES [weight->10]. >>>> 06/04/2006 17:38:45.003 q60eb01820000d92b.smd Filter: Set >>>> >>> max weight >>> >>>> to 60. >>>> 06/04/2006 17:38:45.112 q60eb01820000d92b.smd Filter: Set >>>> >>> max weight >>> >>>> to 70. >>>> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter >>>> >>> REVDNSBLACKLIST: >>> >>>> Skipping E-mail with a current weight of 245 (>=80) >>>> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter BADWORDFILTER: >>>> Skipping E-mail with a current weight of 245 (>=30) >>>> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd SPAMCOP:70 >>>> >>> FIVETENSRC:30 >>> >>>> SORBS-DUL:35 COUNTRYFILTER:10 SNIFFERGETRICH:100 . Total >>>> >>> weight = 245. >>> >>>> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Cumulative action(s) >>>> taken on this email = NO ACTIONS WERE TAKEN >>>> >>>> >>>> >>>> Received: from jose-mih7wjftkx [62.42.134.246] by xxxxxxxxxxx with >>>> ESMTP >>>> (SMTPD-8.22) id A0EC1404; Sun, 04 Jun 2006 17:38:36 -0500 >>>> Date: Sun, 4 Jun 2006 22:38:39 -0060 >>>> From: "Rene Benjamin" [EMAIL PROTECTED] >>>> X-Mailer: The Bat! (3.69.9) Personal >>>> Reply-To: [EMAIL PROTECTED] >>>> X-Priority: 3 (Normal) >>>> Message-ID: <[EMAIL PROTECTED]> >>>> To: xxxxxxxx >>>> Subject: Under The Radar Equity Alert >>>> MIME-Version: 1.0 >>>> Content-Type: text/plain; charset=us-ascii >>>> Content-Transfer-Encoding: 7bit >>>> X-Declude-Sender: <> [62.42.134.246] >>>> X-Declude-Spoolname: D60eb01820000d92b.smd >>>> X-Spam-Tests-Failed: SPAMCOP, FIVETENSRC, SORBS-DUL, >>>> >>> NOLEGITCONTENT, >>> >>>> IPNOTINMX, COUNTRYFILTER, SNIFFERGETRICH, WEIGHT75, WEIGHT100, >>>> CATCHALLMAILS [245] >>>> X-Note: This E-mail was scanned by Declude JunkMail >>>> >>> (www.declude.com) >>> >>>> for spam. >>>> X-RCPT-TO: <[EMAIL PROTECTED]> >>>> Status: U >>>> X-UIDL: 440029386 >>>> >>>> >>>> X-IMail-ThreadID: 60eb01820000d92b >>>> >>>> >>>> --- >>>> This E-mail came from the Declude.JunkMail mailing list. To >>>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type >>>> "unsubscribe Declude.JunkMail". The archives can be found at >>>> http://www.mail-archive.com. >>>> >>>> >>>> >>> --- >>> This E-mail came from the Declude.JunkMail mailing list. To >>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type >>> "unsubscribe Declude.JunkMail". The archives can be found at >>> http://www.mail-archive.com. >>> >>> --- >>> This E-mail came from the Declude.JunkMail mailing list. To >>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type >>> "unsubscribe Declude.JunkMail". The archives can be found at >>> http://www.mail-archive.com. >>> >>> >> >> --- >> This E-mail came from the Declude.JunkMail mailing list. To >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type >> "unsubscribe Declude.JunkMail". The archives can be found at >> http://www.mail-archive.com. >> >> >> > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > "unsubscribe Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
