AW: AW: AW: [Declude.JunkMail] No action taken

[Markus Gufler]

looking at another mailserver smtp logfile I can't realy see some malformed mailfrom line. The only thing I can see in the othe logfiles is a wave of messages with mailfrom lines like   [EMAIL PROTECTED]   the first character is random the second one seems always be an underscore (or something similar) then is attached a name after the underscore and before the @ after the @ the domains is a random name like "mail" "bk" or "inbox" the final TLD seems always be ".ru"   This pattern of mailfrom is missing completely in the same time range on my IMail Server. There are only mailfrom's like   l   the first character is random the second one seems bring IMail/Declude in the nirvana...   Markus     Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Markus Gufler Gesendet: Dienstag, 6. Juni 2006 00:07 An: declude.junkmail@declude.com Betreff: AW: AW: AW: [Declude.JunkMail] No action taken After seeing this "" in the smtp logfile it seems not logic to me that there must be something wrong in the configuration. The first line of the declude logfiles says that the message is failing several tests and that is not whitelisted as other correctly whitelisted messages are Both in- and outgoing final actions are defined to hold such type of messages but they are not hold. There are only 4 defined actions IN:Subject, IN:Hold, OUT:Subject and OUT:Hold plus the IGNORE-action. At least one of this actions should happen. But not "no actions were taken"   I can't remember: Are inbound rules processed before or after declude processing? At the moment I try to find such a malformed mail from line in an other (not IMail) logfile. It would be interesting to have a origina queue file of such a message. (not possible with "no actions were taken")   Markus   PS: I haven't send a message directly to declude support but I expect that they write at least an official statement to the list that they are aware of a possible problem and that they are still alive. (hopefully!!!)     Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Matt Gesendet: Montag, 5. Juni 2006 23:48 An: declude.junkmail@declude.com Betreff: Re: AW: AW: [Declude.JunkMail] No action taken Markus, How about some debug logging?  It should be easy to pick out these messages. I fear that maybe something is different on your system than some others.  John for instance indicated that adding the actions to his Global.cfg seems to have fixed the issue, yet you are still seeing the issues.  I'm wondering if maybe you are whitelisting them or something???  Maybe it will show an error??? Matt Markus Gufler wrote: I'm 100% sure that I have exactly the same two actions defined in both global.cfg and $default$.junkmail. They are there for several months now and this server is handling also several gatewayed domains. As I know gatewayed messages are handled as outgoing. Markus -----Ursprüngliche Nachricht----- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Im Auftrag von John Shacklett Gesendet: Montag, 5. Juni 2006 23:10 An: declude.junkmail@declude.com Betreff: RE: AW: [Declude.JunkMail] No action taken I think that Matt's reply to Markus is right on track. I went back and looked at some headers from my sneaky stock scamspam and it appears that whatever is happening incorrectly is causing these messages to be treated as outgoing and I had a typo in my global.cfg that was preventing my HOLD and DELETE actions from taking place. I haven't seen any slip through since making that repair. That doesn't answer Heimir's basic question about official response. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Heimir Eidskrem Sent: Monday, 05 June 2006 2:53 PM To: declude.junkmail@declude.com Subject: Re: AW: [Declude.JunkMail] No action taken It seems to be obvious that this is a Declude problem with so many reports. Why no response from Declude yet? H. Matt wrote: Markus, Your headers show that it was also a null sender for the messages that bypassed your weights. Also curiously, you are logging in your headers the inorout variable and it shows the message as being outgoing: X-Note: Sent from <> - [No Reverse DNS] ([210.212.188.106]) outgoing. It appears that Declude is treating all null senders as outgoing, which would then use actions contained in your Global.cfg instead of a JunkMail file, and I'm guessing that you don't have any actions defined in your Global.cfg? Maybe that is the source of the bug. I don't recall this ever happening with 2.x and before, so maybe it's a change of behavior in 3+. Declude??? Matt Markus Gufler wrote: (reposting the same message without attachments) Hi After reading this thread and have seen 3 spam messages in my inbox who has final results-lines in the header with more then 200% of my hold weight I've made some research: Exactly the same is happening here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 on. I have the same actions for in- and outgoing messages in my config files. Normaly a message in v3+ is (MID) logged with 6 lines. Each message with the final action "NO ACTIONS WERE TAKEN" has only 2 lines in the logfile 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360. 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN With this final weight the defined action is HOLD. I've noted also that this two lines are looking nearly like a whitelisted message: 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [[EMAIL PROTECTED]] = WHITELISTED [LAST ACTION="" 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN So it seems to me that something is whitelisting this type of message but I don't know what. Following my logfiles arround 400 spam each one with a final result between 200 and 400% of the defined hold weight has passed the filter instead of being HOLD. Markus -----Ursprüngliche Nachricht----- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Im Auftrag von John Shacklett Gesendet: Montag, 5. Juni 2006 13:37 An: Declude.JunkMail@declude.com Betreff: RE: [Declude.JunkMail] No action taken This morning I'm seeing a flood of stock spam with scores that are more than double my delete weight getting through with "no action taken". I'm looking at one right now with a score of 67, and in my scheme we delete at 30. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Sunday, 04 June 2006 8:21 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No action taken I was noticing the other day on some version of 4.x that bounce messages for a domain that should have been using the settings in my $Default$.JunkMail failed to take those actions. Typically I do per-domain configs, but a few I just have using my $Default$.JunkMail. I noticed this as soon as I upgraded to 4.x, and I'm pretty sure it is a bug. I am not sure if it only affects bounce messages or all messages for those domains (note that all of my domains are gatewayed from the Declude box so they may be treated differently from locally hosted E-mail. I believe that putting the actions in your Global.cfg would take action on this stuff. Global.cfg is meant for outgoing E-mail actions. While this was clearly incoming E-mail and not the way things used to work with 2.x and before, I'm pretty sure that this will take care of the issue. When I get some time to look into this further I'll probably report the bug to Declude. I'm pretty sure that I have seen several other such posts that might have been caused by this change in behavior. Matt Heimir Eidskrem wrote: Why would no action been taken on this email. We hold on 100. >From Declude log: 06/04/2006 17:38:44.987 q60eb01820000d92b.smd Triggered COUNTRIES CONTAINS filter COUNTRYFILTER on ES [weight->10]. 06/04/2006 17:38:45.003 q60eb01820000d92b.smd Filter: Set max weight to 60. 06/04/2006 17:38:45.112 q60eb01820000d92b.smd Filter: Set max weight to 70. 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter REVDNSBLACKLIST: Skipping E-mail with a current weight of 245 (>=80) 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter BADWORDFILTER: Skipping E-mail with a current weight of 245 (>=30) 06/04/2006 17:38:45.159 q60eb01820000d92b.smd SPAMCOP:70 FIVETENSRC:30 SORBS-DUL:35 COUNTRYFILTER:10 SNIFFERGETRICH:100 . Total weight = 245. 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN Received: from jose-mih7wjftkx [62.42.134.246] by xxxxxxxxxxx with ESMTP (SMTPD-8.22) id A0EC1404; Sun, 04 Jun 2006 17:38:36 -0500 Date: Sun, 4 Jun 2006 22:38:39 -0060 From: "Rene Benjamin" [EMAIL PROTECTED] X-Mailer: The Bat! (3.69.9) Personal Reply-To: [EMAIL PROTECTED] X-Priority: 3 (Normal) Message-ID: <[EMAIL PROTECTED]> To: xxxxxxxx Subject: Under The Radar Equity Alert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Declude-Sender: <> [62.42.134.246] X-Declude-Spoolname: D60eb01820000d92b.smd X-Spam-Tests-Failed: SPAMCOP, FIVETENSRC, SORBS-DUL, NOLEGITCONTENT, IPNOTINMX, COUNTRYFILTER, SNIFFERGETRICH, WEIGHT75, WEIGHT100, CATCHALLMAILS [245] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 440029386 X-IMail-ThreadID: 60eb01820000d92b --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude EVA] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.