RE: [Declude.JunkMail] SURBL issue
OK, after some digging I found this --09:46:15-- http://www.surbl.org/sc.surbl.org.rbldns => `surbl.rbldns.tmp' Resolving www.surbl.org... done. Connecting to www.surbl.org[66.170.2.60]:80... connected. HTTP request sent, awaiting response... 404 Not Found 09:46:15 ERROR 404: Not Found. After checking the SURBL site I found this under the news section *.rbldns - going away when no traffic, use *.rbldnsd instead In the script find the line set v_url=http://www.surbl.org/sc.surbl.org.rbldns and change it to set v_url=http://www.surbl.org/sc.surbl.org.rbldnsd It now works again. Darrell -Original Message- From: Darrell LaRock [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 08, 2004 9:38 AM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] SURBL issue Scott, What version of the script are you using? I just checked mine and it is giving me the same thing on both of my servers. I have surbl_filter.cmd version 1.1 Tue 09/07/2004 1:23a Update successful [976 entries] Tue 09/07/2004 1:53a Update failed [conversion error] Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, September 07, 2004 5:46 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SURBL issue It's working ok here just tried 2 minutes ago: Tue 09/07/2004 4:41p Update successful [983 entries] If it was a one time only thing, maybe you caught a bad download or there was something bad in the zone. A conversion error implies something wrong here: rem --- Convert line breaks from LF to CRLF (or exit if conversion failed): --- if exist todos.exe todos surbl.rbldns.tmp for /f "tokens=*" %%c in ('findstr /r "$" surbl.rbldns.tmp') do set v_result=ok if not "%v_result%"=="ok" (set v_result=conversion error) & (goto :s_end) Scott Fisher Director of IT Farm Progress Companies >>> [EMAIL PROTECTED] 09/07/04 04:35PM >>> My surbl setup has been running fine up till 1:00 am this morning my setup is: SURBL filter d:\IMail\Declude\surbl\surbl.txt x 20 0 In the log file I now get: Tue 09/07/2004 5:15p Update failed [conversion error] Nothing has changed in my setup and the log file has successful entries for a very long time until now Anyone have any ideas? thank you Harry Vanderzand inTown Internet & Computer Services 11 Belmont Ave. W. Kitchener, ON N2M 1L2 519-741-1222 Did you know we offer: - Province wide dial-up and high speed internet access - Web accessible email with anti-spam\antivirus protection - Computer hardware sales and service - Experienced website developers --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SURBL issue
Scott, What version of the script are you using? I just checked mine and it is giving me the same thing on both of my servers. I have surbl_filter.cmd version 1.1 Tue 09/07/2004 1:23a Update successful [976 entries] Tue 09/07/2004 1:53a Update failed [conversion error] Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Tuesday, September 07, 2004 5:46 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SURBL issue It's working ok here just tried 2 minutes ago: Tue 09/07/2004 4:41p Update successful [983 entries] If it was a one time only thing, maybe you caught a bad download or there was something bad in the zone. A conversion error implies something wrong here: rem --- Convert line breaks from LF to CRLF (or exit if conversion failed): --- if exist todos.exe todos surbl.rbldns.tmp for /f "tokens=*" %%c in ('findstr /r "$" surbl.rbldns.tmp') do set v_result=ok if not "%v_result%"=="ok" (set v_result=conversion error) & (goto :s_end) Scott Fisher Director of IT Farm Progress Companies >>> [EMAIL PROTECTED] 09/07/04 04:35PM >>> My surbl setup has been running fine up till 1:00 am this morning my setup is: SURBL filter d:\IMail\Declude\surbl\surbl.txt x 20 0 In the log file I now get: Tue 09/07/2004 5:15p Update failed [conversion error] Nothing has changed in my setup and the log file has successful entries for a very long time until now Anyone have any ideas? thank you Harry Vanderzand inTown Internet & Computer Services 11 Belmont Ave. W. Kitchener, ON N2M 1L2 519-741-1222 Did you know we offer: - Province wide dial-up and high speed internet access - Web accessible email with anti-spam\antivirus protection - Computer hardware sales and service - Experienced website developers --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] DUL skipping was ISBLANK is blank
Matt, But if you rename the tests to DYN – than how you are configuring non-DUL tests twice? Darrell From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, May 15, 2004 6:42 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank Andy, I think there might be some confusion here. If you change the test names and use the %IP4R%/dnsbl trick, it will always test the first hop regardless of what the Mail From is, unless of course you are whitelisting the sender. You don't have to remove the tests, you just have to rename them. I renamed mine with DYN, that way Declude doesn't see them as matching DUL/DYNA/DUHL and therefore will not skip them when the Mail From matches a local address. The only drawback that I have found with this work around is when you try configuring non-DUL tests twice, once only for the first hop, and once for all hops, in which case the work around will cause some extra lookups, but that's minor, and I'm only aware of a few people besides myself that are doing this. Nothing else appears to be a problem in anyway whatsoever. Matt Andy Schmidt wrote: Then, in either cases, scanning the first hop is a simple matter of changing the test name to eliminate the reserved string of DUL, DYNA or DUHLand using the hack which Matt found. << NO - removing DUL/DYNA/DUHL is NOT an option. Because MUCH of the privateemails originate from some address that is on that list - but only on theFIRST hope. Thus, the DUL/DYNA/DUHL skip tests on the FIRST hop! They can't be omitted - otherwise we'd block most private mail relayedthrough other providers SMTP servers. Best RegardsAndy Schmidt Phone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206 -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Don BrownSent: Saturday, May 15, 2004 04:19 PMTo: MattCc: [EMAIL PROTECTED]Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK is blank This wasn't a bug or a larger issue of Declude trust based upon the 'fromAddress.' There was no choice but to skip DUL/DYNA/DUHL tests (which werethe only ones skipped) when the 'from address' was spoofed as a localaddress. Imail 8 and WHITELIST AUTH help, but they don't solve this issue,either. Imail 8 can still be configured where the Client is NOT required to Auth inorder to send. One example of that is 'Relay for Addresses.' So, if we have IPs on a DUL/DYNA/DUHL list, are using anything but 'No MailRelay' in Imail 8 and we run a DYNA/DUL/DUHL test on the first hop, we willdefinitely tag our own customers. So, the way I see it, running DYNA/DUL/DUHL tests on the first hop of ALLmail, is only safe for those folks who: (1) are sure that none of their IPaddresses are on any DYNA/DUL/DUHL list (and will never be onone) -OR- (2) run Imail 8, have it configured for 'No Mail Relay' and haveWHITELIST AUTH specified in the Declude's Global.cfg. Then, in either cases,scanning the first hop is a simple matter of changing the test name toeliminate the reserved string of DUL, DYNA or DUHL and using the hack whichMatt found. For instance: Change this: NJABL-DUL ip4r dnsbl.njabl.org 127.0.0.3 10 0 To this: NJABL-HOP1 dnsbl %IP4R%.dnsbl.njabl.org 127.0.0.3 10 0 I don't think a switch in Declude is really needed. Thanks, Saturday, May 15, 2004, 10:01:11 AM, Matt <[EMAIL PROTECTED]> wrote:M> Andy, M> It's only been a matter of months since a realistic work around M> wasavailable for most users (using WHITELIST AUTH). To the best of M> myknowledge, I'm the only one of us that has said anything about it M> onthis list (first time in March, but of course I could be wrong). M> LikeI indicated though, there is a way to fix the problem using the M> dnsbltrick, and it works immediately. I would however like to see a M> switchgiven also, but this seems more like a convenience if you M> useDUL/DYNA/DUHL the way that they were meant to be used in the M> firstplace (which I was not), but still, it only means some extra M> lookups. M> Matt M> Andy Schmidt wrote: M> Thanks - ouch.M> M> I'd say that's a bug in design.M> M> Since AUTH is supported in Imail 8 and sinceothers may not allow M> local users to send through their Imail server (myoutbound is going M> through IIS SMTP with SMTP AUTH), there should be ATLEAST a config M> option to turn this "spam me by faking sender" featureoff! M> Best RegardsM> Andy Schmidt M> Phone: +1 201 934-3414 x20(Business)M> Fax: +1 201 934-9206 M> -Original Message-M> M> From:[EMAIL PROTECTED]:Declude.JunkMail-ownerM> @declude.com]M> On Behalf Of MattM> Sent: Saturday, May 15, 2004 01:49 AMM> To:[EMAIL PROTECTED]M> Subject: Re: [Declude.JunkMail] DUL skipping was ISBLANK isblank M> In absentia... M> M> http://www.mail-archive.com/[EMAIL PROTECTED]/msg17162.htmM> l M> This made a lot of sense before, and it was the only way to disable
[Declude.JunkMail] Hotmail Sending Mail From IP's with No Reverse DNS
Has anyone else noticed over the last day or so that some of the hotmail messages are coming from servers without revdns.. This is a snag cause they are failing both revdns and spamdomains.. Any thoughts? Received: from hotmail.com [207.68.164.107] by mail2.gannett-tv.com with ESMTP (SMTPD32-8.05) id A6657F0180; Wed, 21 Apr 2004 18:32:05 -0400 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 21 Apr 2004 15:30:14 -0700 Received: from 134.84.102.157 by sea2-dav3.sea2.hotmail.com with DAV; Wed, 21 Apr 2004 22:30:14 + X-Originating-IP: [134.84.102.157] X-Originating-Email: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] From: "x" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: [POTENTIAL SPAM]Assignment Desk Date: Wed, 21 Apr 2004 17:27:30 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_NextPart_000_0009_01C427C5.ECC21740" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Message-ID: <[EMAIL PROTECTED]> X-OriginalArrivalTime: 21 Apr 2004 22:30:14.0967 (UTC) FILETIME=[377B2C70:01C427F0] X-RBL-Warning: SPAMDOMAINS: Spamdomain 'hotmail.com' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS]. [2-10-5000] X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]" [2-48-18000] X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 207.68.164.107 with no reverse DNS entry. [2-53-1a800] X-Declude-Sender: [EMAIL PROTECTED] [207.68.164.107] X-Declude-Spoolname: Df665007f01804541.SMD X-Declude-Sender: [EMAIL PROTECTED] [12.25.87.100] X-Declude-Spoolname: Df66c3910081cb3c8.SMD X-Spam-Tests-Failed: Whitelisted X-Spam-Weight: 0 X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 377609636 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMCOP
Scott, It's AT&T's DNS servers. I wonder if they are doing something to block those kinds of lookup's. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Thursday, April 01, 2004 11:02 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMCOP >I noticed that several RBL's have not been triggered off one of our backup >mail servers over the last 24 hours. For example SPAMCOP hasn't. I turned >on "DEBUG" mode and noticed that it was reporting this > >04/01/2004 10:56:53.296 Q3bbb215802381bda Test #18 [ORDB] is same as Test >#18 [ORDB=*]. Answer=root.loopback.? >04/01/2004 10:56:53.296 Q3bbb215802381bda Test #19 [SPAMCOP] is same as Test >#19 [SPAMCOP=127.0.0.2]. Answer=root.loopback.? >04/01/2004 10:56:53.296 Q3bbb215802381bda Test #20 [DSBL] is same as Test >#20 [DSBL=*]. Answer=root.loopback.? > >Is this a normal answer? No, that is not a normal answer -- the "Answer=root.loopback.?" indicates that the DNS server is responding, but reporting an answer of "root.loopback" which isn't correct. It sounds like your DNS server is having problems. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SPAMCOP
I noticed that several RBL's have not been triggered off one of our backup mail servers over the last 24 hours. For example SPAMCOP hasn't. I turned on "DEBUG" mode and noticed that it was reporting this 04/01/2004 10:56:53.296 Q3bbb215802381bda Test #18 [ORDB] is same as Test #18 [ORDB=*]. Answer=root.loopback.? 04/01/2004 10:56:53.296 Q3bbb215802381bda Test #19 [SPAMCOP] is same as Test #19 [SPAMCOP=127.0.0.2]. Answer=root.loopback.? 04/01/2004 10:56:53.296 Q3bbb215802381bda Test #20 [DSBL] is same as Test #20 [DSBL=*]. Answer=root.loopback.? Is this a normal answer? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Atriks - Pt.2
How aggressive is SBL compared to SPEWS? I know with SPEWS they list a lot of adjacent net blocks of the spammers... Does SBL employ the same tactics? Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Tuesday, January 06, 2004 6:59 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Atriks - Pt.2 Forgive me for repeating myself on this one, but I'm a proponent of blocking outright on SBL. There's a good reason for spammers to be in their list, and it's not some community project where anyone and everyone makes nominations, so it's practically flawless. Another trick for Green Horse is the following lines in a custom filter somewhere: # Green Horse Corporation (SBL12495) BODY28CONTAINS/img/c.0/ BODY28CONTAINS/img/o.0/ BODY28CONTAINS/img/v.0/ This is just in case they break out into new address space. 28 is my delete weight plus Declude's negative weight tests (because they tend to get added in after custom filters and I use SKIPIFWEIGHT functionality). Matt Fritz Squib wrote: >Amazing, I knew that I saw a lot more spam coming from individual cable/dsl >modems, but I had no idea... > >http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495 > >http://groups.google.com/groups?scoring=d&q=atriks.com+group:*abuse* > >Fritz > >Frederick P. Squib, Jr. >Network Operations/Mail Administrator >Citizens Telephone Company of Kecksburg >http://www.wpa.net > >() ascii ribbon campaign - against html mail >/\- against microsoft attachments > > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: DNS Issue (HELP)
Matt, I think you are right. My guess is that for some reason they dropped the domain out of the root servers for a period of time and the major isps grabed the worldnic servers as being authoratative. Not much we can do, other than wait... Darrell -- Original Message -- From: Matthew Bramble <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Sat, 20 Dec 2003 00:02:14 -0500 >Darrell, > >It looks like your name server records were maybe munged for a period of >time from a root update that is now fixed. Those munged records though >are being cached and they should get a good copy once they expire. This >might explain why all of us seem to be able to resolve your domain, >being that we aren't likely to have it cached being smaller providers, >however the larger providers seem to have bad records for it because >they hit your domain while the data was bad. Just guessing of course. > >If you have some local ISP's which are likely to have chached an earlier >copy of the records, try querying their servers to see what it returns. >I suspect that they will have a bad copy also, at least for a short >period of time. I don't believe there is anything you can do about this >if I am correct. > >Matt > > > >Darrell LaRock wrote: > >>Scott, >> >>On the DNSSTUFF, I used the cached ISP report looking at the NS record. What does >>it mean when an ISP has the name server set to ns92.worldnic.com? Does this mean at >>one time when the domain was looked up it was not resolved from the root servers? >> >>AT&T Worldnet #1NS=ns1.infi.net. [TTL=1d 9h 38m 50s] NS=ns2.infi.net. >>[TTL=1d 9h 38m 50s] >>AT&T Worldnet #2NS=ns1.infi.net. [TTL=1d 4h 18m 50s] NS=ns2.infi.net. >>[TTL=1d 4h 18m 50s] >>AT&T Worldnet #1NS=ns1.infi.net. [TTL=1d 2h 53m 53s] NS=ns2.infi.net. >>[TTL=1d 2h 53m 53s] >>AT&T Worldnet #2NS=ns91.worldnic.com. [TTL=10h 45m 11s] >>NS=ns92.worldnic.com. [TTL=10h 45m 11s] >> >>Taking wild stabs in the dark :) >>Darrell >> >>-- Original Message -- >>From: "R. Scott Perry" <[EMAIL PROTECTED]> >>Reply-To: [EMAIL PROTECTED] >>Date: Fri, 19 Dec 2003 22:56:28 -0500 >> >> >> >>>>However, something is seriously wrong as the major ISP's can't resolve it >>>>(Earthlink, Charter, Some AOL Users, Road Runner). This occured right >>>>after the whois info was updated to the new authoratative servers. >>>> >>>> >>>That's probably the problem. >>> >>>Once the first .com parent server gets the new NS records, it takes up to >>>about 6 hours for all the other .com parent servers to get updated, and >>>another 48 hours before TTL values expire on DNS servers throughout the >>>world. Earthlink, Charter, and some other larger ISPs almost certainly >>>have the old values cached, which will take up to 48 hours to expire after >>>the change. During that time, they will be using the old NS records. >>> >>> -Scott >>> >>> > > >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: DNS Issue (HELP)
Scott, On the DNSSTUFF, I used the cached ISP report looking at the NS record. What does it mean when an ISP has the name server set to ns92.worldnic.com? Does this mean at one time when the domain was looked up it was not resolved from the root servers? AT&T Worldnet #1NS=ns1.infi.net. [TTL=1d 9h 38m 50s] NS=ns2.infi.net. [TTL=1d 9h 38m 50s] AT&T Worldnet #2NS=ns1.infi.net. [TTL=1d 4h 18m 50s] NS=ns2.infi.net. [TTL=1d 4h 18m 50s] AT&T Worldnet #1NS=ns1.infi.net. [TTL=1d 2h 53m 53s] NS=ns2.infi.net. [TTL=1d 2h 53m 53s] AT&T Worldnet #2NS=ns91.worldnic.com. [TTL=10h 45m 11s] NS=ns92.worldnic.com. [TTL=10h 45m 11s] Taking wild stabs in the dark :) Darrell -- Original Message -- From: "R. Scott Perry" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Fri, 19 Dec 2003 22:56:28 -0500 > >>However, something is seriously wrong as the major ISP's can't resolve it >>(Earthlink, Charter, Some AOL Users, Road Runner). This occured right >>after the whois info was updated to the new authoratative servers. > >That's probably the problem. > >Once the first .com parent server gets the new NS records, it takes up to >about 6 hours for all the other .com parent servers to get updated, and >another 48 hours before TTL values expire on DNS servers throughout the >world. Earthlink, Charter, and some other larger ISPs almost certainly >have the old values cached, which will take up to 48 hours to expire after >the change. During that time, they will be using the old NS records. > >-Scott >--- >Declude JunkMail: The advanced anti-spam solution for IMail mailservers. >Declude Virus: Catches known viruses and is the leader in mailserver >vulnerability detection. >Find out what you've been missing: Ask about our free 30-day evaluation. > >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: DNS Issue (HELP)
Scott, We duplicated the zone files between both providers. So all records are identical. If the zone files are the same than all of the timeouts should not matter. Check this out 1.) Do a direct query against ns1.loudcloud.com for wltx.com - Returns 66.54.32.202. 2.) Do a direct query against ns1.infi.net for wltx.com - Returns 66.54.32.202. 3.) Do a direct query against ns1.mindspring.net or ns2. or ns3 and the query will in general 9 out of 10 times timeout. We can also duplicate this behavior on Charter and Road Runner. I can't even come up with a possible explanation... The zone files are the same Thanks Darrell -- Original Message -- From: "R. Scott Perry" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Fri, 19 Dec 2003 22:56:28 -0500 > >>However, something is seriously wrong as the major ISP's can't resolve it >>(Earthlink, Charter, Some AOL Users, Road Runner). This occured right >>after the whois info was updated to the new authoratative servers. > >That's probably the problem. > >Once the first .com parent server gets the new NS records, it takes up to >about 6 hours for all the other .com parent servers to get updated, and >another 48 hours before TTL values expire on DNS servers throughout the >world. Earthlink, Charter, and some other larger ISPs almost certainly >have the old values cached, which will take up to 48 hours to expire after >the change. During that time, they will be using the old NS records. > >-Scott >--- >Declude JunkMail: The advanced anti-spam solution for IMail mailservers. >Declude Virus: Catches known viruses and is the leader in mailserver >vulnerability detection. >Find out what you've been missing: Ask about our free 30-day evaluation. > >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: DNS Issue (HELP)
Andrew, One question that I have is the TTL stuff shouldnt matter since the zone files that were moved over are the same. All we are doing is switching DNS providers right now. Darrell -- Original Message -- From: "Colbeck, Andrew" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Fri, 19 Dec 2003 18:45:00 -0800 >I'd say that the domain is fine at its new home; the question is what was >the TTL on the domain before it was moved? > >I would go very little out on a limb and say that the folks with trouble to >wltx.com were cacheing the DNS for longer than the TTL on the domain, or it >was really high before the change, and they're respecting that. > >If you didn't already know it, this site, courtesy of declude.com, is a >wonderful resource: > >http://www.dnsreport.com/ > >Andrew 8) > >-Original Message- >From: Darrell LaRock [mailto:[EMAIL PROTECTED] >Sent: Friday, December 19, 2003 5:59 PM >To: [EMAIL PROTECTED] >Subject: [Declude.JunkMail] OT: DNS Issue (HELP) > > >This is off topic, but I need some help in a bad way to figure out a DNS >problem I am having that is preventing one of our sites from receiving mail >and thier web site from loading. > >We recently (this week) switched the name servers from our current provider >to another provider. The zone files are duplicate between providers. > >However, something is seriously wrong as the major ISP's can't resolve it >(Earthlink, Charter, Some AOL Users, Road Runner). This occured right after >the whois info was updated to the new authoratative servers. > >Now the crazy thing is I can resolve the site using the auth. servers, but >not off one of Earthlink's or charters. > >The site is "wltx.com". > >Can you resolve it? > >How can I verify that the site did not fall out of the root servers? Anyone >else have any input? > >Darrell >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: DNS Issue (HELP)
I am absolutly baffled. Eathlink Dial-up - Does not work Charter Cable Connection - Does not work AT&T T1 using local bind server - Works Roadrunner Cable - Does not work AOL - Intermittent. Several users who replied - Works Darrell -- Original Message -- From: Scott Winberg <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Fri, 19 Dec 2003 19:13:55 -0700 >Hello Darrell, > >Working from here. Denver, CO area. > > >Scott > >Friday, December 19, 2003, 6:59:06 PM, you wrote: > >Darrell> This is off topic, but I need some help in a bad way to figure out a DNS >problem I am having that is preventing one of our sites from receiving mail and thier >web site from loading. > >Darrell> We recently (this week) switched the name servers from our current provider >to another provider. The zone files are duplicate between providers. > >Darrell> However, something is seriously wrong as the major ISP's can't resolve it >(Earthlink, Charter, Some AOL Users, Road Runner). This occured right after the >whois info was updated to the new >Darrell> authoratative servers. > >Darrell> Now the crazy thing is I can resolve the site using the auth. servers, but >not off one of Earthlink's or charters. > >Darrell> The site is "wltx.com". > >Darrell> Can you resolve it? > >Darrell> How can I verify that the site did not fall out of the root servers? Anyone >else have any input? > >Darrell> Darrell >Darrell> --- >Darrell> [This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >Darrell> --- >Darrell> This E-mail came from the Declude.JunkMail mailing list. To >Darrell> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >Darrell> type "unsubscribe Declude.JunkMail". The archives can be found >Darrell> at http://www.mail-archive.com. > > > >-- > > Scottmailto:[EMAIL PROTECTED] > >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OT: DNS Issue (HELP)
This is off topic, but I need some help in a bad way to figure out a DNS problem I am having that is preventing one of our sites from receiving mail and thier web site from loading. We recently (this week) switched the name servers from our current provider to another provider. The zone files are duplicate between providers. However, something is seriously wrong as the major ISP's can't resolve it (Earthlink, Charter, Some AOL Users, Road Runner). This occured right after the whois info was updated to the new authoratative servers. Now the crazy thing is I can resolve the site using the auth. servers, but not off one of Earthlink's or charters. The site is "wltx.com". Can you resolve it? How can I verify that the site did not fall out of the root servers? Anyone else have any input? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] November 2003 Spam Statistics
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, December 05, 2003 2:18 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics our gateway now handles all incoming mail and there is no spam coming into our mail servers to test. The new test platforms will allow us to move some domains So are you saying your product when used as a gateway is 100% effective at removing spam? Nothing slips through Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Filter Entry Not Being Triggered
BODY5 CONTAINS href="http Should there by any reason why the above filter entry wouldn't be triggered on an email that contains that string in the html source? What am I doing wrong? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SPAM DOMAINS
We have a listing in our spam domains file mac.com apple.com this line seems to be tripping off on the following X-RBL-Warning: SPAMDOMAINS: Spamdomain 'mac.com' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS]. How do I prevent the "mac.com" spam domain entry from picking up on for example freediemac.com? Thanks Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Filter question On Short Keywords
We make extensive use of filters based on keywords. With short keywords like like S_e_x we sometimes run into problems with keyword being triggered based on base64 encoding of an attachment. Example: 10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER on sex [weight->2; SExQlAnjsABzk My Questions: 1.) Is it possible to have a test created that detects attachments? 2.) Is there some kind of general text that is inserted into the headers or body that indicates that an attachment is present? Thanks Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Filters And Attachments
Darrell LaRock Systems Analyst Gannett Television 716-849-2272 Hod do most folks deal with word filters being triggered on attachments. See below for example? 10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER on sex [weight->2; SExQlAnjsABzk Is there something that is put in the body of a message that indicates there is an attachment so that potentially reverse weight can be applied? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Starting Declude to Force a Queue Run
Scott, I am going to stop the smtp service so no mail will be coming in. Essentially, at that point I need to clear out that overflow queue.. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, August 20, 2003 2:40 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Starting Declude to Force a Queue Run >I have a backup mail server that is a bit under-speed of our primary mail >server. Right now the backup mail server is being pounded with SoBig >which has forced the box to 100% cpu and the queue is growing slowly. > > > >I am going to stop the smtp service in imail on this backup server while I >swap a faster server into its place. How can I manually force declude to >start processing the messages in the overflow directory once I stop the >smtp service.. Declude will automatically start processing E-mails from the overflow directory as soon as the next E-mail arrives. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Starting Declude to Force a Queue Run
Title: RE: [Declude.JunkMail] Alligate Scott, I have a backup mail server that is a bit under-speed of our primary mail server. Right now the backup mail server is being pounded with SoBig which has forced the box to 100% cpu and the queue is growing slowly. I am going to stop the smtp service in imail on this backup server while I swap a faster server into its place. How can I manually force declude to start processing the messages in the overflow directory once I stop the smtp service.. Darrell -Original Message- From: Keith Johnson [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson Sent: Wednesday, August 20, 2003 10:02 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Alligate John, We have it as a Declude only test Keith -Original Message- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Wed 8/20/2003 1:05 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [Declude.JunkMail] Alligate Do you mean as a Declude ONLY test? John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com > -Original Message- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Keith Johnson > Sent: Tuesday, August 19, 2003 7:18 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Alligate > > Does anyone have any configs they are willing to share that they are using in > production for Alligate with Declude? Thanks for the aid. > > Keith > Nyuujjrx吖Nrzujryjʞmrxjqy• <>
RE: [Declude.JunkMail] Redux: Test Like SPAMDOMAINS But Subtracts Points Instead of Adding
We use the following... REVDNS -10 ENDSWITH .thisdomain.com Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser Sent: Tuesday, August 05, 2003 4:16 PM To: Declude JunkMail Subject: [Declude.JunkMail] Redux: Test Like SPAMDOMAINS But Subtracts Points Instead of Adding Hello, All, I had posted this message a couple of weeks ago and didn't hear anything so I thought I'd give it another shot. Is there anyway that the SPAMDOMAINS test can be setup so that if a message "passes" the SPAMDOMAINS test then points are "subtracted" from the total weight? I think of this as the opposite of points being "added" to the total weight if a message "fails" the SPAMDOMAINS test but my thinking might be wrong. Thanks In Advance, Dan Geiser [EMAIL PROTECTED] - Original Message - From: "Dan Geiser" <[EMAIL PROTECTED]> To: "Declude JunkMail" <[EMAIL PROTECTED]> Sent: Tuesday, July 22, 2003 7:41 PM Subject: [Declude.JunkMail] Test Like SPAMDOMAINS But Subtracts Points Instead of Adding > Hello, All, > I don't know if this would require a separate test or of there is some way > you can twist SPAMDOMAINS to have the desired result... > > But as SPAMDOMAINS can be configured to add points on to the weight of a > message if the message fails the test I would also like to be able to have a > test which subtracts points from the total weight if the Reverse DNS of the > IP address matches the Sender's domain name. Does that make sense? If so, > does anyone know how to implement this? > > Thanks In Advance, > Dan Geiser <[EMAIL PROTECTED]> > > > This E-mail is scanned and free from viruses. www.nexustechgroup.com > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > This E-mail is scanned and free from viruses. www.nexustechgroup.com > > This E-mail is scanned and free from viruses. www.nexustechgroup.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] dlanalyzer reporting system
Their has been an overwhelming request for this much more than I have anticipated. I am setting up a webpage for this. I have to get the documentation together, because there are a lot of options that need to be documented so that you will actually be able to use. I am hoping I will have everything together before the weekends over. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Parks Sent: Friday, August 01, 2003 12:30 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Report System It's become blatantly apparent that there is a VERY STRONG NEED for an application such as this. Are the Declude people listening? Terry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of i360 Support Sent: Friday, August 01, 2003 9:14 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Report System Please add me too. Would like to see it. Thanks Heimir - Original Message - From: "James James" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, August 01, 2003 10:53 AM Subject: Re: [Declude.JunkMail] Report System > I hate filling the list with another of these, but I would like a copy to. > This sounds like the utility I've always wanted but could never find. > > Thanks > James James > Help Desk/Systems Administration > Lile International > > - Original Message - > From: "Dave Jordan" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Friday, August 01, 2003 8:44 AM > Subject: Re: [Declude.JunkMail] Report System > > > > Hey, Don't leave me out! It looks like it's just what the Dr. ordered. > > > > Dave Jordan > > > > - Original Message - > > From: "GlobalWeb.net Webmaster" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Friday, August 01, 2003 11:23 AM > > Subject: RE: [Declude.JunkMail] Report System > > > > > > > Add me to the list too - a donation will be in order... > > > > > > > > > Sincerely, > > > > > > Randy Armbrecht > > > Global Web SolutionsR, Inc. > > > 804-346-5300 ext. 1 > > > 877-800-GLOBAL (4562) ext. 1 > > > http://globalweb.net > > > > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Shayne Embry > > > Sent: Friday, August 01, 2003 11:07 AM > > > To: [EMAIL PROTECTED] > > > Subject: RE: [Declude.JunkMail] Report System > > > > > > > > > Darrel, > > > > > > Maybe you should start charging for it. As long as you're not...please > > > include me. (Actually, I'd consider a donation if it works as well as > > > you claim.) > > > > > > Thanks, > > > Shayne Embry > > > [EMAIL PROTECTED] > > > > > > > > > > > > > -Original Message- > > > > From: [EMAIL PROTECTED] > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Brooks > > > > Sent: Friday, August 01, 2003 9:48 AM > > > > To: [EMAIL PROTECTED] > > > > Subject: RE: [Declude.JunkMail] Report System > > > > > > > > > > > > add me, also > > > > > > > > At 12:17 PM 8/1/2003 +0200, you wrote: > > > > >Hi Darrel, > > > > > > > > > >Please add me to your list, I'd love to try it out > > > > > > > > > >Best regards > > > > >Lachezar > > > > >[EMAIL PROTECTED] > > > > > > > > > >-Original Message- > > > > >From: [EMAIL PROTECTED] > > > > >[mailto:[EMAIL PROTECTED] Behalf Of VanTech.Net > > > > >Sent: Thursday, July 31, 2003 11:40 PM > > > > >To: [EMAIL PROTECTED] > > > > >Subject: RE: [Declude.JunkMail] Report System > > > > > > > > > > > > > > >Darrel, > > > > > > > > > >I would be interested in trying it out. I like Delog, but I > > > > would like > > > > >to have some format options such as .html. > > > > > > > > > >Thank you, > > > > >Aaron Caviglia > > > > >[EMAIL PROTECTED] > > > > > > > > > > > > > > >-Original Message- > > > > >From: [EMAIL PROTECTED] > > > > >[mailto:[EMAIL PROTECTED] On Behalf Of > > > > Darrell LaRock > > > >
RE: [Declude.JunkMail] Report System
Terry, I used delog for awhile, but I needed several other features that did not come with delog. So I developed an application that had all of the features that I needed. Below is a sample report that I generated(tab format). The reports can be in tab, csv, or html format and you have the ability to email them as well. There are many other things that dlanalyzer can report on. You can get reports on domains, users, tests, and different reporting periods. The combinations are endless. Right now I am finishing up database support and a few other miscellaneous features I wanted to add in.. If you would like to try it out let me know and I will make it available.. Darrell Start Time: 6/1/2003 12:00:00 AM End Time: 6/2/2003 12:00:00 AM Total Messages: 25935 Messages That Failed: 18252 Spam Percentage: 70.38% TEST# FAILEDPercentage BADHEADERS 373514.40% BASE64 12034.64% BLACKLIST 13255.11% COMMENTS668 2.58% DECREASEIPWGHT 40 0.15% DECREASEWEIGHT 557 2.15% DECREASEWEIGHTLOW 313 1.21% DSBL380714.68% DSN 12154.68% EASYNET-DNSBL 741828.60% FXBLACKLIST 25749.92% HELOBOGUS 477618.42% HEUR10 289911.18% IPBLACKLIST 5 0.02% MAILFROM385 1.48% NJABL 408 1.57% NOABUSE 334112.88% NONENGLISH 214 0.83% NOPOSTMASTER402015.50% OLDEMPLOYEE 29 0.11% ORDB261 1.01% OSDUL 113 0.44% OSLIST 2 0.01% OSRELAY 343 1.32% OSSOFT 326512.59% OSSRC 330812.75% POSTMASTER 12 0.05% REVDNS 423116.31% ROUTING 14875.73% SNIFFER 328512.67% SNIFFERAV 12 0.05% SNIFFERCASINO 159 0.61% SNIFFERDEBT 815 3.14% SNIFFEREXP 269 1.04% SNIFFERGETRICH 630 2.43% SNIFFERGREY 421 1.62% SNIFFERINK 196 0.76% SNIFFERINSURAN 58 0.22% SNIFFEROBFUS350 1.35% SNIFFERPHARM17276.66% SNIFFERPORN 16306.28% SNIFFERSCAM 1 0.00% SNIFFERSPAMWAR 127 0.49% SNIFFERTHEFT138 0.53% SNIFFERTRAVEL 438 1.69% SPAMCOP 417216.09% SPAMHEADERS 416016.04% WEIGHT1010482 40.42% WEIGHT5 769 2.97% WORDFILTER 782630.18% -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Parks Sent: Thursday, July 31, 2003 2:26 PM To: Declude. JunkMail Subject: [Declude.JunkMail] Report System While it's quiet I'd like to know which system is best at reporting status of the email system in terms of most messages sent from/delivered to address, etc. I need a good summary reporting system that will email me these results. I've tried delog but the email feature doesn't work. Terry --- [This E-mail scanned for viruses by Surfside Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Kodak picture CD and Spam Domains
Kami, Great idea!!! This is much better then using contains on the header (since header forging is easy). Darrell -- Original Message -- From: "Kami Razvan" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Mon, 23 Jun 2003 18:15:06 -0400 >Hi; > >Do you know what the REVDNS is? We are finding good results for adding >negative weight to domains that are like this. We simply have a negative >REVDNS list. > >REVDNS -20 CONTAINS .yahoo.com >REVDNS -20 CONTAINS .aol.com > >The above are two entries in our list. > >Regards, >Kami > >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock >Sent: Monday, June 23, 2003 5:55 PM >To: [EMAIL PROTECTED] >Subject: [Declude.JunkMail] Kodak picture CD and Spam Domains > > >I have been seeing a lot of mail failing the spam domains test with kodak's >picture cd. It allows users to use their own email address when sending >pictures, but it comes from Kodak's servers. > >Is their any other way around this? Right now I setup a filter to subtract >the spam domains weight if picturecd.kodak.com is found in the headers. > >Also, not to mention their mail fails the BADHEADERS test for a bogus time >zone. > >Darrell > >> **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF >> YOU FEEL THIS MESSAGE IS IN ERROR** >> Received: from picturecd2.kodak.com [192.232.121.246] by >mail1.gannett-tv.com with ESMTP >> (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400 >> Received: from picturecd.kodak.com >(dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71]) >> by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484 >> for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT) >> Message-Id: <[EMAIL PROTECTED]> >> From: [EMAIL PROTECTED] >> To: [EMAIL PROTECTED] >> Subject: clouds 2nd try >> Date: 22 Jun 2003 21:42:44 Mountain Standard Time >> Content_Description: >> Content_Description: >> Content_Description: >> MIME-Version: 1.0 >> Content-Type: multipart/mixed; boundary=3_boundary > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, >just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe >Declude.JunkMail". The archives can be found at >http://www.mail-archive.com. > >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Kodak picture CD and Spam Domains
I have been seeing a lot of mail failing the spam domains test with kodak's picture cd. It allows users to use their own email address when sending pictures, but it comes from Kodak's servers. Is their any other way around this? Right now I setup a filter to subtract the spam domains weight if picturecd.kodak.com is found in the headers. Also, not to mention their mail fails the BADHEADERS test for a bogus time zone. Darrell > **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF > YOU FEEL THIS MESSAGE IS IN ERROR** > Received: from picturecd2.kodak.com [192.232.121.246] by mail1.gannett-tv.com with ESMTP > (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400 > Received: from picturecd.kodak.com (dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71]) > by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484 > for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT) > Message-Id: <[EMAIL PROTECTED]> > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > Subject: clouds 2nd try > Date: 22 Jun 2003 21:42:44 Mountain Standard Time > Content_Description: > Content_Description: > Content_Description: > MIME-Version: 1.0 > Content-Type: multipart/mixed; boundary=3_boundary --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients
Scott, Looks like it fixed it. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Thursday, June 12, 2003 10:25 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients >The config files were sent to your [EMAIL PROTECTED] account. Wow, this was a tricky one. It turns out that there was a problem where the first line of a fromfile blacklist might not work properly if multiple fromfile blacklists were used. There is an interim release v1.70i11 at http://www.declude.com/release/170i/declude.exe that fixes this issue. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients
The config files were sent to your [EMAIL PROTECTED] account. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Thursday, June 12, 2003 9:28 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients >However, while going through the logs with debug on, I noticed other >fromfilters not triggering with valid addresses. In this case there is a >"reverseweightlow" fromfilter that has the @aol.com address in the file. >The sender is from @aol.com but there was no match form the filter. Isn't that the same user and same test that was having the problem before (when there were lots of recipients)? Could you E-mail me your \IMail\Declude\global.cfg file and the file used with the reverseweightlow test, so I can try to reproduce the problem here? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients
Scott, I will attempt to reproduce the original problem with the large amount of recipients with debug on. However, while going through the logs with debug on, I noticed other fromfilters not triggering with valid addresses. In this case there is a "reverseweightlow" fromfilter that has the @aol.com address in the file. The sender is from @aol.com but there was no match form the filter. Here is a snippet of the log in the attached text file. Darrell Darrell LaRock Systems Analyst Gannett Television 716-849-2272 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, June 11, 2003 2:58 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients >I have a from filter that contains email addresses. When this filter is >triggered it will "routeto" another email address. > >When I test this with one recipient it works. However, I am having an issue >when mail that comes in that has many recipients (>30+) the email addresses >from the filter is not being detected. > >I am using version 1.70 of declude. Scott I am emailing directly to you >snippets of the log and config files for a gander. Would there be any chance of trying to reproduce this with the debug mode on ("LOGLEVEL DEBUG" in the \IMail\Declude\global.cfg file temporarily)? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. filterlog.zip Description: Zip compressed data
RE: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients
Scott, Not to convolute this issue, but I just noticed another fromfilter that is not getting triggered 100% of the time. This is a snippet from the debug output. In the fromfilter has the @aol.com address so the reverseweightlow filter should have been triggered. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock Sent: Wednesday, June 11, 2003 1:33 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients I have a from filter that contains email addresses. When this filter is triggered it will "routeto" another email address. When I test this with one recipient it works. However, I am having an issue when mail that comes in that has many recipients (>30+) the email addresses from the filter is not being detected. I am using version 1.70 of declude. Scott I am emailing directly to you snippets of the log and config files for a gander. Darrell LaRock --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Setting DNS server to IMail's 12.25.87.98. 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Declude JunkMail Pro Version Registered 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Start 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Locked e:\imail\spool\Q870eb6a801ceed64.SMD. 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Getting message envelope 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Copyall=no_copyall_account. 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Qe:\imail\spool\D870eb6a801ceed64.SMD 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Hmail1.gannett-tv.com 06/11/2003 15:46:23.140 Q870eb6a801ceed64 We:\imail 06/11/2003 15:46:23.140 Q870eb6a801ceed64 E0, 06/11/2003 15:46:23.140 Q870eb6a801ceed64 S<[EMAIL PROTECTED]> 06/11/2003 15:46:23.140 Q870eb6a801ceed64 NRCPT To:<[EMAIL PROTECTED]> 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Recip: NRCPT To:<[EMAIL PROTECTED]> 06/11/2003 15:46:23.140 Q870eb6a801ceed64 R<[EMAIL PROTECTED]> 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Recip: R<[EMAIL PROTECTED]> 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Setting altaddr 0 to [EMAIL PROTECTED] [EMAIL PROTECTED] 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Setting reciphost to wkyc.com 06/11/2003 15:46:23.140 Q870eb6a801ceed64 06/11/2003 15:46:23.140 Q870eb6a801ceed64 nRecips: 1 (1 total) 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Recip 0: [EMAIL PROTECTED] = [EMAIL PROTECTED] 06/11/2003 15:46:23.140 Q870eb6a801ceed64 Starting locality check (sender=aol.com; nr=1 ca=off). 06/11/2003 15:46:23.140 Q870eb6a801ceed64 CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains 06/11/2003 15:46:23.140 Q870eb6a801ceed64 [EMAIL PROTECTED] [0] is local domain1 06/11/2003 15:46:23.140 Q870eb6a801ceed64 [EMAIL PROTECTED] [0] is local main domain 06/11/2003 15:46:23.156 Q870eb6a801ceed64 Done getting message envelope 15 i=4 06/11/2003 15:46:23.156 Q870eb6a801ceed64 Getting headers 06/11/2003 15:46:23.156 Q870eb6a801ceed64 Done getting envelope and headers 06/11/2003 15:46:23.156 Q870eb6a801ceed64 Ver=30 verflag=0 06/11/2003 15:46:23.156 Q870eb6a801ceed64 About to run spam tests 06/11/2003 15:46:23.156 Q870eb6a801ceed64 fromfile: Starting BLACKLIST 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with BLACKLIST [448 lines processed] 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting FXBLACKLIST 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with FXBLACKLIST [851 lines processed] 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting WUSAOFFENSIVE 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with WUSAOFFENSIVE [9 lines processed] 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting DECREASEWEIGHT 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with DECREASEWEIGHT [73 lines processed] 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting DECREASEWEIGHTLOW 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with DECREASEWEIGHTLOW [5 lines processed] 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Starting DECREASEWEIGHTHIGH 06/11/2003 15:46:23.171 Q870eb6a801ceed64 fromfile: Done with DECREASEWEIGHTHIGH [7 lines processed] 06/11/2003 15:46:23.171 Q870eb6a801ceed64 Going through datafile 06/11/2003 15:46:23.171 Q870eb6a801ceed64 LOOKING FOR IP: Received: from imo-d05.mx.aol.com [205.1 06/11/2003 15:46:23.171 Q870eb6a801ceed64 Setting [IPTEXT] to 205.188.157.37 06/11/2003 15:46:23.171 Q870eb6a801ceed64 iptext now=205.188.157.37 06/11/2003 15:46:23.171 Q870eb6a801ceed64 Testing IP 205.188.157.37 06/11/2003 15:46:23.171 Q870eb6a801ceed64 Handling Received: header 06/11/2003 15:46:23.171 Q870e
[Declude.JunkMail] From File Filter Not Being Triggered With Messages That Have Many Recipients
I have a from filter that contains email addresses. When this filter is triggered it will "routeto" another email address. When I test this with one recipient it works. However, I am having an issue when mail that comes in that has many recipients (>30+) the email addresses from the filter is not being detected. I am using version 1.70 of declude. Scott I am emailing directly to you snippets of the log and config files for a gander. Darrell LaRock --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] DSN:Let it all through
You would use the "whitelist to" command in the global config file. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Link Brokers Support Sent: Tuesday, June 10, 2003 2:19 PM To: Declude Junk Mail Subject: [Declude.JunkMail] DSN:Let it all through Question. I have a customer who just insists on wanting all junk mail. How do I set up a single email so anything coming to that address passes all test. Including test that I have set to delete, such as Spam db's I have set to delete. Kevin Shimwell Link Brokers Group, LLC ( Support ) 401 Ist Ave. North North Myrtle Beach, SC 29582 Phone: 843-663-1004 Fax: 843-663-1007 Email: [EMAIL PROTECTED] 24/7 Support http://www.linkbrokers.com/support_ticket.cfm Support M-F 1-888-546-5631 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] whitelist and mult rcpt
Karen, This is something that I brought up on the list awhile back with how to avoid this. As we were getting hammered with spam getting to the end user cause they were tagging the whitelisted postmaster account to it. We do not whitelist the postmaster account, instead you setup a "filter" test that contains an "allrecips" for the postmasters email address and assign this test a really high negative value to prevent the message from being bounced. Then you set the action up for the test as a "routeto" back to the postmasters account. What this does is the following [1] Allows all messages regardless of how many spam tests they fail to always be routed to the postmaster [2] If the message contains a user account other than the postmaster the mail will be delivered to the user if the message is under your spam threshold and if it is over your spam threshold whatever action you have specified will then be enacted on that message. Darrell Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karen Oland Sent: Thursday, May 29, 2003 12:57 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] whitelist and mult rcpt We've been getting a lot of spam in the last week or so that bypasses all our spam filters -- they are all copied to the postmaster@ account for our domain. Apparently, they are taking advantage of the common practice of whitelisting the postmaster and the inability of spam filtering programs to separate actions on messages sent to multiple users. No doubt, it won't be long before most messages do the same, rendering both your postmaster account and spam filters useless. I know it has been asked for before and said to be "impossible" (programmer speak, for don't want to do it -- I know, being one), but PLEASE consider creating multiple copies of messages that arrive for multiple recipients, so that the spam filters can operate (yes, this means some complications, but a little trickery could reduce problems -- for example, only making a copy for the recipient(s) that are whitelisted). --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] DNS Redundancy
In regards to Declude does it use the second DNS IP address specified in IMAIL if the first is not available. Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] IPNOTINMX
Scott, My expected behavior would be that this piece of mail *SHOULD* have had -3 subtracted from it. This is the behavior that I am shooting for. Now you asked >>So, I would need to ask, why do you think that the weight of 3 was not >>subtracted from the total weight of the E-mail? The log files for Declude show that it wasn't subtracted 03/31/2003 18:24:33 Qce102a4f0086c057 BASE64:5 SNIFFER:8 . Total weight = 13 03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed BASE64 (A binary encoded text or HTML section was found in this E-mail.). Action=WARN. 03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=COPYTO. 03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13 reaches or exceeds the limit of 10.). Action=BOUNCE. 03/31/2003 18:24:33 Qce102a4f0086c057 Subject: FW: Wildfire practice 03/31/2003 18:24:33 Qce102a4f0086c057 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 63.136.220.30 ID: Amy I missing something? Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, April 02, 2003 9:56 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] IPNOTINMX >Why didn't negative weight get added for this piece of mail I received >from the IPNOTINMX Test. The E-mail definitely should not fail the IPNOTINMX test, as the IP it came from is in the MX record for the domain in the return address. The log file snippet confirms that the E-mail did not fail the IPNOTINMX test. So the question is whether or not the negative weight was used. >Global.cfg >IPNOTINMX ipnotinmx x x 0 -3 Given this, the E-mail should have had a weight of 3 subtracted from its total weight, since it did not fail the IPNOTINMX test. So, I would need to ask, why do you think that the weight of 3 was not subtracted from the total weight of the E-mail? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] IPNOTINMX
Are you sure about that? 03/31/2003 18:24:22 Qce246c0a00a00dbb WORDFILTER:4 nIPNOTINMX:-3 . Total weight = 1 03/31/2003 18:24:22 Qce246c0a00a00dbb L1 Message OK It seems to get triggered for other pieces of mail. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Childers Sent: Wednesday, April 02, 2003 9:26 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] IPNOTINMX > Why didn't negative weight get added for this piece of mail I > received from the IPNOTINMX Test. > > Global.cfg > IPNOTINMX ipnotinmx x x 0 -3 > > Default.junkmail file > IPNOTINMX IGNORE Because you set the action to "IGNORE". Change it to "WARN" and it should work. :) ~Patrick --- [This E-mail scanned for viruses by Declude/McAfee] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] IPNOTINMX
Why didn't negative weight get added for this piece of mail I received from the IPNOTINMX Test. Global.cfg IPNOTINMX ipnotinmx x x 0 -3 Default.junkmail file IPNOTINMX IGNORE DNS Lookup > set q=mx > netaff.com. Server: wgrz-lclci01.us.ad.gannett.com Address: 10.4.41.134 netaff.com MX preference = 20, mail exchanger = mail.crosspoint.com netaff.com MX preference = 10, mail exchanger = mail.netaff.com netaff.com nameserver = ns2.crosspoint.com netaff.com nameserver = ns1.crosspoint.com mail.netaff.com internet address = 63.136.220.30 mail.crosspoint.com internet address = 63.136.220.20 ns1.crosspoint.com internet address = 63.136.220.20 ns2.crosspoint.com internet address = 63.136.220.30 Received: from mail.netaff.com [63.136.220.30] by mail1.gannett-tv.com with ESMTP (SMTPD32-7.12) id AE102A4F0086; Mon, 31 Mar 2003 18:24:00 -0500 Received: by mail.netaff.com with MailBeamer v3.32 ; Mon, 31 Mar 2003 16:23:58 -0700 From: Tammy Kehe <[EMAIL PROTECTED]> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> Subject: FW: Wildfire practice Date: Mon, 31 Mar 2003 16:23:00 -0700 X-Mailer: MailBeamer v3.32 Message-ID: <[EMAIL PROTECTED]> X-Priority: 3 Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="_NextPart_0_vIFomJIuuVmGbDWQZXMDQyuCaiU" Dce102a4f0086c057.SMD 03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed BASE64 (A binary encoded text or HTML section was found in this E-mail.). Action=WARN. 03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=WARN. 03/31/2003 18:24:33 Qce102a4f0086c057 Msg failed WEIGHT10 (Weight of 13 reaches or exceeds the limit of 10.). Action=BOUNCE. 03/31/2003 18:24:33 Qce102a4f0086c057 Subject: FW: Wildfire practice 03/31/2003 18:24:33 Qce102a4f0086c057 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 63.136.220.30 ID: --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Year 2020
I have seen random date changes when the battery that powers the RTC (Real Time Clock) on the MB goes bad.. However, I have only seen this in really old computers. Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karl Hentschel Sent: Thursday, March 27, 2003 11:46 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Year 2020 I don't know if this is the right place for this question, but I'm looking for some feedback. The date has randomly changed to the year 2020 on our mail server. This has happened twice now. Has anybody ever heard of this happening before and what might cause it? --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] IMail v8.0 and Declude Jinkmail??
Scott, A couple of notes... 1.) We started with IMail Antivirus and next week it looks like we will be adding another imail server purchasing Declude AntiVirus for it and another license for our existing server. My main problem is that to continue to run Imail AV it costs about $6,500 for a 1 year subscription(unlimited users). To me that price is ridiculous. Also, it lacks many features like suppress virus notifications for certain viruses and the ability to block certain file attachments. 2.) Potentially is it possible for Imail to ween the ability for your add on products to work. I'll hang up now and listen. (man, I have been listening way to much to sports radio.) Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Thursday, March 27, 2003 9:55 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] IMail v8.0 and Declude Jinkmail?? >Have you tested IMail v8.0 yet with Declude? No -- as far as I know, the beta testing hasn't begun yet (although Ipswitch does have it running on their own mailservers now). >It has built-in anti-spam functionality from what I hear. >Is this going to have an adverse effect on your product. Well, "hear" is the key word here. Does "hear" mean "full featured anti-spam product bundled with IMail at no cost", "very basic anti-spam functionality at high cost", etc? Right now, I'm looking at a box for IMail v6.0 that has a quote on the side "Stopped the spam dead cold." :) A year and a half ago, Ipswitch came out with IMail AntiVirus, and Declude has fared quite well. We even have some people who pay for a year with IMail AntiVirus, and switch to Declude before their year is up, because of problems where the mail delivery stops occasionally. As you know, that isn't an issue with Declude -- mail delivery won't stop with Declude. For mission critical mailservers, that's a big issue. Also, it's important to remember that (aside from filtering/rules) Ipswitch doesn't have much anti-spam experience. We started selling anti-spam software over 5 years ago. It takes a lot of time to develop anti-spam software that works well. For example, does the DNS engine that Ipswitch uses with IMail handle TXT records? If you are correct that v8 will have built-in anti-spam functionality, it most likely won't be very full featured (if they aren't going to be making money off of it, it may end up like the built-in mailing list functionality), so people will still need Declude JunkMail, whether or not they upgrade to v8. If it is a separate add-on, it is likely that it will be similar to the situation now with AV software (a product with fewer features at a high cost). In any case, we've been through this before, and can do it again. :) -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] What does this mean: internet.e-mail
Title: Message Kami, I seen several messages today that had that listed right at the top of the message source., Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Wednesday, March 26, 2003 12:16 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] What does this mean: internet.e-mail Hi; We have a watch words file that if with an entry in the default file - simply to know if these words appear and how often. One such entry in the spam emails is: more importantly the last part: http://internet.e-mail Does anyone know if this is an output generated by a special software -- I hardly see this in any other emails. So far 100% of all the emails reported with this entry are spam. Regards, Kami
RE: [Declude.JunkMail] Question On behavior
John, You are absolutely right on this should be implemented instead of whitelisting the postmaster or abuse account. This week I can't tell you how many messages got through because "postmaster@" was listed as a recipient. That shouldn't happen anymore... Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff Sent: Wednesday, March 26, 2003 11:24 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Question On behavior > We have achieved the desired behavior with that setup. I sent a test > message tripping off one of the filters and the mail was delivered to > the postmaster and was not delivered to the other recipients. Thanks for that update Darrell. Sounds like something that should be implemented by any one whitelisting postmaster or root or abuse. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Question On behavior
Scott, We have achieved the desired behavior with that setup. I sent a test message tripping off one of the filters and the mail was delivered to the postmaster and was not delivered to the other recipients. This is just a testament on how flexible this product is.. Thanks for the help Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, March 26, 2003 9:13 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Question On behavior >To get around this problem do you think this is possible? > >Add a lot of negative weight to the message that has a recipient as >postmaster so it won't get bounced. Then create a test that will route >the message back to the postmaster's account? It might be possible to do something like that. An action "ROUTETO [EMAIL PROTECTED]" would prevent the other users from seeing the E-mail. Perhaps adding a filter that includes a line "ALLRECIPS 0 CONTAINS [EMAIL PROTECTED]", and then having the action for that filter set to "ROUTETO [EMAIL PROTECTED]"? That way, any E-mail that was addressed to [EMAIL PROTECTED] would get sent only to [EMAIL PROTECTED] -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Not Failing the comments test
I assume this didn't fail the comments test because it is actually not formatted like a true html comment
RE: [Declude.JunkMail] Question On behavior
Scott, To get around this problem do you think this is possible? Add a lot of negative weight to the message that has a recipient as postmaster so it won't get bounced. Then create a test that will route the message back to the postmaster's account? This would then route the message to the postmaster and not the other recipients? I am only pursing this because some really offensive email has been getting through where they are including the postmaster@ address in the mail. Is it possible to accomplish something like that? Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Tuesday, March 25, 2003 10:04 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Question On behavior >We have our domains postmaster addresses whitelisted. I noticed that a >message coming in that has multiple recipients will be delivered to all >the recipients mailboxes as long as it has a whitelisted postmaster >address. > >This is not exactly the desired behavior I am looking for. Unfortunately, that is the behavior that is required. The problem is that you are dealing with a single E-mail with multiple recipients, not multiple E-mails. We are working on some creative ways to get around this, but there would still be some definite limitations. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] How can I do this?
I am sure many people have noticed a lot of spam that is like this. Consider a users email address like this [EMAIL PROTECTED] Then the subject of the email is bsmith, have you seen this blah blah Any thoughts on how to check to see if the right hand side of the email address is contained in the subject? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Question On behavior
We have our domains postmaster addresses whitelisted. I noticed that a message coming in that has multiple recipients will be delivered to all the recipients mailboxes as long as it has a whitelisted postmaster address. This is not exactly the desired behavior I am looking for. It should have blocked this mail from all recipients except the postmaster. 03/24/2003 22:08:17 Qc816661e001c6824 WORDFILTER:13 DSBL:5 WIREHUB-DNSBL:3 NOPOSTMASTER:1 BASE64:5 SNIFFER:8 . Total weight = 35 03/24/2003 22:08:17 Qc816661e001c6824 E-mail whitelisted - automatically passing all spam tests [EMAIL PROTECTED] 03/24/2003 22:08:17 Qc816661e001c6824 L1 Message OK 03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills - Order today! 03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 12.233.204.136 ID: 03/24/2003 22:08:17 Qc816661e001c6824 L2 Message OK 03/24/2003 22:08:17 Qc816661e001c6824 Subject: Pe**nis Enlargement Pills - Order today! 03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 12.233.204.136 ID: 03/24/2003 22:08:17 Qc816661e001c6824 L3 Message OK 03/24/2003 22:08:17 Qc816661e001c6824 Subject: Penis Enlargement Pills - Order today! 03/24/2003 22:08:17 Qc816661e001c6824 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] IP: 12.233.204.136 ID: 20030324 220817 127.0.0.1 SMTP (1812) processing e:\imail\spool\Qc816661e001c6824.SMD 20030324 220817 127.0.0.1 SMTP (1812) ldeliver mail1.gannett-tv.com dlarock-main (1) [EMAIL PROTECTED] 4166 20030324 220817 127.0.0.1 SMTP (1812) ldeliver wfmy.com 2wantstoknow-main (1) [EMAIL PROTECTED] 4166 20030324 220817 127.0.0.1 SMTP (1812) forwarded message to [EMAIL PROTECTED],[EMAIL PROTECTED] 20030324 220817 127.0.0.1 SMTP (1812) finished e:\imail\spool\Qc816661e001c6824.SMD status=1 Any thoughts? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Headers Changing On Outbound Attached Message
I am using the copyto function to route a copy of any message that fails the sniffer test to my email box. If the message is a false positive I then insert the false positive message into another email and send it off to the folks at sniffer. What we found today is that for some reason headers are being inserted into the false positive attached message from Outlook? Also, it is inserting several other headers like altering the message id. Example of headers in message before forwarding it out as attached message Received: from sender0012.lodo.exactis.com [64.208.135.32] by mail1.gannett-tv.com with ESMTP (SMTPD32-7.12) id A91A577000EA; Fri, 21 Mar 2003 13:25:30 -0500 Received: by sender0012.lodo.exactis.com (queueup version 6.2: Copyright 2000 Experian, Inc. All rights reserved.) with stdio id KARE11_AAAJL29299; Fri, 21 Mar 2003 11:23:50 MST Date: Fri, 21 Mar 2003 18:17:12 UT From: "Tribune Alerts" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Reply-To: "Tribune Alerts" <[EMAIL PROTECTED]> Errors-To: [EMAIL PROTECTED] Message-Id: <[EMAIL PROTECTED]> Content-Disposition: inline Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1 MIME-Version: 1.0 Subject: [POTENTIAL SPAM]'Shock and awe' X-Mailer: Experian ContactMail Build v1.89 (Using MIME::Lite v2.117 ) X-RBL-Warning: OSSRC: Experian GBX-REQ6714-1 Spammed [EMAIL PROTECTED] Was: 64.208.135.177 from bog0007.lodo.exactis.com (bog0007.lodo.exactis.com [64.208.135.177]) by relays.osirusoft.com X-Declude-Sender: [EMAIL PROTECTED] [64.208.135.32] X-Declude-Spoolname: D591a577000eadda1.SMD X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 348193479 Example of headers When they receive it and view the attached message Reply-To: "Tribune Alerts" <[EMAIL PROTECTED]> From: "Tribune Alerts" <[EMAIL PROTECTED]> To: "Daly, Mark" <[EMAIL PROTECTED]> Subject: [POTENTIAL SPAM]'Shock and awe' Date: Fri, 21 Mar 2003 13:17:12 -0500 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_NextPart_000_016D_01C2EFD4.31C710F0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-Declude-Sender: [EMAIL PROTECTED] [64.208.135.32] X-Declude-Spoolname: D591a577000eadda1.SMD X-RCPT-TO: <[EMAIL PROTECTED]> X-UIDL: 348193479 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-RBL-Warning: OSSRC: Experian GBX-REQ6714-1 Spammed [EMAIL PROTECTED] Was: 64.208.135.177 from bog0007.lodo.exactis.com (bog0007.lodo.exactis.com [64.208.135.177]) by relays.osirusoft.com Importance: Normal Why would Outlook be altering an attached message? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Comments Test
For the comments test has anyone found an acceptable value that seems to trap a lot of spam? Thanks Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude Gone Wild
Today I had an instance where all my mail started being held as SPAM. 99% of it was legit mail. At first I thought it may be a sniffer problem as that was installed within the last week. Attached is a snippet of logs that shows declude over and over testing a peice of mail I disabled Sniffer at approximatly 2:30pm today. Reviewing the logs now seems to show that declude is still repeating the behavior below *substantially* less though. I am running Declude 1.63 Any thoughts? //INITIAL PROBLEM 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [804f].). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.105.130.36 with no reverse DNS entry.). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=HOLD. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed WEIGHT10 (Weight of 32 reaches or exceeds the limit of 10.). Action=BOUNCE. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed OSRELAY (This entry was last confirmed open on 1/4/2003). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed DSBL (http://dsbl.org/listing.php?202.105.130.36). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed NJABL (relay tested -- 1007947419). Action=WARN. 01/22/2003 09:56:35 Qafa31fcd00869f47 Msg failed BADHEADERS (This E-mail was sent from a broken mail cli
RE: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer
I find that interesting that the major ISP's fail those kinds of tests. Anyone have any idea's on why they wouldn't have those addresses setup? Dl -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Baker | Netsmith Inc Sent: Friday, July 26, 2002 4:27 PM To: '[EMAIL PROTECTED]' Subject: RE: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer That is about average, over 50% of our inbound mail fails at least one test (more like 70%)... This is where the weighing system comes into play. Tests like "no postmaster" and "no abuse" fail every message from systems like aol.com, msn.com, earhtlink.net, etc,etc... So they will appear as SPAM in your logfiles. You need to use the weighing system / edit your $default$.junkmail and your global.cfg to meet your needs. There is no cut/dry solution to spam, I have definitely learned monitoring this list that everybody has a different solution that fits their setup. The great thing about declude/sniffer is their flexibility, great mailing lists and frequent updates. (ex: we completely disabled the no postmaster/no abuse tests in our system, they are just too inefficient for our setup, but in other setups they are very useful ) -Original Message- From: Jim Rooth [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 3:18 PM To: [EMAIL PROTECTED] Subject: KITHRUP:RE: [Declude.JunkMail] Declude and Sniffer I must be doing something wrong! I looked at the confirm log and I have caught almost half of the 20,000 emails as spam. I have poured through the logs though and have only found four obviously legitimate emails that should not have been caught. I fixed that with the myfilter file. Either I am doing it wrong or the program is great. I suspect the latter... Jim Rooth Klotron, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Kratka Sent: Friday, July 26, 2002 3:08 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude and Sniffer Just curious. How many people are using both Declude Junk Mail and the sniffer add-on and has it made a difference if yes. I have been completely pummeled with Spam and am looking for more options. Thanks. Jeff * TymeWyse Internet P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417 tel/fax: (541) 839-6027 - [EMAIL PROTECTED] * --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.377 / Virus Database: 211 - Release Date: 7/15/2002 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.377 / Virus Database: 211 - Release Date: 7/15/2002 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] 1.56 Stablility
Not to beat a dead horse, are we thinking anytime in the next 2 weeks or should I plan on just moving with 1.55. Darrell Darrell LaRock Information Systems Analyst Gannett Television 716-849-2272 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Wednesday, July 24, 2002 5:13 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] 1.56 Stablility >Any idea when 1.56 will move from the beta state. We are bringing up a >new mail server and I wanted to know if it is stable enough to go live >with it. I know a couple weeks back there were some posts about >problems that were corrected with an interim release. We should have a 1.57 shortly that addresses the issues from 1.56. We expect that 1.57 should be quite stable. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] 1.56 Stablility
Any idea when 1.56 will move from the beta state. We are bringing up a new mail server and I wanted to know if it is stable enough to go live with it. I know a couple weeks back there were some posts about problems that were corrected with an interim release. Thanks In Advance dl --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
[Declude.JunkMail] Console
Someone mentioned earlier that there was a way to invoke declude to spawn a console in order to see what's happening in real time. Is this correct and how do you invoke this? Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . .
Title: Message Anyone wonder if they intended to send that message thinking that everyone would automatically block those sites? Nice little tactic…. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan Sent: Wednesday, July 03, 2002 4:07 PM To: [EMAIL PROTECTED] Subject: RE: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . . Hi; I also randomly checked the domains and I have a hard time believing some of those sites are in any sort of mass e-marketing. 216.234.252.98 home.faithmail.com 216.234.252.91 home.brownsmail.net 216.234.252.92 home.bazaar.com 216.234.252.97 home.esife.org are some that just don't appear to be e-spammers. this is the most peculiar message. Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Schick Sent: Wednesday, July 03, 2002 2:50 PM To: [EMAIL PROTECTED] Subject: BLARSBL:RE: [Declude.JunkMail] Get a load of this . . . I randomly checked some of those IPs and non of them showed up on any blacklist. Right now his mail would get through to us since he would not fail any tests. I wonder what his concern is. He should send the message to AOL and Earthlink to see if he gets any response. Chuck Schick Warp 8, Inc. 303-421-5140 www.warp8.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Glenn \ WCNet Sent: Wednesday, July 03, 2002 12:24 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Get a load of this . . . Here are some to add to your Kill file or BlackList! -- Hello Administrators for wcnet.net, Please check to verify that messages being sent to our Opt-in customers that are using your services are not being blocked by any of wcnet.net's servers. If there currently are blocks on any of our IP's, please contact me directly so that we may find a resolution to this. Relevant Marketing Technologies is a leading permission marketing and affinity-based email marketing company. The current client roster is primarily made up of four industries: Music, Sports, Broadcast, and Entertainment. Relevant Marketing Technologies is the leading online opt-in permission based newsletter services provider in each of these industries. Relevant Marketing Technologies has attained this leadership position primarily through the growth and evolution of ENewsNotifier (ENN). The ENN system is opt-in, and permission based, and provides direct live links to the URL to de-active the users individual account automatically imbedded into each and every message sent through our servers. We have modified all of our servers to prohibit open relay access, and have been cleared by MAPS through www.mail-abuse.org on all or our IP addresses. We are not spam. Currently, the servers we use to distribute email messages are: 216.234.252.24 ellis1.popmail.com 216.234.252.26 campbell1.popmail.com 216.234.252.35 feist1.popmail.com 216.234.252.36 leguin1.popmail.com 216.234.252.40 pohl1.popmail.com 216.234.252.44 herbert1.popmail.com 216.234.252.45 lucas1.popmail.com 216.234.252.46 verne1.popmail.com 216.234.252.47 trout1.popmail.com 216.234.252.48 simak1.popmail.com 216.234.252.49 mail.goglobal.net 216.234.252.50 niven1.popmail.com 216.234.252.51 wells1.popmail.com 216.234.252.52 bova1.popmail.com 216.234.252.53 orwell1.popmail.com 216.234.252.59 home.popmail.com 216.234.252.70 corporate.popmail.com 216.234.252.91 home.brownsmail.net 216.234.252.92 home.bazaar.com 216.234.252.93 home.ennmail.com 216.234.252.94 home.broadcastimagemail.com 216.234.252.95 home.mykswomail.com 216.234.252.96 home.countrystarsmail.com 216.234.252.97 home.esife.org 216.234.252.98 home.faithmail.com 216.234.253.20 mail4.roiinteractive.com 216.234.253.214 mail5.roiinteractive.com Our DNS Lookup information is as follows: Administrative Contact, Technical Contact: Host (HO9039-ORG) [EMAIL PROTECTED] Relevant Marketing Technologies Inc. Relevant Marketing Technologies, Inc. 6688 N. Central Expressway, Suite 150 Dallas, Tx 75026 US 469-385-2000 Fax- 469-385-2001 Fax- - 469-385-2001 If I can be of any assistance in the expeditious modification of our records with you, please do not hesitate contacting me. Sincerely, Bethann Lesnick Senior Client Consultant Strategic Development & Marketing Relevant Marketing Technologies 6688 N. Central Expressway, Suite 150 Dallas, TX 75206 Main - 469.385.2000 Direct - 469.385.2022 Fax - 469.385.2001 [EMAIL PROTECTED] www.RelevantMarketingTechnologies.com email marketing and communication solutions
RE: [Declude.JunkMail] maybe a dumb question
The "WARN" action only generates a line in the header of the message. Are you trying to send an alert to the user that sent it? Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stanley Lyzak Sent: Monday, July 01, 2002 12:34 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] maybe a dumb question Ok, If this is too easy a question, cut me a break...we have been using declude for 4 days (and are LOVING it!) (hitting about 65% - 75% catch rate- trying to improve). We have an IMail 6.x mailbag server (no actual mailboxes or domains exist). It uses relay for IP and a hosts file per IMail recommendation. Using declude, we are seeing two odd behaviors: 1) No setting for inbound mail in $default$.junkmail can be made to generate a warning (we are testing with a piece of software that can be made to violate the rules enough to cause a warning). Outbound warnings in the global.cfg work like a champ. Is this because we have no actual domains/mailboxes hosted on this server??? 2) (Possibly related to above?): Although we are running the Pro version of Declude, we cannot get a per-domain variation in the rule set. The only warnings that are effective, are from the global.cfg file in the imail/declude folder. We have tried creating a subfolder under declude with the same name as our domain name, but it ignores any global.cfg or $default$.junkmail file setting in that folder (yes I restarted the IMail SMTP service after the changes). Any ideas? Thanks BTW, the manual doesn't seem to be very inclusive in how everything can be set. I have done some searches on the Internet and found a few nice tools (and this forum has been helping a lot). But is there a good repository of hints and specs (settings) that I could get my hands on??? I am very technically literate. Thanks again! Stan Lyzak, BSEE, CISSP, MCSE², CCNA, A+ Network Security Engineer ASysTech, Inc. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .