David,

I don't know if this was mentioned, but way back in 1.x a function to help with this was created called BYPASSWHITELIST.

bypasswhitelist

This optional test instructs Declude JunkMail to bypass any whitelisting for emails with at least a specific number of recipients and at least a specific weight.

For example, you could define a test with the following line in the \{MAILSERVER}\Declude\global.cfg file: BYPASSWHITELIST bypasswhitelist 60 5 0 0. The 60 refers to the weight the email must reach, and the 5 refers to the minimum number of recipients. In this case, it would attempt to bypass the whitelisting for email with 5 or more recipients and a weight of 60 or higher.


Just to make the configuration more clear, here's what goes in your Global.cfg:

    BYPASSWHITELIST        bypasswhitelist     60    5    0    0

The indicated settings probably aren't that useful, but you can configure multiple triggers, and of course change these values.  It is most useful to set this at 2 recipients, and bypass the whitelisting on any score that blocks.  It is very uncommon that a multiple recipient E-mail would need to be whitelisted to only one recipient and not another.

Also, this condition is most common when using the AUTOWHITELIST ON directive.  This feeds off of users' own address books, and it is common for users to have their own address or fellow workers' addresses in their address book, and this can happen on a multiple-recipient zombie spam and trigger that spam to be whitelisted to everyone.  Zombie spam sometimes forges one of the recipients as the sender.  The BYPASSWHITELIST is a fix for this, and would limit forged senders from being whitelisted except where the sender and the recipient are the same, and it would not be a big deal to remove the person's own address from their own address book to fix that too.

So if you generally started blocking on a score of 20, and would want to not AUTOWHITELIST any multiple recipient E-mail, this is what you would use:

    BYPASSWHITELIST        bypasswhitelist     20    2    0    0

Matt
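
[Added example, not part of Matt's message and not Declude's own code: a small Python model of the BYPASSWHITELIST rule as described above, run against constructed messages. It assumes that any one matching trigger is enough to bypass the whitelist, and it does not interpret the two trailing `0 0` fields.]

```python
"""Model of the BYPASSWHITELIST rule described above (illustrative only)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Trigger:
    min_weight: int       # third field: weight the email must reach
    min_recipients: int   # fourth field: minimum number of recipients

def parse_triggers(cfg_text):
    """Collect every BYPASSWHITELIST line from global.cfg-style text."""
    triggers = []
    for raw in cfg_text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].upper() != "BYPASSWHITELIST":
            continue  # blank line or some other directive
        # The two trailing fields (0 0 in the message) are not interpreted here.
        triggers.append(Trigger(int(fields[2]), int(fields[3])))
    return triggers

def whitelist_honoured(weight, recipients, sender_whitelisted, triggers):
    """True if the message is still treated as whitelisted.

    Assumption: with several triggers configured, any single match bypasses.
    """
    if not sender_whitelisted:
        return False
    bypass = any(weight >= t.min_weight and len(recipients) >= t.min_recipients
                 for t in triggers)
    return not bypass

# The two configuration lines quoted in the message.
LOOSE = parse_triggers("BYPASSWHITELIST  bypasswhitelist  60  5  0  0\n")
STRICT = parse_triggers("BYPASSWHITELIST  bypasswhitelist  20  2  0  0\n")

# Constructed zombie spam: forged sender matches an address-book entry.
ZOMBIE = {"weight": 35,
          "recipients": ["ann@example.com", "bob@example.com", "cy@example.com"]}
# Constructed single-recipient mail from a genuine address-book contact.
LEGIT = {"weight": 22, "recipients": ["ann@example.com"]}

def verdicts(triggers):
    """Return (zombie_whitelisted, legit_whitelisted) for a trigger set."""
    return tuple(whitelist_honoured(m["weight"], m["recipients"], True, triggers)
                 for m in (ZOMBIE, LEGIT))

if __name__ == "__main__":
    print("60/5 trigger:", verdicts(LOOSE))
    print("20/2 trigger:", verdicts(STRICT))
```

With the 60/5 line the multi-recipient spam keeps its whitelist status; with the 20/2 line it loses it, while the single-recipient message is unaffected.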



Dave Beckstrom wrote:
David,

You also need to add a new whitelist tag (whitelistunique?) that only
whitelists the "TO" recipient if it's the only recipient for the email.

This bit about whitelisting all recipients if one is whitelisted is a
problem.



  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David
Barker
Sent: Wednesday, October 25, 2006 1:24 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] RE: Declude's To-Do List

With reference to X-Declude-RefID: it is part of the *Zerohour test doesn't
operate as other tests issue.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy
Schmidt
Sent: Wednesday, October 25, 2006 2:14 PM
To: [email protected]
Subject: [Declude.JunkMail] RE: Declude's To-Do List

Hi,

Thanks for posting! Openness is a great confidence builder! Seeing that
problems are at least being recognized goes a long way to giving me some
small flicker of hope that things at Declude might turn around yet.

Now your corporate management has to prove themselves by demonstrating that
they are finally serious about fulfilling the service contracts we purchased
by not allowing crucial problems to remain open for yet another year. They
cannot keep holding out their hands each year, if the money is not spent on
the intended purpose. Fixing the Auto-Whitelist with a simple MDAC SQL query
against the Imail 2006 Workgroupshare database is no rocket science. It
might take a day - but not a year.

PS:
This is a minor issue and probably doesn't deserve to be on your list - but
I never got a reply on how to suppress the empty and unwanted

	X-Declude-RefID:

header.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David
Barker
Sent: Wednesday, October 25, 2006 10:36 AM
To: [email protected]
Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
Declude allows attachments and Virus to pass through untouched and unscanned

Here is a preliminary list, not all have been verified and several are
currently being worked on: (Note this does not include Declude adds for new
functionality) Email me if you are aware of a known issue that is not on
this list.

*Line Terminator Problem

*Auto whitelist Imail 2006

*Reported Memory Leaks & Decludeproc crash on zero pointers

*Zerohour test doesn't operate as other tests

*Zip vulnerability

*Attach function bug (forward as attachment)

*When there is a MIME header mismatch Declude assumes it is an executable

*Incorrectly filtering Object Data Vulnerability for MSOffice generated
emails

*Attached web pages seen as .com files

*Yahoo CAL emails have header problems which cause improper blocking

*Encoded attachments not correctly detected - long base64

*Prewhitelist is not skipping custom filters

*Whitelisting messages in lower Log levels

*SmarterMail order of Domains listed in xml for aliases

David Barker
Director of Product Development
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin
Cox
Sent: Monday, October 23, 2006 10:35 AM
To: [email protected]
Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
Declude allows attachments and Virus to pass through untouched and unscanned

Thanks, David.  We appreciate your efforts.

Darin.


----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, October 23, 2006 10:26 AM
Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
Declude allows attachments and Virus to pass through untouched and unscanned

I will see what I can do to bring together a list of known issues. Just give
me some time (days) and I will get it posted.

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin
Cox
Sent: Monday, October 23, 2006 10:19 AM
To: [email protected]
Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
Declude allows attachments and Virus to pass through untouched and unscanned

Thanks, David.  We appreciate your input.

Is it feasible to post a list of known issues and/or issues being worked? I
realize that's a lot of disclosure, and would probably increase call volume
significantly, but I also know that would make me feel much more comfortable
of someday being able to exercise our two-year-old unused SA, and upgrade to
4.x.

Thanks again,

Darin.


----- Original Message -----
From: "David Barker" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, October 23, 2006 10:00 AM
Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
Declude allows attachments and Virus to pass through untouched and unscanned

Darin,

Our engineer Dave Franco is looking at a way to rewrite every message to
standardize the format in order to overcome the incorrect line terminator
issue. As there are several other things he is working on I do not have a
definitive release date for this, I am looking at moving around some
additional resources to further expedite a solution.

David Barker
Director of Product Development
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin
Cox
Sent: Monday, October 23, 2006 9:38 AM
To: [email protected]
Subject: Re: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
Declude allows attachments and Virus to pass through untouched and unscanned

David Barker,  Can you tell us the status of this old case?  What progress
has been made on this seemingly critical issue?

Darin.


----- Original Message -----
From: "Michael Thomas - Mathbox" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, October 23, 2006 1:09 AM
Subject: RE: SPAM-WARN: Re: [Declude.JunkMail] RE: On RFC Violation -
Declude allows attachments and Virus to pass through untouched and unscanned

Hi All,

I said in my original email that Declude had been notified of LF only issue.
I just looked back through my email and found the report. It was Declude
case [06D-0BBF1866-F5A3] on Thu, 30 Mar 2006 22:29:58 -0500.

Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)





---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.




